How to Secure Your WordPress Website from Hackers and Keep Your Website Safe!
WordPress is used by millions of website owners and is one of the most versatile ways to build and maintain a site. If my memory is correct, roughly 30% of websites run on WordPress, and that is a pretty big percentage!
It is a developer- and user-friendly platform. That same popularity, however, makes it a favorite target: break-ins and hijacked sites cost you time, effort, money and a lot of headaches.
... and make no mistake, these hackers sleep very well at night. I will never understand people who do this.
These criminals are relentless, and their scanning is automated: if your site has an unpatched weakness, sooner or later one of these low-lifes will be knocking on its door. You have to take every precaution you can. I have outlined the major considerations for keeping these creeps out and your website safe.
Hardening WordPress against these attacks is the best defense you have.
Always Change Your admin Username
Everyone knows where the front door of WordPress is: yourwebsitename.com/wp-admin, which sends you straight to the login screen at wp-login.php. From there it is just a matter of figuring out the password, because the username that many one-click installers create by default is "admin", so that is the first name every brute-force script tries. Change it!!! If you don't, the hacker's job is already half done. WordPress will not let you rename an existing account from the profile screen, so do it this way: create a new user with a different name and the Administrator role, log in as that user, delete "admin", and when asked, attribute all of its content to the new account.
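Changing the login name is only half of it: a stock install still leaks user names in a couple of places, and the login screen tells an attacker whether the name they guessed exists. The mu-plugin below is an added example written for this post, not code from the post itself or from WordPress; drop it into wp-content/mu-plugins/, a directory WordPress loads automatically with no activation step. The file name and the wording of the error message are my own choices.

```php
<?php
/**
 * Plugin Name: Hide user names (added example, not part of the original post)
 * Location:    wp-content/mu-plugins/hide-usernames.php
 */

// 1. Requests like /?author=1, /?author=2 ... normally redirect to
//    /author/<login-name>/, which hands an attacker the list of accounts to
//    brute-force. Send those requests to the home page instead. (Author
//    archives reached by their proper URL are untouched; change the
//    "nicename" in the database if you need to hide those as well.)
add_action( 'template_redirect', function () {
    if ( ! is_admin() && isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 0 ); // priority 0: before redirect_canonical() runs at the default 10

// 2. The REST API (WordPress 4.7 and later) lists authors at
//    /wp-json/wp/v2/users. Keep it for logged-in users, since the block
//    editor relies on it, and hide it from anonymous callers.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 3. Core's login errors differ for "unknown user" and "wrong password",
//    confirming valid user names one guess at a time. Return one message
//    for every failure. (This replaces all login-screen error text,
//    including the lost-password messages; adjust if you need those.)
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );
```

After installing it, request yoursite.com/?author=1 in a private browser window; you should land on the home page rather than on /author/yourname/.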
Make Your Password Difficult
Seems simple, but you wouldn't believe how many people use passwords that are incredibly easy to guess. Use a long mix of upper- and lower-case letters, numbers and symbols, or better still let a password manager generate and remember one for you.
A password like "wkD3ns*9" is a whole lot harder to guess than "123456", "password", the name of someone you know, your birthday and so on, and every extra character multiplies the work a guessing program has to do.
The "admin" username coupled with an easy password leaves your site wide open to what are called brute force attacks: a script simply tries password after password against wp-login.php until one works.
Brute force attacks can be greatly blunted if you just make the two changes noted.
Perform Frequent Back-ups of your Website
This is one of the first things a website owner is taught to do. Back up your website!
Most people back up at least once a week, some every day. It all depends on the scope of your site and how often you make changes to it. Whatever the schedule, a usable backup has two parts: the database (posts, pages, comments, settings) and the wp-content folder (uploads, themes, plugins). Keep copies somewhere other than the web server itself, and restore one onto a test site now and then so you know it actually works.
I myself use BackWPup, but there are others like UpdraftPlus, Ready! Backup and BackupBuddy (paid).
Here is a great video tutorial on how to back up your WordPress site to a free Dropbox account using BackWPup. (Thanks Craig!)
This will put you at ease knowing that if your site is ever compromised, you can get it back quickly and easily.
BackWPup and Dropbox are both free to use.
Install All WordPress Updates
Keep WordPress, your theme and all plugins updated.
This is a must. WordPress is always working on security fixes, and if you don't take the time to apply them you may be caught holding the door wide open for intrusion. Minor (security) releases have installed themselves automatically since WordPress 3.7; major releases still need a click unless you turn automatic updates on.
The same goes for plugins, which are not only a security risk but can act "screwy" if not updated, and who needs that extra headache. If the developer does not keep a plugin current, get rid of it. A deactivated plugin's files are still on the server, so delete it rather than just switching it off.
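You can make WordPress do most of the updating for you. The file below is an added example, not code from this post or from WordPress: it sets the two constants that are usually placed in wp-config.php (guarded so a wp-config.php setting wins) and adds the two filters that turn on automatic plugin and theme updates. The file location is an assumption; since WordPress 5.5 you can also toggle plugin and theme auto-updates one by one from the dashboard.

```php
<?php
/**
 * Plugin Name: Unattended updates (added example, not part of the original post)
 * Location:    wp-content/mu-plugins/auto-updates.php
 *
 * The two constants are conventionally set in wp-config.php; the defined()
 * guards let an existing wp-config.php value take precedence.
 */

// Default behaviour: only minor/security releases install themselves.
// true installs major releases too; 'minor' is the default; false disables.
defined( 'WP_AUTO_UPDATE_CORE' ) || define( 'WP_AUTO_UPDATE_CORE', true );

// Remove the Plugin/Theme editor from the dashboard. With the editor on, an
// attacker who hijacks an administrator session can write PHP to the server
// straight through the browser; that editor is their usual next step.
defined( 'DISALLOW_FILE_EDIT' ) || define( 'DISALLOW_FILE_EDIT', true );

// Auto-update every plugin and theme. Both filters receive ( $update, $item );
// return true only for chosen $item->slug values if you need to pin a few.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Updates are driven by WP-Cron, which only runs when somebody visits the
// site. A quiet site should have the host's real cron call wp-cron.php.
```

Keep your backups current before turning this on: an update that breaks a theme is far easier to undo from last night's copy than from nothing.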
Limiting Login Attempts
There are plugins you can add to WordPress that will put a limit on the number of failed login attempts allowed before the offending address is shut out for a while. A very useful plugin to have, and it helps deter brute-force tactics. Limit Login Attempts will help with this. Be aware that it throttles guessing rather than stopping it, so it works best together with a strong password and a non-default username.
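Here is what such a plugin does under the hood, as an added example written for this post rather than the Limit Login Attempts plugin's own code. It counts failed logins per client address in a WordPress transient and refuses further attempts for a while once the limit is hit. The limit (5) and the window (15 minutes) are my own values, and it keys on REMOTE_ADDR, which is only the real client address if your host's proxy is configured to rewrite it.

```php
<?php
/**
 * Plugin Name: Simple login lockout (added example, not part of the original post)
 * Location:    wp-content/mu-plugins/login-lockout.php
 */

define( 'LL_MAX_ATTEMPTS', 5 );                    // failures allowed per client...
define( 'LL_WINDOW', 15 * MINUTE_IN_SECONDS );     // ...within this window

// One counter per client address. Only REMOTE_ADDR is trusted: the
// X-Forwarded-For header is attacker-supplied unless a proxy you control
// overwrites it before the request reaches PHP.
function ll_counter_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'll_failures_' . md5( $ip );
}

// Core fires this for every failed login, whether or not the user name
// exists, so unknown names and wrong passwords count the same.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ll_counter_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LL_WINDOW );      // each failure restarts the window
} );

// Once the limit is reached, fail the login regardless of the password.
// Priority 30 runs after core's own checks (priority 20), so this error
// is the final word and a correct guess is refused too.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;                              // login form just being displayed
    }
    if ( (int) get_transient( ll_counter_key() ) >= LL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', LL_WINDOW / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// A successful login from this address clears its counter.
add_action( 'wp_login', function () {
    delete_transient( ll_counter_key() );
} );
```

Transients live in the options table (or in the object cache when one is configured), so the counter is shared by every PHP worker serving the site. A rejected attempt during lockout also fires wp_login_failed, which means a bot that keeps hammering keeps extending its own lockout.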
Always Manually Approve Your Comments
Automatically approving your comments is a very BAD idea. Take a little time to approve them manually (Settings > Discussion > "Comment must be manually approved") or you will be encouraging not only a ton of spam but intrusions as well.
The latest update, the WordPress 4.2.1 Security Release, is aimed at stopping rogue commenters gaining access through the comment system. It "fixes a critical cross-site scripting (XSS) vulnerability, which could enable commenters to compromise a site". Please update!!! Note that moderation alone does not make such a comment safe: a comment that exploits a bug in WordPress itself can fire when you open it in the moderation screen, so the update is the fix and moderation is the extra layer.
Not only will this help prevent entry into your site by hackers, it will cut down on the amount of spam comments you get, whose only purpose is to promote usually "scammy" products.
Be Sure Your Website has Secured Hosting
You can take all the precautions available, but if your hosting company does not keep its own house in order, it's all for naught. At a minimum you want a host that keeps PHP and MySQL patched, isolates your account from other customers on the same server, offers HTTPS, and keeps its own backups.
Scan Your Computer for Viruses and Malware
This should be done on a regular basis by any computer user, but for a website owner it is doubly important: a keylogger or password-stealing trojan on your PC hands over your WordPress, FTP and hosting logins no matter how well the site itself is locked down.
Use a Security Plugin
There are a number of security plugins to use, and I highly suggest doing so. This will add another layer of protection to your site. Here are a few of the most popular and effective; pick one rather than stacking several, since overlapping firewall plugins tend to get in each other's way.
iThemes Security (formerly Better WP Security) is the #1 WordPress security plugin with over 600,000 downloads. iThemes Security gives you over 30 ways to secure and protect your WordPress site and is fairly easy to use.
Sucuri Security scans your website and detects PHP mailers, injections, malicious redirects, phishing attempts, malware and more.
Acunetix WP Security checks for vulnerabilities in passwords, theme files, and your admin area.
All In One WP Security & Firewall
CONCLUSION
There will ALWAYS be threats to the integrity of our websites and we can't protect ourselves 100% of the time, but we can certainly take steps to keep the hackers out and make it a lot more difficult for them to gain access.
It doesn't take long to implement these precautions and I urge everyone to put this at the top of your "To Do List".
Learning how to secure your WordPress website from hackers will go a long way toward staying one step ahead of these intruders.
Be Safe – Stay Safe!
You’ll be glad one day that you did!
Hi Joanne,
This article is unique and I thoroughly enjoyed reading it.
Internet security has become a buzzword and rightly so. You have gone to great lengths to explain the possible issues and remedies to secure your site. Your section on backing up a site with DropBox was particularly useful; I appreciate that.
Thanks,
Howard
Thanks for the tips here, this is really great advice. I know from past experience how quickly hackers and spammers can take over a wordpress website. An old website that I used to own was set up all wrong, I know that now! I had my comments set to auto approve, my password was fairly simple and I had no protection at all from spammers. As soon as the website got indexed within Google, I was getting 200 to 300 comments per day all on auto approve, every one of them spam! Eventually I had to shut the site down, there was no chance of repairing the damage done. You learn from your experiences in life!
Hello there,
Great tips to protect your website from hackers. That’s so important when it comes to your business & your hard work – you should guard your business. I like the idea for back up your website data on DropBox. I will try this one.
… thanks for this informative article!
Ehab
Hi Ehab
The small steps necessary are definitely worth it. Way too much work goes into producing a good website; every precaution should be taken to keep it safe.
Thanks so much for the comment.
Hi there,
I really love your site. You have really gone out of your way when it comes to presenting good content and I would like to congratulate you on this. The tips on protecting WordPress from hackers are very helpful. Thanks!
Your site really helps people out there who are trying to get into the online marketing world. It shows them on how to look out for scams. Because there are a lot of them out there.
I really like how you are showing people the good online products compared to the bad ones. Keep up the good work.
Cheers
Jay
Thanks Jay !!!
… trust me;
I’ve seen so many “unscrupulous” marketers and companies out there it makes me want to ……….!
Hope you’ll stop in again.
Excellent article, I’m glad that WordPress 4.2.1 update also reduced the amount of spam comments. These types of comments are quite annoying. Lol
I do have a question, If someone purchases a premium WordPress website, does that also help reduce the chances of being attacked? Thanks for your great article.
Yeah – I hate spam too. We all do!
In short – YES
You ALWAYS want to make sure your WordPress theme stays current and updated. If not, you’re opening yourself to problems and the likelihood of getting hacked. If you use a premium WordPress theme chances are pretty certain you will be much safer. These Premium Themes are being improved upon and updated continually for security issues that might arise.
Never use a theme that doesn’t get the proper attention from its developers.
This was a great read – but a little worrying overall ( I had no idea this type of thing could happen!! )
The idea of changing your name from admin is a really obvious one but one I hadn’t thought of myself.
Tell me, does this type of thing happen frequently and how damaging can it be?
Yes, the very first thing you should do is to change that “admin”! Simple, but the first line of defense.
I urge everyone to find out and implement how to secure your WordPress website from hackers!
On average 30,000 new websites are identified every day (source Sophos Lab) distributing malicious code to any users passing by.
That bit of news doesn’t make me feel so good!
As a website owner, you may be distributing malware etc. without even knowing it. It would be worth it to have your site checked – you can do that with several of the links listed here. Not only would your site be hazardous for yourself and others, you will possibly be "Blacklisted" by Google and you're not going to be getting too many visitors at your website door.
It can cause you major mishaps within your site, and let us not forget the nightmare of anyone’s financial information being compromised!
WordPress has a good set of reference pages on hacking. You can find them below along with some other great information, some free security checks – give them a look:
If you have problems, these may help you close the door that the attackers are coming in thru.
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
Additional Resources:
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
http://codex.wordpress.org/Hardening_WordPress
http://www.studiopress.com/tips/wordpress-site-security.htm
Good luck.
Thanks for your comment!
What a great post, Joanne. I learned a number of things as I read through this one.
I’ll be honest, I haven’t been backing up my site as often as I should, so I really appreciated the video and tutorial on BackWPup. I was not aware of that plugin or that I could sync up my backups with Dropbox. All for free! I’ll start using that bit of advice right away.
Regarding the security plugins, do you use all of them on every site you develop? I get a bit confused with all the plugins that are suggested, especially knowing I’ve been taught to keep the number of plugins small.
Thanks for the great advice!
Backing up is the first thing website owners should do, and on a regular basis. Once a week at the very minimum and more depending on how much work you are adding to your site.
… yeah – I love free and BackWPup in conjunction with Dropbox work great.
Use the fewest number of plugins as you can, but don’t worry about it too much – you need what you need, and security should be at the top of the list. If you’re interested about “using too many plugins” you can read this post on just that subject – very useful. I’ll get into this a little deeper in another article.
Any of the plugins listed above should work well – choose the one that’s right for you.
The steps given will certainly help keep your website safe from hackers, making it more difficult to cause you trouble, time and frustration.
Thanks for stopping by – and be safe!
Hey – thanks for the great tips for keeping your wordpress website safe.
This is a big problem. I’ve never personally been hacked but I know of people who have been. And I think part of the reason I’ve never been hacked is that I’m careful.
But recently I’ve been a bit paranoid. I used to use a plugin called “Limit login attempts” which essentially blocked anyone that attempted more than 5 or so wrong passwords. This prevented these hackers from brute forcing the password.
Do you know any of this plugin? Would you recommend it? Or should I go with one of the plugins that you’ve mentioned above?
Thanks in advance for your help
Hi Nate!
I’ve not personally used “limit login attempts” but I’ve heard it was very good.
Try using any one of the security plugins listed, or search WordPress for one that looks right for you.
I’ve chosen the All In One, but you may like another.
Whatever you choose, at the very least make sure you cover the basics with backups, keeping WordPress updated and manually approving comments. Just those three things will help tremendously.
Thanks for stopping in!
Hi Joanne, WordPress is the most used CMS platform out there and with popularity come responsibility. I frequently backup my entire site on my self-hosted WordPress and my other sites are done automatically. But, putting a security plug-in should be a no-brainer for most. I have been using Wordfence for most. It has a serious little firewall in there and notifies me of anything suspicious. Also, it has a nice caching feature that seems to speed up my site’s responsiveness. Thanks for the great tips!
Pj
That’s excellent! You’re taking the right precautions. Wordfence is another good security plugin to use, and I’ll go ahead and add it to the list – thanks.
Anything you can do to keep yourself safe from these hackers wreaking havoc on your WordPress site helps. Unfortunately, they will always be around, so the more you do in the way of a good "defense" the better.
Thanks PJ
Hey, Joanne
Thank You for a superb blog post on how to secure our WordPress websites from hackers 😀 There are some awesome tips here for me to follow, and I’m actually surprised that we can also use Dropbox to back-up our blogs, which I didn’t know! Good Stuff!! The great thing with my WordPress website is that it’s built using the SiteRubix website builder that was created by Kyle and Carson, the founders of Wealthy Affiliate.
Kyle and Carson choose the login password for me, which makes my site impossible to hack, and I can change the password every day if I really wanted to give hackers the run around, lol.
Cheers. Neil
Hi Neil!
Dropbox works out great for me – I set it to backup once a week automatically.
Quick and easy!
Hi there Joanne,
This article couldn't be more timely. Recently I received several comments to my blog – from survey sites – that are obviously spam. They were not directed to my "spam" box and somehow found their way into my 'proper' commenting area. How do I go about fixing this annoying problem? Thank you.
Hi Cathy
I think I may have received the same comments, or at least something similar.
Almost all of the spam gets caught by Akismet, but sometimes a couple sneak in, at least that's my experience.
If you’ve set to manually approve your comments, you’re covered.
Hi Joanne,
This is an excellent warning to some of us who are somewhat lazy about important website housekeeping. When I work in Photoshop I save regularly, but in WordPress am much more lax about it. I do export an .xml backup file occasionally, but you have encouraged me to take security a bit more seriously.
Thanks for that – must go and change my password again!
Rob
Hey Rob!
… glad you stopped by.
Yeah – sometimes “life” gets in the way of us doing things that are “on the list”.
I’m glad it spurred you on to take a couple of those precious minutes and take some precautions!
Most Important!
Hi Joanne,
A timely post! Just yesterday I found something called "guardlinks dot org" showing up as 5 landing pages in analytics. Further investigation traced that site to Latvia. Needless to say, I was quite worried! I immediately reset my pw, and don't see them showing up tonight. I have Wordfence installed, but WA doesn't allow it... WA also states they have adequate protection from login attempts. I'm still worried though. Which plugin would you recommend as an alternative to Wordfence? I'd really like to block some countries and specific IPs from my site. Thanks for your great article!
Hi Marant
Yikes – Glad you caught it!
Don’t worry. This is a direct quote from Kyle:
“What I can tell you is that our hosting platform is fully redundant (we run mirrors of your sites in parallel on different servers in case one instance goes down)… and we automatically do back-ups daily on your websites.
This shouldn’t be something that you have to worry about, we have you covered. If you want to back-up your content, simply do a Tools => Export. That should be more than enough.”
You’ll be fine here at WA.
Wealthy Affiliate does not allow third party applications of any kind for security reasons – it is very safe.
Great post Joanne! WordPress is really one of the best and advanced platforms that I know. It really does our work much easier because it has many options including plugins that allow to modify and improve our website performance and user experience dramatically. I’m using some of the plugins mentioned by you too. As I can see, you are giving very valuable info to your readers and I’m sure many will benefit from it. Website security is really very important if you own a website and especially a business that makes you money. I also back up my site almost every day and recommend it because I know people that lost their sites because of not paying attention to this simple task that takes a few seconds. As for the # 1 Pick recommended by you I can say that they are very strong at security issues and if you host your site there you can be safe from hackers attacks.
Hi Rufat!
Thanks for your comment!
… I love how WordPress is so versatile and easy to use too. With a few defensive tasks it's as secure as it can get, and takes the worry way down. Backups are extremely important and I'm glad you do that on a regular basis.
… You must be talking Wealthy Affiliate? If so, you're right! I have high regard for WA; I haven't seen anything better out there!
Glad you stopped by Rufat!
Hi,
Thanks for the advice I will definitely back up all my websites straight away.
Great site by the way well done.
Hi Marc!
It’s much more than just backing up though Marc.
Follow all the steps that you possibly can – one day you’ll be happy you did – for sure!
Thanks for stopping by.
Hi Joanne!
… this is some great information. Luckily I am already doing most things but I was not aware that you could also get a site security plugin, so I will have to look into that.
I unfortunately, managed to infect my computer system a few months ago with malware when downloading a program. I had to reformat my hard-drive to get rid of it, so I learned that one the hard way.
I’m not paranoid, but you mentioned to Edy that you also download your site content to your computer, how do you do that?
Thank you for your help.
Lis.
Hi Lis!
Yikes – sorry to hear about the trouble you had, but glad you got it resolved. These people drive me crazy!
OK – yes, I do back-ups with BackWPup (to Dropbox) and download a copy as well. You can see a video of how it’s done here at Wealthy Affiliate. It’s easy to do and I feel a little better doing so.
Hi!
I've been in this business (online) for 3 months and so far I've never had any problems, but thanks for this post because it's always better to be prepared and you showed me the way.
I wish you a good day and thanks again!
Hi Doru!
It’s kind of like wearing a seat-belt.
Hopefully you will not need it, but it will help protect you if you’re in an accident.
Just always take precaution, no matter what kind of website you have!
WordPress is the most hacked website platform for a reason. The most people use it. Reminds me of the PC world and why Windows gets hacked more than other operating systems, because the widespread use.
I think you have done a great job of showing people how to avoid some of the most common mistakes they can make when using WordPress. Passwords are a big one, and simple scripts are out there with which people can attempt to brute force WP login boxes in a widespread way. Multiply this by tens of thousands of hackers doing this and you are bound to be cracked if you have a simple password.
Not sure if you use SiteRubix, but I am really loving the new password system there that automatically creates secure passwords for me.
Hi Jake!
Yeah – you’re absolutely right!
I know what you mean too about Windows; that’s why I now have an Apple as well.
There are things that can be done though to protect yourself. I have my own Joomla site too, but I really like WordPress a lot, and with just a little time put into making it as safe as possible, I feel pretty secure.
I don’t have a SiteRubix site right now, but Wealthy Affiliate gives you the same password protection for your own domains as well. They really take great care surrounding the topic of security.
Thanks for stopping by Jake!
More hackers are on the move!
Should have extra protection for our wordpress website.
I personally Export my website file into my computer.
Dropbox is a good idea too to secure our data.
Very helpful information you have here to prevent hijacking from hackers.
Awesome buddy!
Cheers,
Edy
Hi Edy!
I actually do both!
I’m not paranoid at all, but I’ve gotten into the habit of not only backing-up to Dropbox regularly, but also download/export my files to the computer as well. I’m pretty sure that when you export just your files to your computer, you are not backing up your theme and all that comes with it – only your files.
… so I do both.
Thanks for stopping by!
Thanks for the tips on how to protect my website. I am going to make some changes on my site now
Hi Gan!
You're welcome – don't put it on the back burner.
These are important and easy things to do to help keep your website secure.
This is great Information for anyone with a website. I never thought of backing up my website.
Hey Mike!
… thanks for stopping by.
BACK-UP your website! – this is the #1 thing to do first, and often.
But don’t stop there. Take every precaution you can – the more the better. These creeps are persistent!
This is a very informative post that is useful to anyone using the internet these days. Great job!
Hi Melody!
Thanks – I hope you take some time to make sure you’re covered in these areas. It doesn’t take a lot of time and will be a lifesaver if anything happens. Take Care
Great post Joanne! I myself use many of these precautionary measures. Fortunately, knock on wood, I haven’t been compromised. As with many bad things in life, prevention is always key! The changing of my Admin Username was the first thing I did, and not really because of the security issue, but because it makes your website more professional if there is a real name. Using Admin appears to be amateurish to many people. Thanks for sharing this info!
Thanks for stopping by Robert!
– "knock on wood" for me too, but … I've heard some pretty awful stories out there of what can happen when these "low-lifes" hack and get into your website; not a pretty picture and certainly not one I want to be in.
I agree on the admin username – cold and unprofessional in my opinion too.
Hope to see you again Robert!
Nice info. I am constantly concerned about security on my website. I will be implementing some of this ASAP. Thanks so much.
Hi Mark!
You know how the old saying goes: "an ounce of prevention" …
It’s so worth it to take a little bit of time to take these precautions. There’s nothing worse than waking up one morning to find your website has been hacked!
Well worth the effort indeed!