WordPress is a fantastic platform and used by around 25% of the internet for publishing content. Unfortunately this makes sites built with WordPress a regular target to brute force login attempts and attacks. Insecure WordPress installs can sometimes used by other sites using DDOS attacks. Attacks like this are automated across hosting platforms and attempt to find authors that are using default usernames, weak passwords and outdated WordPress installations. See the next post about reasons for keeping your WordPress install up to date.
Most WordPress users and content creators are not aware of the threats hackers pose and sometimes may not even realise an attack has successfully been carried out before it is too late, which then effects visitors and search engine rankings. Do not let this happen to your site. These security measures are simple and any blogger can implement them to properly secure their WordPress sites and to help stop the threat of hacking attacks.
1. Create a new user account
Lets start with some basics. Now if a user and password both have to be cracked then it is by far harder for a hacker to break in to your site. So folks this is going to mean that you’re going to have to delete that golden old WordPress Default “admin” user. Alternatively when creating a new WordPress install, you could create your account without a default name of admin. Either way get rid of the user name admin. Call it any thing you like, just not admin, as this is what the hackers will be looking for as Default usernames. “Admin” is one of the most common targets for attacks, so they should not be used and be removed if they have been.
Before you go running off and just straight out deleting your existing “admin” account, you will need to create an administration level account that can take its place. You do this by going to “Users” then “Add New” in the WordPress menu. When your are creating a new user you are going to want to make sure you give this a role of “Administrator”.
This will ensure that you have full access and authority in managing the site. Once you have done this you’re going to want to log out of your default “Admin” account and then login with the new user details that you have just created. Once you’re back in go to users, here you should find a list of all user accounts. Select the default admin account and press delete. Make sure you select the option to your new administrative account. Make sure you do this before progressing to the next step.
2. Use a strong password
Use a strong password. See our guide to Strong Passwords for a more in-depth guide to these. A simple password may make it simpler to remember, but its also far easier for a hacker to crack. Your password should be a minimum of 8 characters long and should include numbers, special characters and upper and lowercase letters. The longer the password is the harder it is to crack, the best method by far is to use a password manager to deal with your passwords.
3. Set a new nickname
You don’t want your username to show up as the author name on any of the posts you create using this account. So what you need to do here is set a nick name. To do this you’re going to go again into “Users” under “Your Profile” fill a nickname into the Nickname field and set “Display name publicly” as your new nick name.
4. Disable logins from certain IP addresses
The Login LockDown plugin records the IP address and time stamps with every failed login attempt. If a certain number of login attempts are made within a short period of time, the login function is then disabled for any request made from that ip address. Other plug-ins such as Limit login attempts do the same, if you review the login attempts that have been made on your site you will notice most of the attempts are made using the username “admin” hence the reason for removing this altogether.
5. Blacklist all IP addresses except your own from logging into your admin
Alternatively to step 4 you can black list all users who aren’t using a designated IP from accessing the admin area. This step is suitable for all sites, for instance sites membership aspects to them. If you don’t have one of these type of sites you can do this step by going to the wp-admin folder in your WordPress installation and updating the .htaccess file using the below code anywhere in the file make sure you add your IP numbers in there (type “what is my IP” in Google to find your IP address):
deny from all
# whitelist home IP address
allow from IPNUMBER
# whitelist work IP address
allow from IPNUMBER
# whitelist holiday IP address
allow from IPNUMBER
You can put different IP addresses in there if needed but one should be enough. From now on when someone without a designated IP address tries to access your site they will get a message similar to the one below.
Forbidden. You don’t have permission to access /wp-admin on this server.
Sometimes IP addresses change. This can be a downside of this method as it will mean if you move, or if your IP address changes for any reason you will have to go to your ftp and update the .HTACCESS file with your new IP address. This can become tedious if your IP is changed regularly or you use the internet to access your site from different locations.
6. Block bots from accessing WP-Admin login page
This is a simple one and it means that if a bot stumbles upon your site and tries to login to the wp -admin it will be blocked from doing so and won’t be able to damage your site.
To block bots you will need to access the htacess file for your site in the main directory, not the one in the /wp-admin folder like the last step and paste the following at the top of the file borrowed from the guys over at hackrepair.com
7. Do not allow guest user registrations
If you do not have a membership site, then there is no reason to allow visitors to register for a guest account on your site. To check that you have registration turned off, click “Settings” and make sure that the “Anyone can register” option is not checked.
8. Do not allow pings
Some WordPress sites have the ping-back option enabled. This can be used in DDOS attacks against other sites, ping-back is enabled by default so it is important to disable it. In “Settings” go into “Discussion” and in “Default Article Settings” tick off “Allow link notifications from other blogs (ping-backs and trackbacks)”.
9. Activate a security plugin
There are several security plug-ins that can help protect your site and prevent any hacking attempts. Two options are ithemes security (We at RGB prefer this one) and bulletproof security . They both do quite a few things to make your site safer, including forcing you to use stronger passwords. This also makes you delete the admin username and block bot traffic and helps you do regular security scans.
10. Keep an eye on the Webmaster Tools
Google Webmaster Tools is a fantastic resource for your sites security. check out the Security Issues section of your profile which will notify you if Google detects malware or security issues on your site.
11. Always upgrade
Always upgrade to the latest version of WordPress, latest version of your theme and latest version of the plugins you use. this has been mentioned on our blog before and will be again developers upgrade their software and plug-ins because security vulnerabilities tend to be found in older versions. When there is a new upgrade available, WordPress notifies you in the dashboard. No excuses not to upgrade. Since WordPress 3.7 the upgrades are now can automated with automatic background updates however you may want to check compatibility with themes etc before you do upgrade
if your not upgrading due to you using a old theme which you fear you may lose settings from you may want to look at changing your theme or alternatively change to some thing different
its not recommended to down load plugins from any unknown sources such as the WordPress Directory or from official websites of premium plugin and theme developers you can normally tell reliable plugins and themes by the frequency they are updated, high number of downloads and good reviews.
12. Automatically Backup WordPress
Backing up your site regularly is important it keeps your content and database safe this means in the event that any thing happens with your site it can be rolled back to before the damage happened and means your site is normally back up and running far quicker than if you were to manually put things back together. hosting providers normally use system backups to keep there servers safe and you will sometime be able to ask theme to roll back a site but don’t count on the back up being what you need. WordPress site consists of two parts
Database: this is where all your sites settings, pages, posts and comments are stored
Files: which are made up of things like media, attachments, themes and plugins.
It’s recommended you make a full backup of the entire site, meaning both database and files.
The most convenient and most acceptable way even for non tech-savvy users is doing backup by using plugins. There are many different plugins available. One of them is BackWPup another backupbudy.
you can activate the plugin and set it to automatically backup your site and send the backup file to your email address. once you have activated set it to it send you a new email when a new backup is created be it every day, every week what ever you decided.
No more Hacks whoopee
you can set these security measures up relatively quickly and majorly reduce the chances that your site will be hacked.
if your unsure of backing up your site or just don’t have the time to keep your plugins or site up to date check out the RGB Updates,Security and Back-up services we offer