So, you have your WordPress site up and running, the wind is blowing nicely in your face, and all is going well, until… what is this? You have been hacked!
WordPress is the most widely used web platform in the world, so that’s one of the reason that some hackers are after you (it’s not personal, you know).
Here are a few things that you can do to avoid being hacked (listed in order of importance, from highest to lowest):
1. Keep your WordPress version up to date.
This is crucial: every so often, new vulnerabilities that affect old WordPress versions come out, and hackers rub their hands when they find a site with an old version of WordPress. Don’t let this happen to you! Especially knowing that you can update with just one click!
2. Use a secure password for your site (and whenever possible, a secure username too).
Fist, the username. In old versions of WordPress, the admin username was, yes or yes… “admin”. But not anymore! When you install your site, you are prompted to choose a username. Make sure to pick something creative and give hackers a hard time.
As to the password, make sure not to choose one of these (seriously? “hottie” is number 14?). Ideally, your password should combine uppercase/lowercase/numbers, and if you want to be a bit more paranoid, add a symbol like %$!?()/
This is a bad password: jonathan
This is a good password: JoNa1hAn
This is a pretty good password: J0nA1H%n123$
This is an awesome password: 5e9@XKNTvhRBCMgl
The reason behind choosing a hard password is that hackers sometime use what is called “brute force” attacks, ie, testing thousands of possibilities to try to log in to your site. Which password do you think they will try first, jonathan or 5e9@XKNTvhRBCMgl ?
By the way, if you have trouble remembering passwords, I recommend using lastpass (I use the free version). It will help you generate and store as many passwords as you like. I couldn’t live without it now!
Have you heard about the Pareto Principle? It says that 80% of your results, come from 20% of your actions. Well, those 2 were the top 20%! Do these and your chances of being hacked are very very low.
Here are a few extra tips for the power users:
- Make sure your plugins and theme are up to date. Every so often, new vulnerabilities in common plugins are found, so keep an eye for updates.
- Use a security plugin like Wordfence or Sucuri (both free; do not install both, just pick one; my personal recommendation is Wordfence, but both are very similar). This will prevent many attacks from happening.
- Use a plugin to limit login attempts, like Login LockDown (free)
- Use this plugin (free) to add an extra field (aside from user and pass) to be able to log in.
- For advanced users, hide to the outside world the fact that you are using WordPress, with Hide My WP (paid plugin)
Final advice: if the worst thing happens and your site gets hacked, make sure you have a backup! There are paid and free plugins for that, so don’t be lazy! (Ideally, backups should be stored somewhere else, like Dropbox or Google Drive)
So that’s it! Do you have any other tip? Make sure to share your thoughts in the comments, I’m always happy to learn new things 🙂
PS. If you would like to add an extra layer of security to your site, and make your WP site almost bulletproof, make sure to check Chris Hitman’s WP Site Guardian plugin. Totally recommended!
Thanks Raul, good stuff as i expected.
I wish i new all this before i lose all my sites at once. The problem is i give my WP pass to fiverr guys to fix things on my site and i keep the pass simple for them to remember. I think this is how i got hacked.
Thanks for your comment Khalid!
If you give your password to someone, make sure to change it after they are done with the work, will save you some headaches 😉
Also, instead of using a simple password, have a complicated one, and let lastpass remember i for you…
Thanks again for stopping by!
Thank you, Raul, for all your good tips and recommendations. They are very helpful:-)