Podcast: Play in new window | Download
Subscribe: RSS
With high profile security incidents becoming more and more prevalent, it is essential for you to take some simple steps to protect yourself from hackers.In today’s Podcast Episode and post, you will get several simple WordPress security tips from not just myself, but several community members that have either been hacked previously or have taken proactive steps to protect their sites.
Be sure to subscribe and listen to today’s Podcast Episode via one of the links above, for 2 additional bonus tips not mentioned below.
Simple WordPress Security Tips
Always Use Domain Privacy – If you don’t, you’ll not only get inundated with spam from people selling services, but you will also be subject to additional scams, phishing attempts and others trying to trick you into transferring your domains over to them.
For domain registrations, I recommend you keep them separate from your hosting account and I utilize and endorse NameCheap. They are my go-to choice for inexpensive registrations and just as importantly, consistent and inexpensive renewals. They provide free domain privacy when you register a new domain name.
Set Domains For AutoPay – This isn’t necessarily a security tip, but it was a good tip from a community member to avoid losing your important domain assets and prevent yourself from being subject to scammers.
People are always watching for expired domains and they can purchase your domain names if they expire and try to sell them back to you for highly inflated prices. At a minimum, stay on top of your domain renewals and be sure to renew them in advance to avoid being hijacked.
Change Your WordPress Login Account / Password – One thing I always recommend when installing WordPress is to not only make your password unique and highly secure for each of your websites, but also change the default account name from admin to something else.
When hackers attempt brute force login hacks on your website, they will most likely be trying the default admin account, since most people probably do not change it from the default.
Changing the default account is easy to do during the WordPress installation, but a little more difficult after the fact. There are some manual ways to do so, but I’d recommend using a plugin like Username Changer to make things easier. Then when you are done, just uninstall the plugin.
And also, be sure to have different accounts/passwords for each of your websites and do not you not utilize a password that you use for other online accounts.
These days it is becoming more and more common for user names and passwords to end up being released to hackers on the “dark web”. Some high profile hacks of accounts and passwords include LinkedIn and Yahoo Mail.
When lists like that become public, hackers can attempt to connect your account/passwords with other sites such as financial sites and other assets you might have like websites and online businesses.
For that reason, I highly recommend you have a different username and password for each of your websites and keep them completely different from any other account/password like email, bank accounts, etc.
Always Install a Plugin That Limits Repeat Logins – Brute force login attacks are one of the most common ways people will attempt to hack your website. They will hit the login page of your website over and over, trying known or obvious login/password combinations.
A plugin which limits login attempts can block repeated attempts from the same source, in an effort to prevent login related hacks.
There are lots of different plugins out there that can help with this one. It’s always best to limit the number of plugins that you utilize, to keep your sites running faster and the less plugins you have, the less you have to keep up to date.
The JetPack plugin from the folks at WordPress is a popular plugin for a number of different things and it has a security module that will limit login attempts. If you’re already using JetPack for other things like optimizing images, related posts, social sharing or some of the other features, this would be a great way to limit login attempts as well.
Utilize 2 Factor Authentication – Another way to limit brute force login attempts is to utilize 2 Factor Authentication. I’m sure most of you are aware of what that means, as many of your financial institutions and more and more other companies are requiring 2 Factor as part of your normal login routine.
This typically means that the company will either send you a unique PIN to a separate email account or mobile device or have you use a free app like Google Authenticator, as a second way of verifying you are who you say you are.
The JetPack plugin provides also provides a free way to enable this for your WordPress website.
Take Regular Backups and Store Them Offsite – Backups are essential for a number of reasons, but being able to restore your site in the event of a hack, ranks right up there.
What I mean by storing them offsite is that you set your backups to write to a location that is external to where your website is located. Most of the main backup and restore plugins help you do that with just a simple click or two.
I utilize and recommend the UpdraftPlus Backups plugin for this. You can easily store your backups offsite for free with their built-in integration with tools like DropBox, Amazon S3, etc.
With UpdraftPlus you can schedule recurring backups and I definitely recommend you do so, as a set it and forget it type thing for peace of mind. I also recommend taking backups after you create any new content or before updating WordPress and plugins.
Update WordPress and Plugins Often – One of the most important steps after securing your login/password, is to make sure you regularly update WordPress, plugins and themes. That is very easy to do inside your WordPress dashboard, as there is an “Updates” button inside the Dashboard towards the top.
I recommend taking a full site backup prior to installing any updates, as there is always a slight chance that an update can cause issues. Having a full backup will allow you to restore things to the way they were prior to any updates.
Jeff from the community recommended at least monthly updates, but I take things a step further and say to backup and update your site any time you publish new content. If you publish content daily, that might be a bit excessive, but I’d recommend at least doing updates every other week, to close any security holes that might pop up.
Check Plugins Details for Last Update – This is an important one that is often overlooked. Checking to see if your plugins are still being maintained is just as important as keeping them updated.
When you go to the Plugins tab in your WordPress dashboard and select Installed Plugins, you will usually see a “View Details” or “Visit Plugin Site” link.
Click that and check to see when the plugin was last updated.
If the last update date for the plugin was over a year, I’d highly recommend you search for a different plugin to accomplish what you need. Ideally you’re looking for a plugin that is updated weekly or monthly, to not only fix any bugs, but also to fix any security vulnerabilities that crop up.
Don’t Go With the Cheapest Bottom Dollar Hosting Company – Jeff found this one out the hard way after his site was hacked twice in 1 week several years back, due to no fault of his own.
Pay a bit more. Why? Because the bottom-dollar companies probably don’t have the funds to reinvest in infrastructure and security, or they’re just a re-seller and the infrastructure isn’t theirs anyway.
Always look for a good deal, but utilize companies with a proven track record, that people that you know personally have been very happy with over time.
The hosting company that I have utilized with success for over 7 years is WebHosting Hub. They have fast, secure and reliable hosting along with excellent 24/7 customer support, which is so important in the event you have any issues and need assistance.
Several members of the community have either signed up with Webhosting Hub as a new customer, or utilized their free transfer service to transfer from a host that they were unhappy with over to Webhosting Hub and I’ve heard nothing but good things since.
A bonus is that their rates are very competitive and I’m able to provide a discount that is not available to the general public, for being a member of the Niche Site Tools community. Through my discounted affiliate link you will always get the lowest rate currently available and will be in good hands.
Install a Security Plugin – Having a security plugin is essential when scanning to see if your site has been hacked, but it is an excellent tool to have enabled to help you identify any future issues right away.
There are several different well known plugins for this, two of the most popular are Sucuri and WordFence.
I installed both of them on all my sites prior to doing this post for review purposes and I think most of you will find Sucuri does a great job for helping identify if your site has any hacks or malware in place currently and in addition, they help you identify additional proactive steps to take.
For instance, when I first installed the plugin and scanned my sites, none of them had any current hacks or malware, which is always good. However, in the lower right they listed many recommendations for exactly how to increase security and plug potential threats that hackers have been known to take advantage of.
In addition, I immediately started to receive email updates anytime I logged into one of my websites, any time I updated a post, etc. That is helpful to know right away, in case someone does gain access to your site and makes unauthorized changes. That is fully customizable.
I found that WordFence was also helpful, but I needed to manually get an API key before I was able to scan my sites and it just wasn’t as user friendly as Sucuri.
However, if you are someone that is very tech savvy and is looking for more detailed and granular features, WordFence seems to provide a lot more in-depth features, but many of them will require an upgrade to their premium version.
If you find yourself in a situation where you suspect your website is hacked, here is a full step by step post from Sucuri on exactly how to clean a hacked WordPress website.
Conclusion
Today’s post and Podcast episode were a direct result of hearing about a recent hacking event that a community member Chad went through, along with tips and suggestions from another community member Jeff who has been hacked 2x in one week several years back. Thanks also to Jeff for some great tips and suggestions.
We can’t always prevent every possible security event from occurring, but having an excellent proactive hosting company like Webhosting Hub, along with following the steps above can go a long way towards helping to prevent many of the most common hacking attempts.
Note, some of the links above may be affiliate links and if you click through and make a purchase, I may receive a commission, at no additional cost to you.