7 WordPress Security Tips to Lock Down your Site

You’ve heard about WordPress security issues and wonder, why would anyone want to hack into my site? My site has no ecommerce, aren’t hackers more interested in stealing credit card information?

Yes, they are, but that’s not all.


What attackers most often do is plant malware that turns your site into a zombie doing their bidding: infecting your visitors and other sites to do the same, or sending spam.

Accidentally becoming a spam zombie has the added insult of getting your site blacklisted by Google, so there goes your page rank.

Unfortunately, the popularity of WordPress has made it a target. Attackers know that 60 million sites run on WordPress, and they’ve figured out ways to break in.

Perhaps you’ve heard the phrase “brute force attack.” That’s when an attacker takes a username they know or can guess and runs a tool that tries password after password against your login page until one works.

Here are some tips to improve your WordPress security and stop hackers.

Create Obscure Usernames

Years ago, every new WordPress installation created its first administrator as “admin,” and people just kept it. Attackers knew that, so their method was simply to enter “admin” on your login page and guess at the password until they got in.

That is no longer the case. Now, when you install WordPress in a hosting account, you have the option of choosing a username. Choose wisely.

Don’t use:

  • Your name
  • Your site’s name
  • Site keywords
  • Any words associated with your website

Once WordPress is installed, you cannot change your username from your User Profile; the field is greyed out. To change it from the dashboard, here’s what you must do:

  1. Create a New User with an Administrator role with a unique username
  2. Logout from the old account and login as the new user
  3. Go to the User list and delete the old administrator account
  4. When WordPress asks what to do with the old account’s content, choose to attribute it to your new username rather than deleting it

In Users>Your Profile, enter your full name and choose a version to “Display Name Publicly As.”

Otherwise, WordPress will by default display your username on every post, and that gives an attacker half of what they need to break in. Note that the author-archive URL (/author/username/) is also derived from the login by default, so a display name alone does not hide it completely.
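The four steps above, scripted, as an added example that is not code from the original post. It assumes WP-CLI is installed on the host (the post does not mention it); the login names, e-mail address and display name are placeholders to replace with your own. It also sets the author-archive slug (user_nicename) to something unrelated to the login, which the dashboard does not let you do.

```php
<?php
/**
 * rename-admin.php: retire a predictable administrator login such as "admin".
 *
 * Added example, not code from the original post. It performs the four steps
 * in one go: create a new administrator, move the old account's content to it,
 * delete the old account, and give the new account a display name and author
 * slug that differ from its login. Assumes WP-CLI; run it once with
 *   wp eval-file rename-admin.php
 * from the site's root, then delete the file.
 */

$old_login    = 'admin';                      // assumption: the login to retire
$new_login    = 'theskyissodamnbluetoday';    // the post's example; pick your own
$new_email    = 'owner@example.com';          // assumption: placeholder address
$display_name = 'Site Owner';                 // what visitors see; never the login
$new_pass     = wp_generate_password( 32, true, true );

$old = get_user_by( 'login', $old_login );
if ( ! $old ) {
    WP_CLI::error( "No user named {$old_login}." );
}
if ( get_user_by( 'login', $new_login ) ) {
    WP_CLI::error( "A user named {$new_login} already exists." );
}

$new_id = wp_insert_user( array(
    'user_login'    => $new_login,
    'user_pass'     => $new_pass,
    'user_email'    => $new_email,
    'display_name'  => $display_name,
    'user_nicename' => 'site-owner',   // author-archive slug; keep it unrelated to the login
    'role'          => 'administrator',
) );
if ( is_wp_error( $new_id ) ) {
    WP_CLI::error( $new_id->get_error_message() );
}

// wp_delete_user() lives in an admin include that is not loaded on the CLI.
require_once ABSPATH . 'wp-admin/includes/user.php';

// The second argument reassigns every post and link owned by the old account.
if ( ! wp_delete_user( $old->ID, $new_id ) ) {
    WP_CLI::error( "Could not delete {$old_login}; the new account {$new_login} was still created." );
}

WP_CLI::success( "Created {$new_login} (ID {$new_id}) and removed {$old_login}." );
WP_CLI::log( "Temporary password, change it at first login: {$new_pass}" );
```

Log in as the new user once before running anything else, and note that on a multisite network wp_delete_user() only removes the user from the current site, so the old account would need removing network-wide separately.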

Use Mantra Passwords

For increased WordPress security, picking an uncrackable password is essential. Fortunately, passwords can be changed in User Profile every day of the week if you want.

Again, the password should have no relation to you or your site’s content. The more obscure, the better.

Some people like to create logins and passwords that are unmemorable and nonsensical and use an app to generate and keep track of them. That works, as long as you actually keep using the app; the mantra approach below is for the logins you would rather carry in your head.

I like to use mantras for logins and passwords. Typing a full sentence of positive, intentional and inspirational words before beginning an online task not only focuses your attention and intent, it’s also a bit of fun.

Personally, I look to pedestrian subjects as inspiration for login mantras, like the weather.

What’s even more fun is creating a password to answer the username, such as:

Login: theskyissodamnbluetoday

Password: Imightjustgoforawalkon10thave!

Who is going to figure that out? A bot cycling through common passwords and short character combinations will not land on a 30-character sentence; password guessing succeeds against short, common or reused passwords, not long ones (and a string like “7c667f37e7ffc542fe585921ad99ccfb” is what a stored password hash looks like, not something a bot types into your login form).

Mantras: confusing to hackers, but memorable to users. Just don’t reuse the two above; once a phrase has been published it joins the guessing lists, and a well-known quotation or song lyric is in them already.

Use Security Plugins

I’ve been using the Login Security Solution plugin ever since my sites were first attacked.

Whenever an attack is waged, I get an email telling me how many attempts were made (20-40), the Network IP address used, and the username and passwords tried.

The 450 emails I got alerting me to brute force attacks to my wine site since April of 2013 revealed their top username choice is “Admin.”

They also tried “tastingroomconfidential, wineriesnovember, support, contact, valley dry, viognier, vineyards, grub (?), oomconfiden, confidentil, room confid, quickly, targeting, communicating, life, piano, and alerttoday,” among others.

Each email reminds me that, “The Login Security Solution plugin (0.47.0) for WordPress is repelling the attack by making their login failures take a very long time.  This attacker will also be denied access in the event they stumble upon valid credentials.”

Inside WordPress, the plugin nags me to change and harden my passwords, and it will log me out after a predetermined time, according to my settings. It will also limit the number of times someone may attempt to log in.

So, I feel pretty secure knowing that Login Security Solution has my back.
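The two behaviours the alert e-mails describe, slowing each failed attempt down and refusing the address after a few failures even if it stumbles on the right password, implemented as a small must-use plugin. This is an added example, not code from the original post or from the Login Security Solution plugin; the thresholds, the transient names and the assumption that PHP sees the real client address are all mine.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example)
 *
 * Added example, not code from the original post or from the Login Security
 * Solution plugin it describes. Save it as wp-content/mu-plugins/login-throttle.php
 * and it loads on every request. Each failed login from an address makes the
 * next attempt slower, and after LT_MAX_FAILURES the address is refused even
 * with valid credentials. Counters live in transients keyed by client IP, so
 * no database table is needed.
 */

const LT_MAX_FAILURES = 5;     // failures before the address is locked out
const LT_LOCKOUT_SECS = 900;   // lockout length: 15 minutes
const LT_WINDOW_SECS  = 3600;  // failures are forgotten after an hour of quiet
const LT_MAX_SLEEP    = 30;    // cap on the per-attempt delay, in seconds

function lt_client_ip() {
    // Assumption: PHP sees the real client address. Behind a reverse proxy,
    // read the proxy's forwarded-for header here instead, and trust only that proxy.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lt_key( $ip ) {
    return 'lt_fail_' . md5( $ip );
}

// Priority 30 runs after WordPress has checked the password (priority 20),
// so a locked-out address is refused even when the credentials are valid.
function lt_check_lockout( $user, $username, $password ) {
    if ( '' === (string) $username ) {
        return $user;   // nothing submitted yet; just show the form
    }
    $fails = (int) get_transient( lt_key( lt_client_ip() ) );
    if ( $fails >= LT_MAX_FAILURES ) {
        return new WP_Error(
            'lt_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.', LT_LOCKOUT_SECS / 60 )
        );
    }
    if ( $fails > 0 ) {
        // Tarpit: 1, 2, 4 and 8 seconds for the first four retries; the fifth failure locks.
        sleep( min( 2 ** ( $fails - 1 ), LT_MAX_SLEEP ) );
    }
    return $user;
}
add_filter( 'authenticate', 'lt_check_lockout', 30, 3 );

// Count every failure and restart the timer, so a slow attacker is not forgotten early.
function lt_record_failure( $username ) {
    $key   = lt_key( lt_client_ip() );
    $fails = (int) get_transient( $key ) + 1;
    $ttl   = ( $fails >= LT_MAX_FAILURES ) ? LT_LOCKOUT_SECS : LT_WINDOW_SECS;
    set_transient( $key, $fails, $ttl );
    error_log( sprintf( 'login failure #%d for "%s" from %s', $fails, $username, lt_client_ip() ) );
}
add_action( 'wp_login_failed', 'lt_record_failure' );

// A successful login clears the counter for that address.
function lt_clear_on_login( $user_login ) {
    delete_transient( lt_key( lt_client_ip() ) );
}
add_action( 'wp_login', 'lt_clear_on_login' );
```

The sleep() tarpit holds a PHP worker for the duration, which is why it is capped and why the hard lockout, not the delay, is what actually stops a determined bot; an attacker spread across many addresses will still get LT_MAX_FAILURES tries per address, so the throttle complements an obscure username and a long password rather than replacing them.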

There are more plugins you can use to increase your WordPress security, among them:

  • Better WP Security
  • Bulletproof Security
  • All in One WP Security and Firewall
  • Sucuri Scanner
  • Website Defender
  • WordPress Security
  • Exploit Scanner

Plugins can also be the source of malware, or of security holes of their own, so choose them carefully: install only from the WordPress.org repository or a reputable vendor, prefer plugins that are actively maintained, and keep your ears open for news of vulnerabilities. I have in the past used plugins that were later found to be insecure. When that happens, delete the plugin outright rather than merely deactivating it; a deactivated plugin’s files are still sitting on the server.

Update WordPress and Plugins

Because attackers keep finding holes and developers keep patching them, WordPress itself and every plugin need constant updating.

The WordPress core gets a major release a few times a year, and security fixes ship in between as point releases (x.y.z). Since WordPress 3.7 those point releases install themselves automatically by default; leave that enabled, and treat the major releases as something to do promptly rather than eventually.

Here’s how you update:

1. Back up both the files and the database, and keep the copy somewhere other than the web server

2. Deactivate all plugins

3. Go to Dashboard>Updates and press Update WordPress. (You can also upload WordPress manually.)

4. Update the plugins listed on that page, then reactivate them

5. Check your pages to make sure all functions are working correctly

Visit your Installed Plugins page often. Update cautiously as plugin updates can pose unforeseen problems with your theme, or with other plugins.

Plugins can be updated through the WordPress Dashboard, which fetches the package directly from WordPress.org, or you can upload the files yourself. If you do it by hand, use SFTP rather than plain FTP: FTP sends your hosting password across the network in the clear. One is quick and easy, the other long and tedious.

Be Wary of Free Themes

Your theme can also contain security holes. Buy premium themes from reputable developers, and take free themes only from the WordPress.org theme repository; free themes offered on random download sites are a common carrier for hidden spam links and backdoors. Delete any theme you are not using, and keep the one you are using updated.

Backup, Backup, and Backup

Constantly backing up your site will not fend off attacks or malware. But if your site gets infected, having a stock of backups may be your site’s saving grace. Back up the files and the database, keep copies somewhere other than the server itself (a backup sitting next to the site is lost or infected along with it), and try a restore once so you know the backups are good.

Use a Secure Host

Secure web hosting companies offer TLS (still commonly called SSL, after the protocol it replaced) so your site can be served over HTTPS, encrypting data in transit between your site and the visitor’s browser. That keeps passwords, session cookies and form submissions away from anyone watching the network, which is the protection you want for the login page above all; it does nothing against a vulnerable plugin or a weak password, so it complements the other tips rather than replacing them.

Two secure hosting companies are Bluehost and HostGator, affiliated through this site.
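As an added example for this section and for the updating section above (not code from the original post): the two wp-config.php settings that put HTTPS on the login and dashboard and keep the automatic security releases switched on. The proxy header handling is an assumption about the host’s setup, noted in the comments.

```php
<?php
// Added example: lines for wp-config.php, not from the original post. They must
// sit above the line that reads  require_once ABSPATH . 'wp-settings.php';

// Serve the dashboard and login form only over HTTPS, so credentials and the
// admin session cookie never cross the network in the clear.
define( 'FORCE_SSL_ADMIN', true );

// Assumption: the host terminates TLS on a proxy in front of PHP. WordPress
// then sees plain HTTP and would redirect forever, so trust the proxy's
// X-Forwarded-Proto header. Only do this if the proxy sets that header itself
// and strips any copy a client sends; otherwise a client can spoof "https"
// and bypass the HTTPS requirement on a plain-HTTP request.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Let WordPress install minor (security) releases on its own. 'minor' is the
// default since 3.7; true also takes major releases, false disables both.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
```

If your host does not use a proxy, drop the X-Forwarded-Proto block entirely; it only exists to make is_ssl() true behind a TLS-terminating front end.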

Enjoy WordPress Security

By acting on these 7 tips, you will significantly reduce the chance of being hacked. If your site does get hacked, the first thing to do is contact your host and get help from them. They have resources to clean the infection and quarantine your site. Once it is clean, change every password involved (WordPress, hosting, database, FTP) and restore from a backup taken before the break-in rather than trusting a patched-up copy.

If you have any other tips for securing WordPress sites, please comment below.

Good luck and stay safe.
