Whilst a determined hacker will try many ways to gain access to a website, here are a number of ways to make their life harder. These tips matter most if your site collects information about your users, especially personal data and, above all, payment card details (which are best never stored on the WordPress host at all; leave them with your payment processor).
Keep up to date!
Always keep your WordPress installation up to date. The community behind WordPress is an extremely active one, and when a security issue is found a fixed release usually follows quickly. The admin interface shows a notification whenever a new WordPress version is available, and likewise when updates exist for your plugins. Be aware that a WordPress upgrade can occasionally break a plugin, so keep an eye on the site after a core upgrade; plugin updates that restore compatibility are normally not far behind. Attackers read the same release notes you do and go looking for sites that have not applied the fix, so install updates promptly rather than waiting for a convenient moment.
Don't do Admin
'admin' is the default username for the WordPress administrator account, so the majority of login attacks simply assume it and guess passwords against it. Change it to something long that combines letters and numbers. WordPress will not let you rename a user from the dashboard; create a new user with the Administrator role, log in as that user, then delete 'admin' and, when prompted, attribute its posts to the new account. Bear in mind that WordPress reveals usernames in several places (author archive URLs, the REST API users listing), so treat the new name as a speed bump rather than a secret: the password carries the real weight.
Passwords are easy to guess because most people put little thought into them. Make it hard for attackers: use a long password with a mix of upper and lower case letters, digits and punctuation, never reuse it on another site, and change it at once if you have any reason to think it has leaked.
Purpl3Pengu1n! shows the pattern, but do not use it or a variation of it: a dictionary word with letters swapped for look-alike digits is exactly what password-cracking wordlists and rules try first. A passphrase of several unrelated words, or the random output of a password manager, is far stronger and no harder to use.
Implement security plugins
There are a number of WordPress security plugins available, and it is worth installing one or two of them to make sure your website is as secure as possible (running several overlapping ones tends to cause conflicts without adding much).
- Better WP Security (since renamed iThemes Security)
- Secure WordPress
- IQ Block Country
- Wordfence Security
A plugin that hides any indication of the WordPress and plugin versions in use (the generator meta tag, the version query strings on scripts and styles) makes an attacker's job that little bit harder, though only a little: readme.html, known file contents and the way pages render still give the version away to anyone who looks, so treat this as a complement to updating, never a substitute.
Backup Backup Backup
Backing up your website regularly is the surest way to get back on track should you get hacked. Hosting companies normally back up the server your site lives on, but be wise and take your own backups as well; you cannot control how often theirs run or how long they are kept.
This is paramount before you upgrade the core WordPress app or the plugins you're using. Find a plugin that lets you dump your database on demand, use it, and after each backup copy the dump somewhere safe, which means off the web server: a dump left in the site's own directory is readable by whoever compromises the site, and often by anyone who guesses the file name. Also take a copy of all the WordPress files, including the plugins, the images you've uploaded and, most importantly, your theme.
If you are hacked and don't have the time or the skills to investigate and remove the offending changes to your code, you can restore the files from your copy and load your database dump over what is there, in case the data itself has been tampered with. Check your backups by restoring them somewhere: an archive that has never been unpacked is a hope, not a backup.
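The backup routine described above, written out as a small shell script. This is an added example and not code from the original article: it archives wp-config.php and wp-content (themes, plugins, uploads), adds a database dump when a dump command is supplied, and records a checksum so a damaged copy is noticed before you need it. The site path, the output directory and the DBDUMP command are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original article: back up the parts of a
# WordPress site that cannot be reinstalled from wordpress.org (wp-config.php,
# wp-content with themes, plugins and uploads) plus a database dump, then write
# a checksum so a corrupt archive is noticed before you need it. All paths and
# the DBDUMP command are assumptions for illustration.
set -eu

# Pick whichever SHA-256 tool this host has (GNU coreutils or Perl shasum).
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum
    else echo "shasum -a 256"; fi
}

# wp_backup SITE_DIR OUT_DIR -> prints the path of the new archive.
# DBDUMP, if set, is the command whose stdout is the SQL dump, e.g.
#   DBDUMP="mysqldump --single-transaction -u wpuser -p wpdb"
# If it is unset or not installed, the files are still archived and a warning
# is printed, so a missing dump is never silently mistaken for a full backup.
wp_backup() {
    site=$1
    out=$2
    [ -f "$site/wp-config.php" ] && [ -d "$site/wp-content" ] \
        || { echo "$site does not look like a WordPress root" >&2; return 1; }
    mkdir -p "$out"
    work=$(mktemp -d)
    stamp=$(date -u +%Y%m%dT%H%M%SZ)

    # Files first; wp-content holds everything a fresh reinstall would not:
    # your theme, plugins and uploaded media.
    tar -cf "$work/backup.tar" -C "$site" wp-config.php wp-content

    if [ -n "${DBDUMP:-}" ] && command -v "${DBDUMP%% *}" >/dev/null 2>&1; then
        $DBDUMP > "$work/database.sql"
        tar -rf "$work/backup.tar" -C "$work" database.sql
    else
        echo "warning: no database dump command available; files only" >&2
    fi

    gzip "$work/backup.tar"
    archive="$out/wp-backup-$stamp.tar.gz"
    mv "$work/backup.tar.gz" "$archive"
    # Checksum recorded by file name only, so it stays valid after the archive
    # is copied off the web server.
    ( cd "$out" && $(sha256_tool) "wp-backup-$stamp.tar.gz" > "wp-backup-$stamp.tar.gz.sha256" )
    rm -rf "$work"
    echo "$archive"
}

# wp_backup_verify ARCHIVE -> 0 if the checksum matches and the archive still
# lists wp-config.php; run this on the off-site copy, not just the original.
wp_backup_verify() {
    archive=$1
    dir=$(dirname "$archive")
    name=$(basename "$archive")
    ( cd "$dir" && $(sha256_tool) -c "$name.sha256" >/dev/null 2>&1 ) || return 1
    tar -tzf "$archive" | grep -qx 'wp-config.php'
}
```

Run it from cron with DBDUMP set, then copy the archive and its .sha256 file somewhere outside the web root (another host, object storage) and run wp_backup_verify on that copy. The warning path is deliberate: a script that quietly produces a files-only archive when the database dump fails is the kind of backup you discover is useless on the day you need it.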
Change the table prefix
If you're installing WordPress yourself, the process is relatively painless. But in the same way that people stick with the default admin username, people also skip changing the default table prefix.
By default every table created by the installer has the prefix wp_ (it is set by $table_prefix in wp-config.php).
Because the same installer is used for every WordPress site, an attacker who finds a SQL injection hole can simply assume wp_users, wp_options and the rest are there, and automated attack tools hard-code exactly those names.
As with the admin account, make their lives harder by changing this default to something less obvious. Be clear about what it buys you: a custom prefix defeats canned payloads, not an attacker who can already read your database, so it is one layer on top of keeping everything patched, not a replacement for it.
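Changing the prefix on a site that is already installed is where people get bitten, so here is an added example (not code from the original article) that generates the SQL for the move. Renaming the tables is only half the job: WordPress also stores the prefix inside data, in the option wp_user_roles and in usermeta keys such as wp_capabilities and wp_user_level, and if those rows keep the old prefix every account, yours included, loses its role. The prefixes and the table list are assumptions for illustration; a real list comes from SHOW TABLES.

```shell
#!/bin/sh
# Added example, not code from the original article: generate the SQL for
# moving an existing install from one table prefix to another. Renaming the
# tables is only half the job. WordPress also stores the prefix inside data:
# the option `wp_user_roles` and usermeta keys such as `wp_capabilities` and
# `wp_user_level`. Rename the tables without those rows and every account
# loses its role, including yours. Prefix values below are assumptions.
set -eu

# escape_like STR -> STR with '_' and '%' escaped for a MySQL LIKE pattern,
# because a bare 'wp_%' would also match names like 'wpX...'.
escape_like() {
    printf '%s' "$1" | sed 's/[_%]/\\&/g'
}

# gen_prefix_sql OLD NEW: reads table names from stdin, one per line, as given
# by   mysql -N -e "SHOW TABLES LIKE 'wp\_%'" wpdb   and prints the SQL.
# Tables that do not start with OLD are skipped with a note on stderr.
gen_prefix_sql() {
    old=$1
    new=$2
    old_like=$(escape_like "$old")
    skip=$((${#old} + 1))          # SUBSTRING position just past the old prefix
    echo "-- Take a backup first; run these in one maintenance window."
    while IFS= read -r table; do
        [ -n "$table" ] || continue
        case $table in
            "$old"*) ;;
            *) echo "skipping $table: no $old prefix" >&2; continue ;;
        esac
        base=${table#"$old"}
        printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "$base"
    done
    # The two rows of data that embed the prefix; miss these and nobody has a
    # role any more. The option name is matched exactly; usermeta keys are
    # rewritten wholesale because several of them carry the prefix.
    cat <<EOF
UPDATE \`${new}options\` SET option_name = '${new}user_roles' WHERE option_name = '${old}user_roles';
UPDATE \`${new}usermeta\` SET meta_key = CONCAT('${new}', SUBSTRING(meta_key, ${skip})) WHERE meta_key LIKE '${old_like}%';
-- Finally set \$table_prefix = '${new}'; in wp-config.php, or the site will
-- look for the old tables and fail.
EOF
}

# Constructed sample input standing in for SHOW TABLES output:
#   printf 'wp_options\nwp_posts\nwp_usermeta\n' | gen_prefix_sql wp_ x7k_
```

Review the generated statements before running them, take the backup the first comment asks for, and make the wp-config.php change in the same window: between the RENAME and the edit to $table_prefix the site is down, which is the reason to do this at install time rather than later.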
Protect your wp-config.php at all costs!
Your wp-config.php file contains all the juicy details: the database host, user name and password, plus the authentication salts. It should never be served to a browser, and even if you're not a power WordPress user you can add this protection quite easily with an Apache .htaccess rule.
Open a text editor like Notepad (on Windows) or TextEdit (on Mac).
Copy and paste these lines into your editor:
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
Then save the file as .htaccess (exactly that name; some editors will quietly add .txt).
FTP this file up to the root of your website, next to wp-config.php.
Two details are worth getting right. The <Files> wrapper matters: 'Deny from all' on its own in the root .htaccess blocks the entire site, not just wp-config.php. And 'Order allow,deny' is a single argument with no space after the comma; written as 'allow, deny' Apache rejects the directive. On Apache 2.4 the equivalent inside the same <Files> block is 'Require all denied'. None of this applies to nginx, which ignores .htaccess; there you deny wp-config.php with a location block in the server configuration.
N.B. The .htaccess file may already exist on your website if you've set up permalinks, etc. In that case, instead of creating a new file, download the existing .htaccess, add the lines above to it, and upload it back; overwriting it would wipe out your permalink rules.
Test it afterwards by requesting /wp-config.php on your site in a browser: you should get 403 Forbidden. The rule is there for the day a server misconfiguration (a broken PHP handler, say) starts serving .php files as plain text; without it, that day exposes your database password.
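The steps above, as an added example that is not code from the original article: a shell function that adds the wp-config.php protection to an .htaccess file without clobbering rules already in it and without adding the block twice if it is run again. It emits both the Apache 2.2 and 2.4 forms, each guarded so the file stays valid on either version. The file path and the marker comments are assumptions; run it on the copy you download, check the result, then upload.

```shell
#!/bin/sh
# Added example, not code from the original article: merge the wp-config.php
# protection into an .htaccess file idempotently. The marker comments and the
# file path are assumptions for illustration.
set -eu

# The block itself. Apache 2.2 understands Order/Deny, Apache 2.4 wants
# Require; the IfModule guards keep one file valid on both versions.
wpconfig_block() {
    cat <<'EOF'
# BEGIN protect wp-config.php
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
# END protect wp-config.php
EOF
}

# wpconfig_protected HTACCESS -> 0 if the file already carries the block.
wpconfig_protected() {
    [ -f "$1" ] && grep -qF '# BEGIN protect wp-config.php' "$1"
}

# protect_wpconfig HTACCESS -> appends the block, keeping whatever rules
# (permalinks etc.) are already there. Creates the file if it is missing.
# Returns 0 if the block was added, 1 if it was already present.
protect_wpconfig() {
    f=$1
    if wpconfig_protected "$f"; then
        return 1
    fi
    # A file saved without a final newline would otherwise glue our first
    # marker onto the last existing rule.
    if [ -f "$f" ] && [ -s "$f" ] && [ "$(tail -c 1 "$f")" != "" ]; then
        printf '\n' >> "$f"
    fi
    wpconfig_block >> "$f"
    return 0
}

# Usage:  protect_wpconfig /path/to/site/.htaccess
```

After uploading, request /wp-config.php from the site and confirm you get a 403; if you instead get the whole site returning 403 or 500, you have a syntax slip in the file, and because Apache reads .htaccess on every request the fix is immediate once you re-upload a corrected copy.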
Scan your site!
With a plugin such as WP Security Scan you can keep a watchful eye over your website: run scans regularly to check that everything looks healthy, and it will flag potential problems such as over-permissive file permissions. In conjunction with the other plugins mentioned in this article, it's a neat way of keeping everything shipshape and giving you that extra peace of mind. And if you spot in the logs that someone has discovered your admin username, change it and change your password at the same time.