WordPress is the most popular content management systems (CMS) out there. The company behind the development of WordPress is Automattic. It’s based on PHP as well as MySQL, and about 30% of all websites on the Internet use it. Next to TechCrunch, BBC America, Bloomberg Professional, the official star wars blog, and many other great sites, TechAcute is also using WordPress to publish and offer our content to you.
While using the most popular CMS out there has a lot of benefits, it also makes you a target for hackers and other digital evil-doers. If you keep the default installation with configuration out of the box, you might become victim to one or many attacks which could have all kinds of results, varying from your website being taken offline, to getting your content deleted, and could even extend to having data stolen. That could also include personal data of your customers if you are using your website for commercial reasons.
There’s a lot you could do to increase the security of your website, and while this is certainly not the ultimate list that can protect you from all evil, it can help a lot, and it’s mostly applicable even to people who are not all that tech savvy.
1. Relocate the WordPress login page
If you keep the default login site of your WordPress installation, it will be known to everybody where they have to start trying their attacks. If machines keep trying to brute-force their way into your website, chances are they are successful and get access, or they are not, and your site goes down because the server cannot cope with the load.
A great way to prevent this from happening is to change the URL of this login page. You can do this manually if you know what you’re doing on the WordPress backend, or you can use a plugin. For this purpose, I recommend WPS Hide Login as it’s very light and configured in a few clicks. After you changed the login URL, make sure you don’t share it with too many people. Of course, partners and team members won’t be too risky but publicize the login information.
2. User IDs and access management
When you install WordPress, you get an administrator account with access to everything and the rights to do as they please. If that’s you, no problem. If that access is available to someone else, it’s risky business, to say the least. This initial account will have user ID 1, and mostly its name is “admin.” Knowing this information can significantly help hackers to gain access to your website.
Once you have everything set up on your new WordPress site, you should create a new account and provide it with admin level access. Don’t name it admin though. The username can be anything really, even if you’re going to use it for writing and publishing since you can add separate first-name and last-name data to it later in the profile. After that is done, verify it by logging in to the newly created account. If everything works, navigate to the user overview and delete the default admin account. You should then no longer have issues with the user ID 1 or the “admin” username.
Another good way of avoiding to get hacked, even if they were to find your new login page as mentioned above, is to use usernames that cannot be easily predicted based on the authors’ full names. Also, you should make use of strong passwords that can be generated in the user management of WordPress under the user profile.
3. Limit login attempts and trigger blocks
This one is best done within WordPress security plugins. Basically, you should set up a limitation to failed login attempts to avoid getting brute-forced until you breach or break. Feasible values for that could be to block an IP after ten unsuccessful login attempts. You can set the duration of the IP block to be around one or two hours long.
Having this in place makes an attack much harder to execute because it would take forever to find the right password out of millions of possible passwords by having to wait an hour every ten times a wrong password is entered.
4. Stay up to date
A rather simple way of preventing from being hacked is to stay up to date with new versions of plugins or WordPress as a whole. If your dashboard tells you about new releases on things that you have installed, think about updating them. It usually takes only a click from you to do so. If you want to be sure that everything still works after the update, have a non-productive test environment of WordPress with precisely the same plugins as your production installation and test it out there first.
5. Using a CDN
CDN means Content Delivery Network. Such services are usually acquired by third parties if you want to improve user experience by reducing load times. Some CDN service providers offer you security measures on top of that and leverage their network information to assess malicious behavior of users and machines and blocking them out autonomously. They can control that because they are between you and the users.
While I am sure there are many great CDN solutions out there, I have personally only tried Cloudflare, who offer a lot of good services, such as security features and analytics, even if you stay in their free plan. If you’re not sure how to set up the CDN with your WordPress site, you can check with the support documentation of the CDN provider or ask their support team to help you, in case you’re struggling with anything.
Security plugins
Installing security suites and plugins wasn’t the focus of this article, but of course, they can help you with hardening. On the negative end of things, it should be noticed that every plugin you install potentially impacts your site’s performance and some security plugins could be too heavy for you. Trial and error on this one. If you’re not sure what WordPress security plugins to choose you can either google for review articles with a focus on that or check out the following ones that I know of:
- Akismet / Jetpack plans by Automattic
- Wordfence
- WPMU Defender
Bonus: Don’t forget backups
From my personal experience, I’d like to recommend to you, in this context, to have a service enabled that autonomously backs your WordPress up along with all your articles, plugins, images and everything else. Most people put their sweat blood and tears in their blogs and in their work. They do this for years and years and pile up hundreds or even thousands of articles that the world benefits from (more or less, depending on the subject matter).
It’s devastating to see all that content vanishing into thin air for an attack or even a simple technical issue. I promise you that your provider most likely doesn’t care. Also if you’re hosting yourself, who controls the data? Who backs up the disks? This is no space you want to go easy on. You want a solution in place that works on its own and records daily images of everything you own in your WordPress installation.
Because Automattic is developing WordPress, they are very integrated into the system and can offer excellent services. Their backup solution is called VaultPress and takes daily backups of your content, and if you give them enough access (e.g., FTP), they can even fully restore your website if it was wiped due to an unfortunate event. Takes you one click without stress and if something is wrong, the support is extremely helpful and friendly. They have sufficient empathy to understand that your whole world just collapsed and that you panic to save your blog.
Again, I am sure there are many other good solutions, but that’s the one I worked with before. Sounds weird but it gives me a lot of peace of mind. Whatever happens to the tech, nothing will be lost and everything can be restored. What are your favorite plugins and how do you go about hardening your WordPress instance? Tell us below in the comment section. Thanks for sharing!
Photo credit: Florian F. / Brian Klug
