Running a self-hosted WordPress site and concerned about security? This short guide shows you how to protect WordPress from hackers and botnets through the intelligent use of plugins and password management.
The latest string of mass WordPress brute force attacks is a reminder that this could happen at any time.
It’s one thing to have your website slowed down by the temporary load on servers as they’re assaulted by bots. It’s altogether more inconvenient to have pages on your site injected with malicious code that could have your site blacklisted by Google.
If you’re a WordPress.com user, the two things you can do are use a strong password and turn on two-factor authentication.
How to protect WordPress from hackers and botnets
Here are the most potent ways you can secure your site from the most common forms of hacking and botnet attacks now.
Having a strong password on your WordPress login is essential. This is one of the most important lines of defence against password/username (often called brute force) attacks.
Read more about how to manage passwords in WordPress.
You can update or change your password by navigating to Users >> Your Profile. If you’re using a text document to store passwords remember to update this immediately.
Use Unique Usernames
Forced entry style attacks often use a list of common usernames. If your username is ‘admin’ or anything else generic like ‘user’ or ‘test’, change it now with the Admin username changer plugin.
After activation, navigate to Admin username, enter a new username and click the Change button.
You will have to log in again straight away with your new username and password. If you’re using a passwords template file, be sure to update the username there immediately.
If you have multiple authors and users on your site you can check them all by logging in with an admin account and navigating to Users >> All Users.
Keep WordPress Updated
The WordPress team are constantly updating the core software for increased speed, security and features.
You can check for updates by navigating to Dashboard >> Updates.
Updating plugins is also usually a good idea. Before updating themes, however, you should check that you won’t be overwriting any changes you’ve made to the files. This is where a WordPress child-theme is handy.
Use the Limit Login Attempts plugin
The Limit Login Attempts plugin locks out, for a set time, anyone who tries (and fails) to log in to your site.
You can change the options for the plugin by navigating to Settings >> Limit Login Attempts. With strong passwords in place we can afford to decrease the number of retries and increase the lockout time as well.
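To see what tuning the number of retries and the lockout time changes, here is an added example (not part of the original guide and not the plugin's own code) that replays failed wp-login.php requests from an access log through a simplified lockout policy. The sample log lines, IP addresses and policy values are constructed, and it assumes default WordPress behaviour where a failed login POST returns 200 and a successful one returns a 302 redirect.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log (combined format), not real traffic:
# one client guessing every 30 s, one user who mistypes once then logs in.
LINE_FMT = '%s - - [01/Jan/2024:10:%02d:%02d +0000] "POST /wp-login.php HTTP/1.1" %d 0 "-" "-"'
SAMPLE_LOG = "\n".join(
    [LINE_FMT % ("203.0.113.7", *divmod(30 * i, 60), 200) for i in range(12)]
    + [LINE_FMT % ("198.51.100.20", 1, 10, 200), LINE_FMT % ("198.51.100.20", 1, 25, 302)]
)

LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def failed_logins(log_text):
    """Yield (ip, time) for each POST to wp-login.php answered with 200.
    Assumption: the login form is re-rendered (200) on a bad password."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, path, status = m.groups()
        is_login = path.split("?")[0].endswith("/wp-login.php")
        if method == "POST" and is_login and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def simulate_lockout(events, retries, lockout_minutes):
    """Return {ip: (guesses_checked, guesses_blocked)} for a given policy.
    Simplified model: the failure counter resets only when a lockout starts."""
    state = {}  # ip -> [failures, locked_until, checked, blocked]
    for ip, when in sorted(events, key=lambda e: e[1]):
        s = state.setdefault(ip, [0, None, 0, 0])
        if s[1] is not None and when < s[1]:
            s[3] += 1          # still locked out: the guess is never checked
            continue
        s[0] += 1
        s[2] += 1              # this guess reaches the password check
        if s[0] >= retries:    # retries used up: start a new lockout
            s[0], s[1] = 0, when + timedelta(minutes=lockout_minutes)
    return {ip: (s[2], s[3]) for ip, s in state.items()}

if __name__ == "__main__":
    events = list(failed_logins(SAMPLE_LOG))
    for retries, minutes in [(4, 1), (4, 20), (3, 60)]:
        print(retries, minutes, simulate_lockout(events, retries, minutes))
```

On the sample log, a one-minute lockout still lets most of the guesses through, while fewer retries with a longer lockout stops nearly all of them without affecting the user who mistyped once.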
Use the Stealth Login Page plugin
The Stealth Login Page plugin adds a rather sneaky layer of protection to your login page, making it near impossible to find! It creates a complex URL that you can use to log in, while everyone else is redirected to a web address of your choosing.
After activation, navigate to Settings >> Stealth Login Page, enable the plugin, enter a redirect URL and enter a question and answer string into the fields.
After clicking the Save Settings button it will display your custom login URL.
Use this address when you want to log in to your WordPress site. Everyone else is sent somewhere else, in this case Google’s home page.
Make Regular Backups
The reality is that sooner or later something will go wrong with your WordPress site. It may not be hacking, but no matter what form the disaster takes, having a backup means you can revert to the last save. Get your WordPress backups set up.
Other Security Tips
The more generally secure your site is the less likely it is that some person, or bot, will be able to break into your site. Read 10 WordPress security tips you can implement right now.
Now don’t you feel better knowing that those naughty hackers can’t get in?
Questions or issues? Let us know in the comments. 🙂