When millions of websites are being powered by the WordPress software, then there is a reason for it – simplicity, easy to create and easy to manage. WordPress is the friendliest content manager out there, and thus allows you to do almost anything with it.
Despite this, the fact that it is so popular, the WordPress comes with quite a number of downsides; security-wise!
For instance, if you are not careful with your default configurations, hackers can take advantage of the loopholes and penetrate through your website, where they access some crucial information(s) of your website.
Even a pesky user can hack into a poorly secured WordPress website. For example, anyone can simply type in ‘domain.com/wp-admin’ and this will take you right to your login screen. At this point, it is all about trying to crack through your password.
But the most common method hackers tend to use is the Brute force, which enables the hackers to test millions of various login combinations in a very short time.
As you can see, it is very easy to have your WordPress website hacked. But don’t worry, for there exists some preventive measures you can use to minimize potential hackers. So let’s take a look at some of them.
Backup Your Website More Often
It is very important that you carry out backup of your website as frequent as possible – at least weekly. Here, there are a number of WordPress plugins to help with the backup. One great example is the BackupBuddy, and even though it might cost you about $100, it is worth the price… or you sign up for an accoiunt with WPMayDay.com and we will handle it for you 🙂
And if the cost seems way beyond your affordability, and maybe would like a free option, then probably the best option is the Ready! Backup. This free plugin helps you to automatically create backups, and send them off to DropBox and afterwards restore them quickly.
Limit Login Attempts
This is self-explanatory. You need to limit the number of login attempts for your website. This way, if a hacker doesn’t guess your password right, say about five times, then he/she is restrained from attempting giving it more tries.
Here, you can go for a plugin known as Limit Login Attempts that not only limits the attempts, but also has an option where you can entirely ban the hacker’s IP address (or for just a few hours).
The best thing about this plugin is that the brute force attacks cannot pull off penetrating through it. That is, a hacker will be required to have various proxies since the plugin will keep on banning that IP address.
With this plugin, every option is customizable. That is to say, you get to select the number of attempts you can allow, and how long they can be locked out.
Avoid Using ‘admin’ as the Username
Most hackers find it easy to hack through WordPress websites that use the default admin username. And that’s why it is advisable to create another admin username, and change it through PHPMyAdmin
Here, the fastest way to do this is to register another user and give that particular admin the permission to login. After that, you can login to the new admin and proceed to delete the old admin.
And in case you’ve got many posts and pages assigned to your admin, and perhaps wouldn’t like to reassign them, then you can change the username via the PHPMyAdmin.
• Login to your cPanel
• Go into PHPMyAdmin
• Select your WordPress database
• Go to wp_users table
• Click Edit next to the admin user
• Change the user_login field according to your choice
Use Complicated Passwords
I think this is an obvious point, right? Well, I know you must be thinking the same thing; that no one can easily figure out your password. Please, don’t assume the level of a hacker’s skills to guess your password.
Most of these hackers take advantage of the passwords, most of which are dictionary-based. That is, once a hacker gets some information about you, like your birthday and your names, then he/she can easily guess your password.
Because of this, it is equally important to choose passwords that combine letters, numbers and special characters, like %, &, #, @, etc.
And what if you can’t remember passwords with special characters? Well, I would suggest using a password manager, e.g. the Dashlane. Even though there is a possibility of being hacked even with the password managers, the odds are very slim.
What If All Else Fail?
There is a time when you think that the aforementioned tips don’t really work. In such a case, the next step is to try and limit the IP addresses that can visit your ‘/wp-admin/’
You can actually do this by blocking all entries except for your own IP address by making use of an .htaccess file. This is done by creating a plain text file in your /wp-admin/ folder, and then rename it to .htaccess
More info can be found at http://codex.wordpress.org/Brute_Force_Attacks