25% of all websites seen on the internet are powered by WordPress. That’s a huge number of websites, which unfortunately makes WordPress a target for hackers with malicious intent. If you’ve had your WordPress website for some time, you’ll probably have noticed login attempts coming from other countries. That alone is often enough to cause panic.
You might assume your website is too small or insignificant to be hacked, but you’d be wrong: most WordPress hack attempts are automated by bots sent to scour the internet for WordPress websites.
If a bot does find a hole in your website, it’ll take advantage of it, and that can turn into a more targeted attack that badly affects your website, destroying your content and your SEO efforts.
Preventing WordPress Hacks
Preventing attacks is much easier than trying to fix what’s been broken, so here are our tips for keeping your WordPress website clean and hack free.
1. Keep WordPress, plugins and themes up to date
Updates are usually released to fix security issues, so it’s always important and highly recommended to keep everything as up to date as possible. It can be hard to get into the habit, so checking on a set day each week can help. You can also enable automatic updates, which keeps everything up to date for you, but be warned: take a backup before turning automatic updates on.
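As an added example (not code from the original post or from WordPress itself), here is a small must-use plugin that opts a site into automatic updates using the constant and filters WordPress provides for this. It updates core for minor releases, restricts plugin auto-updates to an allow-list (the slug in that list is an assumption), updates all themes, and writes a line to the PHP error log for each update so the weekly manual check has a record to compare against the backup taken beforehand.

```php
<?php
// Added example, not code from the original post: a must-use plugin,
// e.g. wp-content/mu-plugins/auto-updates.php, that opts the site into
// automatic updates. Take a full backup (database and wp-content) first.
// The plugin slug in the allow-list is an assumption.

// Core: 'minor' (the WordPress default) takes only security and
// maintenance releases; true also installs major releases.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
	define( 'WP_AUTO_UPDATE_CORE', 'minor' );
}

// Plugins: auto-update only a vetted allow-list; everything else waits
// for the weekly manual check. Use add_filter( 'auto_update_plugin',
// '__return_true' ) instead to update every plugin automatically.
function auto_update_allowed_plugins() {
	return array( 'wordfence/wordfence.php' ); // assumed slug
}
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	if ( in_array( $item->plugin, auto_update_allowed_plugins(), true ) ) {
		return true;
	}
	return $update; // keep whatever WordPress or other filters decided
}, 10, 2 );

// Themes: update all of them automatically.
add_filter( 'auto_update_theme', '__return_true' );

// Leave a record in the PHP error log so the weekly check can see what
// changed and when, and restore from the backup if something broke.
add_action( 'automatic_updates_complete', function ( $results ) {
	foreach ( $results as $type => $updates ) {
		foreach ( $updates as $u ) {
			$status = is_wp_error( $u->result )
				? 'FAILED ' . $u->result->get_error_message()
				: 'ok';
			error_log( sprintf( 'auto-update %s: %s: %s', $type, $u->name, $status ) );
		}
	}
} );
```

Must-use plugins cannot be deactivated from the dashboard, which is the point here: the update policy stays in force even if someone disables ordinary plugins. The error log is the place to look when a site breaks overnight; if an entry shows a failed or unwanted update, that is the moment the pre-update backup pays for itself.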
2. Use a security plugin
A good security plugin includes:
- Brute force protection
- Regular security updates
- File scanning and file change detection
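To show what the first item on that list does under the hood, here is an added example (not code from the original post or from any security plugin) of a minimal login lockout as a must-use plugin. It counts failed logins per client IP in a WordPress transient and refuses further attempts from that IP once the threshold is reached. The thresholds, the file name and the use of REMOTE_ADDR are assumptions; behind a reverse proxy the client address has to be taken from the proxy's header instead, or every visitor shares one counter.

```php
<?php
// Added example, not code from the original post: a minimal login lockout
// as a must-use plugin (wp-content/mu-plugins/login-lockout.php).
// After LOCKOUT_MAX_FAILS failed logins from one IP within LOCKOUT_WINDOW
// seconds, further attempts from that IP are refused until the window
// expires. Thresholds and the REMOTE_ADDR choice are assumptions.

const LOCKOUT_MAX_FAILS = 5;
const LOCKOUT_WINDOW    = 15 * MINUTE_IN_SECONDS;

// One transient key per client address. Behind a trusted proxy, replace
// REMOTE_ADDR with the address the proxy forwards (after validating it).
function lockout_client_key() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
	return 'login_fails_' . md5( $ip );
}

function lockout_is_active() {
	return (int) get_transient( lockout_client_key() ) >= LOCKOUT_MAX_FAILS;
}

// Count every failure; the transient expires on its own after the window.
add_action( 'wp_login_failed', function ( $username ) {
	$key   = lockout_client_key();
	$fails = (int) get_transient( $key ) + 1;
	set_transient( $key, $fails, LOCKOUT_WINDOW );
	if ( $fails >= LOCKOUT_MAX_FAILS ) {
		error_log( sprintf( 'login lockout: %s after %d failures (last user "%s")',
			isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?', $fails, $username ) );
	}
} );

// Refuse authentication while locked out. Priority 30 runs after the core
// username/password and email handlers (priority 20), so the WP_Error
// returned here replaces their result even if the password was correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( lockout_is_active() ) {
		return new WP_Error( 'locked_out',
			__( 'Too many failed login attempts. Please try again later.' ) );
	}
	return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
	delete_transient( lockout_client_key() );
} );
```

Two details matter for this to actually work. The filter priority has to be above 20, because WordPress's own handlers on the authenticate filter overwrite whatever earlier callbacks return once they look the user up. And transients live in the options table unless a persistent object cache is configured, so on a busy site with a lot of failed logins this adds database writes; a real plugin stores counters in its own table or cache for that reason.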
3. Use a strong username and password
We’ve seen a lot of people use the word “admin” as their username, but we’d recommend something different, something unique to you. When hackers run brute force tools, “admin” is one of the first usernames they try.
Your password is another important factor to consider, probably even more so than your username. We recommend not using full words that can be found in the dictionary; dictionary attacks are also tried first in a brute force attack. Just sticking a number on the end won’t help much either, as the tools they use are advanced and can try lots of different combinations at once.
Your password should be at least 8 characters long and a mixture of letters, numbers and symbols.
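As an added example (not code from the original post), the rules above can be enforced at the point where an account is created or edited in wp-admin, rather than left to each user's judgement. The check function, the hook wiring and the tiny word list are all ours; a real deployment loads a full dictionary file instead of the constructed stub shown here.

```php
<?php
// Added example, not code from the original post: enforce the username and
// password advice when a user is added or edited in wp-admin. The word list
// is a constructed stub; in practice read a full dictionary file, e.g.
// file( '/path/to/words.txt', FILE_IGNORE_NEW_LINES ).

function credential_policy_problems( $username, $password, array $wordlist ) {
	$problems = array();

	if ( 'admin' === strtolower( $username ) ) {
		$problems[] = 'the username "admin" is the first one brute force tools try';
	}
	if ( strlen( $password ) < 8 ) {
		$problems[] = 'the password is shorter than 8 characters';
	}
	if ( ! preg_match( '/[A-Za-z]/', $password )
		|| ! preg_match( '/[0-9]/', $password )
		|| ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
		$problems[] = 'the password must mix letters, numbers and symbols';
	}
	// Strip digits and symbols from both ends: "Password1!" still has the
	// dictionary word "password" at its core, which is what a dictionary
	// attack with appended digits is designed to catch.
	$core = strtolower( preg_replace( '/^[^a-z]+|[^a-z]+$/i', '', $password ) );
	if ( '' !== $core && in_array( $core, $wordlist, true ) ) {
		$problems[] = 'the password is a dictionary word with characters tacked on';
	}
	if ( '' !== $username && false !== stripos( $password, $username ) ) {
		$problems[] = 'the password contains the username';
	}
	return $problems;
}

// Constructed stub standing in for a real dictionary.
function policy_wordlist() {
	return array( 'password', 'welcome', 'letmein', 'wordpress', 'admin', 'qwerty' );
}

// Fires on "Add New User" and "Edit User" before the change is saved;
// $user->user_pass holds the new password only when one was submitted.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( empty( $user->user_pass ) ) {
		return; // no password change in this request
	}
	$problems = credential_policy_problems( $user->user_login, $user->user_pass, policy_wordlist() );
	foreach ( $problems as $msg ) {
		$errors->add( 'weak_credentials', '<strong>Error:</strong> ' . esc_html( $msg ) );
	}
}, 10, 3 );
```

With the stub list, "Password1!" passes the length and character-mix rules but is still rejected, because the word left after trimming the trailing "1!" is "password". That is the case the paragraph above warns about, and it is why length and character classes alone are not a sufficient policy.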
4. Change your login URL
5. Use HTTPS
HTTPS (Hypertext Transfer Protocol Secure) is the secure version of HTTP. It gives you secure, encrypted traffic between you and the server where your WordPress website is hosted. Most good hosting providers will provide SSL certificates for your website, which enable HTTPS. SSL certificates can be paid for, but there are also free options available.
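Having a certificate installed is only half the job: WordPress also has to be told to use HTTPS everywhere. The following is an added example (not code from the original post) with two parts: the wp-config.php settings that force the login page and dashboard onto HTTPS and make WordPress generate https:// links, and a must-use plugin that redirects the front end and sends an HSTS header. The hostname example.com and the file names are placeholders. The first block also handles the case practitioners trip over most often, a TLS-terminating proxy in front of PHP.

```php
<?php
// Added example, not code from the original post.
// Part 1 goes in wp-config.php above the "That's all, stop editing!" line.
// Part 2 is a must-use plugin, e.g. wp-content/mu-plugins/force-https.php.
// example.com is a placeholder for the real hostname.

// ---- Part 1: wp-config.php ----

// Behind a TLS-terminating proxy or load balancer, PHP sees plain HTTP, so
// is_ssl() returns false and FORCE_SSL_ADMIN would redirect in a loop.
// Honour the proxy's header only if the proxy is the sole path to this host;
// otherwise anyone can set the header themselves.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
	$_SERVER['HTTPS'] = 'on';
}

define( 'FORCE_SSL_ADMIN', true );             // wp-login.php and wp-admin over HTTPS only
define( 'WP_HOME',    'https://example.com' ); // https:// here makes every generated
define( 'WP_SITEURL', 'https://example.com' ); // link, script and style URL use HTTPS

// ---- Part 2: wp-content/mu-plugins/force-https.php ----

// Send plain-HTTP front-end requests to their HTTPS equivalent. wp_safe_redirect()
// only follows redirects to the site's own host, so a forged Host header cannot
// bounce visitors elsewhere.
add_action( 'template_redirect', function () {
	if ( ! is_ssl() && isset( $_SERVER['HTTP_HOST'], $_SERVER['REQUEST_URI'] ) ) {
		wp_safe_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 301 );
		exit;
	}
} );

// Once every page is reachable over HTTPS, tell browsers to never try HTTP
// again for a year. Only send it on HTTPS responses, as the spec requires.
add_action( 'send_headers', function () {
	if ( is_ssl() ) {
		header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
	}
} );
```

Test the redirect and the admin login over HTTPS before adding the HSTS header: once a browser has seen it, that browser will refuse plain HTTP for the whole max-age, so a broken HTTPS setup cannot be hidden by "just use http for now". Existing posts that embed http:// image URLs still need a search-and-replace in the database, or browsers will flag the pages as mixed content.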
6. Enable 2-factor authentication
Enabling 2-factor authentication means you’ll need two methods of authentication to access your WordPress admin dashboard. The first will be your standard username and password; the second can come in other forms, such as a text message containing a code or an authenticator app.
Wordfence lets you set up 2-factor authentication easily and has login security built in.
It can be a bit of a pain having to pull your phone out every time you want to log in, but it helps keep your website safe and secure from hackers.
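To make the authenticator-app option less of a black box, here is an added example (not code from the original post, from WordPress or from Wordfence) of how such a code is checked: the time-based one-time password of RFC 6238, built on the HMAC-SHA1 construction of RFC 4226, wired into the login through the wp_authenticate_user filter. The user-meta keys totp_secret and totp_last_counter, the form field totp_code and the function names are assumptions; enrolment (generating a secret and showing the QR code) is not shown.

```php
<?php
// Added example, not code from the original post: verifying an
// authenticator-app code (RFC 6238 TOTP over RFC 4226 HOTP/HMAC-SHA1)
// at WordPress login. Meta keys, field name and function names are ours.

// Authenticator apps share the secret as base32 (RFC 4648).
function base32_decode_rfc4648( $b32 ) {
	$alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
	$b32      = strtoupper( rtrim( $b32, '=' ) );
	if ( '' === $b32 ) {
		return false;
	}
	$bits = '';
	foreach ( str_split( $b32 ) as $c ) {
		$v = strpos( $alphabet, $c );
		if ( false === $v ) {
			return false;
		}
		$bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
	}
	$out = '';
	foreach ( str_split( $bits, 8 ) as $byte ) {
		if ( 8 === strlen( $byte ) ) {
			$out .= chr( bindec( $byte ) );
		}
	}
	return $out;
}

// HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the dynamic
// truncation of RFC 4226 section 5.3, reduced to $digits decimal digits.
function hotp( $secret, $counter, $digits = 6 ) {
	$hash = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true );
	$off  = ord( $hash[19] ) & 0x0f;
	$code = ( ( ord( $hash[ $off ] ) & 0x7f ) << 24 )
		| ( ord( $hash[ $off + 1 ] ) << 16 )
		| ( ord( $hash[ $off + 2 ] ) << 8 )
		| ord( $hash[ $off + 3 ] );
	return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// TOTP: the counter is the number of 30-second steps since the epoch. Accept
// one step either side for clock drift, compare in constant time, and return
// the matching counter (or false) so the caller can refuse replays.
// RFC 6238 test vector: secret "12345678901234567890", time 59 -> "287082".
function totp_verify( $secret, $code, $now = null, $step = 30, $window = 1 ) {
	$now     = null === $now ? time() : $now;
	$counter = intdiv( $now, $step );
	for ( $i = -$window; $i <= $window; $i++ ) {
		if ( hash_equals( hotp( $secret, $counter + $i ), (string) $code ) ) {
			return $counter + $i;
		}
	}
	return false;
}

// Runs after the username is found and before the password is checked; a
// WP_Error returned here aborts the login. Users without a secret skip 2FA.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
	if ( is_wp_error( $user ) ) {
		return $user;
	}
	$b32 = get_user_meta( $user->ID, 'totp_secret', true ); // assumed meta key
	if ( ! $b32 ) {
		return $user; // not enrolled
	}
	$code    = isset( $_POST['totp_code'] ) ? preg_replace( '/\D/', '', $_POST['totp_code'] ) : '';
	$matched = totp_verify( base32_decode_rfc4648( $b32 ), $code );
	if ( false === $matched ) {
		return new WP_Error( 'totp_failed', __( 'Invalid authentication code.' ) );
	}
	// A code is valid for a whole step, so remember the counter of the last
	// accepted code and refuse it a second time (replay within the window).
	$last = (int) get_user_meta( $user->ID, 'totp_last_counter', true ); // assumed meta key
	if ( $matched <= $last ) {
		return new WP_Error( 'totp_replay', __( 'That authentication code has already been used.' ) );
	}
	update_user_meta( $user->ID, 'totp_last_counter', $matched );
	return $user;
}, 10, 2 );

// Add the code field to wp-login.php.
add_action( 'login_form', function () {
	echo '<p><label>Authentication code<br>'
		. '<input type="text" name="totp_code" autocomplete="one-time-code" inputmode="numeric"></label></p>';
} );
```

The replay check is the part most hand-rolled implementations leave out: without it, a code captured from a user's screen or a phishing page works for the rest of its 30-second step, plus the drift window. The server clock also matters; if it drifts more than the window allows, every user is locked out at once, so keep it synchronised with NTP.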
7. Use secure hosting
Most of the cheaper website hosting companies provide shared website hosting, where you share space and resources with other websites on the same server. This affects not only your website’s performance but also its security: if another website on the same server as you becomes compromised, it can lead to other sites also becoming infected.
Make sure the hosting company you choose has a great reputation and don’t choose them as a host just off their pricing alone.
We’d recommend using a company like Krystal hosting (use code 44CD39B0 at checkout for a free £10!); great reviews, decent speed and awesome customer service. The price isn’t all that bad either.