WordPress Security Tips: Avoid The Hackers Series (Part 1)
“Ack!! What happened to my blog??”
As with everything that becomes popular, WordPress is not immune to the potential breach of security that hackers can inflict, and it certainly has not escaped the attention of hackers around the globe. There is always someone out there who wants to do more harm than good… that’s how I see hackers, anyway. As a law-abiding citizen, I really don’t understand what the whole point of breaking into people’s websites and computers is (and what kind of pleasure is apparently achieved), however, I do completely understand the repercussions of such a breach of security.
Here’s a dictionary definition of the word “hacker”:
Hacker: A programmer who breaks into computer systems in order to steal, change or destroy information as a form of cyber-terrorism.
Does this sound like the type of person you’d want accessing your site? Heck no! You would definitely want to avoid having this type of person accessing your site! I’m writing this series to give you a little insight on some steps you can take in order to protect your WordPress website or blog.
I’ve been doing a lot of research in the past few months on WordPress security, especially since I set up WordPress blogs and sites for customers. I work in the Security Industry at the moment, so I’m very aware of how malicious people can be, so to me, it’s extremely important to understand how to protect the WordPress blogs and sites that I set up, and because I’m passionate about helping people, I’m sharing the tips I’ve learned with you!
Disclaimer: There is no way to safeguard your WordPress installation 100%, however, there are many steps you can take towards protecting your blog or site. Read on to discover a few tips you can put into action right away (if you haven’t already)!
- Keep your WordPress installation up to date!
This is EXTREMELY important. WordPress releases regular updates to the platform itself, and part of the reason for these updates is the implementation of new features, but another big reason is closing security gaps! Over the years, the WordPress developers have discovered security vulnerabilities that are patched up and fixed in newer releases, so it is ABSOLUTELY CRUCIAL to keep your self-hosted WordPress site at the latest version. I can’t stress this enough! At the moment, you should be running version 2.9.2, and if you’re not, you need to upgrade urgently, and I mean AS SOON AS POSSIBLE! (Can you tell I can’t stress this enough?) 😉 If you’re not sure how to upgrade, it’s actually really easy, but let me know (leave me a comment below this post) and I will record a tutorial on how to upgrade your WordPress installation.
Also make sure you’ve kept all of your plugins up-to-date as older versions can also pose a security risk. The easiest way to upgrade multiple plugins is to log in as the Administrator, then go to Tools –> Upgrade, select all of the plugins that have updates available, and click on the button named “Upgrade Plugins”. It takes less than a minute of your time, but could save you a lot of heartache and frustration!
Note: This area will also let you know what version of WordPress you’re running, and if an upgrade is available, you can also upgrade the WordPress installation itself from here. However, if you’ve installed via Fantastico or SimpleScripts, I’d recommend using those tools to upgrade to the latest WordPress release.
- DO NOT leave the default “admin” username as the Administrator
If you’ve installed WordPress with Fantastico or SimpleScripts from your hosting provider’s Control Panel, then you’ve had the opportunity to use a different initial username for the Administrator account, and hopefully you will not have chosen “admin” as your username. If you’ve gone through WordPress’ “famous 5-minute installation” and downloaded and installed everything yourself, your default username is “admin”. It doesn’t take very long for a hacker to figure out what your password is and then log into your site or blog and cause some damage to your site! It is much harder for a hacker to figure out both the proper username AND password than just the password itself, and they know this and have already taken advantage of this fact! You don’t have to take my word for it – just google the keywords “wordpress hacked” and you’ll find lots of information about WordPress sites/blogs being hacked and precautions you can take. My goal here is to try to lay it out in an easy-to-understand manner so that even someone who is not very technical can protect their WordPress site.
So, if I can’t use the username “admin”, what should I use?
You shouldn’t use anything that’s obvious (for example, your name), and you should also make sure you update your nickname to be unrelated to what your username actually is, and then update what your name appears as to the public. To do this, you must go to Users –> Authors & Users, then click on “Edit” under your username. Here you will find the “Nickname” field, and below it you’ll see the “Display name publicly as” field with a drop-down menu that will show you your username, your name, and your nickname. Make sure you pick your nickname, and again, make sure your nickname is NOT the same as your username.
Doing this will at least make it a lot more difficult for a hacker to try to access your site and hopefully deter the hacker from even trying.
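If you look after more than a handful of accounts, the checks from this tip can be automated. The script below is an added example, not part of the original post: it assumes you have a CSV export of your users, and both the column layout and the sample users are made up for illustration.

```python
import csv
import io
import re

# Constructed sample data; the column layout is an assumption of this example.
SAMPLE_CSV = """user_login,nickname,display_name,first_name,last_name
admin,admin,admin,,
janedoe,Jane,Jane Doe,Jane,Doe
k7-orchid,Site Editor,Site Editor,Jane,Doe
bob,bobby,bob,Bob,Smith
"""

def norm(value):
    """Lower-case and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", value.lower())

def audit_user(row):
    """Return the list of findings for one user record."""
    login = norm(row["user_login"])
    first, last = norm(row["first_name"]), norm(row["last_name"])
    findings = []
    if login == "admin":
        findings.append("default admin username")
    if norm(row["nickname"]) == login:
        findings.append("nickname equals username")
    if norm(row["display_name"]) == login:
        findings.append("display name reveals username")
    # Usernames built from the person's real name are the "obvious" ones.
    name_forms = {first, last, first + last, last + first, first[:1] + last}
    name_forms.discard("")
    if login in name_forms:
        findings.append("username derived from real name")
    return findings

def audit(csv_text):
    """Map each username to its findings; an empty list means no issue found."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["user_login"]: audit_user(row) for row in reader}

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_CSV).items():
        print(user, "->", "; ".join(findings) or "ok")
```

Notice that “Jane Doe” as a display name still gives away the username “janedoe” once you remove the space, which is why the comparison ignores spaces and punctuation.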
If you haven’t taken action on these steps yet, do so NOW!
These are merely two tips to help you protect your WordPress site/blog, and there are many more tips that I will be sharing in this series. I perform these steps myself with my own sites/blogs, as well as with my clients’ blogs and sites, and I do offer WordPress maintenance packages in which I ensure your site is as protected as possible. If this is something you’re interested in, please do not hesitate to contact me to inquire about these services as I would be happy to help you make sure you’re as safe as possible from hackers, but again, there is no 100% guarantee! The measures we take to protect our sites are mainly deterrents, but it’s definitely better than being wide open to hacker attacks!
Have you ever had your own blog/site attacked by a hacker, or do you know someone who has? Share your story by leaving a comment below – it will help others understand that it is a very real threat, and it’s something that’s important to always keep in mind! I’m very thankful that my sites have never been hacked, but I’ve read some nightmare stories that really got me thinking about this subject – I hope I’ve sparked that in you too if you weren’t aware of the potential risks!