The grim truth is there is no way to completely protect yourself against hackers and security threats towards your WordPress website or blog. A determined hacker will find his or her way into your system whether you like it or not. It is up to you to make their job as difficult as possible. Unless there is a large financial payoff, there is a good chance the hacker will give up and try an easier website if you make hacking your website difficult enough. Here are a few ways to make your website less appealing to hackers.
1. Do not use defaults
There are numerous ways to sign up for and use WordPress. Some companies have easy-to-use packages that cost a fortune and others give you the basics for a great price. When you pick your hosting plan, domain name, and installation software, you should be wary of defaults. Hackers can use defaults to cut a lot of time off of brute-force attacks. Without going into details, simply remember that the more a hacker knows about your accounts, then the easier it is to hack them.
Do not use the default username and password you are given for both your hosting account and for your website content management system. Change your username and password as soon as you have purchased your package and installed WordPress.
Change your details even if the hosting company allowed you to enter your own details when you signed up (i.e. your username and password were not a defaults) because you cannot be sure how secure the hosting company’s servers are or who else has access to the information you entered into the system.
2. Delete unused plugins and even unused images
Some people say you should delete unused images because they waste space on your servers. Others think they may pose a security risk, even though the theory seems very specious. However, the theory that unused plugins are a threat to your WordPress security is very true. A hacker may target plugins that people purchased en masse because they were popular.
People keep plugins on their system despite never using them, and a hacker relies on this. A hacker gains access to your website and/or your information via a hole they find or create in your unused plugin. There is a good chance you haven’t updated it recently because you do not use it; the hacker gains access, and there is an even bigger chance you do not notice the breach because you rarely use the plugin.
For example, a plugin called TimThumb had a big bug that hackers exploited to gain access to people’s WordPress websites. The people that still use the plugin will have hopefully updated it by now, but the people that do not use it may still have the old buggy version on their system to this day.
In short, it is a good idea to delete plugins you are sure you are not going to use again. For example, there are people that still have plugins for the Google+ authorship program despite the fact that Google closed that program down a long time ago.
3. Have a long password and change it every 72 days
The password you choose should be over 8 characters long. It should be a mix of letters and numbers and should not feature any words. It should be a random mix of numbers and letters. Do not write your password onto anything electronic except for the small encrypted password box on your WordPress system. If you cannot remember your password because you are not Stephan Hawking, then write it down on a notepad that you store somewhere safe in your home.
Change it every 72 days because it makes a hacker’s life a little more difficult. It means the hacker has to start from square one again if he or she has a brute force program running on your website.
4. Consider security options from your hosting company
Many times the company you sign up with to host your website will offer its own security options. For example, if you go with HostGator, you can click to sign up for their “Security and Accelerate your site” add-on. It takes care of a few fundamental security options.
Beware of paying too much with hosting companies such as these. They often put out frequent discount codes and vouchers that can save you money and many times they have more than one, which means the discount code you have found may not be the best one.
5. Use WordPress plugins
These are pieces of additional software you can add to your WordPress content management system. They vary in quality, with some being worth the money and others being a bust. Do not forget that many of the plugins were made by regular people, which means some are useless and some are works of perfection. Do your research before buying security plugins and do not trust the marketing hype you read about them.
Remain skeptical and research testimonials with a negative bias. Look for bad comments about the plugins instead of searching believing the positive ones. If you can find a plugin that is established (not new), that has a fair amount of positive reviews that span over at least half a year, and that has very few negative reviews, then that may be a plugin you can trust with your WordPress security.
Do not download and install plugins that are not from trusted marketplaces. There are trusted WordPress marketplaces that check the plugins first, the same as there are trusted app marketplaces for mobile devices. Download and install plugins from independent websites at your own risk.
6. Stop being so blasé when it comes to other authorized contributors/editors
There are many examples of people hiring Middle Eastern freelancers to contribute to WordPress blogs. In most cases all is fine until after the freelancer is paid, the website is then hacked and something nasty happens to the website. Some of the web pages the hackers put online became semi-famous in themselves (see pic) because they appeared on prominent WordPress websites.
The worst part is that these hacks could have easily been avoided if the web masters had done any or all of these things:
+ Removed usage authorization from the freelancer once the job was complete
+ Used a random password for the freelancer instead of giving him/her one that the web master frequently uses
+ Restricted the permissions /authorization capacity of the freelancer so he/she didn’t have as much control
Do not make these mistakes with any of the people you have contributing to your WordPress website, especially when it comes to permissions. Severely restrict what other people can do so that only you have complete control. This is especially true when it comes to giving contributors the ability to control already posted items/pages. An angry contributor or freelancer is not above removing all your content and replacing it with photo-shopped pictures of you in a compromising condition.
7. Use secure hosting
This should go without saying, but you should find a host that puts security as a top priority. Many free hosting packages cannot afford to spend a lot of money on security, though that doesn’t automatically mean a big and expensive company spends a lot of money on security either.
It is up to you to find a hosting package that takes security very seriously because gaining access to your website via your servers is the ultimate backdoor pass. Done correctly, by getting into your website via hacking a server, the hacker may be able to overcome almost all of your security measures with ease.
8. Back up your website
Let’s not forget that if someone is motivated enough to get into your website, then that person is going to do it. A 15yr old hacked NASA, a 16yr old London boy Richard Pryce hacked American military systems and was noted as the biggest threat to US security at that current time, and Gary McKinnon managed to hack the USA’s most secure military computers that include Area 51. So, if you think your plugins and security protocols are a match for hackers, then think again.
Your best defense is to backup your website and if you are hacked you can wipe the slate clean, restart your security, change all your access passwords, improve your passwords, and re-upload your website data all within one day. Manually back up your website unless your hosting company offers the service for free and doesn’t charge for the extra space the backups take up. You only need the last 2 versions of your website. Do not keep all your backup copies as they will take up space on your servers, which is space you are probably paying for.
9. Keep things up to date
This goes for all your technology, software, and accounts. Keep up to date with WordPress updates, and if your security plugins come with free updates you should update as soon as they are released. Do not stick with old versions of WordPress because the longer a WordPress version exists, then the higher the chances are that hackers have found a way to break into it.
Make life a little harder for hackers by removing the WordPress version from being displayed to the public. Login as the administrator and go to Appearance > Editor > Functions.php. Before the closing tag ?> you should enter
remove_action(‘wp_head’, ‘wp_generator’);
The piece of code is highlighted above to show you how it should look. Do not forget that your may need a closing tag ?> that is not present on this image because there is more code below that is not featured on the image.
You should also add this following function to your functions.php file to remove the version number from other areas such as your RSS feed.
There are some security plugins that will do this sort of thing for you, but why pay for them to do it when you can do it yourself manually?