A few weeks ago, I installed WordFence Security on the websites I manage. One client emailed me, concerned, that she had 20 alert messages that someone was trying to access her website.
The username they were using? “admin.” Do you know why so many hackers try to hack WordPress websites with that username? It's the default username given when you do one of those “one-click” installs of WordPress.
The good news, the hacker didn't gain access to her site. WordFence showed me their IP address and I blacklisted them from her site. Thank goodness for WordFence!
Another crazy situation this week–someone tried to hack a development site of mine, using the user nickname for the site. They got that nickname off of one of my demonstration how-to videos. That's so not cool. See numbers 9 & 10 below.
Here's my tips for WordPress security:
- For fresh installs of WordPress, follow the 5 minute manual process rather than a one-click solution. It's worth the minor effort. Or hire someone to do this for you who knows about web security.
- Install the WordFence plugin (free and paid versions available) and set it up to notify you if someone is trying to admin access your site.
- Install Login Lockdown plugin (free). This plugin will automatically lock an IP address out for a period of time after 3 failed login attempts.
- Have a backup solution that makes regular WordPress backups–not on your server. I use Backup Buddy from iThemes and it's the BEST investment I've ever made for my site. Seriously. It now comes with a Stash account so you can send your backups off server. Yes, hosts have “backup” options too–but I really recommend using a WordPress tool. It's the safety net that you need.
- Keep your WordPress core software up to date–it's extremely important.
- Keep plugins also up to date. I recommend backing your site before performing any updates.
- Don't leave inactive plugins on your site. Delete the files. These are holes for hackers to gain access to your site.
- When you set up usernames and passwords, don't use “Admin” as a username. Make it something unusual with capital letter variations, numbers, or special characters. Make passwords super secure with capitalization, numbers, and special characters. I use a program called LastPass for generating secure passwords. It's free. I also keep a paper log.
- After you create your user name, make sure you create a different Nickname for it and select that nickname in the drop down menu to be shown on the website as who posted items in the blog. Watch my video on how to create and change the user nickname.
- Another strategy for users related to number 9, create an additional “Editor” user to login and use for yourself for posting your blog posts. Make sure that nickname is NOT the username.
- Scan your website at Sucuri on a regular basis.
- Use Google or Yahoo webmaster tools to make sure your site is functioning properly.