There is nothing worse than checking your email to find out that your host has disabled your site because it was hacked. Thousands of people and small businesses have this problem every year. Most of the time, these incidents can be prevented by following a few simple steps. With the correct preventative actions and tools, your site can be made far more secure.
- Update your site – WordPress hackers look for vulnerabilities in the WordPress core code, plugins, and themes. If you log in and see that updates are available, applying them should be your first priority. Some of my clients are reluctant to update plugins, and that reluctance in itself has the potential to cause a security breach.
- Use strong passwords – Anybody who has installed WordPress recently will have noticed that WordPress now requires you to confirm the use of a weak password. For best results, use a couple of words and numbers, then substitute variations of the letters or numbers. For instance, use + instead of T or t, 3 instead of E, and @ instead of a. For best security, start and end the password with a symbol. Be creative and aim for at least 10-12 characters in your password.
- Use WordFence or another plugin to protect your site – WordFence has two versions; for most sites the free version will suffice. Simply install and activate the plugin, and it will block malicious attempts to get into your site. You would be surprised at how many attempts your site sees daily. WordFence will also scan your WordPress installation for vulnerabilities and tell you how to correct them.
- Never install a paid plugin or theme that is pirated – This is a no-brainer. Attackers want to get into your system. What better way to get in than to give you a paid plugin or theme that has been injected with malicious code to create a backdoor?
- Secure your wp-admin area with .htaccess – For most people this is unfamiliar territory. Simply put, .htaccess is a file the web server reads to decide how to handle a request from a browser. A few lines in it, together with a .htpasswd file, give you an additional layer of protection. It goes without saying that the username and password in .htpasswd should differ from those you use to log in to your site. For those of you with multi-user WordPress installations, you can still create .htpasswd entries for each user on your site by adding their credentials to the file, one per line, and emailing your users about the new security protocol.
- For secure connections, only use TLS – SSLv2 and SSLv3 are no longer secure. There have been multiple breaches of websites because the "secure" connection wasn't secure after all. Unfortunately, there isn't a plugin that will do this for you, and it sometimes requires help from your hosting provider. For the DIY group using a VPS or dedicated server, simply update your ssl.conf file to disable the SSLv2 and SSLv3 protocols.
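The .htaccess and .htpasswd step above, as an added example that is not from the original post: an Apache 2.4 configuration that puts HTTP Basic authentication in front of wp-login.php and the wp-admin directory. It goes one step beyond the post by exempting admin-ajax.php, which themes and plugins call from the public front end, so that password-protecting wp-admin does not break the site. The path /home/example/.htpasswd and the usernames are placeholders; the server must allow AuthConfig overrides in .htaccess.

```apache
# --- file: .htaccess (site root) ---
# wp-login.php is the real login endpoint, so guard it here.
# Create the password file OUTSIDE the web root (placeholder path) with the
# htpasswd tool shipped with Apache; -B stores a bcrypt hash, -c creates the file:
#   htpasswd -B -c /home/example/.htpasswd alice
# Add further users (one line each in the file) without -c, so it is not overwritten:
#   htpasswd -B /home/example/.htpasswd bob
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile "/home/example/.htpasswd"
    Require valid-user
</Files>

# --- file: wp-admin/.htaccess ---
# Everything under wp-admin/ now needs a valid .htpasswd user in addition to
# the normal WordPress login, so a stolen WordPress password alone is not enough.
AuthType Basic
AuthName "Restricted area"
AuthUserFile "/home/example/.htpasswd"
Require valid-user

# Caveat: admin-ajax.php is requested by anonymous visitors (front-end AJAX in
# themes and plugins). Without this exception those requests get a 401 and
# site features silently break, so it stays reachable without Basic auth.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Test it from a logged-out browser: wp-login.php and wp-admin/ should prompt for the .htpasswd credentials first, while a front-end page that uses AJAX should keep working unchanged.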
By following the steps listed above, you can prevent most hackers from accessing your WordPress installation.