Hundreds of WordPress sites are hacked each day. Scary but true.

Usually, hackers install malware, or malicious code, on a hacked WordPress site. This not only causes problems for the site’s visitors; it can even destroy a site’s Google ranking.

The good news? There’s lots you can do to protect your site. Here are my 6 essential, easy-to-follow tips for locking down your WordPress site against attackers.

Keep Your WordPress Site Secure

1. Use a strong admin password

Guess what? Right now, someone is probably trying to break into your WordPress site by guessing your admin password! This is called a brute force attack. They don’t even need to do this by hand; hackers have tools that can try hundreds of passwords per minute using words from a dictionary. If you have an easy-to-guess password — such as a single English word — then there’s a good chance they’ll guess it eventually.

So make sure you use a strong password for your WordPress login. A good strong password contains a combination of upper- and lower-case letters, numbers, and special characters (such as &, $ and !). For example, “squirrel” is a weak password, while “Squ!rr3186” is much stronger.

2. Install the Wordfence plugin

Wordfence is a fantastic, free-to-use plugin that keeps your WordPress site secure in all sorts of ways:

  • It includes a firewall that blocks attackers before they even reach your WordPress site’s code.
  • If a hacker keeps trying to guess your admin password, it automatically locks them out of your login form.
  • It regularly scans all of your WordPress, plugin and theme files for malware. If it finds dodgy code, it can automatically repair the file to remove the malware.

Wordfence is always the first plugin I install on my clients’ sites!

You can install Wordfence by choosing Plugins > Add New in your WordPress admin, searching for “wordfence” (without quotes), and clicking Install Now.

3. Keep everything up to date

Apart from brute force attacks, the main way hackers get into your site is through a security hole in one of these three areas:

  • The WordPress core code
  • One of your installed plugins
  • Your site’s theme

WordPress, plugin and theme developers often release new versions of their code that patch security holes. So the best way to defend against this type of attack is to keep these three things updated at all times. Whenever you log into your WordPress admin, if you see a little “updates” icon available in the black bar at the top of the page, make sure you click it and update everything. (It’s a good idea to back up your site first.)

4. Watch your plugins

While the WordPress core developers are pretty good at finding and patching security holes, plugin developers are not always quite so on the ball. Many plugins are badly coded and littered with security holes. Lots of plugins are also abandoned by their developers over time, which means no more updates to patch any holes that are discovered.

Here’s how you can minimise the security risk from plugins:

  • Keep just the plugins you really need. Delete any plugins that are deactivated or nonessential.
  • Only install well-known plugins from reputable developers. Check the reviews for each plugin, and make sure it’s been recently updated.

5. Turn off file editing

By default, WordPress lets users edit the files that make up a site’s theme and plugins via the WordPress admin. This means that, if a hacker manages to guess your admin password, they can easily add malicious code to your site’s files.

Luckily, it’s easy to disable this feature. All you need to do is add the following line of code to the end of your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);
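
To confirm the setting is really active, here is an added example (not part of the original article) that reads a wp-config.php file and reports whether the line above is present, uncommented and set to true. The function names and the sample config are made up for illustration.

```python
import re
import sys

# Comments and string literals in PHP source. Strings are matched too, so that
# comment markers inside them (such as the // in a URL) are left alone.
TOKEN_RE = re.compile(
    r"/\*.*?\*/"             # block comment
    r"|//[^\n]*|#[^\n]*"     # line comments
    r"|'(?:\\.|[^'\\])*'"    # single-quoted string
    r'|"(?:\\.|[^"\\])*"',   # double-quoted string
    re.DOTALL,
)
# define('DISALLOW_FILE_EDIT', <value>) with either quote style.
DEFINE_RE = re.compile(
    r"""\b(?i:define)\s*\(\s*(['"])DISALLOW_FILE_EDIT\1\s*,\s*([^)]*?)\s*\)"""
)

def strip_php_comments(source):
    """Blank out comments while keeping string literals intact."""
    return TOKEN_RE.sub(
        lambda m: m.group(0) if m.group(0)[0] in "'\"" else " ", source
    )

def file_edit_status(source):
    """Classify wp-config.php source: 'disabled', 'enabled', 'unclear' or 'not set'."""
    found = DEFINE_RE.findall(strip_php_comments(source))
    if not found:
        return "not set"  # WordPress default: the file editor is available
    # PHP keeps the first definition of a constant and ignores later ones.
    value = found[0][1].lower()
    if value in ("true", "1"):
        return "disabled"
    if value in ("false", "0"):
        return "enabled"
    return "unclear"  # an expression or variable: check by hand

# Constructed sample input, not a real site's configuration.
SAMPLE = """<?php
define( 'DB_NAME', 'example' );
// define('DISALLOW_FILE_EDIT', true);
/* define('DISALLOW_FILE_EDIT', true); */
define( 'WP_HOME', 'http://example.test' );
define( "DISALLOW_FILE_EDIT", TRUE );
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print("Theme/plugin file editor:", file_edit_status(text))
```

Run it with the path to your wp-config.php as the only argument. A result of “not set” or “enabled” means the editor is still available in the WordPress admin.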

6. Backup, backup, backup

While it won’t directly protect your site from attack, backing up your site regularly is a very important security measure. It means that, if you are hacked and malware has been added to your site, you can quickly roll your site back to an older, clean version. Trust me, this is usually a lot quicker and easier than trying to remove all the malware code from a hacked site!

Install a popular WordPress backup plugin, such as UpdraftPlus, and set it to back up your site regularly.

Secure your WordPress today!

These simple, easy security measures only take a few minutes to put into place, and they could save you hours of time and headaches in the long run. So why not set them up today, and keep those hackers out of your site!