You have probably heard about websites being hacked. Often you read a news story and forget all about it.
WordPress hacking, though, is something that could happen to any one of us running a WordPress site.
Why would a hacker want to hack a small WordPress website you may ask?
- Use it to get their adverts ranked better in search engines
- Use it to distribute malicious software
- Use it to attack other websites …
The list goes on.
You need to take a few firm steps to prevent your WordPress website from getting hacked. Here are 7 easy tips you should implement on your WordPress website.
This article first appeared on DART Creations as The Essential Checklist to Prevent WordPress Hacking
1. WordPress Security starts with your workstation
Funny how, when we think about the security of our website, we tend to forget our own computer. If your own desktop is infected, it is more than likely going to pass the infection on to your website.
Make sure you keep all of your software updated, Mac or Windows. Software and browsers should be on the latest SUPPORTED versions!
Old versions have vulnerabilities which WILL get your machine infected no matter how many other precautions you take.
2. Keep WordPress on the latest version
Every release of WordPress includes a number of security fixes. Each time you don’t update to the latest version, you are literally leaving a door unlocked.
There are known vulnerabilities which hackers will exploit if you don’t have the latest version of WordPress installed on your site.
Side note: Consider a host which keeps your WordPress site updated automatically and takes your website’s security seriously.
3. Use a complex admin password
Prevent WordPress hacking: create a secure password and don’t use easy passwords
Complex passwords are NOT overrated. Users tend to prefer something shorter and easier to remember; a fact hackers know and take advantage of.
A good strong password comprised of letters, numbers, and any other valid characters will go a long way towards protecting your WordPress blog. Don’t use single words (regardless of length), letters-only, or numbers-only passwords either. What you’re trying to do is break the known patterns to make hacking difficult, if not impossible.
4. Use trusted sources only for downloads
If you are running on a tight budget you might be tempted by the option of downloading all the features and functionalities of premium plugins/themes for free – through pirate sites.
Would you trust a pirate with your gold? I think not.
Pirate sites are ill-reputed because they fill those legitimate ‘premium’ plugins/themes with malware and let the downloaders do the rest. They put hidden backdoors in that software. They will convert your brand’s online appearance into a giant poster for enlargement pills – or even worse, malware.
This is a known and very popular tactic of hackers. Pirated themes and plugins are riddled with backdoors and malware.
You can on the other hand trust sources like Envato Market (Theme Forest, Code Canyon), Elegant Themes, etc.
5. Plugins to prevent WordPress hacking
Your wp-admin should be protected. The login page and admin directory are available to all, including those with malicious intent.
You should strengthen the guard around admin with WordPress security plugins like:
It will limit the number of login attempts for each IP address, including your own (with auth cookies).
This plugin is a superb security solution in general. It runs a WordPress security scan. It also pays close attention to preventive measures so you don’t get hacked in the first place.
6. Backup your WordPress site (just in case)
What if, in spite of all the prevention, you still get your WordPress site hacked? A backup is one of the first things you’ll need to restore your site if you do get hacked.
Backup your WordPress site at least as frequently as you run maintenance or update it. There’s no excuse to be lax in this department, not when there are some quite thorough services and plugins that will run automated backups for you. There is VaultPress, UpdraftPlus, WP-DB-Backup, BackupBuddy, etc.
Create a schedule and let the plugin do the rest. Some of these plugins come with easy restore options. Check to ensure that the plugin is backing up the entire site, including all databases and directories.
7. Secure WordPress through correct file permissions
The rule of thumb is 755 for directories and 644 for files. This varies depending upon the server and the type of file in question, but in most cases these permissions will work very well. It would be best to ask your host to check, or if you’ve got direct access, you can do this yourself.
Never ever set file permissions to 777 (not even temporarily)
If you are serious about wanting to prevent WordPress hacking – Never set file/directory permission to 777 unless you want to give complete control over it to everyone, including hackers.
There is a very dangerous tendency amongst beginners to set file permissions to 777, “because it’s easy”, or “because we’ll fix it later”, or “because I’ll change it later”. This is extremely dangerous – 777 means anybody who wants to can change the contents of that file. With those permissions set, your website is an open house.
Once they have access to one file, rest assured it is very easy to jump to other files or install backdoors and other nasty stuff on your site.
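As an added example (not from the original article), here is a small POSIX shell script that finds anything under a WordPress root that every user on the server can write to (777, 666 and similar) and resets the tree to the 755/644 rule of thumb described above. The WordPress root path is assumed to be passed as an argument.

```shell
#!/bin/sh
# Added example, not from the article: audit a WordPress install for
# world-writable paths and apply 755 (directories) / 644 (files).

# Print every directory or file whose "other" write bit is set.
# Returns 1 when at least one such path exists, 0 when the tree is clean.
audit_world_writable() {
    root=$1
    # -perm -002 matches any mode with the other-write bit (777, 666, 757 ...),
    # not just an exact 777. Symlinks are skipped: their own mode is meaningless.
    offenders=$(find "$root" ! -type l -perm -002 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Apply the article's rule of thumb: 755 on directories, 644 on files.
fix_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Report the octal mode of one path (GNU stat first, BSD stat as fallback),
# so the result of a fix can be verified instead of assumed.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Typical use is `audit_world_writable /path/to/wordpress || fix_permissions /path/to/wordpress`; run the audit again afterwards to confirm nothing is still world-writable. Some hosts need wp-config.php tighter than 644, so check your host's guidance before applying this blindly.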