Could Your WordPress Site be Hacked by a Teenager With a few Simple Techniques?
OK, so you’re skeptical. Just how seriously should you take security for your website? Well, no one ever takes it seriously until it’s too late. And by then, well, it’s too late… Just a few days ago, a good friend of mine had his site hacked. A few lines of malicious code were injected into the site, and it would redirect visitors to spam sites whenever the visitor arrived from an external link. If the malicious code goes unnoticed for a while, Google might even punish your website by dropping its ranking significantly. Don’t let it happen to you!
Below are a few areas that you can tweak to make your website much more resistant to threats. I am going to focus specifically on WordPress security in this article since a lot of you are WordPress users. I hope this list is easy to understand, but if you have any questions, please leave me a comment.
By default, WordPress will set you up to use “admin” as your username. This should be avoided. By changing your username to something unique, you can make your site significantly stronger. For example, just by using your name, “johnsmith”, you can improve your site’s fight against WordPress security problems.
So maybe this is something that should be taught in school. Pre-school. Yeah, it’s that basic. Don’t use the word “password” as your password… do I need to run that by you again? OK, great. Also, don’t use real words in your password. The password “idontlikecats” would not stand up well to a brute-force attack (a type of security attack), because password-guessing software can try all the variations that include real words fairly quickly.
You should keep this in mind when you choose a password for the database, as well as for your user accounts. Many free password generators are available; a quick Google search will reveal quite a few options. I use a program called 1Password to manage all my passwords (I have close to 400). At $50 it is not cheap, but it has become an indispensable part of my daily routine.
Read more about choosing good passwords here (especially the section called How Not to Choose a Password):
If you have ever used an FTP program you probably saw three numbers next to your files. For important system files the permissions should always be set to “644.” This is especially crucial for the “wp-config.php” file, since it holds your database credentials. After installing WordPress, you may have accidentally changed the permissions. Double-check in your FTP program that it is set to “644.” Read more about file permissions.
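Checking this by hand in an FTP client is tedious, so here is an added example (not from the article) that audits the modes from a shell on the server. It assumes the WordPress root directory is passed as the first argument, and it goes one step beyond the article by also flagging any world-writable file in the tree, which any local account on the host could edit.

```shell
# Added example (not from the article): audit a WordPress install's file modes.
# Assumes the WordPress root directory is passed as the first argument.
wp_perm_check() {
  root="$1"
  bad=0
  # Files the article singles out; wp-config.php holds the DB password.
  for f in "$root/wp-config.php" "$root/.htaccess" "$root/index.php"; do
    [ -e "$f" ] || continue
    # GNU stat first, BSD/macOS stat as the fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if [ "$mode" != "644" ]; then
      echo "WARN: $f is mode $mode, expected 644"
      bad=$((bad + 1))
    fi
  done
  # Beyond the article: any world-writable file (mode bit 002) under the
  # tree is a red flag, because every local user could alter it.
  find "$root" -type f -perm -002 -exec echo "WARN: {} is world-writable" \;
  ww=$(find "$root" -type f -perm -002 | wc -l)
  bad=$((bad + ww))
  # Exit status 0 means nothing was flagged, so it can gate a deploy script.
  [ "$bad" -eq 0 ]
}
```

On hosts where PHP runs as the file owner, a tighter 600 on wp-config.php also works and is stricter than the article’s 644; this check, written to the article’s rule, would flag it.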
Change the prefix of your database tables away from the default “wp_” to something like “wp8s92nz_”. By doing this you make it almost impossible for your table names to be guessed. By keeping the “wp” at the beginning, you can still easily remember its purpose as the WordPress database prefix. Use WP Prefix Table Changer to change it in one click.
Every six weeks or so, a new version of WordPress will become available for update. As a matter of basic WordPress security practice, it is important to update your system as soon as possible. In these routine updates, WordPress will add security patches that address recent threats. It is always best to stay up to date. Download the latest release at WordPress.org or use the auto-update button built into WordPress.
On occasion Google has even warned WordPress site owners to upgrade.
You should also keep your plugins updated. Besides the fact that updated plugins will give you the newest features, on rare occasions upgrading could actually fix a security vulnerability. WordPress will automatically prompt you when there is an update ready for your plugins. It’s as easy as clicking a button.
Database backups are an important part of any WordPress security routine. Depending on the frequency that you add content to your site, you should set up a database backup on a weekly or more frequent schedule. There are many plugin options available which each have different strengths. I would go with Simple WordPress Backup for a simple option. I prefer WP-DBManager but it is a little more complicated.
You can have your database backed up to your server, or you can even have the backups emailed to a specific address. I do both; I have a certain email address set aside just for backups.
Backing Up Your WordPress Files
An .htaccess file can be accessed through your FTP program. By default it will be hidden, but you should be able to see it by turning on a setting… something like “View Hidden Files” in your FTP program. Htaccess files are really outside the scope of this article, but I wanted to bring them up briefly. By adding a few lines of code to this file, you can improve your WordPress security tremendously. Unfortunately, editing it can be very hard to understand and it can be very easy to make mistakes. Instead of editing the file directly, I would recommend installing BulletProof Security or WP Security Scan and using their built-in tools to do the heavy lifting for you.
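For readers who do want to see what “a few lines of code” in .htaccess looks like, here is an added example (not from the article or from either plugin) that appends two common protective rules: it blocks direct web requests for wp-config.php and turns off directory listings. It assumes the WordPress root is passed as the first argument and that Apache honours .htaccess in that directory (AllowOverride); the marker comments are my own convention so the function can be rerun safely.

```shell
# Added example (not from the article): append two protective rules to a
# WordPress .htaccess without duplicating them on a second run.
# Assumes the WordPress root is passed as the first argument.
wp_harden_htaccess() {
  ht="$1/.htaccess"
  touch "$ht"
  # Marker comment (our own convention) makes the function idempotent.
  if grep -q '# wp-harden: begin' "$ht"; then
    return 0
  fi
  # Append rather than overwrite, so WordPress's own rewrite rules survive.
  cat >> "$ht" <<'EOF'
# wp-harden: begin
# Block direct web requests for wp-config.php (it holds the DB password).
# Both syntaxes are included so the rule works on Apache 2.2 and 2.4.
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
# Stop Apache from listing directory contents such as wp-content/uploads/.
Options -Indexes
# wp-harden: end
EOF
}
```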
Well, that about wraps it up. There is a ton more to talk about but hopefully this was helpful to you!
How do you address security for your site?
I’d love to hear from you in the comments below!