WordPress Security Tips and Tricks

Do you run your own blog or website? If so, you most likely use WordPress. WordPress is a great platform for blogging as well as for building full-featured websites. Many of my clients use WP to run their websites. But, as with every great technology, there are risks. Bad guys and gals are out there roaming the internet to make your life difficult. 3MergingDesign’s website is built on the WordPress platform. Over the years, the site has been hacked and defaced numerous times. For every barrier that is put up, the bad people seem to find a way around it. So today I wanted to share with you some techniques that I implement not only for myself, but for my clients as well.

WordPress Username

I cannot emphasize this enough: do not make your WP username the same as your domain name. Attackers will try to log into WP using your domain name and then ‘admin’ as the login ID, because those are the obvious guesses. Yesterday alone I had 40 alert emails from users all across the globe trying to log into my site using 3mergingdesign as the username. I suggest using a mix of random letters and numbers. Another option is to log in with your email address, which WordPress accepts in place of the username. Keep in mind that the username is not really a secret: by default WordPress derives the author archive URL from it and the REST API lists authors who have published posts, so a random username slows bots down, but the password is what actually has to hold. Please make sure that the password for your WP site is not the same as the password for your actual email account, or an attacker who gets one has both. I use a password management tool to keep all my credentials so I do not need to remember them. I also have that backed up in case my computer ever decides not to turn on one day.

Two-Factor Authentication

I use this because most attackers are running bots that try to gain access to your site with nothing more than a username and password. I highly suggest it, especially to users who do not want a complex password, although it is no substitute for one. This second layer of protection stops the bot because the login asks for something the bot does not have: typically a one-time code from an authenticator app or a text message, or, with some plugins, an answer only you know. If you choose to have a simple username and password (I urge against this), do not use your username or password as the answer to the second layer of authentication. That is like leaving the house key in the door with the alarm code taped to it.
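To make concrete what the "additional bit of information" is in the common case, here is an added example (my own code, not part of the original post and not from any WordPress plugin) of a time-based one-time code as used by authenticator apps, with the server-side check an authentication plugin has to perform. The secret is the RFC 6238 reference test secret so the codes can be checked against the RFC's published vectors; the 30-second step, 6 digits, one-step clock skew allowance and replay refusal are my choices, not taken from the post.

```python
import base64
import hashlib
import hmac
import struct
import time

# Secret shared between the site and the authenticator app at enrolment.
# This is the RFC 6238 reference test secret, used here only so the
# results can be checked against the RFC's published vectors.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # assumption: the usual authenticator-app step
DIGITS = 6          # assumption: the usual code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Server-side check of the second factor.

    Accepts one step of clock skew either way, compares in constant time, and
    refuses to accept the same time step twice so a sniffed code cannot be replayed.
    """

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, submitted: str, at_time: int) -> bool:
        current_step = at_time // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            step = current_step + delta
            if step <= self.last_accepted_step:
                continue  # this step (or an earlier one) was already used: replay
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = step
                return True
        return False


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, the encoding authenticator apps expect in the QR code."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    now = int(time.time())
    print("enrol secret (base32):", provisioning_secret(TEST_SECRET))
    print("current code:", totp(TEST_SECRET, now))
    v = TotpVerifier(TEST_SECRET)
    print("accepted:", v.verify(totp(TEST_SECRET, now), now))
    print("replayed:", v.verify(totp(TEST_SECRET, now), now))
```

The point of the replay check is that a code is only as good as its freshness: an attacker who watches one login over a hostile network has at most a 30-second window and, once the code is used, none at all. This is what separates a real second factor from a "secret answer" that never changes.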

Monitor WP Files

There are many plugins that compare the files of your WP install against the copies currently in the official WordPress repository and warn you when a core, theme or plugin file has been changed or a file has appeared that should not be there. I am a fan of Wordfence. The setup is easy and the free version provides you with all the tools you will need to get started.
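To show what such a file monitor is actually doing, here is an added example (my own code, not part of the original post and not Wordfence's implementation). Where Wordfence compares against the copies on wordpress.org, this version compares against a baseline manifest of SHA-256 hashes you take from a known-good install, which is the same check without the network round trip. The sample install, the planted "backdoor" file and the "uploads must never contain PHP" rule are all constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large media files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (path relative to root, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences the way a file monitor reports them."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def suspicious(changes: dict) -> list:
    """Flag PHP dropped under uploads, a directory that should only ever hold media.

    This rule is an assumption of the example, not a Wordfence setting.
    """
    return sorted(
        k for k in changes["added"] + changes["modified"]
        if k.startswith("wp-content/uploads/") and k.endswith(".php")
    )


def demo() -> dict:
    """Constructed miniature install (not a real WordPress tree): baseline, tamper, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "wp-login.php": "<?php // constructed stand-in for a core file\n",
            "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
            "wp-content/uploads/2024/photo.jpg": "constructed stand-in for an image\n",
        }
        for rel, body in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        baseline = snapshot(root)

        # Simulate what a defacement typically leaves behind: an edited core
        # file and a PHP file dropped into the uploads directory.
        (root / "wp-login.php").write_text("<?php // constructed stand-in for an injected file\n")
        (root / "wp-content/uploads/2024/cache.php").write_text("<?php // constructed stand-in for a dropped file\n")

        changes = compare(baseline, snapshot(root))
        return {"changes": changes, "suspicious": suspicious(changes)}


if __name__ == "__main__":
    print(demo())
```

Two practical notes: the baseline manifest must live somewhere the web server cannot write to, otherwise an attacker who can edit wp-login.php can edit the manifest to match; and "modified" on a core file after you ran a WordPress update is expected, so re-baseline right after every update, not before.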

Create Backups

Most hosting companies provide a service that backs up your WP files and database. I highly suggest this, and it has saved my butt many times in the past. When an attack happens, you can restore a backup from the previous day and change your password. This will hopefully be good enough so that any code changes the attacker may have planted get wiped out. The catch is that the backup has to predate the break-in: if the attacker has been inside for a week and you only keep a day or two of backups, you restore the backdoor along with the site. That is why it is worth keeping several generations, with a copy stored off the server. Restoring also does nothing about how they got in, so pair it with the update and password steps in this post.

Keep WP Up-to-date

WP, like anything else in life, is not 100% bulletproof. Humans code the software. So when WP releases an update, it is a good time to upgrade: security releases usually fix holes that are already public, so the hackers now know that there is a way to get into your site and you need to block it before they do. The same goes for your plugins and themes, which are a common way in and are easy to forget about.

Limit Login Attempts


Attackers usually use a method called brute force. This attack method is just like it sounds: the attacker tries and tries and tries again, working through lists of common usernames and passwords, until they get in. Think of someone banging on your front door with a hammer. Eventually the door will break and the thief will gain access. A way to beat the attacker is to limit the number of attempts they have to get in. Wordfence has this functionality built in. I allow 5 attempts, then I block the user’s IP address for 60 days. After they are blocked they will most likely move on to their next victim. Two caveats: a botnet can spread its guesses across thousands of addresses, so a per-IP limit slows attackers down rather than stopping them, which is why the strong password and second factor above still matter; and if your site sits behind a proxy or CDN, make sure the plugin sees the real visitor address rather than the proxy’s, or one bad actor will get everyone blocked at once.
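To show the lockout logic over a failed-login log, and to tie it back to the username guessing described at the top of the post, here is an added example (my own code, not part of the original post and not Wordfence's implementation). The 5-attempt limit and 60-day block come from the post; the 5-minute window over which failures are counted, the log line format and the log lines themselves (documentation addresses, constructed) are assumptions of the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 5                       # from the post: 5 attempts
BLOCK_FOR = timedelta(days=60)         # from the post: block for 60 days
FAILURE_WINDOW = timedelta(minutes=5)  # assumption: how far back failures are counted

# Constructed sample log; not real Wordfence or web-server output.
# Format: <UTC timestamp> <client IP> <FAIL|OK> user=<username tried>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.5 FAIL user=3mergingdesign
2024-05-01T10:00:02Z 203.0.113.5 FAIL user=admin
2024-05-01T10:00:03Z 203.0.113.5 FAIL user=3mergingdesign
2024-05-01T10:00:04Z 203.0.113.5 FAIL user=3mergingdesign
2024-05-01T10:00:05Z 203.0.113.5 FAIL user=admin
2024-05-01T10:00:06Z 203.0.113.5 FAIL user=3mergingdesign
2024-05-01T10:00:30Z 198.51.100.7 FAIL user=admin
2024-05-01T10:00:31Z 198.51.100.7 OK user=x7q4kz
2024-05-01T10:00:32Z 198.51.100.7 FAIL user=admin
2024-06-15T09:00:00Z 203.0.113.5 FAIL user=admin
2024-07-15T09:00:00Z 203.0.113.5 OK user=x7q4kz
"""


def parse_line(line: str):
    """Split one log line into (timestamp, ip, outcome, username)."""
    ts, ip, outcome, user = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, outcome, user.split("=", 1)[1]


class LoginLimiter:
    """Per-IP failure counter with a long block once the limit is hit."""

    def __init__(self):
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.blocked_until = {}            # ip -> datetime the block expires

    def is_blocked(self, ip: str, now: datetime) -> bool:
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]     # block has expired; start fresh
            return False
        return True

    def record(self, ip: str, outcome: str, now: datetime) -> str:
        """Return the decision for this attempt: blocked, ok, fail or locked."""
        if self.is_blocked(ip, now):
            return "blocked"               # rejected before the password is even checked
        if outcome == "OK":
            self.failures.pop(ip, None)    # a real login clears the counter
            return "ok"
        recent = [t for t in self.failures[ip] if now - t < FAILURE_WINDOW]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            self.blocked_until[ip] = now + BLOCK_FOR
            self.failures.pop(ip, None)
            return "locked"                # this failure triggered the block
        return "fail"


def run(log_text: str):
    """Replay the log through the limiter; return (decisions, limiter)."""
    limiter = LoginLimiter()
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, ip, outcome, user = parse_line(line)
        decisions.append((ip, user, limiter.record(ip, outcome, when)))
    return decisions, limiter


def attempted_usernames(log_text: str) -> Counter:
    """Which usernames the bots are guessing; 'admin' and the domain name dominate."""
    return Counter(parse_line(l)[3] for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for ip, user, decision in run(SAMPLE_LOG)[0]:
        print(f"{ip:14} {user:16} {decision}")
    print(attempted_usernames(SAMPLE_LOG))
```

Reading the output: 203.0.113.5 is locked on its fifth failure and its later attempt in June is refused without the password being looked at; the attempt in July, after the 60 days have passed, is evaluated normally again. A single successful login from 198.51.100.7 clears that address's counter, so an honest user who mistypes a couple of times is not punished. Counting the usernames tried is also how you would confirm the post's observation that bots guess the domain name and ‘admin’.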