I want you to visualize yourself sitting at your computer and opening up your browser to bring up your favorite WordPress site. Imagine it now--run through the process mentally of how you normally open your website and how you open your WordPress admin panel. Now as you visualize it being just about ready to open...
...Imagine a sudden feeling of panic hitting you--your abdomen muscles suddenly contract as that sickening feeling rises inside your stomach and slowly takes control of your body. You just realized that your WEBSITE IS DOWN--you have no idea why, but you can tell it's really BAD this time. Is it just a bug? Can't be... Did a hacker take down my site? Where IS my site? What happened to all my files? Where is my wp-content folder??!! Oh boy...
Pheww, I don't even want to think about it... But did I scare you a little? I hope so... I hope that I can get you to finally pay attention now and implement some of the WordPress security tips that everyone always tells you about but you never do. Imagine how good it will feel knowing that the above-mentioned scenario will probably never happen to you, and you won't ever have to worry about losing your WP site and not being able to quickly restore operation.
While no website can ever be made 100% secure, if you follow this simple guide and implement the tips mentioned, you'll be a lot more secure than most websites and have a lot less to worry about. Below are 4 absolutely vital WordPress security tips, in order of importance:
1. Secure Your Login + More
If you're still logging in to your WordPress via the default "admin" user name, we need to change that ASAP. It is the WordPress default for every single installation in the world, so brute-force bots already know half of your credentials and only have to guess the password. Here's how to fix this and more:
Change your default user name:
Below I'll guide you through how to do it the "real" way, but if you don't think you're up to it, click here for the easy way.
- Log in to your hosting account and open phpMyAdmin to access your raw databases (don't worry, this will be easy). There's an icon for phpMyAdmin in cPanel. In GoDaddy, it is under Databases-->MySQL in your hosting dashboard.
- Once you're logged in, from the left column, select the WordPress database that you want to make this change to (if you only have one WordPress blog on your domain, you should only see one database besides "information_schema"). The database may be called "_wrdp1" or something similar to "soc1196452288121". Click that.
- Once you're in the correct database, select the wp_users table (the "wp_" prefix may vary according to your DB table prefix) and browse the data (there should be a tab up top titled "Browse").
- Locate the row that contains the value "admin" and click the pencil or Edit on that row.
- Change the value of admin (in the field titled "user_login") to a new name of your choice.
- Press Go to save. You have now updated your WordPress default login name and can log in with it. That's it! (Don't change anything else in phpMyAdmin unless you know what you're doing.)
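The same edit expressed as SQL, as an added example that is not part of the original post: it runs against an in-memory SQLite stand-in for the wp_users table (constructed rows, the real WordPress column names) so it can be tried without touching a live site. The UPDATE is keyed on the old login and is checked to have changed exactly one row, and the follow-up check also looks at user_nicename, the slug WordPress uses in author URLs, which the phpMyAdmin edit above leaves untouched.

```python
import sqlite3

# Constructed rows standing in for wp_users. The column names are the real
# WordPress ones; only the columns relevant to the rename are included.
SAMPLE_USERS = [
    (1, "admin", "admin", "Site Owner"),
    (2, "editor", "editor", "Editor"),
]


def open_sample_db():
    """Build an in-memory SQLite copy of wp_users so the statements below run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users ("
        " ID INTEGER PRIMARY KEY,"
        " user_login TEXT NOT NULL UNIQUE,"
        " user_nicename TEXT NOT NULL,"
        " display_name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def rename_login(conn, old_login, new_login):
    """Rename one account, as the phpMyAdmin edit does, with two safeguards:
    the UPDATE is keyed on the old login so no other row can change, and the
    affected-row count must be exactly one (a typo or a missing account is
    reported instead of silently doing nothing)."""
    if new_login.strip().lower() in ("", old_login.lower()):
        raise ValueError("pick a new login that differs from the old one")
    # Table name assumes the default 'wp_' prefix; adjust it for your install.
    cur = conn.execute(
        "UPDATE wp_users SET user_login = ? WHERE user_login = ?",
        (new_login, old_login),
    )
    if cur.rowcount != 1:
        conn.rollback()
        raise LookupError(f"expected one row named {old_login!r}, found {cur.rowcount}")
    conn.commit()
    return cur.rowcount


def columns_still_named(conn, name):
    """After the rename, report which wp_users columns still carry the old name.
    user_nicename (the slug in author URLs) is not touched by the rename above,
    so the old name may still be visible there."""
    found = []
    for col in ("user_login", "user_nicename", "display_name"):
        # col comes from the fixed tuple above, never from user input
        hits = conn.execute(
            f"SELECT COUNT(*) FROM wp_users WHERE {col} = ?", (name,)
        ).fetchone()[0]
        if hits:
            found.append(col)
    return found


if __name__ == "__main__":
    db = open_sample_db()
    rename_login(db, "admin", "sitekeeper")
    print(columns_still_named(db, "admin"))  # ['user_nicename']
```

On a real site the only statement you need is the UPDATE; the row-count check is the part worth copying, because an UPDATE that matches zero rows succeeds silently.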
Ok that was fun. But we're not done yet. You also need to change your password to a better one.
A Fun Way To Change Your Password
Simply login to WordPress (with your new Username and existing password of course), and go to Users-->Your Profile, and use the New Password field at the bottom.
Being somewhat paranoid, I wouldn't recommend using the output of any of the free password generators that you can find online. Instead, what I do is play around with Microsoft's password checker and come up with a password myself that earns a "Best" rating, then use that. Check it out, it's tougher than you think (and you'll see that most of the passwords you currently use are very weak)! I don't know the statistics, but I bet that most WordPress security hacks happen due to site owners using cheesy passwords.
Update Your Hosting Account Password Too!
While we're talking passwords, you also need to make sure you have just as secure a password for your hosting account (cPanel, GoDaddy etc.) as you do for WordPress. Create a tough password, and use it. Don't use the same one as on WordPress though! cPanel has a "Change Password" icon to make this change easy.
Almost Done. A Few Plugins to Really Keep Your Login Secure
As important as the previous tips were, these plugins offer even more protection and make it essentially impossible for anyone to login to your WordPress via unauthorized means. Install these 3 plugins (yes all of them) and they'll work in concert to offer a triple layer of brick walls for any would-be hacker. Overkill? Maybe, but they only take a second or two each to install, so you should do it.
If you're wondering why you need to install all 3 when they essentially all do the same job, the simple answer is that they each work in different ways to offer the same protection, so a gap in one is covered by another. The Limit Login Attempts plugin offers the first layer of protection, and is the plugin you will see logging all of the unauthorized login attempts. (You'll be surprised how many you'll see!)
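What a login limiter such as Limit Login Attempts decides, as an added example that is not the plugin's code: constructed attempt records are replayed through a sliding-window policy (N failures within W minutes locks the IP for T minutes; a successful login resets the count), and the output is the kind of thing the post says you will see in the plugin's log: lockouts, refused attempts, and the usernames that were tried. The record format, thresholds and IP addresses are invented for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login-attempt records in a format invented for this example:
# timestamp, client IP, username tried, outcome. Real plugins store this
# differently; the decision logic below is the point.
SAMPLE_LOG = """\
2012-03-01 10:00:01 203.0.113.7 admin FAIL
2012-03-01 10:00:03 203.0.113.7 admin FAIL
2012-03-01 10:00:04 203.0.113.7 admin FAIL
2012-03-01 10:00:06 203.0.113.7 admin FAIL
2012-03-01 10:00:09 203.0.113.7 administrator FAIL
2012-03-01 10:01:00 198.51.100.2 editor FAIL
2012-03-01 10:01:30 198.51.100.2 editor OK
2012-03-01 10:30:00 203.0.113.7 admin FAIL
"""

MAX_FAILURES = 4                 # failures inside the window that trigger a lockout
WINDOW = timedelta(minutes=10)   # sliding window in which failures are counted
LOCKOUT = timedelta(minutes=20)  # how long a locked IP is refused


def parse_line(line):
    """Split one constructed record into (timestamp, ip, username, result)."""
    date, time, ip, user, result = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), ip, user, result


def replay(log_text, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
    """Replay the records through the lockout policy and summarise what happened."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    locked_until = {}               # ip -> time at which the lockout expires
    usernames = defaultdict(set)    # ip -> every username that IP has tried
    lockouts, refused = [], 0

    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        usernames[ip].add(user)
        if ip in locked_until and ts < locked_until[ip]:
            refused += 1            # still locked: refuse before checking the password
            continue
        if result == "OK":
            failures[ip].clear()    # a real login resets the failure counter
            continue
        q = failures[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures that aged out of the window
        if len(q) >= max_failures:
            lockouts.append((ip, ts.isoformat(sep=" ")))
            locked_until[ip] = ts + lockout
            q.clear()

    return {
        "lockouts": lockouts,
        "refused": refused,
        "usernames": {ip: sorted(names) for ip, names in usernames.items()},
    }


if __name__ == "__main__":
    for key, value in replay(SAMPLE_LOG).items():
        print(key, value)
```

Two details matter in practice: an attempt that arrives while the IP is locked is refused without the password being checked at all, and the failure queue is cleared when the lockout starts, so the next lockout needs a fresh run of failures rather than triggering on the first attempt after expiry.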
2. Guard Your Site - Must-Have WP Security Plugins (And Plugins to Delete)
While you're working with plugins, there's one more that you need to install. It's free, and goes a long way in securing your WordPress site since it takes care of a multitude of issues that would take hours to do manually. Remember, advanced crackers and hackers will find the back door to your site if the front door is locked (à la the previous security measures and plugins we went over). So you need to install one of these all-in-one WordPress security solutions. Configuration is easy, and the out-of-the-box settings work great, but read everything on the download page and follow the instructions:
- BulletProof Security (The most secure and comprehensive plugin, with many built-in security features and checks that work great out of the box. Requires some configuration, and might not work well with some plugins. Try this plugin first; if it gives you problems, try the plugin below.)
- Secure WordPress (An alternative to the previous plugin. While not nearly as comprehensive, it takes care of most basic WordPress security issues such as hiding your WP version and limiting access to certain files. I use this on a few blogs I own that are running old versions of WordPress that I can't update for various reasons. Yes, this is bad, but sometimes necessary, especially with troublesome e-commerce themes that don't like WordPress updates.)
Delete any Plugins You Don't Use
This is important: if you have any old plugins installed (even if they're deactivated) that you don't use anymore, delete them! Deactivating only stops WordPress from loading a plugin; its files stay on the server where they can still be reached directly. There's no reason for them to be on your server, and on the off chance that they contain malicious code (it's happened to me), you don't want them anywhere near your site.
3. Always Update Your WordPress
WordPress is open-source software that's used throughout the world in all types of hosting environments, and as such, security issues and other bugs are very quickly discovered and fixed by the community and the developers. Some of these are small bugs, while others are major security issues, but hackers love to go after outdated and less secure WordPress versions. There's no reason your WordPress site should be at risk from this if a fix already exists. Therefore, always update.
Another important reason to regularly update is because if you don't upgrade WordPress for a long enough time, like from say version 2.8 to the current 3.3.1 version, there will be so many changes that if you suddenly update across that many versions, your theme or some plugins may not work correctly afterwards. It's best to always do small, timely updates as they come out, and always check to make sure everything is working as it should.
4. Backup Your WordPress, Like You Mean It
This vital tip ended up last in this list, but it is equally important as any of the other WordPress security issues. Why? Because unless you're storing or processing truly sensitive information on your site (not including credit card transactions or other things that go directly through a secure merchant website), you probably wouldn't even care that your site went down for whatever reason IF you know that you could easily restore it from a backup and be up and running quickly. In other words, if all of the above security measures fail and someone still hacks your site (it can happen because nothing can be made 100% secure), you can at least feel good knowing that nothing was lost and your site can be brought back to life easily.
The irony with backups though is that any backup you do will only be as good as the restore (and your restoration skills), therefore I don't recommend anyone with an important and/or money-making WordPress site to trust any of the free WordPress backup plugins or manual solutions out there unless you've done a restore before. Why? Because if your site really does go down, at best it will take several sphincter-clinching hours for you to restore your database and re-configure your installation, admin access, and plugins etc. (even if they're backed up right), but at the worst you'll realize that you can't handle the task of piecing back together your site and you'll be in for a major headache and a WordPress site that's down for a day or more until you finally fix it. Also, backups are pretty much useless if they're done manually, because quite frankly you'll forget to make timely backups.
So instead... I'd recommend any of these 3 popular WP backup solutions that take care of everything for you when it comes to realistically backing up and restoring your site should the worst happen:
Any of these providers will allow you to back up your WordPress site in its entirety to a secure server they provide (or your own secure location, such as an Amazon S3 cloud account etc.), and this means that if something happens to your site, even if you don't know what it is, with their setup you can restore everything exactly the way it was, in its entirety, with just one click. Everything from your posts to your plugins to your WordPress version will be restored to the exact way it was before, and you will be back up and running like nothing ever happened.
Sound too good to be true? It's not... All it will cost you is a few bucks, and it will be the best money you ever spent should your site be hacked or otherwise compromised. Prices range from $6.00-15.00 per month with these services, so it's about the same as your hosting bill. And it is just as important. Go sign up to one of these now. I'd personally recommend BlogVault, as it is the easiest to set up and use, and technical support is outstanding. Also, if for some reason you're running a WordPress installation older than version 3.0, BackupBuddy and possibly VaultPress won't work. BlogVault costs $9 per month for one site, or $19 for three sites. There are other packages available for more sites.
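A minimal backup with a built-in restore rehearsal, as an added example that is neither the post's nor any of the named services' code: it archives a constructed WordPress-like tree together with a manifest of SHA-256 digests, restores it into a scratch directory, and compares every file against the manifest, which is the "test the restore" step the post insists on. It also refuses archive entries with absolute or ".." paths (and links) so a restore cannot write outside the target directory. The database is represented by a constructed dump file; on a real site you would produce that with mysqldump first.

```python
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"


def build_sample_site(root):
    """Create a small constructed WordPress-like tree plus a fake SQL dump."""
    root = Path(root)
    files = {
        "wp-content/themes/sample/style.css": "/* Theme Name: Sample */\n",
        "wp-content/plugins/sample-plugin/sample-plugin.php": "<?php // constructed stub\n",
        "wp-content/uploads/2012/03/photo.jpg": "not-really-a-jpeg\n",
        "wp-config.php": "<?php define('DB_NAME', 'example_db');\n",
        "database.sql": "-- constructed dump\nINSERT INTO wp_users VALUES (1, 'sitekeeper');\n",
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return sorted(files)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(site_root, archive_path):
    """Archive every file under site_root and embed a manifest of their digests."""
    site_root = Path(site_root)
    manifest = {p.relative_to(site_root).as_posix(): sha256_of(p)
                for p in sorted(site_root.rglob("*")) if p.is_file()}
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(site_root / rel, arcname=rel)
        data = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def safe_member(member):
    """Reject entries that could escape the restore directory or alias other files."""
    parts = Path(member.name).parts
    return not (member.name.startswith("/") or ".." in parts
                or member.issym() or member.islnk())


def restore_backup(archive_path, dest):
    """Extract the archive into dest (skipping unsafe entries); return its manifest."""
    dest = Path(dest)
    with tarfile.open(archive_path, "r:gz") as tar:
        tar.extractall(dest, members=[m for m in tar.getmembers() if safe_member(m)])
    with open(dest / MANIFEST_NAME) as f:
        return json.load(f)


def check_restore(dest, manifest):
    """Compare each restored file with the manifest; an empty list means a clean restore."""
    dest, problems = Path(dest), []
    for rel, digest in manifest.items():
        if not (dest / rel).is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(dest / rel) != digest:
            problems.append(f"changed: {rel}")
    return problems


def demo_round_trip():
    """Back up the sample site, rehearse a restore, then damage a restored copy
    to show what the check reports. All paths live in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        site, archive = Path(tmp) / "site", Path(tmp) / "site-backup.tar.gz"
        build_sample_site(site)
        manifest = create_backup(site, archive)
        scratch = Path(tmp) / "rehearsal"
        clean = check_restore(scratch, restore_backup(archive, scratch))
        damaged_dir = Path(tmp) / "damaged"
        damaged_manifest = restore_backup(archive, damaged_dir)
        (damaged_dir / "wp-config.php").write_text("tampered\n")
        (damaged_dir / "database.sql").unlink()
        damaged = check_restore(damaged_dir, damaged_manifest)
        return {"files": len(manifest), "clean": clean, "damaged": sorted(damaged)}


if __name__ == "__main__":
    print(demo_round_trip())
```

The rehearsal is the part to keep running on a schedule: a backup that has never been restored into a scratch location tells you nothing about whether it will restore when it counts.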
That's It!
If you've followed all of the steps I mentioned, you are now much more secure with your WordPress site, and should anything happen, you are protected by the automated backups performed by whichever of the 3 services I mentioned you chose. All of the tips I mentioned can be completed in 1-2 hours (total), and there's no reason not to do them, especially if you're making money with your WordPress site or if you have many important things on there that you couldn't stand to lose. Thanks for taking the time to read this (rather lengthy) post, but have fun and happy WordPressing! (If you have any questions feel free to ask as I respond to all comments)
Also, see my last article on Search Engine People on removing duplicate content on a site after Panda.
Recently I’ve been hearing more about attacks on WordPress websites. Thanks for this valuable information.
Must. Backup. Now.
Thanks for reminding
I was suspecting something wasn't right when I installed the WP Firewall 2 plugin. Within 24 hours of doing so, I received emails telling me that it detected unauthorized access and stopped it. Scary stuff. I will definitely check out your other suggestions and get to deleting all the plugins I no longer use. Great tip! Thanks.
As well as the above I recommend that you also ideally:
1. restrict access to wp-admin to only your IP address. Not so easy if you have multiple users and dynamic IPs, but if you are running the blog yourself and your ISP gives you an IP it means nobody else can log in, even if they have your password.
2. WordPress Firewall – there are a couple, both work. Both block suspect URL queries which are often related to MySQL injection attempts, and they also help protect when a plugin goes bad.
3. Back up on 3 levels:
3.1 Full server backup, and download.
3.2 Backup your wp-content files and database
3.3 Create a WordPress export file.
4. Never keep FTP logins and passwords saved on your PC. Many programs save them, such as FTP clients, HTML editors etc. Just remember them, or even keep them written down in a book. Some trojans / viruses are designed to sniff out FTP details.
Plugins to be careful with are any image upload (or any file upload) plugins. These are notorious. Although most are secure, some themes use them built in and they are not updated. So final tip:
5. Make sure you use secure themes!
So far I have only used the Login Lockdown plugin on my site. Backup is a vital thing for any WordPress owner.
Nowadays, many websites have been hacked due to low security. I have a website that was hacked, but I learned my lesson. Thanks for this information. I have done some of them, but I have not yet started to back up my website.