WordPress is great, until the day your site is hacked. That precious site you spent so much time planning and building, the one that took countless hours to get up and running, and just when your business or organization is really beginning to reap the benefits of having a web presence, your beautiful website is hacked! What do you see in front of you? Maybe a white screen, or the site is there but strange ads are displaying. How can this be? Not you, not now, not ever! If you have ever had your site hacked, you know firsthand that feeling of frustration.
Following the tips below won’t guarantee your site will never get hacked, but it should greatly reduce the risk. When it comes to web technology, risk is a constant variable in a long equation. The key to sustaining a website is minimizing that risk by practising what is called ‘hardening’ your site. If you follow the best practices for ‘hardening’, which you can think of as fortifying your website, you will greatly reduce the risk of getting hacked.
1. Create a Strong Username and Password
I can’t tell you how frustrating it is when a marketing department asks me to work on their WordPress website and I find out that their username is ‘admin’. Worse, they are using a password that includes a reference to the title of the website or service. WordPress installers (and many one-click hosting installers) have historically set the first username to ‘admin’, so change it to something unique. Keep in mind, though, that a username is not a secret (WordPress exposes author names through its author archive URLs), so the password is what really carries the load. Create a password that you could not remember without a photographic memory: at least 10 characters, and longer is better, mixing numbers, lowercase and uppercase letters and special characters. A good password would be something like ‘(8*9p0ouLuY$39!3#’. While it may not be convenient to have a password that you cannot remember, a password manager solves that, and it is much better than having your site hacked. Keep in mind that WordPress sites usually aren’t hacked by individuals but by ‘brute force attack bots’. These bots pull up to your site and hammer the login page (wp-login.php, and often xmlrpc.php as well) with thousands of username and password combinations in a matter of seconds. If you have a soft password, there is a high chance that your site will eventually get hacked.

You can also add a security plugin such as iThemes Security or Wordfence, which will rate-limit and lock out these login attempts. Be advised, though, that a security plugin may slow your site down. In case you are hacked, make sure you always have a recent backup. I would advise contacting your hosting company and making sure that you have at least a weekly backup configured, that the copies are stored somewhere other than the web server itself, and that you have actually tried restoring one. This will save you a future headache.
2. Keep all plugins, themes and versions of WordPress up to date
At any moment there are a significant number of vulnerable sites out there simply because of neglect, or because of the myth that updating a plugin or moving to the latest version of WordPress is going to break your site. While it is true that a site may malfunction or even go down once in a while after an update, in my experience that happens well under 5% of the time. As I mentioned before, always have a recent backup of the site for the rare case where an issue arises, and if you have a staging copy, run the updates there first. You may be thinking that you would rather not deal with the rare event of the site going down and opt not to update anything. I can tell you from experience that this approach will eventually lead you down a path to a much bigger headache. Take my advice: keep your plugins and themes updated, and always update to the latest version of WordPress. As a matter of practice, update your plugins and theme first, then update to the latest version of WordPress, and check the site after each step so you know which update caused a problem if one appears.
I have managed WordPress sites ranging from small sites to microsites used by large organizations. I have come across a fair number of people in marketing or content departments who are scared to update WordPress for fear that something will go wrong. This is not a good approach to the web, and especially not to web security. Not only will your site begin to malfunction if you neglect updates for a long period, the chances of it getting hacked and infected with spam or malware greatly increase, because once a plugin vulnerability is public, bots quickly start scanning for sites that have not patched it. I have seen it happen a few times. Whether you are using WordPress or another platform, when it comes to security and maintenance it is always better to be proactive. As a good rule of thumb, never forget that WordPress security and maintenance are really two sides of the same coin. Proper care and management of your site will drastically reduce the risk of hacking attacks.
3. Delete plugins that are not active and reduce the number of active plugins
There is a good chance that you have one or two deactivated plugins on your site. If you are not going to use them, then delete them. It’s perfectly okay to deactivate a plugin for a few hours or even a few days, but don’t leave it like that indefinitely. Remember that deleting a deactivated plugin has no bearing on how your site functions, while leaving it deactivated does not make it harmless: its files are still sitting in wp-content/plugins and are still reachable through the web server, so a vulnerability in a plugin file that can be requested directly is exploitable whether or not the plugin is active. Keep in mind that your theme and plugins are potential avenues for nefarious players to enter your site. Again, the emphasis should be on ‘hardening’ your site and minimizing those entry points.
With that said, you also want to reduce the number of plugins. I would advise having no more than 7 plugins. If you really need 8 or 9, then go for it, but only if you can justify it. Too many plugins will not only slow your site down and can even take it down because of conflicting code, but, as mentioned before, every plugin is additional code that serves as an avenue into your site. You want your website to be a fast-loading, efficient machine that isn’t vulnerable through overexposure. Remember that the Internet is a volatile environment and your website has to live in it. Just as you would fortify your house, the same is true for your site.
4. Only use trusted Themes and Plugins
There are thousands of free themes and plugins available for WordPress. If you are going to use a free theme, then I highly recommend only using themes listed in the official WordPress.org theme directory (and the same goes for plugins and the plugin directory), where submissions are reviewed before they are listed. You also want a theme that receives updates on a regular basis. Updates are important because they are often fixes for security vulnerabilities, so each time you update your theme or plugin you are essentially ‘hardening’ your website as mentioned in the previous section; the directory listing also shows when a theme or plugin was last updated, which is a quick way to spot abandoned ones. I also recommend sticking with themes and plugins that not only have good reviews and ratings but have a large number of active installs when possible.
Another route is to use a paid theme and paid, premium plugins. This is more costly, but in addition to technical and customer support, you get more eyeballs watching these themes and plugins for potential security vulnerabilities. Keep in mind that plenty of premium plugins and themes also offer a free version, and more often than not the free version is enough. Whatever you choose, get premium themes and plugins from the vendor: ‘nulled’ copies downloaded from third-party sites commonly ship with backdoors or spam code, and they cannot receive the vendor’s updates. It is also possible to have a custom theme or plugin tailor-made for your site by a developer. There is nothing wrong with that, but make sure you are working with a trusted developer. Like all things in life, you get what you pay for.
5. Block IP addresses from certain countries
Ok, let’s not get all PC and beat around the bush. To minimize the chance of your site getting hacked, block all IP addresses from Russia and parts of Eastern Europe. It is no secret that much of the world’s hacking comes from this part of the world. Be clear about what this buys you, though: bots also run from compromised servers, VPNs and cloud hosts all over the world, so a country block cuts down the noise rather than building a wall, and it will also turn away any legitimate visitors and services in those countries. There are two ways to block IP addresses. As mentioned before, you could use a plugin like iThemes Security or Wordfence, or you can manually add the IP blocks to your .htaccess file.

To get to your .htaccess file through cPanel, go into ‘File Manager’, click ‘Settings’ in the upper right-hand corner and tick ‘Show Hidden Files’. Go back into your public_html folder and the .htaccess file should now be visible. Before you edit it, download a copy: a typo in .htaccess takes the whole site down with a 500 error, and putting the copy back is the quickest way to recover.

Open your .htaccess and enter the IP addresses you want to block. The part of the snippet to copy is the ‘Order Deny,Allow’ line and the lines underneath it, one ‘Deny from’ line per address or range. Paste this part at the bottom of your .htaccess file, and be sure to replace the example IP address in the snippet with the IP address you want to block. You can add as many lines as needed. You could end up with hundreds of lines denying individual IP addresses, but country-level block lists are published as CIDR ranges (for example 203.0.113.0/24 covers 256 addresses in a single line) and ‘Deny from’ accepts those, so one range per line keeps the file manageable. Do not add an ‘Allow from all’ line after the denies under this Order: Allow is evaluated last and would re-admit everything you just denied.
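As an added example, not code from the original post or from WordPress or Apache themselves, here is a Python script that ties the brute-force bots of tip 1 to the .htaccess blocking of tip 5: it reads an Apache access log, flags any client that fails the wp-login.php form too many times in a short window, and renders those addresses (plus any ranges you add by hand, such as a country list) as the deny block to paste at the bottom of .htaccess. The log lines are constructed sample data using reserved documentation addresses; the script assumes the Apache ‘combined’ log format and the WordPress convention that a failed login re-renders the form with a 200 while a successful one redirects with a 302. The function names and the 10-attempts-per-minute threshold are my choices, not anything WordPress or Apache defines.

```python
"""Find brute-force login bots in an Apache access log and turn them into .htaccess deny rules."""
import ipaddress
import re
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields the analysis needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic): 198.51.100.7 fires 40 login attempts in 40
# seconds, 203.0.113.5 logs in on the first try, 192.0.2.10 mistypes once and then succeeds.
SAMPLE_LOG = "\n".join(
    [
        f'198.51.100.7 - - [10/Mar/2016:13:55:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" '
        '200 3512 "-" "python-requests/2.9"'
        for i in range(40)
    ]
    + [
        '203.0.113.5 - - [10/Mar/2016:13:55:10 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
        '203.0.113.5 - - [10/Mar/2016:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [10/Mar/2016:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [10/Mar/2016:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ]
)


def failed_logins(log_text):
    """Map each client IP to the timestamps of its failed wp-login.php POSTs.

    Assumption: WordPress answers a failed login by re-rendering the form (HTTP 200)
    and a successful one with a redirect (HTTP 302), so a 200 to a POST is a failure.
    A plugin that changes that behaviour would need a different rule here.
    """
    attempts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if not m["path"].startswith("/wp-login.php"):
            continue
        attempts.setdefault(m["ip"], []).append(datetime.strptime(m["ts"], TS_FMT))
    return attempts


def brute_forcers(log_text, threshold=10, window_seconds=60):
    """Return the IPs with at least `threshold` failed logins inside any
    `window_seconds` span (sliding window over each IP's sorted timestamps)."""
    window = timedelta(seconds=window_seconds)
    flagged = []
    for ip, times in failed_logins(log_text).items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged, key=ipaddress.ip_address)


def _collapse(entries):
    """Parse IPs and CIDR ranges and merge adjacent or nested ones. Done per IP
    version because collapse_addresses refuses to mix IPv4 and IPv6."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    merged = []
    for version in (4, 6):
        merged.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return merged


def _fmt(net):
    # Single hosts as a bare address, ranges in CIDR form; Apache accepts both.
    return str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen


def htaccess_rules(entries, apache24=False):
    """Render the deny block to paste at the bottom of .htaccess.

    Apache 2.2 style: under `Order Deny,Allow` anything matching a Deny line is refused
    and everything else is allowed by default. No `Allow from all` is emitted on purpose:
    under this Order, Allow is evaluated last and would re-admit the denied hosts.
    Apache 2.4 style (mod_authz_core) uses `Require not ip` inside <RequireAll>.
    """
    nets = _collapse(entries)
    if apache24:
        lines = ["<RequireAll>", "    Require all granted"]
        lines += [f"    Require not ip {_fmt(n)}" for n in nets]
        lines.append("</RequireAll>")
    else:
        lines = ["Order Deny,Allow"] + [f"Deny from {_fmt(n)}" for n in nets]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    bad = brute_forcers(SAMPLE_LOG)
    print("flagged:", bad)
    # A hand-added range that already contains the flagged host collapses to one line.
    print(htaccess_rules(bad + ["198.51.100.0/28"]))
```

To use it on a real site, replace SAMPLE_LOG with the contents of the access log your host exposes and paste the printed block at the bottom of .htaccess. Pass apache24=True if your server runs Apache 2.4 without mod_access_compat (most cPanel hosts still accept the Order/Deny form). Feeding a published country CIDR list into htaccess_rules gives you the country block from the section above in a handful of lines instead of hundreds.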
WordPress security is not something to take lightly. More importantly, good WordPress security really begins with proper site maintenance. When it comes to implementing best security practices and providing proper site maintenance, it is always better to be proactive than passive.