10 tips to prevent your WordPress blog from getting hacked
1 – Install a good WordPress backup plugin for your blog. There are about a zillion things that can go wrong with a WordPress blog, and often the fastest and easiest way to fix a problem is to simply restore the blog from a recent backup. And sometimes, restoring from a backup will be the ONLY way to fix a problem. That’s why I strongly recommend that you have a good backup solution in place and have at least one backup “in the bank” before continuing on with the other steps listed below. There are several good WordPress backup plugins to choose from but I use and recommend the fantastic VaultPress plugin from Automattic (the company that makes WordPress itself). VaultPress isn’t free, but it’s dirt cheap and it provides the easiest and most reliable backup and restore processes you’re likely to find in a WordPress backup solution. If you prefer going the free route (and there’s absolutely nothing wrong with that), a fantastic second choice would be UpdraftPlus. 2 – Never use the default WordPress username admin. Hackers know that every WordPress blog is created with a single default user account that’s named admin. They also know that the vast majority of bloggers use that default admin account to write their posts and administrate their blogs. Therefore, they will always try to break into your blog using the admin username. For that reason, I strongly recommend that you first create two new user accounts (one with administrator-level privileges and one with author-level privileges) and then delete the default admin account. Just follow the steps below… First, log in to your WordPress Dashboard and click on Users, then add a new user with a username of your choosing. Give that new user account administrator privileges (select Administrator in the “Role” field). You will use this new administrator-level account ONLY for doing things inside the WordPress Dashboard that require Administrator privileges. Now, click on Users again and create another new account and assign it the role of Author. You will use this new author-level account to write and edit your blog posts. You’ll need to be logged into the new Admin account you created earlier to do anything else. Now, log out of the default admin account and log into the new administrator-level account you created earlier. Once you have successfully logged into the new admin-level account, delete the default admin user account. Note: During the deletion process WordPress will give you the opportunity to transfer authorship of all existing posts that were written using the default admin account to a different user. I recommend that you transfer those posts to the new author-level user account that you just created. 3 – Create new passwords for the two existing user accounts that are hard to crack, yet easy to remember. This post explains how to do that. 4 – Make sure you’re logged into the WordPress Dashboard with the new administrator-level account and then click on Plugins>Add New. Search for a great plugin called Wordfence Security, then install and activate it. Wordfence provides dozens of powerful security features that will help prevent hackers from logging into your WordPress installation’s Dashboard and prevent them from taking control of your blog. This plugin is simply amazing thanks to the number of powerful security features it adds to a WordPress installation! 5 – Go into the Settings screen for the Wordfence plugin and activate Two-Factor Authentication for both of the existing user accounts. Once enabled, Two-Factor Authentication will prevent hackers from logging into your WordPress Dashboard even if they somehow manage to get your password. 6 – ALWAYS keep your WordPress core files, themes and plugins up to date. Most updates are distributed to plug known security holes, and every minute that you wait before installing them gives the hackers that much extra time to find and attempt to break into your blog. I install all updates immediately upon their release (or as quickly as I possibly can). 7 – Don’t use any plugins that your blog doesn’t actually need and uninstall every currently installed plugin that isn’t actually being used. Every plugin that’s installed on your blog is another potential back door into your blog for hackers to break through, even if one or more of the plugins aren’t currently activated. If a plugin is secure and truly adds value to your blog, by all means use it. But if it doesn’t, don’t. 8 – Check the permission levels of your WordPress directories. If you see any that are set to 777, lower them to at least 755 or 750. Individual files should be set at either 640 or 644. Set the all-important wp-config.php file to 600. 9 – Enable TLS encryption on your WordPress installation. Enabling TLS will help protect your blog’s login information from hackers. What’s more, Google and all the major web browsers have now made TLS encryption a necessity anyway if you want to keep your blog’s traffic levels from plummeting off the edge of a cliff. 10 – Log out of your WordPress Dashboard when you finish the task(s) at hand. Remaining logged into the Dashboard will allow anyone who manages to gain access to your computer (either physically or remotely) to take full control of your WordPress blog. Enough said.