Nothing good comes of your blog being hacked. At the least, you get tons of spam in your posts and comments. At worst, your blog becomes a relay of that spam, sometimes harmful, to other sites, which may result in your blog being blocked.
There is some bad and some good news about security:
The bad news: if someone is determined to hack your WordPress and has more than one method, real experience and the right software, the chances are high that the attack will succeed.
The good news is that most likely you will be attacked by opportunistic hackers or bots, and the more measures you take to secure your WordPress, the lower the chance that it will be hacked, simply because there are so many other users who are less careful than you.
The most common attacks your WordPress blog may suffer are SQL injection, brute-force attacks and XSS attacks. Besides these, the threat may sit on your own computer (viruses and other malicious or advertising software), in WordPress itself, or even in the web server that hosts your WordPress.
In this post we list the simplest yet most efficient ways and basic tricks to prevent these attacks on your WordPress.
1. Update your WordPress
With every new release, the older version of your WordPress becomes even more vulnerable than before, because the release notes usually describe the weak points of the previous versions.
What is more, new security plugins and protection features are not developed for older versions. Luckily, your admin dashboard always notifies you when new updates are available, and we recommend installing them. They are free, and they come with the old bugs fixed.
2. Back up your WordPress
This is more a safety measure than a protective one, but it is necessary and really becomes useful in case of trouble of any kind. An obligatory complete backup before every upgrade is not enough: it should be done on a regular basis.
There are numerous automatic and manual ways to back up your WordPress database and website files; just choose the one that is most convenient for you and how often you want it done. The database, which contains the settings and everything you or other people have posted on your blog, must be protected most carefully. You can restore or reinstall the website files, but you will never restore your database, the whole of your posts, comments etc. collected and posted at different times: if it is lost, it is lost forever.
Still, backing up your files (the WordPress software, plugins, themes etc.) is also very useful if you don't want to waste time looking for them again some day. A regular backup every 2-3 weeks is normally fine if no special changes were made during that time.
3. Customize your default Login link
Using the default login link makes your WordPress vulnerable to brute-force attacks, where cracking software tries thousands of combinations of letters and numbers to guess your login and password.
You may use the WordPress Stealth Login plugin, which lets you change the default
http://blogname.com/wp-login.php into something like:
The point of this plugin is that it doesn't let a bot reach the login page. That is especially useful when your password has been compromised, because there is no login form to actually log in with.
This method doesn't protect your WordPress 100%, but it definitely makes hacking it a much harder task.
4. Customize your default userid
When you install WordPress, the default user is Admin. We highly recommend changing it to a custom one. Keeping the admin login makes brute-forcing your WordPress many times easier, as only your password then needs to be guessed. Our advice is to also avoid obvious logins such as the name of your blog. Do not forget to delete the admin user and "attribute all posts and pages" to your new one.
5. Use a strong password
It is impossible to overestimate the importance of a strong password. It is a well-known issue, yet so many users keep complaining that their weak passwords were hacked. We will remind you of a few simple but efficient rules:
- Avoid having the same passwords on more than one site.
- Make it look like a random mix of letters and numbers.
- Change your password at regular intervals.
You may use the WordPress Password Strength Detector to check how weak your password is.
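Checking a password once with a strength detector is good; enforcing the rules above every time a password is set is better. The following is an added example, not code from this post or from any plugin named in it: a small must-use plugin that rejects a new password on the profile screen and on the password-reset form unless it is long enough, mixes letters and digits, is not on a short constructed list of commonly guessed passwords, and does not contain the user name or the blog name. The hooks used (`user_profile_update_errors` and `validate_password_reset`) and the `pass1` field name are WordPress's own; the function names, constants and the banned-password list are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Minimum password policy (illustrative example, not a published plugin)
 *
 * Save as wp-content/mu-plugins/password-policy.php so WordPress loads it automatically.
 */

// Constructed list of passwords that must never be accepted. A real deployment
// would use a much larger list or a breached-password lookup service.
const EXAMPLE_BANNED_PASSWORDS = array( 'password', '123456', 'qwerty', 'admin', 'letmein' );

/**
 * Returns null when the password is acceptable, otherwise a human-readable reason.
 * The rules follow the post: long, a mix of letters and digits, not a well-known
 * password, and not derived from the login name or the blog name.
 */
function example_password_problem( $password, $username, $blog_name ) {
    if ( strlen( $password ) < 12 ) {
        return 'Password must be at least 12 characters long.';
    }
    if ( ! preg_match( '/[a-z]/i', $password ) || ! preg_match( '/\d/', $password ) ) {
        return 'Password must mix letters and digits.';
    }
    $lower = strtolower( $password );
    if ( in_array( $lower, EXAMPLE_BANNED_PASSWORDS, true ) ) {
        return 'That password is on the list of commonly guessed passwords.';
    }
    // Reusing the login name or the blog name is exactly as weak as the post warns.
    foreach ( array( $username, $blog_name ) as $needle ) {
        if ( $needle !== '' && strpos( $lower, strtolower( $needle ) ) !== false ) {
            return 'Password must not contain your user name or the blog name.';
        }
    }
    return null;
}

/**
 * Profile and "Add New User" screens. $errors is a WP_Error collecting problems,
 * $update is true when an existing user is edited, $user is the object being saved.
 */
function example_check_profile_password( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change submitted
    }
    $login   = isset( $user->user_login ) ? $user->user_login : '';
    $problem = example_password_problem( wp_unslash( $_POST['pass1'] ), $login, get_bloginfo( 'name' ) );
    if ( $problem !== null ) {
        $errors->add( 'weak_password', $problem );
    }
}
add_action( 'user_profile_update_errors', 'example_check_profile_password', 10, 3 );

/**
 * "Lost password" reset form. $user is a WP_User for a valid reset key, otherwise a WP_Error.
 */
function example_check_reset_password( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) || ! ( $user instanceof WP_User ) ) {
        return;
    }
    $problem = example_password_problem( wp_unslash( $_POST['pass1'] ), $user->user_login, get_bloginfo( 'name' ) );
    if ( $problem !== null ) {
        $errors->add( 'weak_password', $problem );
    }
}
add_action( 'validate_password_reset', 'example_check_reset_password', 10, 2 );
```

Because the checks run on the server, they also apply to users who bypass the JavaScript strength meter in the browser. The length threshold and the banned list are the parts you would tune to your own policy.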
6. Limit login attempts
Remember the ATM PIN entry limit? This works the same way and is efficient against brute-force attacks. Delaying login attempts greatly reduces the chance of a password being guessed, since instead of an endless stream of login attempts only, for example, 3 unsuccessful attempts per day are allowed.
We advise using the Login Lockdown plugin. It records the IP address from which a wrong password was entered and blocks it for a certain period of time. The default setting is a 1-hour IP block after 3 unsuccessful login attempts within 5 minutes, but you can change the settings to your preference via your admin dashboard.
7. Hide failed login notification
The failed login notification appears when you enter a wrong login or password. Most often it says exactly which of the two was invalid. When a bot that tries to hack your site receives this message, it learns which of the two was correct, and again that makes its task much easier. We advise hiding this error notification completely.
Just add the code below to the functions.php file in your theme folder:
// Return an empty message instead of WordPress's detailed login error.
// (Older versions of this snippet used create_function(), which was removed in PHP 8.)
add_filter( 'login_errors', function ( $error ) {
    return '';
} );
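To show how points 6 and 7 fit together in code, here is an added example that is neither this post's snippet nor the Login Lockdown plugin: a must-use plugin that counts failed logins per client IP in WordPress transients, refuses further attempts for an hour once 3 failures occur within 5 minutes (the plugin defaults quoted above), writes each failure to the PHP error log so that a brute-force run is visible to whoever reads the logs, and replaces the detailed login error with one generic message. The hooks (`authenticate`, `wp_login_failed`, `wp_login`, `login_errors`) and the transient functions are WordPress's own; the function names, constants and transient key are assumptions, and the example assumes `REMOTE_ADDR` is the real client address (no reverse proxy in front of the server).

```php
<?php
/**
 * Plugin Name: Login attempt limiter (illustrative example, not the Login Lockdown plugin)
 *
 * Save as wp-content/mu-plugins/login-limiter.php so WordPress loads it automatically.
 */

const EXAMPLE_MAX_FAILURES   = 3;    // attempts allowed ...
const EXAMPLE_FAILURE_WINDOW = 300;  // ... within this many seconds (5 minutes)
const EXAMPLE_LOCKOUT_TIME   = 3600; // then block the address for 1 hour

/** Transient key holding the failure state for one client address (assumed naming). */
function example_lockout_key( $ip ) {
    return 'example_login_fail_' . md5( $ip );
}

/** Client address; assumes no reverse proxy rewrites REMOTE_ADDR. */
function example_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** True while the address is locked out. */
function example_is_locked_out( $ip ) {
    $state = get_transient( example_lockout_key( $ip ) );
    return is_array( $state ) && ! empty( $state['locked_until'] ) && $state['locked_until'] > time();
}

/** Record one failed attempt and return the updated state array. */
function example_record_failure( $ip, $now ) {
    $key   = example_lockout_key( $ip );
    $state = get_transient( $key );
    // Start a fresh window if there is no state or the old window has expired.
    if ( ! is_array( $state ) || $now - $state['first'] > EXAMPLE_FAILURE_WINDOW ) {
        $state = array( 'first' => $now, 'count' => 0, 'locked_until' => 0 );
    }
    $state['count']++;
    if ( $state['count'] >= EXAMPLE_MAX_FAILURES ) {
        $state['locked_until'] = $now + EXAMPLE_LOCKOUT_TIME;
        set_transient( $key, $state, EXAMPLE_LOCKOUT_TIME );
    } else {
        set_transient( $key, $state, EXAMPLE_FAILURE_WINDOW );
    }
    return $state;
}

// 1. Refuse locked-out clients. Priority 30 runs after WordPress's own
//    username/password check (priority 20), so a correct guess during the
//    lockout is still rejected instead of slipping through.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! empty( $username ) && example_is_locked_out( example_client_ip() ) ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 3 );

// 2. Count every failure; wp_login_failed fires for a bad username or password.
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = example_client_ip();
    $state = example_record_failure( $ip, time() );
    // One log line per failure lets an operator spot a brute-force run in the PHP error log.
    error_log( sprintf( 'login failed for "%s" from %s (%d/%d in window)',
        $username, $ip, $state['count'], EXAMPLE_MAX_FAILURES ) );
}, 10, 1 );

// 3. A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_lockout_key( example_client_ip() ) );
} );

// 4. Point 7: the same message whatever was wrong, so a guesser learns nothing
//    about which half of the credentials was correct.
add_filter( 'login_errors', function ( $error ) {
    return 'Login failed.';
} );
```

Transients are shared across all PHP workers through the database or object cache, so the counter is consistent however many requests arrive in parallel. If your site sits behind a load balancer or CDN, replace `example_client_ip()` with logic that reads the proxy's forwarded-address header only from addresses you trust; otherwise every visitor would share the proxy's address and a single lockout would block everyone.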
8. Change the wp_ prefix of your WordPress database tables
The default prefix of your WordPress database tables is wp_. That prefix makes your most important data more vulnerable, as it is easy to determine the table names and then attack them, and your WordPress database holds all the needed information; metaphorically it is the flesh and blood of your blog. Losing these tables would be a great loss. Therefore we recommend changing this prefix to something custom and hard to guess; a set of letters and numbers is most appropriate.
Note: don't forget to back up before you start renaming.
9. Restrict access to your WordPress content directory
You may use the following code:
# Deny direct access to everything in this directory except static assets.
# Apache 2.2 directives; on Apache 2.4 use "Require all denied" / "Require all granted" instead.
# Extend the extension list if your theme or uploads use other static types (e.g. woff, svg, pdf).
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
Just add this code snippet to the .htaccess file in the wp-content and wp-includes directories.
10. Deny access to the wp-config.php file
It is also very important to deny every user's access to this file, as it contains your WordPress's most secret information: the database login information (user name and password) and the database name. Just add the code below to the .htaccess file in the WordPress root directory to deny access to your wp-config.php file:
# protect wp-config.php
# Apache 2.2 directives; on Apache 2.4 use "Require all denied" inside the block instead.
<files wp-config.php>
Order deny,allow
Deny from all
</files>
11. Use WordPress Authentication Keys
Using authentication keys is a very good way to strengthen the encryption of your login data. Use the WordPress Key Generator to generate random phrases. Open your wp-config.php file and find the following lines:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
// Newer WordPress versions also define the matching AUTH_SALT, SECURE_AUTH_SALT,
// LOGGED_IN_SALT and NONCE_SALT lines; fill those in the same way.
Replace 'put your unique phrase here' with the phrases generated by the WordPress Key Generator.
Thanks for reading this post.
Remember, no single method is 100% effective. Only the whole bunch together will be.
We'd appreciate your opinion and anything you may add.