WordPress is a hugely popular blogging platform – according to a study undertaken last year almost half of the top 100 blogs worldwide are hosted on WordPress. Being such a widely used platform it is also a prime target for hackers. For example, right now there is a huge automated hacking attack running which is trying to crack the administrator passwords of any self-hosted WordPress blog it can find.
Scary stuff. So if you are running a self-hosted WordPress blog it’s really important that you take a few simple steps to protect your blog from hackers…
1. Back up your blog. There are many different ways to back up your WordPress blog, and the right method for you depends on how frequently you want to save any changes (i.e. how far would you want to “roll back” if you lost the whole site). You want to make sure that any backup method you choose takes a copy of both your SQL database AND your website files, as you need both to restore your site. I like the WordPress Backup to DropBox plugin as a very basic solution – it’s free, and you can very easily configure it to back your blog up to your DropBox account on a regular basis. At the other end of the spectrum if you want to make sure you can always restore your blog back to its very latest version there is a system called VaultPress, which backs your blog up every time something changes. There is a monthly subscription charge, but you really can just set it up and leave it running without worrying about it.
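As an added illustration of the "both halves" point above (this is example code, not the post's own or any plugin's), the script below reads the database settings from wp-config.php, dumps the database with mysqldump, and archives the site files in one pass. The file layout is standard WordPress; the 1e9 guesses figure used elsewhere does not apply here, and the sample wp-config.php text is constructed.

```python
import os
import re
import subprocess
import tarfile
import time
from pathlib import Path

# wp-config.php stores the database settings as PHP define() calls, e.g.
#   define( 'DB_NAME', 'blogdb' );
# (a password containing a quote character would need a fuller parser).
DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_db_settings(config_text):
    """Return the DB_* settings found in wp-config.php text as a dict."""
    return dict(DEFINE_RE.findall(config_text))


def read_db_settings(wp_root):
    return parse_db_settings((Path(wp_root) / "wp-config.php").read_text(encoding="utf-8"))


def mysqldump_command(settings):
    """Build the mysqldump argument list. WordPress allows DB_HOST to be
    'host:port'; the password is deliberately kept out of argv (see backup_site)."""
    host, _, port = settings.get("DB_HOST", "localhost").partition(":")
    cmd = ["mysqldump", "--single-transaction", "-h", host]
    if port.isdigit():
        cmd += ["-P", port]
    return cmd + ["-u", settings["DB_USER"], settings["DB_NAME"]]


def archive_site_files(wp_root, dest_dir, stamp):
    """Tar the whole WordPress tree: wp-content, uploads, wp-config.php, themes."""
    wp_root = Path(wp_root)
    archive = Path(dest_dir) / f"wp-files-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(wp_root, arcname=wp_root.name)
    return archive


def backup_site(wp_root, dest_dir):
    """Take both halves of a restorable backup: the SQL dump and the files."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    settings = read_db_settings(wp_root)
    dump = Path(dest_dir) / f"wp-db-{stamp}.sql"
    # Pass the password via the environment so it is not visible in `ps` output.
    env = dict(os.environ, MYSQL_PWD=settings.get("DB_PASSWORD", ""))
    with open(dump, "wb") as out:
        subprocess.run(mysqldump_command(settings), env=env, stdout=out, check=True)
    return dump, archive_site_files(wp_root, dest_dir, stamp)
```

Run it from cron (e.g. nightly) with a destination outside the web root, and test a restore at least once so you know both pieces fit back together.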
2. If you have a user account named “admin” or “administrator” then create another user account with a different name, set that up with administrator privileges and delete the admin/administrator account. If someone is trying to hack into your site they need a user name and a password. When you install WordPress for the first time it prompts you to create your first administrative user – many people leave that username set to the suggested “admin” or “administrator”. So some hack attacks will simply try to guess the password on that user account. If you don’t have a user account with that name, you can’t be hacked in that way. Here are some good step-by-step instructions on how to set up a new administrator user if you need them.
3. Ensure any user accounts with admin privileges have strong passwords. A strong password is one that contains a mixture of upper and lower case letters, along with numbers and symbols, and the longer you make it the more secure it is. A simple way to make your password longer and therefore more secure is to just add a load of full stops at the end of it, or even use a special character like a colon to join two memorable sequences together to make one long one. Over on the Tots100 blog you can read how to create a strong password, and you can see how long any password would take a hacker to crack using this password search space analyser. This short video gives a brief overview of how to choose secure passwords:
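The search-space reasoning in point 3 (longer is stronger, and a few trailing full stops or a colon between two memorable words add a lot) can be made concrete. This is an added example, not the post's own or the linked analyser's code; it counts the candidates an exhaustive guess would have to cover and converts that to a worst-case time at an assumed guessing rate.

```python
import math
import string

# Character classes an attacker must include once the password uses them; the
# post's "mixture of upper and lower case letters, numbers and symbols" covers all four.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def alphabet_size(password):
    """Size of the smallest class-based alphabet containing every character used."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def search_space(password):
    """Candidates an exhaustive search must try for every length up to this one:
    N + N^2 + ... + N^L for alphabet size N and password length L."""
    n, length = alphabet_size(password), len(password)
    return sum(n ** k for k in range(1, length + 1))


def bits(password):
    """Search space expressed as bits, for easy comparison."""
    return math.log2(search_space(password))


def crack_time_days(password, guesses_per_second=1e9):
    """Worst-case days to exhaust the space. The 1e9/s rate is an assumption
    (a constructed figure for a fast offline guessing setup), not a measurement."""
    return search_space(password) / guesses_per_second / 86400


def compare(base, longer):
    """How many times larger the search space becomes after lengthening a password."""
    return search_space(longer) / search_space(base)
```

Note that this is an exhaustive-search model only: a password built from dictionary words is weaker in practice than its size suggests, which is why mixing classes matters as well as length.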
4. Keep your WordPress installation up to date. As the WordPress developers find weaknesses in the code which could be exploited by hackers they release updates to the code to remove those weaknesses. Most recent installations of WordPress will advise you as soon as you log into your Admin Dashboard that an update is available, and you can install the update with just one or two clicks of your mouse. Always make sure you have an up to date backup of your site (see point 1) before installing the update, but do try to apply it as soon as possible. Running an out of date installation of WordPress makes you more at risk of a successful hacking attempt.
5. Only install the plugins that you need, keep them updated, and delete any you don’t use. It’s not just the WordPress core code that can have vulnerabilities – it’s the plugins you use as well. When installing a plugin for the first time check to see when it was last updated, read user reviews, and look at the plugin support forums – if it’s not been updated for a number of years, has negative reviews, and support queries are going unanswered you might be well advised to find a different plugin to do the same job. As your blog needs change you may find yourself no longer needing some of the plugins you’ve installed in the past, but it’s often easy to just leave them running. This could have the effect of slowing down your site by loading unnecessary code, and could also increase the risk of being hacked. I recommend that you deactivate any plugins you don’t require, check that your blog still works as expected, and then delete the plugins. Making sure you’ve taken a backup first, of course (see point 1!)
6. Choose a reputable theme, and keep it updated (with caution). Choosing a theme is a minefield – first of all you’ve got to find one that looks right, and then you have to configure it so that it looks exactly the way you want it. As with plugins I recommend choosing one that’s been updated recently, and checking user ratings before you install. Also consider buying a paid-for theme – these are most likely to be maintained and regularly updated. One word of caution here – do be a little careful about installing theme updates. Always make sure you’ve got a backup (see point 1), as if there are any problems you may end up with an unattractive (or worse still, broken) blog, and you want to be able to roll back to the previous version of the theme if you need to. Also ensure you’ve read any theme-specific documentation on how to apply updates – you risk losing some of your customisation if you do this wrong.
7. If you’re still worried there are WordPress security plugins that you can install, like Wordfence. These should be treated in the same manner as any other plugins (see point 5).
I can’t guarantee that you won’t get hacked if you follow these guidelines. But you will significantly reduce your risk of being hacked. And if you are hacked, you will at least have a backup of your site to restore (see point 1).
P.S. The picture at the top of this post doesn’t show hackers. It shows my kids playing Minecraft. It’s the closest I could get…!