6 Ways to protect your WordPress site against hackers
When starting a blog, people usually think about making them functional, good looking and full of great content. In this euphoria, many people forget about security though. This is usually a beginner’s mistake, since they are always asking “Of all the websites in the world, why would anyone hack into mine?”. However, we noticed overlooked security in well established blogs as well.
In this article, we are going to discuss a few concrete measures you should take to ensure the security of your data. Remember, your blog or website is your second home. Keep the unwanted visitors out!
Here are some of the most common mistakes and appropriate fixes:
1. Choose an excellent password.
Here’s a recent top of the worst passwords people choose:
- 123456 (we can’t imagine why, in 2014, people are still using this)
- password (obviously)
Your SO’s name or your birthday are also bad ideas. If you have a social media account of any kind, these are really easy to find out.
Fix: Generate a password.
2. Choose an excellent username.
When someone tries to hack in, the first usernames he will try will be: admin, administrator or your name.
Fix: Choose a less obvious username. If necessary, to avoid asigning previous articles, you can change the username directly in the database trough PHPMyAdmin.
3. Protect your wp-config file.
This is the file that stores everything you don’t want people to know, including database details.
Fix: In your .htaccess file, add the following:
<Files wp-config.php> order allow,deny deny from all </Files>
4. Limit the number of attempted log ins
If someone is trying to guess your password, what are the odds he’ll guess with just one try? If this happens, seriously, read again point 1.
Fix: Use a plugin to limit the number of failed log in attempts. Here‘s a great one.
5. Block all IPs but yours.
Assuming no one will hack your website from withing your website, this is an extreme measure but it works perfectly.
Fix: Create a NEW .htaccess file and upload it in your wp-admin folder. Add the following:
order deny,allow allow from 100.100.1.1 (to be replaced with your IP) deny from all
However, there is a major disadvantage. You won’t be able to access the admin area from anywhere else. Also, this doesn’t work if you have a dynamic IP,
This is a great plugin! Not only does it block an attacker, but all the other websites block it as well. For instance, if you and me both use WordFence, if John Doe attacks my website, yours will automatically block John as well!
The plugin also alerts you in the email when someone is trying something fishy.