It seems like, lately, I can’t make it through the day without seeing some new version of “New WordPress Vulnerability! The Sky is Falling!” That’s not necessarily a bad thing, but if one were to become preoccupied with paying attention to these things one could develop the website owner’s version of agoraphobia — too afraid of the possibility of being hacked to let your website out into the open world of internet script kiddies and miscreants.
Fortunately, you don’t have to head down that rabbit hole into psychological meltdown. There are ways to protect your website, and a few things to keep in mind about your site, your hosting, and the internet in general.
First — and I really am not trying to scare you here, just a little reality injection — if a determined, very talented hacker focused his/her/its attentions on your website or its hosting server, there will be an intrusion. That’s just the way it is. After all, if hackers can break into the likes of Home Depot, Target, various and sundry government agencies, and even banks, our WordPress websites are just child’s play to them.
Next, in the overall scheme of things, WordPress itself is very secure. It is a mature piece of software that undergoes constant improvement and updating, and if a security hole is found it is patched quickly, usually within a matter of a few hours.
The popular targets of hackers nowadays are themes and plugins. Unfortunately, there are quite a number of developers to whom the security of their code, if they think about it at all, is a secondary consideration. There are more who just don’t pay attention to security best practices.
Taming the beast
So what can we, as everyday website owners, do to minimize the possibility of being hacked and, if it happens, mitigate the damage? As it happens, quite a bit. Enough so that our sites won’t be an easy target and the lowlifes who are trying to get in will move on.
- Back up your site’s database and content folder regularly. There are a number of backup tools available so it’s pretty easy to do. Keep copies of your backups on your local computer.
- Keep WordPress, your theme, and your plugins updated. Do not turn off WordPress’s automatic updates (yes, it can be done but I’m not going to tell you how). They allow your site to update itself whenever WordPress pushes interim security updates.
- Delete unused plugins and themes. You should keep one of WordPress’s standard themes in your themes folder as a backup, but in general anything that isn’t being used should be deleted.
- Use strong passwords. I know this is inconvenient, but it’s one of your best defenses against getting hacked. If you need to, use a secure password manager on your computers and devices. I use LastPass, but there are others available.
- Don’t use ‘admin’ as a username. In order to log in to your site, hackers have to guess the username and password. ‘Admin’ has been the most popular username since the dawn of WordPress, so use something else. Don’t give the hacker a freebie.
- Use a security plugin. Wordfence and iThemes’ Better WP Security are both good, although they both have annoying pokes for paid upgrades.
- Limit users with Administrator privileges. The fewer usernames that have Administrator capabilities, the better. Just one more line of defense.
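As an added example of point #1 (this is not code from the original post), here is a shell script that archives the wp-content folder, dumps the database using the credentials in wp-config.php, and prunes old archives. It assumes tar, gzip and mysqldump are installed; the sample site it builds at the end is constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example: back up a WordPress site's database and wp-content folder
# and keep only the newest archives. Assumes tar, gzip and mysqldump exist.
set -eu

# Read the value of define('KEY', 'value') from wp-config.php.
wp_config_value() {
  local config="$1" key="$2"
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]${key}['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config"
}

# Archive wp-content (themes, plugins, uploads); prints the archive path.
backup_content() {
  local wp_root="$1" dest="$2" stamp
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest"
  tar -czf "$dest/wp-content-$stamp.tar.gz" -C "$wp_root" wp-content
  echo "$dest/wp-content-$stamp.tar.gz"
}

# Dump the database named in wp-config.php. The password goes through
# MYSQL_PWD rather than the command line so it is not visible in `ps`.
backup_database() {
  local wp_root="$1" dest="$2" cfg="$1/wp-config.php" stamp host
  stamp=$(date +%Y%m%d-%H%M%S)
  host=$(wp_config_value "$cfg" DB_HOST)
  mkdir -p "$dest"
  MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" mysqldump --single-transaction \
    -h "${host:-localhost}" -u "$(wp_config_value "$cfg" DB_USER)" \
    "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$dest/db-$stamp.sql.gz"
  echo "$dest/db-$stamp.sql.gz"
}

# Delete all but the newest $keep files matching $pattern in $dest.
prune_backups() {
  local dest="$1" pattern="$2" keep="$3"
  ls -1t "$dest"/$pattern 2>/dev/null | tail -n +"$((keep + 1))" |
    while read -r old; do rm -f "$old"; done
}

# Demo on a constructed sample site; the database dump is not run here.
demo=$(mktemp -d)
mkdir -p "$demo/site/wp-content/plugins"
echo '<?php // sample plugin' > "$demo/site/wp-content/plugins/hello.php"
printf "<?php\ndefine( 'DB_NAME', 'wp_example' );\ndefine( 'DB_USER', 'wpuser' );\n" > "$demo/site/wp-config.php"
echo "database to dump: $(wp_config_value "$demo/site/wp-config.php" DB_NAME)"
echo "content archive:  $(backup_content "$demo/site" "$demo/backups")"
```

Run it from cron against the real site root, then copy the archives off the server, since a backup that lives only on the hacked host is no backup at all.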
If you do these things, you’ve done just about as much as a normal person can do to protect your site from being hacked. If you pay attention to point #1 especially, you’ll still be able to restore your site to its pre-hacked status. You may need some professional help to clean out the bad stuff but at least you’ll have a starting point.