One of the worst nightmares for any WordPress website owner is having their website taken over by hackers. This happens very frequently, unfortunately, because there is money to be made from desperate business owners who are willing to pay a ransom to get their website back.
The truth is that there is always a chance of having your website hacked, no matter how careful you are. This article is meant as a list of best practices to implement in order to minimise the risks. These principles have been developed by IT security specialists and WordPress developers and are sufficient to safeguard your website against the most common attempts made by hackers.
As a general rule, you should always keep a recent backup copy of your website in a secure location, rather than on the same server as your actual website. In the worst-case scenario, you can re-upload this backup copy if you cannot restore the website itself. This being said, there are other ways in which you can prevent your WordPress site from being hacked:
- Rename the Login URL
The standard URL for the admin section of a WordPress site is www.yoursite.com/wp-admin. This is what hackers will usually try when they launch a brute force attack over a series of websites. A brute force attack means trying hundreds of thousands of username/password combinations until the correct match is found.
By changing this standard URL, you have taken a first step to thwart the hackers’ nefarious attempts. Using something like my-login or safe-login instead of wp-admin helps you prevent or delay the initial phase of a brute force attack.
- Change the Default Admin Account Name
When your website is first created, the administration account has the default username “admin”. Many WordPress website owners leave it like this, which is a serious mistake. As explained in item 1 above, if a hacker launches a brute force attack, the default “admin” account name simply makes their work easier.
You should change this account name to something you can remember, but that is not easily guessed. Avoid using your own name (which can be guessed from the contents of the site). If possible, add numbers to the account name and capitalise at least one letter.
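The brute force attacks described in the two items above leave a clear trace in the web server's access log: a burst of POST requests to the login page from one address. The following detector is an added example, not code from the original post; it works on constructed Apache-style log lines, assumes that a POST to wp-login.php answered with HTTP 200 is a failed login (WordPress re-renders the form) while a 302 redirect is a success, and takes the login path as a parameter so it still works after you have renamed the login URL.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in Apache "combined" log format (not from the original post).
# 203.0.113.7 fires three login attempts within ten seconds; 198.51.100.2 is a normal user.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:14:02:03 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:14:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

# Client IP, bracketed timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_bruteforce(log_text, login_paths=("/wp-login.php",), threshold=3, window_s=60,
                    failed_statuses=("200",)):
    """Return {ip: timestamp} for every IP that produced at least `threshold`
    failed login POSTs within any sliding window of `window_s` seconds.
    The timestamp recorded is that of the request which crossed the threshold."""
    recent = defaultdict(deque)  # per-IP timestamps of failed attempts inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        # Strip any query string so "/wp-login.php?action=..." still matches.
        if m.group("path").split("?")[0] not in login_paths:
            continue
        if m.group("status") not in failed_statuses:
            continue  # heuristic: a redirect means the login succeeded
        ip = m.group("ip")
        t = datetime.strptime(m.group("ts"), TS_FMT)
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = m.group("ts")
    return flagged


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

Feeding the real access log to this function (and raising the threshold to something realistic for your traffic) gives you the list of addresses to block or to report to your hosting service.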
- Use Two-Factor Authentication
Two-factor authentication involves receiving a code on your mobile phone and entering it in a dedicated field to gain access to the backend of your website. In this way, you add an extra layer of protection (your own phone number) and can avoid brute force and other types of attacks.
Plus, if a hacker does happen to guess the username/password combination, you will receive a login code on your phone that you did not request, and you can alert the hosting service that the server on which your website is stored is under attack.
- Keep WordPress and the Plugins up to Date
Those pesky updates to WordPress and plugins occur for a good reason: they fix recently discovered vulnerabilities and add supplementary protection mechanisms to those already existing.
Instead of being annoyed, you should be thankful for these updates and proceed to install them as soon as you are notified of them. An out-of-date WordPress platform can be easily hacked even by less-than-professional cyber-criminals.
- Set Strong Passwords for Your WordPress Website
A password you can easily remember is a password that can be easily hacked. Our strong recommendation is to use a password manager, which can generate strong passwords that you do not have to remember (or write down).
Common words or names used in a password can be guessed by the tools hackers use. This is why a combination of your wedding date and your child’s name is not a good password. Your website is only as safe as the password you use to log in to its backend, so make sure it is a strong one.