WordPress security is important. Is your blog a hacker’s dream? What would happen if someone got into your WordPress site and redirected everything to spammy sites selling viagra or worse?
It’s a business owner’s nightmare, but it’s one I found myself in the middle of about a year ago.
A friend messaged to tell me my site had been hacked. It looked fine to me but the hackers were clever. The site was redirecting to spam sites selling Viagra and the like when people visited from Google and Google+. If my friend hadn’t alerted me I’d never have known.
I panicked, I had no idea what to do. I had to put the rest of my work on hold for the day and started searching Google for a solution. I found some plugins that could help and set about trying to fix it. The good news was that I got rid of most of the issues, the bad news was I managed to take my website offline whilst doing so.
I had to give in, admit that this was too big a job for my limited technical ability and I called an expert. My web guy was able to fix the problem swiftly but of course this cost me money, time and my site was offline for a significant amount of time.
Listen below to find out about the WordPress security measures I’ve taken
This is not something I want to happen again. I know that a site can never be 100% secure but there were some simple things I could do to make it much less likely to happen again.
The most important thing
Keep everything updated. It can be frustrating when you log into your site and see yet more updates pending, but do them all as soon as possible. Updates fix bugs and close security holes, and once a fix is released the hole it closes is public knowledge, so keep your plugins, themes and WordPress itself up to date. WordPress applies minor core updates on its own; plugin and theme updates are yours to do. Take a backup before a big batch of updates so you can roll back if one of them breaks the site.
Delete plugins and themes
How many themes do you have installed on your site? You can only use one at a time, so delete the rest. An unused theme still sits on the server as code an attacker can reach, and an out-of-date one may have known holes, so every spare theme is another potential way in. Keep just your active theme plus one current default WordPress theme, which WordPress falls back to if your active theme breaks, and delete everything else.
The same goes for plugins. I try and keep the plugins I use to a minimum anyway as they can slow down site speed but review the plugins you are using on a regular basis. Do you need them? Are there any you don’t use anymore? Deactivate and delete these.
Choose plugins wisely
Plugins are brilliant, they enhance and expand our sites. When you are choosing them be cautious. Search the WordPress Plugin Directory for them. You can access this from your site itself, within the plugin menu, or go to wordpress.org/plugins. Install only from the directory or directly from the developer; copies of paid plugins offered free elsewhere are a common way to get a backdoored version. When you find one you want to use, look at the reviews (does anyone flag anything dodgy?), the number of active installs, when it was last updated and which WordPress version it says it has been tested with. If the last update was several years ago give it a miss and look for another: an abandoned plugin could have vulnerabilities that nobody is going to fix.
Avoid the ‘admin’ username
When you log in to WordPress, what is your username? Is it ‘admin’? If so, you need to change it. It’s the first guess for any hacker or bot trying passwords against your login page. Changing your username is harder than it looks: WordPress doesn’t let you edit the login name on the profile screen, so you need a plugin or a direct change in the database.
I was unable to change the username from my WordPress dashboard so I looked for another solution. The answer came in the form of a plugin, the ‘Username Changer’ plugin. I downloaded it, updated my username to something cryptic and then, taking my own advice, deleted the plugin.
This is just the first step. There’s another problem, one flagged to me by Elaine Rogers from the Smart VA. She noticed that if a site visitor hovers their cursor over an author’s name, they can see the username in the link. That link is the author archive, /author/<slug>/, and WordPress sets the slug to your login name unless you change it, so every post you’ve written tells visitors exactly what to type into the username box. WordPress also redirects /?author=1 to that same archive, so the slug can be found even on a site that never shows author names.
If you want to keep your admin username a secret you’re going to need to set up another user with a lower role (Author is enough to write and publish posts, but can’t install plugins or manage users) and attribute your site posts to that user. Your admin account then never appears in a public URL.
Setting the user up is a quick job, attributing all posts to that user is a longer one.
To do this:
- Visit the ‘Posts’ menu in your website’s dashboard
- Open ‘Screen Options’ at the top right and set ‘Number of items per page’ to the maximum (999) so you have as few pages as possible
- Click ‘Mine’ in the top menu to show only the posts written by your admin account
- Tick the checkbox in the table header to select every post on the page, choose ‘Edit’ from the ‘Bulk actions’ menu and click ‘Apply’
- Change ‘Author’ to your new lower-level user and click ‘Update’
Repeat this for each page. It will take a while and it’s not a fun job, but you’ll feel great once it’s done.
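If you are comfortable on the command line, the whole reassignment is one database query instead of a page-at-a-time job. The script below is an added example written for this post, not code from WordPress, WP-CLI or the Username Changer plugin; it runs with `wp eval-file`, so WordPress is already loaded when it starts. The logins ‘admin’ and ‘site-editor’, the slug ‘editor’ and the Author role are assumptions to change for your own site. It also shows the easy way to get the long random password the password section below asks for: let WordPress generate it.

```php
<?php
/**
 * reassign-posts.php: run once with `wp eval-file reassign-posts.php` from the site root.
 * WP-CLI has already loaded WordPress, so wp_* functions and $wpdb are available.
 * Added example for this post, not code from WordPress, WP-CLI or the Username Changer plugin.
 * The logins 'admin' and 'site-editor' and the slug 'editor' are assumptions; change them.
 */
global $wpdb;

$old_login = 'admin';        // the privileged account whose name must stop appearing in author links
$new_login = 'site-editor';  // low-privilege account that will be shown as the author

$old = get_user_by( 'login', $old_login );
if ( ! $old ) {
    WP_CLI::error( "No user with login '$old_login'." );
}

$new = get_user_by( 'login', $new_login );
if ( ! $new ) {
    // Let WordPress generate the long random password; it is printed once, store it in a password manager.
    $password = wp_generate_password( 32, true, true );
    $new_id   = wp_insert_user( [
        'user_login'    => $new_login,
        'user_pass'     => $password,
        'user_nicename' => 'editor',   // the slug WordPress puts in /author/<slug>/ links
        'display_name'  => 'Editor',
        'role'          => 'author',   // can write and publish posts, cannot manage users, plugins or themes
    ] );
    if ( is_wp_error( $new_id ) ) {
        WP_CLI::error( $new_id->get_error_message() );
    }
    $new = get_user_by( 'id', $new_id );
    WP_CLI::log( "Created $new_login (ID $new_id) with password: $password" );
}

// Move every row owned by the old account in one query: posts, pages, attachments and revisions alike.
$moved = $wpdb->update(
    $wpdb->posts,
    [ 'post_author' => $new->ID ],
    [ 'post_author' => $old->ID ],
    [ '%d' ],
    [ '%d' ]
);
if ( $moved === false ) {
    WP_CLI::error( 'Update failed: ' . $wpdb->last_error );
}

// Check: nothing should still carry the old account's ID.
$left = (int) $wpdb->get_var( $wpdb->prepare(
    "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_author = %d",
    $old->ID
) );
WP_CLI::success( "Moved $moved items to $new_login; $left still owned by $old_login." );
```

Take a backup before running it. The old admin account still exists and still has an author archive; what changes is that nothing on the public site links to it any more.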
So far you’ve made it harder for hackers to get in by guessing your username but what about all the other users on your site?
Who has access to your site and what level of access do they have? Review this, delete anyone you don’t work with anymore and downgrade anyone that doesn’t need full admin access.
Here’s a post that shows you what each WordPress user role can do.
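A quick way to do that review without clicking through every profile, as an added example (my script, not a WordPress or WP-CLI feature): run it with `wp eval-file` and it prints every account with its role, how many posts it owns, its public author URL, and a flag for each thing worth fixing. The flag names are my own.

```php
<?php
/**
 * audit-users.php: run with `wp eval-file audit-users.php`. Added example for this post,
 * not a WordPress or WP-CLI feature. Flags (names are mine):
 *   ADMIN                full access; this list should be as short as possible
 *   default-login        the login is 'admin', the first guess for every bot
 *   login-in-author-url  the author slug is just the login, so /author/<slug>/ publishes it
 *   login-is-display     the login is also the display name shown on every post
 */
$rows = [];
foreach ( get_users( [ 'orderby' => 'ID' ] ) as $u ) {
    $flags = [];
    if ( in_array( 'administrator', $u->roles, true ) ) {
        $flags[] = 'ADMIN';
    }
    if ( strtolower( $u->user_login ) === 'admin' ) {
        $flags[] = 'default-login';
    }
    // WordPress derives the default slug from the login with sanitize_title(), so compare against that.
    if ( $u->user_nicename === sanitize_title( $u->user_login ) ) {
        $flags[] = 'login-in-author-url';
    }
    if ( $u->display_name === $u->user_login ) {
        $flags[] = 'login-is-display';
    }
    $rows[] = [
        'ID'         => $u->ID,
        'login'      => $u->user_login,
        'roles'      => implode( ',', $u->roles ) ?: '(none)',
        'posts'      => count_user_posts( $u->ID ),
        'author_url' => get_author_posts_url( $u->ID ),
        'flags'      => implode( ' ', $flags ) ?: '-',
    ];
}
WP_CLI\Utils\format_items( 'table', $rows, [ 'ID', 'login', 'roles', 'posts', 'author_url', 'flags' ] );
```

Anyone you no longer work with gets deleted (WordPress asks you which user should inherit their posts), anyone flagged ADMIN who only writes gets downgraded to Author or Editor, and for an account flagged login-in-author-url you can give it a different slug with `wp_update_user( [ 'ID' => $id, 'user_nicename' => 'something-else' ] )` instead of creating a second user.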
Hands up if you use the same password for everything? I know you know you aren’t supposed to. It’s crucial that you have a different, strong password for your website, because a password leaked from any other site will be tried against your login page. I recommend using a password generator, like passwordgenerator.net, to create them.
Yes, this makes passwords hard to remember, but that’s what a password manager is for, and your site’s security is more important than convenience. If you don’t want to use a generator, create a long password (length counts for more than clever substitutions) with a mixture of uppercase and lowercase letters, numbers and special characters. And don’t make it in any way related to you: your interests, your kids’ names, your pets, your dates. All of that can be looked up or guessed. If you find it easy to remember, abandon it and try again.
Earlier on I recommended deleting plugins but there are a few you can add that will help secure your site. Here are the three I recommend.
This is a general security tool that scans your website for known malware and vulnerabilities and reports back to you. A scanner only knows about problems that have already been seen elsewhere, so treat it as a safety net behind the updates above rather than a replacement for them. There’s a free and a premium version.
2. Mini Orange 2 Factor Authentication
miniOrange adds a second step to the login. Instead of getting in with just your username and password, you also need a one-time code that changes every time, sent by email, by text message (premium) or generated by an authenticator app on your phone. A stolen or guessed password is then not enough on its own. Set up a second method or backup codes before you rely on it, so a lost phone doesn’t lock you out of your own site.
It is a bit of extra hassle but it’s worth it for the security of your site.
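For anyone curious what the code from the app actually is: the app and your site share a secret (the QR code you scanned), and both compute a six-digit code from that secret and the current 30-second time slot, so the code never travels over the network until you type it. The block below is an added example of that algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226) in plain PHP; it is not the miniOrange plugin’s code. The secret and timestamp come from the RFC’s published test vector, and the replay check is my own addition.

```php
<?php
// TOTP (RFC 6238) on top of HOTP (RFC 4226): 6 digits, 30-second steps, HMAC-SHA1.
// These are the defaults every authenticator app uses. Added example, not plugin code.

// Decode the base32 secret that the site shows you (as text or a QR code) when you enrol.
function base32_decode_str( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $v = strpos( $alphabet, $c );
        if ( $v === false ) {
            throw new InvalidArgumentException( 'invalid base32 character' );
        }
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) {
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

// HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits.
function hotp( string $key, int $counter, int $digits = 6 ): string {
    $hash   = hash_hmac( 'sha1', pack( 'J', $counter ), $key, true );
    $offset = ord( $hash[19] ) & 0x0f;
    $bin    = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $bin % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// TOTP is HOTP with counter = floor(unix_time / step); app and server only share the secret.
function totp( string $key, int $unix_time, int $step = 30 ): string {
    return hotp( $key, intdiv( $unix_time, $step ) );
}

/**
 * Server-side check of a submitted code. Accepts one step of clock drift either way,
 * compares in constant time, and refuses any step at or before the last accepted one,
 * so a code captured from an earlier login cannot be replayed inside its window.
 * Returns the accepted step (store it as the new $last_step) or null on failure.
 */
function totp_verify( string $key, string $code, int $now, ?int $last_step, int $step = 30 ): ?int {
    if ( ! preg_match( '/^\d{6}$/', $code ) ) {
        return null;
    }
    $current = intdiv( $now, $step );
    foreach ( [ 0, -1, 1 ] as $delta ) {
        $t = $current + $delta;
        if ( $last_step !== null && $t <= $last_step ) {
            continue;
        }
        if ( hash_equals( hotp( $key, $t ), $code ) ) {
            return $t;
        }
    }
    return null;
}

// Self-test with the RFC 6238 vector: key "12345678901234567890" (base32 below), time 59
// gives "94287082" at 8 digits, so the 6-digit code for step 1 is "287082".
$key = base32_decode_str( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );
$ok  = totp( $key, 59 ) === '287082'
    && totp_verify( $key, '287082', 59, null ) === 1     // fresh code accepted, step 1 returned
    && totp_verify( $key, '287082', 59, 1 ) === null;    // same code again: replay refused
echo $ok ? "TOTP self-test OK\n" : "TOTP self-test FAILED\n";
```

The two things that matter for a site owner follow from this: the secret is as sensitive as a password (anyone who has it can generate your codes), and the server’s clock has to be roughly right, which is why the check allows one step either way.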
This isn’t technically a security plugin but it will help if the worst happens and your site gets compromised. BackWPup will back up your site files and database to Dropbox or another service or location, on a schedule you choose: once a week, once a month or more frequently. It keeps a number of versions, which matters because a backup taken after the break-in will contain the hackers’ files too; with several generations you can go back to a clean one. Keep the backups somewhere other than the web server, and test a restore once so you know it works before you need it.
I’ve been lazy with my security in the past and it resulted in me getting hacked. One of the things I love about this podcast is that it makes me take action. I’ve implemented all the above and I’m looking at some more advanced stuff now too.
Don’t be like me, take action and secure your site right now, don’t put it on the long finger like I did.
And that’s your challenge this week.
A proposition for you
Before you go I’ve a proposition for you. The one-year anniversary of Blogcentric is speeding towards us and I’d love to feature some of you. If you have made changes to your blog as a result of listening I want to hear your stories and record a short slot for the anniversary edition. So get in touch, email me email@example.com with your stories and we’ll set something up.
Super advice Amanda and congrats on first anniversary of Blogcentric – where did that year go!
Colm Baker says
Great post Amanda, I’m going to take some of this on board. I have no security plugins at the moment. Use LastPass as a way to store all your different passwords, it’s a great tool and free.
Amanda Webb says
I tend to use my memory and some assorted bits of paper for my passwords. But my memory is rubbish. I must try LastPass, I tried a password management tool once but found it too clunky. Is LastPass quick enough to do its job?
Amanda Webb says
I’ve another 10 episodes to go but thought I better get prepared ahead of time (most unlike me). Let me know if you want to do a slot on the show and we’ll set up a time.
Joanne Dewberry says
Great post and tips. I was hacked once and my hosting were so ridiculous that I ended up moving, and my new host found so many corrupt files left by the hacker. I also actually tweeted the person who hacked me (as they left their Twitter ID as the new home page!) and he apologised and helped to fix it!! These people make me so cross!
Amanda Webb says
Wow! The hacker left his Twitter… how cheeky is that.
Jenni Grainger says
Really helpful thank you, going to delete my plugins and themes now. I’m struggling with a back up though as I don’t have enough space in dropbox to save it x
Amanda Webb says
That plugin does have a few other options for your backup too. I used to have the exact same problem but eventually upgraded to a paid dropbox. Worth every penny!
Lorna Sixsmith says
Thanks for that username tip, I didn’t know that. Updating and deleting plugins is something I do every few months and yes, due an update again.
Amanda Webb says
It took me ages to work out the username. So glad I finally fixed it!