It’s a blogger’s worst nightmare. You visit your blog and get a malware warning. Or maybe you try to log into your dashboard and find that your password no longer works. The signs of a hacked WordPress site can manifest themselves in many ways, but one thing’s for sure: It SUCKS to find your hard work has been ruined and your space violated by a stranger. Luckily there are lots of ways to prevent your WordPress site from ever being hacked in the first place.
The Tools
Limit Login Attempts Plugin: This plugin allows you to lock people out when they try (and fail) to log into your WordPress dashboard. It will block their IP from accessing your site so they can’t sit around trying tons of password combinations. You’ll also receive an email when someone is locked out, giving you the chance to block them completely through your host. (If your hosting has cPanel, look for the IP Deny Manager.)
Change your username: I wrote a post about this a while back. Everyone knows that the standard WordPress login is “admin” and that’s what most would-be hackers will try first. By choosing a different username, you’ve taken a small step that will go a long way toward protecting your site. Hint: Don’t use the same name that will show as the author of your posts. If your login name is Bob and your posts say they were written by Bob, you just gave it away! Instead, choose a complicated username like bobbyjones3679 and choose Bob as the name that shows on your posts.
WordPress Firewall 2 Plugin: Some hackers use scripts that send malicious code to attack your site. WordPress Firewall will identify those attacks and prevent the code from completing its intended action. You can also opt to receive email notifications of any attempts to hack your site, though I had to turn them off because I was literally getting over 100 emails a day.
Keep everything updated: If your theme, plugins, or WordPress core are out of date, you’re at risk for being hacked. Many of those updates include fixes for issues a hacker could exploit to gain access to your site. It is IMPERATIVE that you use the latest version of any and all elements of your WordPress installation.
Make frequent backups of your site: It’s really not hard to keep backups of your site, yet too many people don’t take the time to do it. Get a backup plugin with good ratings, set it to make daily backups, then have them sent to your email and/or whatever cloud storage service you use. That way if the worst happens, you can restore your site to its former glory.
Use good passwords: This should go without saying, but make sure all administrators on your site have strong passwords. Using “abc123” or “password” is just begging for someone to break in and mess up what you’ve worked so hard to create. It’s fine to set easy temporary passwords when you add a new user, but make sure they change it as soon as they log in for the first time.
Check your folder permissions: Every folder for your website has a set of permissions that determine who can view, access, and edit the files. If you don’t know how to find or change the permissions (or what settings you should use), hop on chat with tech support for your hosting and find out. Many hosts also let you password-protect your admin folders. If a hacker can get into your website files, s/he can find more than enough information to compromise your site.
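As an added example (not code from the original post), here is a small shell audit script you can run over a WordPress document root to list folders and files whose permissions are looser than the commonly recommended 755 for folders, 644 for files, and 600/640 for wp-config.php. It assumes GNU findutils (the -printf and -perm /MODE options); the sample site tree it builds is constructed purely for demonstration.

```shell
#!/bin/sh
# wp_perm_audit ROOT
# Prints one finding per line for a WordPress tree:
#   DIR  <mode> <path>  folder is group- or world-writable (expect 755)
#   FILE <mode> <path>  file is group- or world-writable (expect 644)
#   EXEC <mode> <path>  file has an execute bit set (PHP files never need one)
#   CONF <mode> <path>  wp-config.php is world-readable (expect 600 or 640)
wp_perm_audit() {
  root="$1"
  find "$root" -type d -perm /022 -printf 'DIR  %m %p\n'
  find "$root" -type f -perm /022 -printf 'FILE %m %p\n'
  find "$root" -type f -perm /111 -printf 'EXEC %m %p\n'
  find "$root" -maxdepth 1 -type f -name wp-config.php -perm /004 \
       -printf 'CONF %m %p\n'
}

# Number of findings; 0 means the tree matches the recommended layout.
wp_perm_audit_count() {
  wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Builds a constructed, deliberately mis-permissioned WordPress-like tree
# (a demonstration fixture, not a real site) and prints its path.
make_sample_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads" "$site/wp-content/plugins/hello"
  printf '<?php\n' > "$site/wp-config.php"
  printf '<?php\n' > "$site/wp-content/plugins/hello/hello.php"
  printf 'x' > "$site/wp-content/uploads/cat.jpg"
  chmod 755 "$site" "$site/wp-content" "$site/wp-content/plugins" \
            "$site/wp-content/plugins/hello"
  chmod 777 "$site/wp-content/uploads"                  # world-writable uploads
  chmod 644 "$site/wp-config.php"                       # DB credentials readable by all
  chmod 755 "$site/wp-content/plugins/hello/hello.php"  # executable PHP file
  chmod 644 "$site/wp-content/uploads/cat.jpg"          # this one is fine
  echo "$site"
}

# Demo against the constructed tree; point wp_perm_audit at your real
# document root instead (e.g. wp_perm_audit /var/www/html).
demo=$(make_sample_site)
wp_perm_audit "$demo"
rm -rf "$demo"
```

Expect three findings on the sample tree (the uploads folder, the executable plugin file and the world-readable wp-config.php); anything the script lists on a real site is worth raising with your host before changing it, since some hosts run PHP under a different user and need specific settings.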
Pay attention: Check all your sites periodically to make sure everything looks the way it should. Log into your dashboard(s) and look around, updating any plugins or themes that are out of date. Even if you own sites that are on auto-pilot, it’s important to check on them on a regular basis.
The Bottom Line
Even if you have a tiny little WordPress blog and your cousin is the only person who reads it, you’d be surprised how many hackers cruise the internet just looking for WordPress installations to destroy. It’s fun for them, but it’s far less fun for you. These simple steps can prevent problems and keep your website or blog a fun place for you to interact online.
Awesome post! I had been searching for something just like this. Limit login attempts is the best plugin I have on my site, I'm going to install WordPress Firewall 2 ASAP.