WordPress is the most popular content management system in the world today. According to one study, there are approximately 19 million websites around the world that use WordPress, and it’s actually 12 times more popular than Drupal.
Despite this, the sad truth is that WordPress websites left in their default settings are very prone to hacking. According to a 2017 study, there are approximately 40,000+ WordPress websites in the Alexa Top 1 Million, and more than 70% of WordPress installations are vulnerable to hacker attacks.
According to Panda Security, 81% of attacks are based on insecure or stolen passwords, making this the main tactic used.
And that number could be even higher now.
Why Hackers Hack
You may be wondering why people even bother to go through the trouble of hacking WordPress blogs, especially a smaller blog that doesn’t have a lot of traffic. There are a number of different reasons why hackers do what they do.
Here are a few:
Many hackers do it out of curiosity, boredom, or bragging rights. They aren’t malicious.
They just want to practice their skills or brag to their friends that they got in. The worst this type of hacker is likely to do is deface your site with a calling card to prove to their friends they did it.
Some do it to be mean, often because they think it’s funny. These hackers have one purpose, and that is to harm you or piss you off.
They are likely to delete content, lock you out by changing your password, redirect to pornographic websites to hurt your reputation, or something similar.
Some do it for financial gain. They may redirect your blog to an affiliate link, to their own website, or they may steal financial information you may have stored on your blog.
This type of hacker is likely to take sensitive information and use or sell it, or to install malicious software on your site that infects visitors’ computers with adware.
You may even be targeted by competitors who hack you in an attempt to make you lose your search engine rankings, lose traffic, or hurt your reputation.
There are many other reasons someone might want to hack a WordPress blog, but these are some of the most common.
Basic WordPress Security
This section is going to focus on some very basic WordPress security things you can do to secure your website installations. You should be taking these steps on every single blog you set up, and you should be doing it without fail!
The easiest thing you can do to protect your blog from hackers is to update your WordPress installation often. WordPress issues critical security updates from time-to-time, so don’t become complacent and think all updates are purely cosmetic or offering new functionality.
Those security updates are absolutely vital, and they can stop some really nasty stuff dead in its tracks!
Choose a Good Username
Be careful not to choose an easy username for logging into your WordPress admin area.
Make sure it is not easy to guess, and whatever you do, do not use the username admin! Nearly everyone uses it, because it’s the default upon install, so avoid it like the plague!
Also, don’t use your name or any variation of it. Don’t use anything having to do with your blog’s name or niche. Don’t use any variation of your email address or any other usernames you may have.
Use a Strong Password
A strong password is absolutely critical, yet most people choose something easy to remember thinking they’ll never get hacked.
This could be a big mistake! Your password should contain, at the very least, both numbers and letters (both capital and lowercase) and be at least 8 characters long.
Never use any variation on your username, name, email, birthday, anniversary, phone number or any other information a hacker may have access to. And never use common passwords or even include them in yours.
Some of the most common passwords include:
Avoid using anything even close to these passwords! In fact, you may want to use a password generator and then keep your password secure using a password manager.
There are many of these on the market, and they will keep your password secure without letting you forget it.
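The rules above can be turned into a check you run before accepting a password. This is an added example, not part of the original post: the common-password list is a constructed sample (the post’s own list is not reproduced), and the leetspeak map is an assumption about which substitutions count as a “variation”.

```python
import re

# Constructed sample of widely used passwords; extend it with a real list in practice.
COMMON_PASSWORDS = ("password", "12345678", "123456", "qwerty", "abc123", "letmein", "admin")

# Assumed leetspeak substitutions, so "P@ssw0rd" is still caught as a variation of "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "$": "s", "7": "t", "!": "i"})


def normalise(text):
    """Lowercase and undo leetspeak so substring checks catch simple variations."""
    return text.lower().translate(LEET)


def personal_terms(username, name="", email=""):
    """Things a hacker may already know about you: username, name parts, email local part."""
    terms = {username} | set(name.split()) | {email.split("@")[0]}
    return {normalise(t) for t in terms if len(t) >= 3}


def check_password(password, username, name="", email=""):
    """Return the list of rules the password violates (an empty list means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    norm = normalise(password)
    for common in COMMON_PASSWORDS:
        if common in norm:
            problems.append(f"contains common password '{common}'")
    for term in sorted(personal_terms(username, name, email)):
        if term in norm:
            problems.append(f"contains personal information '{term}'")
    return problems
```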
Vary Login Information Across Multiple Blogs
Another WordPress security mistake people commonly make is using the same login information for multiple blogs.
If you have several different blogs, be sure to use different usernames and passwords for each so if one is compromised, your others can’t easily be attacked.
Remember, there are websites that will allow someone to see all of the other domains hosted on your server, so if your WordPress installations all reside on the same hosting account, it’s easy for hackers to find your other blogs in order to target them.
Don’t Use Usernames or Passwords from Other Sites
If you are a member of a forum, social network, etc., never, ever use one of those usernames or passwords as your blog username or password!
If the forum or website gets hacked and user data stolen, your blog could be compromised! Use something different for every site you register with, including your own!
Limit Login Attempts
One very simple thing you can do to thwart brute force attacks is to limit login attempts. There are plugins available on the WordPress website that will let you limit login attempts.
Additionally, you can get the Whitelist IP plugin that will let you add your own IP addresses to a whitelist to ensure you don’t accidentally lock yourself out.
You may experience some minor frustration if you accidentally lock yourself out if you forget your password, but the extra security is worth the potential of frustration!
If you use the whitelist plugin and add any IP addresses you might log in from, this isn’t likely to happen.
Two Factor Authentication
If you want to make sure your site is extra secure, you can use two-step authentication, which sends a secret verification code that cannot be guessed to your mobile phone. You must then enter this code on your blog.
There are also other types of two factor authentication such as Google Authenticator and barcode authentication.
You can read more about two factor authentication here:
You can get plugins for your own hosted WordPress installations that will let you use two step authentication.
Password Protect wp-login.php
One easy way to make it harder for brute force attacks to get through is to password protect the file wp-login.php. This is the file that shows you the form to log into your blog.
It’s relatively simple to password protect this file. Hostgator has a simple tutorial you can follow, although this may or may not work on other hosting accounts:
A final method for securing your WordPress site is through the use of a CAPTCHA form on the login page. There are plugins that will allow you to do this.
One such plugin is known as “Captcha on Login”. This plugin will also allow you to change the default “admin” username to something more secure if you already have blogs that use it.
Using CAPTCHA on your login page will help prevent brute force attacks, because it adds an extra layer of protection.
Hackers will have to spend time entering the CAPTCHA, or pay someone to do so, for every login attempt. Most hackers will not be willing to do this unless your blog is a prime target for some reason.
Additionally, the “Captcha on Login” plugin will block IPs after a specific number of failed attempts, which you can configure. So if you’re not already using another plugin to do this, it will add that additional layer of protection.
Final Words on WordPress Security
Hopefully you now fully understand the gravity of the situation. Hackers may hack your blog for a variety of different reasons, and many of those reasons could end up causing you serious harm.
Fortunately, securing your blog isn’t difficult. You can take a few of these simple steps right now, and they’ll only take you a few minutes to put into place.
If you found this information helpful please leave a comment and share.