How to prevent your website from being hacked

Keep your WordPress website secure from hackers

Are you worried about the security of your WordPress website?

Have you taken precautions to stop people hacking your website?

We all know that owning a website can be hard work; however, life can become far more stressful if the website were to get broken into.

Not only would you have to figure out how they did it, but you would have to repair all the damage!

This article will explain how you can take steps to stop a hacker from breaking into your website.

Why would people want to hack your website

Hacking websites is a terrible thing that causes a lot of stress and inconvenience.

But that doesn’t mean people won’t do it.

There are a few reasons why people would hack a website:

  1. Links back to their website
  2. Links to another website (paid-for links)
  3. Hijacking your website’s traffic
  4. Injecting content onto your website
  5. Gaining access to paid-for items
  6. Gain all registered users email addresses

And of course, just for fun.

How hackers attempt to gain access

In most cases, the people that are trying to break into your website are actually not people; they are robots.

These bots are set up to trawl the internet for admin screens and try to log into them.

The most basic of these bots will go to your login screen, set the username to admin and try some of the most common passwords:

  • password
  • password123
  • hello
  • hello123
  • qwerty
  • qwertyuiop
  • your name
  • company name

Some slightly more advanced robots will add a couple of steps in before they get to the login screen.

First they will crawl the pages, /author/2 up to /author/9.

If these pages don’t return a 404 error (page not found), then there is an author set in the database.

They simply take the first name of that author, and try those common passwords with the username set to their first name.

The final (common) method for gaining access to your admin is trying to access a file that is known to have issues.

An example of this was the TimThumb software. TimThumb is an image resizing tool. It allows you to crop images (like you can on your Facebook or LinkedIn profile images).

When TimThumb was originally launched, lots of people downloaded it as a plugin to their WordPress websites; however, that software contained lots of security holes.

Consequently, bots will now try to access these files (even if they don’t exist) to see if they can change your website that way.
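
To spot the three bot behaviours described in this section in your own server logs, here is an added example (not part of the original article): a small Python script that flags IP addresses that repeatedly POST to wp-login.php, walk the /author/N pages, or request a timthumb.php file that does not exist. The log lines, thresholds and the function name `classify` are constructed for illustration; `/?author=N` is the query-string form of the same author pages.

```python
import re
from collections import defaultdict

# Constructed sample lines in common log format (documentation IPs, not real traffic).
SAMPLE_LOG = '''\
203.0.113.7 - - [10/Mar/2014:02:11:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [10/Mar/2014:02:11:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [10/Mar/2014:02:11:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.23 - - [10/Mar/2014:03:40:10 +0000] "GET /author/2 HTTP/1.1" 404 512
198.51.100.23 - - [10/Mar/2014:03:40:11 +0000] "GET /author/3 HTTP/1.1" 200 8841
198.51.100.23 - - [10/Mar/2014:03:40:12 +0000] "GET /author/4 HTTP/1.1" 404 512
198.51.100.23 - - [10/Mar/2014:03:40:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.50 - - [10/Mar/2014:04:02:33 +0000] "GET /wp-content/themes/demo/timthumb.php HTTP/1.1" 404 512
192.0.2.99 - - [10/Mar/2014:09:15:00 +0000] "GET /author/3 HTTP/1.1" 200 8841
192.0.2.99 - - [10/Mar/2014:09:16:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
AUTHOR_RE = re.compile(r'^/author/(\d+)/?$|^/\?author=(\d+)$')

def classify(log_text, login_limit=3, author_limit=3):
    """Return {ip: [findings]} for login guessing, author enumeration, TimThumb probes."""
    logins, authors, probes = defaultdict(int), defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            logins[ip] += 1  # every login attempt is a POST to this file
        a = AUTHOR_RE.match(path)
        if a:
            authors[ip].add(int(a.group(1) or a.group(2)))  # distinct author IDs tried
        if "timthumb.php" in path.lower() and status == "404":
            probes[ip] += 1  # request for a TimThumb file that does not exist
    findings = defaultdict(list)
    for ip, count in logins.items():
        if count >= login_limit:
            findings[ip].append("login-guessing")
    for ip, ids in authors.items():
        if len(ids) >= author_limit:
            findings[ip].append("author-enumeration")
    for ip in probes:
        findings[ip].append("timthumb-probe")
    return {ip: sorted(found) for ip, found in findings.items()}

if __name__ == "__main__":
    for ip, found in classify(SAMPLE_LOG).items():
        print(ip, ", ".join(found))
```

The last visitor in the sample views one author page and logs in once, so it stays under both thresholds and is not flagged.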

How to secure your WordPress installation

The first thing you must do is ensure that you use secure passwords.

You make the life of a hacker a lot more challenging if you only use strong passwords: that means ones with capitals, numbers and symbols.

They should also never be a name, or something directly related to your products or services.

Better WP Security

There is a plugin that I use on my WordPress website that will take care of a lot of security issues on your system.

That plugin is called Better WP Security.

Better WP Security allows you to change specific features on WordPress to make it harder for hackers to break in.

For example you can:

  • Change the username from ‘Admin’ to something else
  • Change the user ID of your admin from 1 to something else
  • Lock entrance to the admin at certain time periods (like when you’re normally asleep)
  • Ban users based on their IP addresses
  • Change the directory of your WordPress files from wp-content to something else
  • Automatically take backups of your database and email them to yourself
  • Change the prefix of your database from wp_ to something else
  • Change the URL you use to login from wp-login to something else
  • Check the number of hits on 404 pages and lock the user out if they are excessive
  • Track any changes to your files
  • Limit the number of times you can attempt to login with the wrong password
  • Enforce strong passwords

And quite a few more ‘tweaks’.

All of these are rather small changes; however, they go a long way to keeping your website safe.

How to back up your database and files

WordPress Backup to Dropbox

The final thing you must do is take regular backups of your website.

Should the worst happen and someone breaks into your website, having a backup stored safely away will take a lot of the stress and time out of getting your site live again.

The plugin I recommend for this is WordPress Backup to Dropbox.

This will take a backup of your files and database and upload them to your Dropbox account for safe keeping.

I also suggest you use the backup to email option from Better WP Security to send your database backup to your email as well.

This is because the Backup to Dropbox plugin will only keep one version of your website stored away. All of your content is stored in your database, so you need to have multiple versions, from old to new; otherwise, you could restore a broken version of your website.

So what are you waiting for?

Go and change your passwords, add the plugins mentioned above and make it harder for your website to be broken into.

Believe me, the last thing you want is for your site to go down with no idea how it happened.

Has your website ever been hacked? How did you manage to fix it? Let me know in the comments below.

  • Stephan Hovnanian

    Great article Sam…I never thought of changing the ID of the admin to something other than 1, although as a matter of practice, I do 2 things to help guard against admin-related hack attempts: 1) don’t use “admin” as the username, 2) keep the primary admin username for myself and give the client another username with administrator access, this way there’s a backup admin should the client’s account get hacked (more likely than not).

    • Sam Scholfield

      Thank you Stephan. Using Admin as your username is definitely something to avoid!
      I also do the same with the administrator account. It also means that your client can have their own password (they don’t have to share) and you can access their WordPress quickly should anything go wrong!

      Another point I didn’t really mention (as it’s a little technical) is to remove the WordPress version from displaying in the Meta data. If there is a known security issue with an old WordPress version, the last thing you want to do is tell people that you have that version!
      As always, thanks for commenting :)

  • Rosemary Hall

    Great article Sam. It’s a scary thought that your website could get hacked. Backup is vital; if anything, it gives you peace of mind.

    • Sam Scholfield

      Exactly! It’s normally a last resort to restore a backup, but at least you have something!
      Thanks for commenting Rosemary.
      - Sam

  • Mukesh

    Thank you for sharing the WP Dropbox plugin for site backup. I was looking for such a plugin that stores all backups online after configuring it just one time.

    • Sam Scholfield

      No problem Mukesh, I’m glad you found it useful!
      - Sam

  • Marilyn Kinney

    Not sure if my last post made it or not. My problem is that somehow the pet adoption application on our animal welfare website is being filled out with nonsensical words and phrases, and it is being done by the hundreds! Neither I nor our webmaster has a clue how to stop this, and I’m wondering if the advice you gave above would apply to this particular problem. I’m totally clueless on how websites work. Please send suggestions about what we can do to stop this assault.
    Thank You,

    • Sam Scholfield

      Hi Marilyn, Great to see you here!

      It’s a little hard to say without knowing how your forms have been built, but there are a couple of options:

      1) If your forms are built with ‘Contact Form 7’ or ‘Gravity Forms’ then you can install the Akismet plugin, which will run spam checks on any submissions before they reach you.

      2) If you’re using a different form builder, or the forms are self made, you can add more versatile validation onto the forms – most spammers will just enter random text into every field, so having proper email validation and date validation will help.

      3) The final solution is to use a captcha field – this is one of those random letter generators that you occasionally see on forms. This isn’t the best solution as lots of people don’t like them, but it will cut down on your spam. If you’re using a form builder, it might have captcha functionality built in.

      I hope that gives you something to work with, and let me know how you get on!

  • Mominul Sajiv

    I had to secure my WP site –
    I think it’s really helpful for me to secure my site now. Thanks for the article.

  • Kevin Ochineg

    This is so great, stay blessed always

    • Sam Scholfield

      Thanks Kevin! I appreciate your feedback :)
      - Sam

  • ThatKiddSkipp

    My brother has a political website that is hosted by IWW and an anti-political hacker group has taken the liberty of shutting down our web page. I don’t want to post the name of the website in the respect that there potentially will be a criminal investigation but considering these investigations take a lot of time and money, I would like to help him avoid this at all costs… Ultimately I want to help him secure his site and get it back up and running until he switches to a different host… I have confirmed that his password has been changed and it appears that his admin page is too easily accessed (which I will be changing shortly). If anyone can help me please let me know… his HTML code is screwed and I am waiting to see if he or the host has backed up this information for him. Thanks in advance…


    • Sam Scholfield

      Hi Skipp, this sounds like a nightmare!

      If you have a database backup, then the first steps are to delete the current database and revert back to the backup – then change your passwords. Do the same for the files.

      This should get your site back up and working again. If you don’t have a backup then hopefully your host will get back to you with some files – these might be very old so you may lose some data.

      If you don’t have any backups, and can’t get hold of any, then you need to gain access to your database. You should be able to do this through your hosting account. Within the database you can find the users tables and reset the passwords – you may need someone technical to do this (if you’re not).

      Once you have reset your passwords, you should be able to access the WP admin again. At this point it will be a matter of going through your files and cleaning them as much as possible – not a pleasant job.

      When you have finished, make sure you take further backups and your friend keeps a copy of the website somewhere they can access it (like on their local computer, or in Dropbox etc).

      I hope you manage to get the website back up and running again!
      - Sam

  • Stephanie

    Great article Sam… wondering though if the plugin called “Wordfence” does the same thing? I’m not overly techie and fear if I add this plugin also it would be redundant?
