How to prevent your website from being hacked

Keep your WordPress website secure from hackers

Are you worried about the security of your WordPress website?

Have you taken precautions to stop people hacking your website?

We all know that owning a website can be hard work, but life becomes far more stressful if the website is broken into.

Not only would you have to figure out how they got in, but you would also have to repair all the damage!

This article will explain how you can take steps to stop a hacker from breaking into your website.

Why would people want to hack your website

Hacking websites is a terrible thing that causes a lot of stress and inconvenience.

But that doesn’t mean people won’t do it.

There are a few reasons why people would hack a website:

  1. Links back to their website
  2. Links to another website (paid-for links)
  3. Hijacking your website's traffic
  4. Injecting content onto your website
  5. Gaining access to paid-for items
  6. Harvesting all registered users' email addresses

And of course, just for fun.

How hackers attempt to gain access

In most cases, the people trying to break into your website are not people at all; they are robots.

These bots are set up to trawl the internet for admin screens and try to log into them.

The most basic of these bots will go to your login screen, set the username to admin and try some of the most common passwords:

  • password
  • password123
  • hello
  • hello123
  • qwerty
  • qwertyuiop
  • your name
  • company name

Some slightly more advanced bots add a couple of steps before they get to the login screen.

First they request the pages /author/2 up to /author/9.

If one of these pages doesn’t return a 404 error (page not found), then an author with that ID exists in the database.

They simply take the first name of that author and try those common passwords with the username set to that first name.

The final (common) method for gaining access to your admin is to request a file that is known to have security issues.

An example of this was the TimThumb software. TimThumb is an image resizing tool that lets you crop images (like you can with your Facebook or LinkedIn profile images).

When TimThumb was originally launched, lots of people downloaded it as a plugin for their WordPress websites; however, that software contained lots of security holes.

Consequently, bots will now try to request these files (even if they don’t exist on your site) to see if they can change your website that way.
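The three bot behaviours described above (password guessing against wp-login.php, the /author/N sweep, and probes for timthumb.php) all leave a recognisable trail in the web server's access log. The Python script below is an added example, not part of the original article: it parses combined-format log lines and flags client IPs that show these patterns, using constructed sample lines and thresholds (5 failed logins, 3 author-page hits, 20 not-found responses) that are assumptions chosen for this example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log line; the sample lines further down are constructed for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
AUTHOR_RE = re.compile(r'^/author/\d+/?$|^/\?author=\d+$')   # the /author/2 ... /author/9 sweep

def flag_hosts(lines, login_limit=5, author_limit=3, notfound_limit=20):
    """Return {ip: set of reasons} for clients showing the bot behaviour the article describes."""
    login_fail, author_hits, not_found = defaultdict(int), defaultdict(int), defaultdict(int)
    flagged = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.group('ip', 'method', 'path', 'status')
        # WordPress re-renders the login form (HTTP 200) on a wrong password and
        # redirects (302) on success, so a 200 answer to a POST is a failed attempt.
        if method == 'POST' and path.startswith('/wp-login.php') and status == '200':
            login_fail[ip] += 1
        if AUTHOR_RE.match(path):
            author_hits[ip] += 1
        if status == '404':
            not_found[ip] += 1
        if 'timthumb.php' in path.lower():          # probing for the old vulnerable resizer
            flagged[ip].add('timthumb probe')
    for counts, limit, reason in ((login_fail, login_limit, 'password guessing'),
                                  (author_hits, author_limit, 'author enumeration'),
                                  (not_found, notfound_limit, 'excessive 404s')):
        for ip, n in counts.items():
            if n >= limit:
                flagged[ip].add(reason)
    return dict(flagged)

# Constructed sample log: one bot sweeping /author/N and then guessing passwords,
# one scanner looking for timthumb.php, and one legitimate successful login.
SAMPLE_LOG = (
    [f'203.0.113.7 - - [10/Oct/2013:13:55:{30 + i:02d} +0000] "GET /author/{i} HTTP/1.1" 404 210' for i in range(2, 6)]
    + [f'203.0.113.7 - - [10/Oct/2013:13:56:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3120' for i in range(6)]
    + ['198.51.100.9 - - [10/Oct/2013:14:01:02 +0000] "GET /wp-content/themes/t/timthumb.php?src=x HTTP/1.1" 404 210',
       '192.0.2.5 - - [10/Oct/2013:14:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0']
)

if __name__ == '__main__':
    for ip, reasons in sorted(flag_hosts(SAMPLE_LOG).items()):
        print(ip, ', '.join(sorted(reasons)))
```

The flagged addresses are the ones a login-attempt limit, an author-enumeration block or a 404 lock-out (as offered by the security plugin discussed later in the article) would act on.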

How to secure your WordPress installation

The first thing you must do is ensure that you use secure passwords.

You make a hacker's life a lot more challenging if you only use strong passwords, meaning ones that mix capitals, numbers and symbols.

They should also never be a name, or anything directly related to your products or services.

Better WP Security

There is a plugin that I use on my WordPress website that will take care of a lot of security issues on your system.

That plugin is called Better WP Security.

Better WP Security lets you change specific features of WordPress to make it harder for hackers to break in.

For example you can:

  • Change the username from ‘Admin’ to something else
  • Change the user ID of your admin from 1 to something else
  • Lock access to the admin during certain time periods (like when you're normally asleep)
  • Ban users based on their IP addresses
  • Change the directory of your WordPress files from wp-content to something else
  • Automatically take backups of your database and email them to yourself
  • Change the prefix of your database tables from wp_ to something else
  • Change the URL you use to log in from wp-login to something else
  • Check the number of hits on 404 pages and lock the user out if they are excessive
  • Track any changes to your files
  • Limit the number of times you can attempt to log in with the wrong password
  • Enforce strong passwords

And quite a few more ‘tweaks’.

All of these are rather small changes, but together they go a long way towards keeping your website safe.

How to backup your database and files

WordPress Backup to Dropbox

The final thing you must do is take regular backups of your website.

Should the worst happen and someone breaks into your website, having a backup stored safely away will take a lot of the stress and time out of getting your site live again.

The plugin I recommend for this is WordPress Backup to Dropbox.

This will take a backup of your files and database and upload them to your Dropbox account for safekeeping.

I also suggest you use the backup-to-email option in Better WP Security to send your database backup to your email as well.

This is because the Backup to Dropbox plugin only keeps one version of your website. All of your content is stored in your database, so you need multiple versions from old to new; otherwise you could end up restoring a broken version of your website.

So what are you waiting for?

Go and change your passwords, add the plugins mentioned above and make it harder for your website to be broken into.

Believe me, the last thing you want is for your site to go down with no idea how it happened.

Has your website ever been hacked? How did you manage to fix it? Let me know in the comments below.

  • Great article Sam…I never thought of changing the ID of the admin to something other than 1, although as a matter of practice, I do 2 things to help guard against admin-related hack attempts: 1) don’t use “admin” as the username, 2) keep the primary admin username for myself and give the client another username with administrator access, this way there’s a backup admin should the client’s account get hacked (more likely than not).

    • Thank you Stephan. Using Admin as your username is definitely something to avoid!
      I also do the same with the administrator account. It also means that your client can have their own password (they don’t have to share) and you can access their WordPress quickly should anything go wrong!

      Another point I didn’t really mention (as it’s a little technical) is to remove the WordPress version from displaying in the Meta data. If there is a known security issue with an old WordPress version, the last thing you want to do is tell people that you have that version!
      As always, thanks for commenting 🙂

  • Rosemary Hall

    Great article Sam. It’s a scary thought that your website could get hacked. Backup is vital, if anything it gives you piece of mind.

    • Exactly! It’s normally a last resort to restore a backup, but at least you have something!
      Thanks for commenting Rosemary.
      – Sam

  • Thank you for sharing the WP Dropbox plugin for site backup. I was looking for such a plugin that stores all backups online after configuring it just one time.

    • No problem Mukesh, I’m glad you found it useful!
      – Sam

  • Marilyn Kinney

    Not sure if my last post made it or not. My problem is that somehow the pet adoption application on our animal welfare website is being filled out with nonsensical words and phrases; and it is being done by the hundreds! Neither I nor our webmaster has a clue how to stop this, and I’m wondering if the advice you gave above would apply to this particular problem. I’m totally clueless on how websites work. Please send suggestions about what we can do to stop this assault.
    Thank You,

    • Hi Marilyn, Great to see you here!

      It’s a little hard to say without knowing how your forms have been built but there are a couple of options

      1) If your forms are built with ‘Contact form 7’ or ‘Gravity forms’ then you can install the Akismet plugin, that will run spam checks on any submissions before they reach you.

      2) If you’re using a different form builder, or the forms are self made, you can add more versatile validation onto the forms – most spammers will just enter random text into every field, so having proper email validation and date validation will help.

      3) The final solution is to use a captcha field – this is one of those random letter generators that you occasionally see on forms, this isn’t the best solution as lots of people don’t like them, but it will cut down on your spam. – If you’re using a form builder, it might have captcha functionality built in.

      I hope that gives you something to work with, and let me know how you get on!

  • Mominul Sajiv

    I had to secure my WP site –
    I think it’s really helpful for me to secure my site now. Thanks for the article.

  • Kevin Ochineg

    This is so great, stay blessed always

    • Thanks Kevin! I appreciate your feedback 🙂
      – Sam

  • ThatKiddSkipp

    My brother has a political website that is hosted by IWW and an anti-political hacker group has taken the liberty of shutting down our web page. I don’t want to post the name of the website in the respect that there potentially will be a criminal investigation but considering these investigations take a lot of time and money, I would like to help him avoid this at all costs… Ultimately I want to help him secure his site and get it back up and running until he switches to a different host… I have confirmed that his password has been changed and it appears that his admin page is too easily accessed (which I will be changing shortly). If anyone can help me please let me know… his HTML code is screwed and I am waiting to see if he or the host has backed up this information for him. Thanks in advance…

    • Hi Skipp, this sounds like a nightmare!

      If you have a database backup, then the first steps are to delete the current database and revert back to the backup – then change your passwords. Do the same for the files.

      This should get your site back up and working again. If you don’t have a backup then hopefully your host will get back to you with some files – these might be very old so you may lose some data.

      If you don’t have any backups, and can’t get hold of any, then you need to gain access to your database. You should be able to do this through your hosting account. Within the database you can find the users tables and reset the passwords – you may need someone technical to do this (if you’re not).

      Once you have reset your passwords, you should be able to access the WP admin again. At this point it will be a matter of going through your files and cleaning them as much as possible – not a pleasant job.

      When you have finished, make sure you take further backups and your friend keeps a copy of the website somewhere they can access it (like on their local computer, or in Dropbox etc).

      I hope you manage to get the website back up and running again!
      – Sam

  • Stephanie

    Great article Sam… wondering though if the plugin called “Wordfence” does the same thing? I’m not overly techie and fear if I add this plugin also it would be redundant?