Are you worried about the security of your WordPress website?
Have you taken precautions to stop people hacking your website?
We all know that owning a website can be hard work; life becomes far more stressful if the website is broken into.
Not only would you have to figure out how they did it, but you would also have to repair all the damage!
This article will explain how you can take steps to stop a hacker from breaking into your website.
Why would people want to hack your website?
Hacking websites is a terrible thing that causes a lot of stress and inconvenience.
But that doesn’t mean people won’t do it.
There are a few reasons why people would hack a website:
- Links back to their website
- Links to another website (paid-for links)
- Hijacking your website's traffic
- Injecting content onto your website
- Gaining access to paid-for items
- Harvesting all registered users' email addresses
And of course, just for fun.
How hackers attempt to gain access
In most cases, the people trying to break into your website are not actually people at all; they are robots.
These bots are set up to trawl the internet for admin screens and try to log into them.
The most basic of these bots will go to your login screen, set the username to admin and try some of the most common passwords:
- your name
- company name
Some slightly more advanced robots add a couple of steps before they get to the login screen.
First they crawl the pages www.your-domain.com/author/1, /author/2 and so on up to /author/9.
If a page does not return a 404 error (page not found), then an author with that ID exists in the database.
They simply take that author's first name and try the same common passwords with the username set to it.
The final (common) method for gaining access to your admin is trying to access a file that is known to have issues.
An example of this was the TimThumb software. TimThumb is an image resizing tool. It allows you to crop images (like you can with your Facebook or LinkedIn profile images).
When TimThumb was originally launched, lots of people downloaded it as a plugin for their WordPress websites; however, that software contained a number of security holes.
Consequently, bots will now request these files (even on sites where they don't exist) to see whether they can change your website that way.
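The three bot behaviours described above all leave a recognisable trail in your web server's access log. As an added example (not code from the article or from any plugin it mentions), the Python script below reads access-log lines and flags, per client IP, the /author/N walk, repeated POSTs to wp-login.php, requests for old TimThumb file names, and the bursts of 404s that guessing at non-existent files produces. The log lines are constructed for the example, and the watch-list of file names and the thresholds are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict

# One "combined"-style access-log line: client IP, identity, user, [time],
# "METHOD path PROTOCOL", status, size. Referer/agent fields may follow.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Numeric author-archive URLs, /author/3 or /?author=3, which WordPress
# redirects to /author/<name>/ and so reveal the author's name.
AUTHOR_RE = re.compile(r'^/(?:author/(\d+)/?|\?author=(\d+))$')

# File names scanners request because old copies had known holes. TimThumb
# is the article's example; thumb.php is a name it is commonly deployed
# under. Constructed watch-list (an assumption); extend it for your site.
PROBED_FILES = {"timthumb.php", "thumb.php"}

# Constructed sample traffic (not from a real server):
#  203.0.113.7   walks /author/1..9, then hammers the login form
#  198.51.100.23 asks for TimThumb files this site never had
#  198.51.100.99 guesses file names and collects nothing but 404s
#  192.0.2.44    is an ordinary visitor who logs in once
BOT_LINES = (
    [f'203.0.113.7 - - [10/Oct/2013:10:00:{i:02d} +0000] '
     f'"GET /author/{i} HTTP/1.1" {301 if i <= 2 else 404} 0' for i in range(1, 10)]
    + [f'203.0.113.7 - - [10/Oct/2013:10:01:{i:02d} +0000] '
       f'"POST /wp-login.php HTTP/1.1" 200 3120' for i in range(6)]
)
PROBE_LINES = [
    '198.51.100.23 - - [10/Oct/2013:10:02:00 +0000] "GET /wp-content/themes/x/timthumb.php?src=1 HTTP/1.1" 404 196',
    '198.51.100.23 - - [10/Oct/2013:10:02:01 +0000] "GET /wp-content/plugins/y/thumb.php HTTP/1.1" 404 196',
]
SCANNER_LINES = [f'198.51.100.99 - - [10/Oct/2013:10:03:{i:02d} +0000] '
                 f'"GET /old-site-{i}.zip HTTP/1.1" 404 196' for i in range(12)]
VISITOR_LINES = [
    '192.0.2.44 - - [10/Oct/2013:10:04:00 +0000] "GET / HTTP/1.1" 200 8812',
    '192.0.2.44 - - [10/Oct/2013:10:04:05 +0000] "GET /author/alice/ HTTP/1.1" 200 5120',
    '192.0.2.44 - - [10/Oct/2013:10:04:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
SAMPLE_LINES = BOT_LINES + PROBE_LINES + SCANNER_LINES + VISITOR_LINES


def parse_line(line):
    """Return the fields we need as a dict, or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, login_threshold=5, notfound_threshold=10, author_threshold=3):
    """Summarise per-IP bot behaviour. Returns {ip: sorted finding names}.

    Thresholds are deliberate assumptions; tune them to your own traffic."""
    author_ids = defaultdict(set)   # ip -> numeric author IDs requested
    login_posts = defaultdict(int)  # ip -> POSTs to wp-login.php
    not_found = defaultdict(int)    # ip -> 404 responses
    probes = defaultdict(set)       # ip -> watch-listed file names requested

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        bare = path.split("?")[0]
        m = AUTHOR_RE.match(path)
        if m:
            author_ids[ip].add(m.group(1) or m.group(2))
        if rec["method"] == "POST" and bare.endswith("/wp-login.php"):
            login_posts[ip] += 1
        if rec["status"] == 404:
            not_found[ip] += 1
        if bare.rsplit("/", 1)[-1].lower() in PROBED_FILES:
            probes[ip].add(bare)

    findings = defaultdict(set)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].add("author_enumeration")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].add("login_bruteforce")
    for ip, n in not_found.items():
        if n >= notfound_threshold:
            findings[ip].add("excessive_404")
    for ip in probes:
        findings[ip].add("vulnerable_file_probe")
    return {ip: sorted(names) for ip, names in findings.items()}


if __name__ == "__main__":
    for ip, names in analyze(SAMPLE_LINES).items():
        print(ip, ", ".join(names))
```

Run against a real log with `analyze(open("/var/log/apache2/access.log"))`; the flagged IPs are the ones worth blocking at the firewall, and the 404 and login counters are the same signals the lockout features described in the next section act on.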
How to secure your WordPress installation
The first thing you must do is ensure that you use secure passwords.
You make a hacker's life a lot more challenging if you only use strong passwords, that is, ones with capitals, numbers and symbols.
They should also never be a name, or something directly related to your products or services.
Better WP Security
There is a plugin that I use on my WordPress website that will take care of a lot of security issues on your system.
That plugin is called Better WP Security.
Better WP Security allows you to change specific features of WordPress to make it harder for hackers to break in.
For example you can:
- Change the username from ‘Admin’ to something else
- Change the user ID of your admin from 1 to something else
- Lock access to the admin during certain time periods (like when you're normally asleep)
- Ban users based on their IP addresses
- Change the directory of your WordPress files from wp-content to something else
- Automatically take backups of your database and email them to yourself
- Change the prefix of your database from wp_ to something else
- Change the URL you use to login from wp-login to something else
- Count hits on 404 pages and lock out any user who generates an excessive number of them
- Track any changes to your files
- Limit the number of times a user can attempt to log in with the wrong password
- Enforce strong passwords
And quite a few more ‘tweaks’.
All of these are rather small changes, however they go a long way to keeping your website safe.
How to back up your database and files
The final thing you must do is take regular backups of your website.
Should the worst happen and someone break into your website, having a backup stored safely away will take a lot of the stress and time out of getting your site live again.
The plugin I recommend for this is WordPress Backup to Dropbox.
This will take a backup of your files and database and upload them to your Dropbox account for safe keeping.
I also suggest you use the backup-to-email option in Better WP Security to send your database backup to your email as well.
This is because the Backup to Dropbox plugin only keeps one version of your website stored away; all of your content lives in your database, so you need multiple versions, from old to new, otherwise you could end up restoring an already-broken version of your website.
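To make the point about keeping several dated versions concrete, here is an added example (not code from the article, from Better WP Security, or from the Backup to Dropbox plugin): a small Python script that packs the site files and a database dump into a dated archive, checks that the archive actually opens and contains the dump before you rely on it, and prunes the oldest archives so that a fixed number of versions remain. The `dump_database` helper assumes `mysqldump` is installed and that the database password is in a `WP_DB_PASSWORD` environment variable (a name chosen for this example); `demo()` exercises everything else on a constructed mini-site in a temporary directory.

```python
import os
import shutil
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path


def dump_database(out_path, db_name, db_user, host="localhost"):
    """Write a mysqldump of db_name to out_path.

    The password is taken from WP_DB_PASSWORD (assumed variable name) and
    handed to mysqldump via MYSQL_PWD so it never appears on the command
    line, where `ps` would show it. Not exercised by demo() below."""
    env = dict(os.environ, MYSQL_PWD=os.environ["WP_DB_PASSWORD"])
    with open(out_path, "wb") as out:
        subprocess.run(
            ["mysqldump", "-h", host, "-u", db_user, "--single-transaction", db_name],
            stdout=out, check=True, env=env,
        )


def create_backup(site_dir, backup_dir, sql_path=None, stamp=None):
    """Pack the site files (and the SQL dump, if given) into
    backup_dir/wp-<stamp>.tar.gz. The stamp sorts chronologically, so the
    archive names themselves order the versions from old to new."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"wp-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(os.fspath(site_dir), arcname="site")
        if sql_path:
            tar.add(os.fspath(sql_path), arcname="database.sql")
    return archive


def verify_backup(archive):
    """Return the member names if the archive opens cleanly and holds a
    database dump, else None. An archive nobody has ever opened is exactly
    the 'broken version' you do not want to discover during a restore."""
    try:
        with tarfile.open(str(archive), "r:gz") as tar:
            names = tar.getnames()
    except (tarfile.TarError, OSError):
        return None
    return names if "database.sql" in names else None


def prune_backups(backup_dir, keep=7):
    """Delete the oldest archives so at most `keep` remain; return the removed paths."""
    archives = sorted(Path(backup_dir).glob("wp-*.tar.gz"))
    removed = archives[: max(0, len(archives) - keep)]
    for path in removed:
        path.unlink()
    return removed


def demo():
    """Make three dated backups of a constructed mini-site, keep the newest two."""
    root = Path(tempfile.mkdtemp())
    try:
        site = root / "site"
        site.mkdir()
        (site / "index.php").write_text("<?php // constructed placeholder\n")
        sql = root / "dump.sql"
        sql.write_text("-- constructed dump, not a real database\n")
        stamps = ["20131001-020000", "20131002-020000", "20131003-020000"]
        archives = [create_backup(site, root / "backups", sql, s) for s in stamps]
        verified = [verify_backup(a) is not None for a in archives]
        removed = prune_backups(root / "backups", keep=2)
        remaining = sorted(p.name for p in (root / "backups").glob("wp-*.tar.gz"))
        return {
            "verified": verified,
            "removed": [p.name for p in removed],
            "remaining": remaining,
            "members": sorted(verify_backup(archives[-1])),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

In real use you would call `dump_database` first, then `create_backup` with the dump, `verify_backup` on the result, and `prune_backups` with whatever retention you can afford; run it from cron and copy the `backups` directory somewhere off the server, since a backup that lives next to the site is lost with it.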
So what are you waiting for?
Go and change your passwords, add the plugins mentioned above and make it harder for your website to be broken into.
Believe me, the last thing you want is for your site to go down with no idea how it happened.
Has your website ever been hacked? How did you manage to fix it? Let me know in the comments below.