Wordpress site security should be number one priority if you're running or hosting wordpress sites. Recently there has been an overwhelming amount of reports to large hosting companies like HostGator, LiquidWeb and InMotion that wordpress site security is a large target right now for hackers. We've come up with some tried and true methods of securing your wordpress site to avoid being hacked. While these methods won't guarantee anything they will certainly reduce the risk of possibilities.
What hackers are doing is creating what are called botnets. When a hacker gains access to a system they infect it with an application that allows them full access to the system. These botnets can be comprised of 90,000+ systems and hackers use these botnets to attack other systems, such as your wordpress site, by using what is called a "brute force attack". A brute force attack is where hackers run a program on your site that tries to login, over and over, with hundreds of thousands of login and password combinations starting with the most common combinations first. Since the botnets come from so many different systems, it's impossible to block them completely but what you can do is tighten up security and make it more difficult for them to gain access.
1. Start using Sucuri to monitor your site
Sucuri is one of the best services you can possibly have to keep your wordpress site security in check. Sucuri monitors your site on a constant basis for malware and hack attempts. Once identified Sucuri automatically removes the malware and resolves the situation along with contacting you to let you know about the attack. It's a great service and highly recommended for keeping your site secure 24/7.
2. Limit access to the admin login by IP address
There is no reason anyone site admins should be accessing the admin login page so why not limit who can see it by IP address? You can do this a couple different ways. One is to limit access by entering the following PHP code into wp-login.php:
<?php if($_SERVER['REMOTE_ADDR'] != '220.127.116.11') header('location: http://www.yoursite.com/blog'); ?>
This will redirect anyone who's IP address is not 18.104.22.168 back to the blog homepage. This may not be an option for sites who actually allow users to login to the blog to comment so another option is to add a redirect to /wp-admin/.htaccess to deny access to /wp-admin if the IP address doesn't match and you can do that with the following lines:
deny from all
allow from 22.214.171.124
allow from xx.xx.xx.xx #A second IP allowed access
3. Change the "admin" username to something else
Using a common or default username like admin, administrator, root etc... is like giving hackers 50% of what they need to access your site. Change your administrative usernames to something a bit less common. This goes for all sites, not just wordpress.
4. Use a strong password
Since hackers try to brute force access to your wordpress site, make sure you're using a strong password. Strong passwords always contain a capital letter, a symbol, a punctuation mark and at least 8 characters. Another good practice is to never use the same password twice. Use a browser plugin like 1password or LastPass to secure all your passwords so you won't have to remember all of them.
5. Keep regular incremental backups
Keeping backups is one of the most important tasks you can do to secure your site from permanent loss. It does take extra time to setup but you should have an automated incremental backup system in place that automatically backs up your site on a daily basis and uploads it to another server somewhere else in the world. Incremental means each backup only holds the differences on the site since the last backup, this keeps your backups small and easy to manage.
6. Contact Us If You Need Help
We're happy to help with your wordpress site security no matter what platform it's on. Contact us below and let's get secure!