I think it’s safe to say that most bloggers don’t think a lot about WordPress security. I certainly didn’t until I noticed that someone was trying to access my login page. Since then, I’ve learned a lot about keeping a self-hosted site secure and I’m going to share with you a few simple tips to keep your site protected from hackers.
1. Change the default username
When you install WordPress, you will automatically have the username ‘admin’. This is the first name hackers will try when attempting to access your site, another one being the name of your blog. It’s easy to change it from your dashboard by going to Users/All Users.
While you are in the ‘Users’ area, you should also delete any extra user accounts, or change the role of the ones you want to keep to Subscriber.
2. Update WordPress and plugins
Anytime there is an update to WordPress or any of your plugins you will get a warning. That little orange dot in the left corner is very annoying so I update every time I see one. And yet there are so many people that just leave them there to pile up.
These updates are very important because not only do they introduce new features, but they also fix issues. Some of these issues might not be important, but others are big security vulnerabilities. By not updating, you are leaving the door open for hackers and they might make changes to your site or even steal it.
3. Use strong passwords
You should use a strong password for every account you have, not just your blog, and a different password for each one.
What does a strong password mean? Well, there are different opinions on this, but it should have at least 10 characters, and you should use a combination of letters, numbers, and symbols. There are 2 types of passwords that are considered safe:
- random letters, numbers, and symbols
- a long sentence that doesn’t have to make sense
4. Limit login attempts
You can limit the number of times someone can try to log into your site by using the Limit Login Attempts plugin. This is the best protection against brute force attacks.
Brute forcing is when a bot or a person tries to access your site by guessing your username and password. Even if you don’t have the default username and your password is strong, these attacks might slow down your site. This plugin temporarily blocks them after a certain number of attempts. You can adjust the number from Settings/Limit Login Attempts, and you can also see the IP of those who tried to access your site and the number of attempts.
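To see what this kind of lockout does with real traffic, the added example below (not part of the Limit Login Attempts plugin, and not code from this post) replays web server access-log lines and reports, per IP, how many failed logins it made and when it would have been locked out. The function name `replay_lockouts`, the thresholds, and the sample log lines are assumptions made for illustration; it also assumes a failed WordPress login appears as a POST to `/wp-login.php` answered with status 200.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (combined format, documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
192.0.2.5 - - [12/Mar/2024:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 2890
203.0.113.7 - - [12/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [12/Mar/2024:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def replay_lockouts(log_text, max_attempts=4,
                    window=timedelta(minutes=5), lockout=timedelta(minutes=20)):
    """Replay a log; per IP, count failed logins, blocked requests and lockouts."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed logins
    locked_until = {}             # ip -> time the current lockout ends
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        # Assumption: a failed login is a POST to /wp-login.php answered with 200
        # (the form is shown again); a successful login is redirected with 302.
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != "200":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        entry = report.setdefault(ip, {"attempts": 0, "blocked": 0, "lockouts": []})
        if ip in locked_until and when < locked_until[ip]:
            entry["blocked"] += 1     # request arrived while the IP was locked out
            continue
        entry["attempts"] += 1
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # forget attempts older than the window
            q.popleft()
        if len(q) >= max_attempts:    # threshold reached: start a lockout
            locked_until[ip] = when + lockout
            entry["lockouts"].append(when)
            q.clear()
    return report
```

Calling `replay_lockouts(SAMPLE_LOG)` returns one entry per IP that had at least one failed login; requests that only load the login page (GET) and successful logins are not counted.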
5. Back up your blog
This doesn’t prevent hacking, but you will be able to recover your files. There are many plugins that do this automatically. The only thing you have to worry about is updating your plugins. I’m using UpdraftPlus to save everything to Dropbox. It can back up your files to many places, including Drive, FTP, or email. There are many other plugins available like BackWPup or BackUpWordPress.
If you are more tech savvy and want some advanced security tips, you can read more in the WordPress Codex.