According to Forbes, up to 30,000 websites are hacked every day. If you rely on your website as a source of income, then having your site hacked can affect your livelihood, your clients and your business. There are various reasons people hack sites: monetary gain, stealing information, plain maliciousness, inserting links that redirect your readers and customers to another site, or installing malicious software on your readers’ machines so the hacker can launch an attack from thousands of compromised machines at once. Sometimes you don’t even realize your site has been hacked because there are no visible signs.
How to protect your website
I’ll concentrate on WordPress because that is the most popular platform used, but a lot of these tips can be applied to any website.
- Change the default username – When you initially install WordPress the default username is “Admin”. Hackers know this and will attempt what is called a brute force attack to guess the password. During the installation of WordPress, or right after it is installed, change the username to something else. I usually make it something that isn’t obvious, like JimMgr99#. Someone trying to hack into your site needs both the username and the password, so I suggest making both difficult to guess. Use upper and lower case, symbols, spaces and repeating characters, and make it long: at least 16 characters. Don’t use any words you might find in a dictionary. Here is an example of a password that I might use: ZOUt6oAroe-#9aQ5. You can see how the password would be very difficult to guess. Here is a free random password generator that you can use to generate secure passwords.
I use the same types of passwords for my personal logins for any site I use, not just WordPress. Those same hackers are also trying to hack into your bank account and online shopping accounts, so make it as difficult as possible.
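As an added example (not code from the article), here is a Python script that generates a password along the lines described above and checks a candidate against the same rules: at least 16 characters, upper and lower case, digits, symbols, and no dictionary words. The generator draws from the operating system's cryptographic random source via the secrets module; the short wordlist is constructed for the example and stands in for a real dictionary file.

```python
import secrets
import string

# Constructed wordlist standing in for a dictionary; a real check would load
# a full dictionary file (assumed format: one lowercase word per line).
COMMON_WORDS = {"password", "welcome", "admin", "wordpress", "letmein", "qwerty"}

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
ALL_CHARS = UPPER + LOWER + DIGITS + SYMBOLS


def generate_password(length: int = 16) -> str:
    """Return a random password with at least one upper, lower, digit and symbol.

    secrets.choice uses the OS CSPRNG; the random module is not suitable here.
    """
    if length < 16:
        raise ValueError("use at least 16 characters")
    # Guarantee one character from each class, then fill the rest from the full set.
    chars = [
        secrets.choice(UPPER),
        secrets.choice(LOWER),
        secrets.choice(DIGITS),
        secrets.choice(SYMBOLS),
    ]
    chars += [secrets.choice(ALL_CHARS) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with the CSPRNG so the guaranteed characters do not
    # always sit at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def password_problems(pw: str, min_length: int = 16) -> list:
    """Return the reasons a password fails the rules above (empty list = OK)."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c in UPPER for c in pw):
        problems.append("no upper-case letter")
    if not any(c in LOWER for c in pw):
        problems.append("no lower-case letter")
    if not any(c in DIGITS for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    # Reject passwords built around a dictionary word, ignoring case and the
    # usual digit/symbol substitutions such as 'p4ssw0rd'.
    normalised = pw.lower().translate(str.maketrans("4301$", "aeois"))
    for word in sorted(COMMON_WORDS):
        if word in normalised:
            problems.append(f"contains dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    candidate = generate_password(20)
    print(candidate, password_problems(candidate))
```

The substitution table in password_problems is deliberately small; the point is that a checker should normalise before looking for words, because a password like P4ssw0rd! passes naive length and character-class tests while being trivially guessable.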
- Install one of the security plugins – There are some great free WordPress security plugins available. The plugins we’ve used are Wordfence, iThemes Security and Sucuri Security. They all work well and do a good job of protecting your site. These plugins all have subscription options available, but most of the time you can get away with using the free version.
- Use 2-Factor Authentication (2FA or TFA) – Many financial, shopping and other websites offer the ability to use TFA to secure your account. This involves receiving a code by text, email or phone call, or using an authentication application like Google Authenticator or Authy. It’s also possible to set up TFA for the admin login to your WordPress site using plugins such as Wordfence or many others.
- Keep your WordPress site and plugins up to date – Many hackers exploit “holes” in software so the developers of WordPress and most plugins are always updating their code. Updates to WordPress always include security fixes. It is important that you keep your site current. Check for updates at least once a week.
- Back up your website – It’s inevitable that your site will have an issue at some point and it is possible that the only way to get your site working again will be to restore from a backup. There are many ways to do a backup which include manually backing up the database and WordPress files, having the host do a periodic backup, or installing a backup plugin. Also, don’t keep the backups on the same server as your website. I’ve seen instances where a hacker wiped out all the files or the hosting company had a server issue and lost all the files. Keep a copy on Dropbox or on your local computer. Better yet, keep multiple copies on different sources.
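The following is an added Python example (not the article's own script) of the manual backup route described above: it packs the WordPress files together with a database dump into a timestamped archive, records a SHA-256 checksum beside it, copies the pair to a second location and verifies the copy, and prunes old archives. It assumes the database dump already exists as a file (for instance produced with mysqldump beforehand); the code itself never connects to the database. Directory names in the demo are placeholders.

```python
import hashlib
import shutil
import tarfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def checksum_file(archive: Path) -> Path:
    """Checksum sits next to the archive as <archive>.sha256."""
    return archive.parent / (archive.name + ".sha256")


def backup_site(site_dir: Path, db_dump: Path, dest_dir: Path, stamp=None) -> Path:
    """Archive the WordPress directory plus an existing SQL dump into dest_dir.

    db_dump is a file produced beforehand (assumed: mysqldump output). Returns
    the archive path; a .sha256 file is written alongside for later checks."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    archive = dest_dir / f"wp-backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="wordpress")
        tar.add(db_dump, arcname="database.sql")
    checksum_file(archive).write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive: Path) -> bool:
    """True if the archive matches its recorded checksum and holds both parts."""
    recorded = checksum_file(archive).read_text().split()[0]
    if recorded != sha256_of(archive):
        return False
    with tarfile.open(archive, "r:gz") as tar:
        names = tar.getnames()
    return "database.sql" in names and any(n.startswith("wordpress/") for n in names)


def copy_offsite(archive: Path, offsite_dir: Path) -> Path:
    """Copy archive and checksum elsewhere (a mounted sync folder, another
    host) and confirm the copy is intact before trusting it."""
    offsite_dir.mkdir(parents=True, exist_ok=True)
    for src in (archive, checksum_file(archive)):
        shutil.copy2(src, offsite_dir / src.name)
    copied = offsite_dir / archive.name
    if not verify_backup(copied):
        raise IOError("offsite copy failed verification")
    return copied


def prune_old_backups(dest_dir: Path, keep: int = 5) -> list:
    """Delete all but the newest `keep` archives; names sort by timestamp."""
    archives = sorted(dest_dir.glob("wp-backup-*.tar.gz"))
    removed = []
    for old in archives[:-keep] if keep > 0 else archives:
        checksum_file(old).unlink(missing_ok=True)
        old.unlink()
        removed.append(old.name)
    return removed


if __name__ == "__main__":
    # Placeholder paths; adjust to your hosting layout.
    archive = backup_site(Path("/var/www/html"), Path("/tmp/site.sql"), Path("/var/backups/wp"))
    copy_offsite(archive, Path("/mnt/offsite/wp"))
    print("verified:", verify_backup(archive), "pruned:", prune_old_backups(Path("/var/backups/wp")))
```

The checksum step is what turns "I have a backup" into "I have a backup I can restore": a silently truncated or corrupted archive on the offsite copy is caught at copy time rather than on the day you need it.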
- Block access to the WordPress admin login by IP address – Only allow your own IP address to reach the WordPress backend; anyone trying to access WordPress admin functions from another IP will get a message that the page is forbidden. This requires creating an .htaccess file in the /wp-admin folder where your WordPress files are hosted and adding the following:
# Block wp-admin access
order deny,allow
# Replace x.x.x.x with your own IP address
allow from x.x.x.x
deny from all
You can find your IP address by typing “What is my IP Address” in a Google search.
Most ISPs will change your IP address occasionally, so if this happens you will be blocked from logging in. You will need to change the .htaccess file or delete it to gain access.
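As an added example (not from the article), here is a small Python helper that writes the wp-admin .htaccess rules above for one or more addresses and models the decision Apache makes for a given client. It goes a little beyond the article: each address is validated with the ipaddress module so a typo cannot produce a rule that locks everyone out (or, worse, matches nobody and lets everyone in), CIDR ranges are accepted as well as single hosts, and the Apache 2.4 form (Require ip) is offered alongside the 2.2 syntax the article uses. The sample addresses are documentation ranges, not real hosts.

```python
import ipaddress


def _fmt(net) -> str:
    """Single hosts print without a /32 or /128 suffix, ranges keep their prefix."""
    return str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen


def build_wp_admin_htaccess(allowed: list, apache24: bool = False) -> str:
    """Return .htaccess text restricting wp-admin to the given IPs/CIDR ranges.

    Raises ValueError on a malformed address instead of writing a broken rule."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    if not nets:
        raise ValueError("at least one allowed address is required")
    lines = ["# Block wp-admin access"]
    if apache24:
        # Apache 2.4 (mod_authz_core): a single Require ip line lists all sources.
        lines.append("Require ip " + " ".join(_fmt(n) for n in nets))
    else:
        # Apache 2.2 syntax as in the article: with 'order deny,allow' the deny
        # rules are evaluated first and a matching allow overrides them, so the
        # listed addresses get through and 'deny from all' catches the rest.
        lines.append("order deny,allow")
        lines += [f"allow from {_fmt(n)}" for n in nets]
        lines.append("deny from all")
    return "\n".join(lines) + "\n"


def client_allowed(client_ip: str, allowed: list) -> bool:
    """Model the outcome of the rules above for a request from client_ip."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in allowed)


if __name__ == "__main__":
    # Constructed sample: one home address plus a documentation range.
    print(build_wp_admin_htaccess(["203.0.113.5", "198.51.100.0/24"]))
    print(build_wp_admin_htaccess(["203.0.113.5"], apache24=True))
```

Writing the file from a script rather than by hand makes the "my ISP changed my address" case a one-line rerun instead of a blind edit over FTP, and allowing your ISP's whole range instead of a single address is the usual trade-off when that happens often.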
This is a short list of what I think are essential tasks to make your site more secure. There are many things you can do to lock down your site, but these will get you started and make your site fairly safe from hackers.