There’s nothing worse than waking up to find your WordPress site hacked. Well, maybe there are much worse things in life, but when it comes to managing a website, that’s about as bad as it gets. While there are ways to reclaim your hacked website, in this article I want to focus on how to prevent it from happening in the first place.
You may be surprised to find that anyone would want to hack your website. After all, it’s not like you’re the NSA or the Russian mafia (umm… are you?). Why would anyone want to break into your little ol’ blog and do damage? The answer is that a hack attempt goes deeper than your site. Hackers don’t necessarily want to shut down your blog; they’re after a much bigger fish: your server. If they can gain access to your server, they may be able to get into other servers and wreak havoc on a massive scale.
So what can you do to prevent the evildoers from getting in? Plenty.
Update, Update, Update
First and foremost, keeping your site updated is the easiest and least intensive thing you can do to keep out the hackers. Just like your smartphone or your computer, your WordPress site needs regular updating. In a WordPress website, there are three main areas that need to be updated:
- WordPress core (the software itself)
- Plugins
- Themes
As a plugin or theme gets older, the code can become deprecated, which means that it’s not used anymore. Hackers can exploit outdated code and worm their way in behind the scenes — without even logging in to your site.
Updates are easy to do, and you won’t even have to guess. WordPress will tell you what needs to be updated right in your admin dashboard. There will be a red circle next to Updates to notify you.
Click Updates and you’ll be whisked away to the Updates screen. Updating is as simple as clicking a button. Like magic, you’re updated. You also have the option of setting automatic updates for plugins, and some web hosts will update WordPress core for you.
Use a Security Plugin
For an even stronger level of protection, you can install a free security plugin to prevent hackers from logging in to your site. I recommend Wordfence. I use it on all of my sites, because it’s reliable and they offer a free version. You can find it in your WordPress admin by going to Plugins → Add New and searching for Wordfence. The plugin even allows you to set up two-factor authentication (2FA) for your users.
Back it up!
I can’t stress this enough. I have collected many horror stories — and rebuilt a few websites — where someone got hacked, but they didn’t have a backup. If your site is backed up and — Dolly Parton forbid — you get hacked, you’ll be able to restore your site in a jiffy. My go-to backup plugin is UpdraftPlus. This plugin is also free, and easy to set up. You can schedule automatic backups to go through email, or back up to your Google Drive, Dropbox, and more.
Your web host may also have a backup feature. Check with them to see how you can turn it on.
Usernames and Passwords
Do I really have to say it? You should shed your comfy “abc123” and “password” passwords right now. Sure, they’re convenient for you, but that means they’re also convenient for hackers. If you’re not using a password manager like 1Password, you really should. It will even generate random passwords for you that are hard for even bots to guess.
As for usernames, the first thing you should do with your WordPress site is create a new user that’s different from “Admin.” It’s literally the first thing hackers try to use to access your site.
You can use your name, but make sure you add something a little different to it. For example, if your site is called Heather’s Farm Sanctuary, guess what a hacker will try first? Yup. “heather.” Try something like heather_1985 or just something a little different. It helps.
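The username advice above as a check you can run over your own user list (an added example, not part of the original article): it flags logins that are a common default or can be read straight off the site title or domain. The DEFAULT_LOGINS list, the function names and the sample logins are assumptions made for this example.

```python
import re

# Logins tried first on any WordPress site. Constructed list for this example;
# "admin" is the one the article names.
DEFAULT_LOGINS = {"admin", "administrator", "root", "test", "user", "wordpress"}


def guessable_names(site_title, domain=""):
    """Build the set of names anyone can derive from public site details."""
    title = site_title.lower()
    names = set()
    # Words of the title, minus a possessive ending: "heather’s" -> "heather".
    for word in re.findall(r"[^\W_]+(?:['’]s)?", title):
        word = re.sub(r"['’]s$", "", word)
        if len(word) >= 3:
            names.add(word)
    # The whole title squashed together, e.g. "heathersfarmsanctuary".
    names.add(re.sub(r"[\W_]+", "", re.sub(r"['’]", "", title)))
    # The first label of the domain, ignoring a leading "www.".
    if domain:
        names.add(re.sub(r"^www\.", "", domain.lower()).split(".")[0])
    names.discard("")
    return names


def audit_logins(logins, site_title, domain=""):
    """Return {login: reason} for every login that is easy to guess."""
    derived = guessable_names(site_title, domain)
    findings = {}
    for login in logins:
        key = login.strip().lower()
        if key in DEFAULT_LOGINS:
            findings[login] = "default login"
        elif key in derived:
            findings[login] = "matches site name"
    return findings


if __name__ == "__main__":
    # Constructed sample: logins copied from the Users screen of a test site.
    sample = ["Admin", "heather", "heather_1985", "farm", "editor_kim"]
    report = audit_logins(sample, "Heather’s Farm Sanctuary", "heathersfarm.example")
    for login, reason in report.items():
        print(f"{login}: {reason}")
```

Any login it reports should be replaced with a new administrator account under a less obvious name, after which the old account can be deleted.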
Don’t Let Your WordPress Site Get Hacked
Nothing is guaranteed. If a hacker wants in, they’ll find a way. But taking these prevention steps makes the possibility of getting hacked extremely remote.