Just last month, hackers gained access to 90,000 WordPress accounts. At first, users assumed they had actually infiltrated the servers themselves—a devastating scenario for a server as huge as WordPress. However, as the botnet attack began to die down and new information came to light, it became clear that these were Brute Force Attacks that preyed on the weaknesses of users—not WordPress. Read on to find out how you can take some simple steps to prevent yourself from becoming the next botnet victim.
1. Your password needs character
Your password should be as strong as your content. Seriously, it needs to be ironclad. It may seem obvious that 21st-century logic is to make all of your passwords as tough as nails, but tell that to the thousands of hacked users—most of whom had matching usernames and passwords. And while it might seem easy to have a couple of variations of the same password for all of your accounts, hackers are smarter than that (here’s a list of all the passwords they figured out). Besides, variety is the spice of life.
WordPress has your back: Like most sites, WordPress has that little password strength barometer to let you know you’ve crafted something secure. Here’s a fun game: Once you’ve got the “strong” rating on your password, delete it and come up with something even harder.
2. Be yourself
Never use the default admin as your username—it’s exactly what the hackers are expecting. Once someone knows your username, they’re halfway to discovering your full login, so don’t make it easier for them. If you currently use admin as your username:
- Create a new and unique account name with administrator privileges.
- Log out, then log in with your new uniquely named account.
- Delete the admin account.
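The checks from tips 1 and 2 as one small password-and-username gate, written as an added example (not code from the post or from WordPress itself). The reserved-name and common-password lists are constructed samples, not real breach data.

```python
import re
from typing import List

# Constructed sample of passwords that appear on every cracking wordlist.
COMMON_PASSWORDS = {"password", "123456", "admin", "qwerty", "letmein", "wordpress"}

# Default or guessable login names; "admin" is the one the botnet counted on.
RESERVED_USERNAMES = {"admin", "administrator", "root", "test"}


def check_credentials(username: str, password: str) -> List[str]:
    """Return the list of problems with a WordPress username/password pair.

    An empty list means the pair passes every check: no default login name,
    no password equal to (or containing) the username, nothing from the
    common-password list, and enough length and character variety.
    """
    issues = []
    u = username.strip().lower()
    p = password

    if u in RESERVED_USERNAMES:
        issues.append("username is a default/guessable login name")
    if p.lower() == u:
        issues.append("password matches the username")
    elif u and u in p.lower():
        # Catches the usual variations such as 'admin1' or 'Admin!'.
        issues.append("password contains the username")
    if p.lower() in COMMON_PASSWORDS:
        issues.append("password is on a common-password list")
    if len(p) < 12:
        issues.append("password shorter than 12 characters")
    classes = sum(bool(re.search(pat, p)) for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        issues.append("password uses fewer than 3 character classes")
    return issues
```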
WordPress has your back: This can all be taken care of—and is encouraged—during the initial setup phase.
3. Keep it fresh
That is, update as often as you can. Most of the time, those annoying updates from WordPress are actually bug fixes—the kind that could mean the difference between your subscribers hearing about your delicious bacon pizza or how a Nigerian prince made you rich beyond your wildest dreams by clicking here.
WordPress has your back: Update everything. The handy WordPress interface allows you to monitor your plugins, themes, and software to ensure it’s all up to snuff. You just have to check in on it.
4. Know your roots
wp-config.php is a file stored by default in the WordPress web root and contains some pretty sensitive information—including your database username and password. The best way to keep this file out of unwanted hands is to move it out of the web-accessible directory and into the one above it.
If your file is located here:
Then you need to move it here:
This moves it one directory above the WordPress root directory, where WordPress still finds it automatically but the web server no longer serves it, so a direct request for this very sensitive file gets nothing.
WordPress has your back: This can all be done in WordPress, no plugins needed.
5. Themes that scheme
Free themes can contain harmful embedded code that puts out a beacon for intruders. Do some research on the sources of your flashy themes before throwing them on the WordPress server, because they can contain some malicious stuff. Also be wary of any website broadcasting free themes. Free is never free—that’s just how it goes in the World Wild West.
WordPress has your back: Use the WordPress TAC (Theme Authenticity Checker) plugin on any questionable themes, and it’ll sniff out those nasty embeds. If a bright pink “alert” message comes up, that’s when you emphatically press a single finger to the keyboard and erase it forever.
6. Plugins prevent muggin’s
As you probably know, navigating the world of plugins isn’t as intuitive as creating a post—but it’s not rocket science, either. Taking the time to learn how the important security plugins work with WordPress is worth it if you really want to secure your account. Start with Better WP Security, a great free plugin that builds a wall around your password, hides vulnerable areas of your site, and generally keeps you SSL-fortified. Learn exactly how to install it by watching this video.
WordPress has your back: Play it safe, and only download your plugins from WordPress.org—like the Limit Login Attempts plugin that locks out multiple failed login attempts.
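The lockout rule a login limiter applies, run over a few constructed Apache access-log lines, as an added example (not code from the post or from the Limit Login Attempts plugin). It assumes a failed wp-login.php POST returns HTTP 200 (WordPress re-renders the form) and a successful one returns a 302 redirect; the addresses and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (Apache combined format) for POSTs to
# wp-login.php. A failed login re-renders the form with HTTP 200; a success
# redirects with 302, so the status code is used as the failure signal.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3981
203.0.113.7 - - [12/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3981
203.0.113.7 - - [12/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3981
203.0.113.7 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3981
198.51.100.20 - - [12/Apr/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3981
203.0.113.7 - - [12/Apr/2013:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3981
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "POST /wp-login\.php[^"]*" (?P<status>\d{3})'
)


def parse_failures(log_text):
    """Yield (timestamp, ip) for every failed wp-login.php POST in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("status") == "200":
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group("ip")


def find_lockouts(log_text, max_attempts=4, window=timedelta(minutes=20)):
    """Return {ip: time_of_lockout} for addresses that reach max_attempts
    failures inside a sliding window, which is the rule a login limiter applies.
    """
    recent = defaultdict(deque)
    lockouts = {}
    for ts, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # forget attempts older than the window
            q.popleft()
        if len(q) >= max_attempts and ip not in lockouts:
            lockouts[ip] = ts
    return lockouts
```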
7. Make the most of your Yoast
Yoast is a reliable plugin that optimizes your site’s SEO (among many other handy tools). With millions of downloads, a Sucuri-safe certification, and the most comprehensive SEO options available, this is a great tool for both optimization and security. Just be sure to go through each tab thoroughly to find the right balance.
Hint: While it might sound counter-intuitive, uncheck the “Disable the Advanced part of the WordPress SEO meta box” under the General settings tab. This enables the noindex, canonical, and 301 settings per post, making it harder for hackers to go through your history.
WordPress has your back: The founder of Yoast is actually a former WordPress developer. That’s a pretty reliable source—not just for the security of this plugin, but for functionality, too.
Was your account one of the 90,000 that got hacked? Share your story in the comments or tell us some other tips you’ve found for preventing attacks.