Five minutes to a more secure WordPress site
There are many great plugins and guides to improve your WordPress site’s security, but if you don’t have the time to dig into those, there are a few things you can do in just a few minutes that will help.
Keep WordPress and plugins up-to-date
If you’re using managed WordPress hosting or a good backup solution, this is trivial in most cases. If you’re not, it may take longer than five minutes to remedy, but it’s certainly worth it (because right now, you’re pretty much issuing a written invitation to hackers).
Would you rather pay a little money and have someone handle this all for you? There are folks who do that!
You are the weakest link
The easiest way for a hacker to get into an up-to-date WordPress site is to (automatically) try a bajillion combinations of usernames and passwords to try and guess yours.
If your username is “admin” (the default), you’ve just made it way easier to guess.
Similarly, if you use a password with your name in it, a sequence of predictable numbers (123456, anyone?!), or a word that’s in the dictionary (even if you cleverly replace the “i”s with “1”s and the “e”s with “3”s!), you’re prime pickings.
Fortunately, the solution is easy: don’t use “admin” for your username, and do use a strong password. (I highly recommend LastPass for both generating good passwords and helping you remember them!)
If you have other people who log in to your site (whether they’re contributors or tech folks), install the Enforce Strong Password plugin (so even if they change the password you give them, they’ll still be using something sturdy). And definitely give them their own logins and don’t just hand out your personal password willy-nilly.
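The weak patterns described above (the default "admin" username, a name inside the password, a predictable sequence, a dictionary word with look-alike swaps) can be checked mechanically. The Python below is an added example, not code from this post or from any plugin it names; the word list, the sample logins and the function names are constructed for illustration.

```python
import re

# Constructed sample list; a real check would load a full dictionary
# or a list of known-breached passwords.
SAMPLE_WORDS = ("password", "welcome", "sunshine", "dragon", "security")

# Reverse the look-alike swaps the post mentions (1 for i, 3 for e) and a
# few other common ones, so "s3cur1ty" is judged as "security".
UNLEET = str.maketrans("130457@$!", "ieoastasi")


def has_predictable_run(text, min_run=4):
    """True for runs like 1234, 4321, abcd or aaaa."""
    up = down = same = 1
    for a, b in zip(text, text[1:]):
        step = ord(b) - ord(a)
        up = up + 1 if step == 1 else 1
        down = down + 1 if step == -1 else 1
        same = same + 1 if step == 0 else 1
        if max(up, down, same) >= min_run:
            return True
    return False


def audit_login(username, password, names=(), words=SAMPLE_WORDS):
    """Return the weaknesses found (empty list: none of these apply)."""
    problems = []
    if username.lower() == "admin":
        problems.append("username is the default 'admin'")
    lowered = password.lower()
    plain = lowered.translate(UNLEET)          # look-alikes undone
    letters = re.sub(r"[^a-z]", "", plain)     # digits and symbols dropped
    # Check the username and any personal names once each, case-insensitively.
    for n in dict.fromkeys(x.lower() for x in (username, *names)):
        if len(n) >= 3 and (n in lowered or n in plain):
            problems.append(f"password contains the name '{n}'")
    if has_predictable_run(lowered):
        problems.append("password contains a predictable sequence")
    for word in words:
        if word in letters:
            problems.append(f"password is built on the word '{word}'")
    return problems


if __name__ == "__main__":
    for user, pw in [("admin", "123456"), ("jane", "S3cur1ty!"),
                     ("jane", "J4n3-2019"), ("jane", "vR7#qLw9!Tzp2Xk")]:
        print(user, pw, audit_login(user, pw, names=("Jane", "Doe")))
```

An empty result only means none of these specific patterns were found; it does not measure how hard the password is to guess.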
Don’t hang around for hackers
The last simple step is to install the Limit Login Attempts plugin. This helps prevent hackers from even trying those bajillion combinations of login information (though it’s not a substitute for having a decent username and good password!). Once they try to log in a handful of times (and fail), it locks them out from trying again.
The specifics depend on your site, but if you want to lock your site down further, you have options. Here are some I’ve recommended to other site owners:
- Clef plugin
- Wordfence Security plugin
- iThemes Security plugin
- Sucuri monitoring and un-hacking service (especially if you’ve already been hacked!)
- Sucuri Web Application Firewall service