Personally, I don’t think it’s possible to be completely hacker-proof, but with some simple steps, you can make your WordPress website or blog much less of a target and hopefully, the wily hacker will go somewhere else to easier targets.

If you use WordPress for your blog or your entire website, please read on.

I have several clients that we’ve built a website for them on self-hosted WordPress (not the hosted version). I love WordPress. It’s easy to set up, easy to modify, and unfortunately, easy to hack. I read somewhere that 57% of the websites in the world are built on WordPress. Because the core of WordPress is vulnerable, hackers like to try to break into them, and often succeed. One client got hacked (before I knew them) and if someone searched the company name in Google, clicking the link from Google (only) sent them off to Russian porn sites. Otherwise the site functioned normally. Yikes.

I had two WordPress sites that got “brute force” attacked a few weeks ago. That means that the hackers unleashed a torrent of computers to beat on the front door of the site. The goal was either to crack the admin user id and/or take the site down. If they were able to crack the admin user id, they can take over the site, install malware, deface the site, or a host of other things.

One of the sites was a church website, which often is a super easy target because they’re set up by volunteers who don’t necessarily know what they’re doing. Fortunately, I had put some basic security in, which slowed the hackers down long enough that the hosting company noticed it and shut down the attack.

Before reading on, please check your WordPress site. Right now.

Do you have an active admin user id (one called “admin”)? If so, get rid of it right now. Create a second admin id named something different (admin-17209 or something hard to guess). Then log in with that user id, and delete the old one. This is the most fundamental mistake that most people make – they leave the admin user id active, and it’s easy pickin’s for the hackers. Never post blog posts from your admin id either. Create an Editor-level id to post from (so you don’t expose your admin credentials).

Hacker Proof WordPress Plug-in

In the aftermath of both these sites getting brute forced (neither was compromised by the way), I did quite a bit of research. I found the following plug-in, iThemes Security Pro. It’s got a ton of 5 star reviews. I made sure I had a full backup of one of the sites, held my breath and installed the plug-in. It was surprisingly easy to set up, and locked things down tight. I had done a reasonable job of getting the site secure before this, and the plug-in confirmed my settings were proper. However, there were many more settings that they changed to make it even better protected.

The first thing is that they remove the front door – the main login screen. They rename it to something else (you pick what it is), and this removes a huge target. If hackers can’t find the front door, it’s a hell of a lot harder to kick the door in. Instead, they move the door around to the side, make it hidden, and build a moat of hungry crocodiles around your site.

This is now standard practice for me to set this up on all my WordPress sites. Just last night, I got some warning e-mails from a brand new site we just launched last week. Someone in France was trying to access some files they shouldn’t have access to. The plug-in locked them out for 15 minutes and sent me a note. After two more lock-outs, I just went into the site and blacklisted them forever. *Poof* Gone.

Comment Spam Drives Me Insane

We’ve been getting more and more comment spam on all our WordPress sites too. We have Akismet installed. We have Captcha tools installed. The comment spam just keeps coming in floods, and it’s a huge time suck to weed through it all and flush it down the toilet. I discovered another plug-in that has cut the spam comments to ZERO. Not one has gotten through, and yet, people can still leave comments just like normal. It’s a super easy plug-in that works like a charm: WP SpamFree Anti-Spam plugin. I sure like the silence.

A Last Word About Security

Old versions of WordPress and plug-ins have holes. ALWAYS keep your website up to the latest version of WordPress. Hackers know this. If you’re on an old version of WordPress, upgrade all your plug-ins and then upgrade WordPress.

ALWAYS make sure you have a full backup of your website before you do anything, in case something pukes in the upgrade process. If you use a backup software that can do a scheduled backup, even better. I recommend doing a database backup every night, and a full (file and database) backup once a week, say on Saturday night. And do a manual backup just before doing any surgery on your site, just in case.

I’m a huge fan of BackupBuddy, also by iThemes. I make sure that the files are backed up to my Amazon S3 storage (off the local server), in case the whole server goes down or the hosting company goes belly up. I can ALWAYS pull a copy from Amazon and get the site back up somewhere else, even if it’s been hacked. Keep at least 5 previous copies of your backups so you can go back to the last known good version.

This is all just to make your website a harder (not impossible) target, and give you an insurance policy (backups) so you can get back to normal without too much effort. A local organization that I work with as a volunteer recently got hacked. Their site was down for nearly a week while they tried to piece the site back together (they didn’t have a backup). Don’t let that happen to you. It’s expensive and time consuming.

Good luck in keeping the wily hacker at bay. Let me know below how you did.