A friend sent me a link to his website today and I noticed something which I had missed before. He was making a classic security mistake on his WordPress site. I mentioned this to him but I thought that you and others might also find it useful so that you avoid a classic pitfall that can cause your site to be much more hackable. It all revolves around how to set up your WordPress administrative account for security.
The easiest way to be hacked
The easiest way to have your WordPress site hacked is through a brute force attack: an automated script keeps submitting username and password guesses to your login page until one works. Because a computer is doing it, it never tires, never repeats a failed guess, and can run for months. Whether it succeeds comes down to how many guesses it needs, and the choices below either make that number tiny or push it out of reach.
Don’t use admin as your admin username (and don’t use your first name either)
One of the easiest steps is to make sure no administrator account is called “admin” or is simply your name. Both are trivially guessable, and a brute force attack needs the right username as well as the right password: if you keep the default (“admin”), half of the attacker’s work is done for them. Choosing an administrator username that isn’t guessable forces them to guess two unknowns instead of one and multiplies the number of attempts they need. So your first step in basic WordPress security is to give your admin account a username nobody would guess.
But what if I already have set up the default admin account?
If you have already set up an administrative account with the username “admin”, WordPress will not let you change that username from the dashboard (the field is greyed out on the profile screen). What you can do is create a new administrative account with a harder to guess username, log in as that user, and then either delete the “admin” account (WordPress will ask you to reassign its posts) or, better, demote it to a “subscriber” account with a long random password of its own. A subscriber can do nothing useful on your site, but an attacker who sees that “admin” exists will waste time and energy hammering on that account instead of the real one.
Fill in your administrator user profile
The next step is to fill in your administrator’s profile so that the harder to guess username is not displayed anywhere. In the WordPress dashboard go to Users → Your Profile (or Users → All Users and edit the administrator account). Fill in the user’s first and last name, a nickname, and any other details you want shown (a website or social media profile, for example), then set “Display name publicly as” to the first and last name or the nickname, never to the username. Be aware that this hides the login from bylines and comments but not from the author archive: its URL (/author/<slug>/, which /?author=1 redirects to) uses the user’s “nicename”, which WordPress sets to the login unless you change it, and the REST API’s users endpoint exposes the same slug for authors of published posts. Change the nicename too, for example with WP-CLI: wp user update <login> --user_nicename=<slug>.
With that done, a hacker browsing your site sees only the display name, so to find the login they must guess from your other contact information: your first name, first and last name together, last name then first name, and so on. And because your theme will show the name and profile details below your posts (if it supports author boxes), your content also looks more professional.
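The whole procedure above (new hard-to-guess administrator, display name and author slug that don’t reveal the login, old “admin” demoted to a decoy) as a PHP script run inside WordPress. This is an added example, not code from the original post; it uses WordPress’s own wp_insert_user(), set_role() and wp_set_password(), and the login, e-mail, names and slug are placeholders you must change.

```php
<?php
/**
 * Added example (not from the original post): replace the default "admin"
 * account with a new administrator whose login is hard to guess, set its
 * public names so the login is never shown, and turn the old "admin" into a
 * subscriber decoy. Run inside WordPress, for example:
 *   wp eval-file replace-admin.php
 * Every name and address below is a placeholder: change them before use.
 */

function replace_default_admin( $new_login, $new_email, $first, $last, $nicename ) {
    if ( get_user_by( 'login', $new_login ) ) {
        return new WP_Error( 'exists', "User {$new_login} already exists." );
    }

    // 32 random characters including symbols; store it in your password manager.
    $password = wp_generate_password( 32, true, true );

    $new_id = wp_insert_user( array(
        'user_login'    => $new_login,
        'user_pass'     => $password,
        'user_email'    => $new_email,
        'first_name'    => $first,
        'last_name'     => $last,
        'display_name'  => "$first $last",   // what the theme prints under posts
        // Author archive slug (/author/<nicename>/). It defaults to the login,
        // so a visitor could recover the login via /?author=<id>; set it explicitly.
        'user_nicename' => $nicename,
        'role'          => 'administrator',
    ) );
    if ( is_wp_error( $new_id ) ) {
        return $new_id;
    }

    // Keep "admin" as a decoy rather than deleting it (deleting forces you to
    // reassign its posts). Strip its privileges and give it its own random
    // password so it is no easier to break than the real account.
    $old = get_user_by( 'login', 'admin' );
    if ( $old && (int) $old->ID !== (int) $new_id ) {
        $old->set_role( 'subscriber' );
        wp_set_password( wp_generate_password( 32, true, true ), $old->ID );
    }

    return array( 'id' => $new_id, 'login' => $new_login, 'password' => $password );
}

// Placeholder values, assumed for this example only.
$result = replace_default_admin( 'k7-site-ops', 'ops@example.com', 'Jane', 'Doe', 'jane' );
if ( is_wp_error( $result ) ) {
    echo 'Failed: ' . $result->get_error_message() . "\n";
} else {
    printf( "Created administrator #%d (%s). Password: %s\n",
        $result['id'], $result['login'], $result['password'] );
}
```

Log in as the new administrator before touching the old account, and check /?author=1 afterwards: it will still redirect to /author/admin/, which is fine because that is now the decoy, while the real administrator’s archive uses the slug you chose.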
Activate Loginizer or a similar plugin
There are also plugins that help prevent brute force attacks by limiting login attempts when they look suspicious. The simplest lock an account or IP address after a handful of failed attempts (three is a common default); others, such as Loginizer, add more advanced features like
- two factor authentication
- IP blacklisting
- IP whitelisting
And more. These can help prevent brute force attacks as well.
Finally, Jetpack also now has built-in brute force protection alongside its other features.
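To make concrete what these plugins do, here is a minimal must-use plugin that counts failed logins per client IP address and refuses further attempts once a threshold is reached. It is an added example written for this post, not code from Loginizer, Jetpack or the original article; the threshold, lockout length and the example_ prefixed names are assumptions.

```php
<?php
/**
 * Plugin Name: Minimal login throttle (added example)
 * Description: Illustrates what Loginizer/Jetpack-style protection does: after
 * EXAMPLE_LOGIN_MAX_FAILS failed logins from one IP, refuse further attempts
 * for EXAMPLE_LOGIN_LOCKOUT seconds. Not code from any of those plugins.
 * Save as wp-content/mu-plugins/example-login-throttle.php to try it.
 */

const EXAMPLE_LOGIN_MAX_FAILS = 5;        // assumed threshold
const EXAMPLE_LOGIN_LOCKOUT   = 15 * 60;  // assumed lockout: 15 minutes

// REMOTE_ADDR is the TCP peer. Only trust X-Forwarded-For if you know a proxy
// you control sets it; otherwise an attacker can rotate it freely. Behind a
// proxy without that, everyone shares one address and one counter.
function example_login_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_login_transient_key() {
    return 'example_login_fails_' . md5( example_login_client_ip() );
}

// Priority 30: core checks the password at priority 20 and would override an
// earlier WP_Error with a WP_User on a correct guess, so we must run after it.
// wp-login.php and xmlrpc.php both go through wp_authenticate() and this filter.
function example_login_block_if_locked( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // plain page load, no credentials submitted
    }
    $fails = (int) get_transient( example_login_transient_key() );
    if ( $fails >= EXAMPLE_LOGIN_MAX_FAILS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_login_block_if_locked', 30, 3 );

// Count a failure; each failure restarts the lockout window.
function example_login_record_failure( $username ) {
    $key   = example_login_transient_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, EXAMPLE_LOGIN_LOCKOUT );
    if ( $fails >= EXAMPLE_LOGIN_MAX_FAILS ) {
        error_log( sprintf(
            'login throttle: locked out %s after %d failures (last username tried: %s)',
            example_login_client_ip(), $fails, $username
        ) );
    }
}
add_action( 'wp_login_failed', 'example_login_record_failure' );

// A successful login clears the counter for that address.
function example_login_clear_failures( $user_login, $user ) {
    delete_transient( example_login_transient_key() );
}
add_action( 'wp_login', 'example_login_clear_failures', 10, 2 );
```

Per-IP counting is defeated by an attack spread across many addresses, and counting per username instead would let an attacker lock you out of your own site, which is why the real plugins combine both with IP whitelisting and two-factor authentication rather than relying on one counter.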
Use a tough to crack password
A tough to crack password is the other essential step in protecting your site from being hacked. Tough to crack usually also means tough to remember, which makes good passwords harder to use in practice. Still, if you want to really secure your site, the password matters: a hidden username buys time, but the password is what an attacker ultimately has to guess. A password manager app can generate long random passwords and remember them for you. The trade-off is that it becomes a “honey pot” holding all your passwords, so protect it with a strong master password and, where offered, two-factor authentication.
Advice on passwords
Ultimately, an extremely good password is long and made up of complete gibberish: upper and lower case letters, numbers and symbols, which, as I mentioned, makes it very difficult to remember. There are a couple of ways round this. One is to think of a sentence and use the first letter of each word as your password (song lyrics can be adapted the same way). These are easier to remember and hard to guess, though they usually end up only ten or so characters long, so don’t use one where a password manager could give you a 30-character random string instead; if you must remember it, several unrelated words strung together gets you more length. If you want some more ideas, check out this article on the guardian.
Back up regularly
These steps should radically reduce the likelihood of being hacked, but they don’t make you 100% protected. Other weaknesses can leave you vulnerable and brute force attacks can still occur, so always make sure you have a recent backup of your site that you can restore from.
If you’ve set up a better administrative profile with a good password and installed a plugin to block brute force attacks, you’ve done a great deal to increase the security of your WordPress site. Admittedly, an insecure plugin or theme, or another site on a shared server being compromised, can still get you hacked, but with a backup you can at least restore quickly.