WordPress is awesome! I love its flexibility and usability! We use it time and time again to provide our clients with websites they can easily maintain. With 68 million and counting websites using WordPress (.com or .org) in some way, hackers out there do target WordPress websites. Such attacks can crash your site, or even worse, put malware on your site, damaging your reputation with Google and attacking your clients!
“admin” is the default WordPress user account. Why is this bad? Hackers know this is the default username for WordPress websites, so they can try to guess the password for this account. If you use this account, log into your WP-Admin area, create a new user with administrator access and a strong password, then log out. Log back into your WP-Admin with the new user, and change the admin user’s role to “— No role for this site —”.
This action stops the admin user account from accessing your WP-Admin area. You now have your own unique and harder-to-guess username. Simple, but you would be surprised how many people still use the admin user account!
Read about plugins before you install them. Check out the support link on them and see what other people have experienced with that plugin. I remember last year a couple of plugins and themes used a script called timthumb.php. It generated images on the fly for the website. It worked well, but there was a vulnerability in the script that hackers used to inject their own scripts into your website. BADDDD!!!
“Slow down…learn about the plugin before installing just anyone’s code on your WordPress website.”
In the past, I have used Audit Trail, but there are others out there, like WP Security Audit Log. These trackers allow you to review site logs if your site gets hacked or content is changed without you knowing it. You can then see which account the hacker used and what they changed. This makes recovery from an attack less painful and allows you to take better security precautions in the future.
Hackers are looking to add their own code to your site so they can put malware and viruses on your pages that will infect your and your website visitors’ computers. One place they can do this on a WordPress site is the theme and plugin file editor in WP-Admin. So, I recommend disabling file editing to help secure your site from hackers. You can disable file editing by adding a single line to your wp-config.php file.
define('DISALLOW_FILE_EDIT', true);
This simple change will keep hackers from being able to add in their own code to your website.
What I mean by this is: block all other computers on the internet from accessing your WP-Admin area. Hardening WordPress talks about securing wp-admin with Basic Auth password protection, so it is like a second layer of authentication. What I’m referring to is denying access to wp-admin from all internet addresses except your own. Adding these lines (with your own IP address in place of xx.xx.xx.xx) to the .htaccess file in the wp-admin folder will protect you.
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
This will allow only your own public IP address to access the wp-admin area.
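As an added example (not code from the original post), here is a small Python audit helper for the last two steps: it checks that wp-config.php actually contains an active DISALLOW_FILE_EDIT line, and it evaluates an Order/Deny/Allow block the way Apache does so you can confirm which client addresses would reach wp-admin before you lock yourself out. Note that Order/Deny/Allow is Apache 2.2 syntax, which Apache 2.4 only honours when mod_access_compat is loaded. The sample file contents and the 203.0.113.x / 198.51.100.x addresses are constructed documentation values, not real ones.

```python
# Added audit helper for the wp-config.php and wp-admin/.htaccess steps above.
# Sample file contents below are constructed, not taken from a real site.
import ipaddress
import re

SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example');
// define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_EDIT', true);
"""
SAMPLE_HTACCESS = """Order Deny,Allow
Deny from all
Allow from 203.0.113.7 198.51.100.0/24
"""

def file_edit_disabled(wp_config: str) -> bool:
    """True only if an active (not commented-out) define() sets DISALLOW_FILE_EDIT to true."""
    pat = re.compile(r"""^\s*define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""",
                     re.IGNORECASE | re.MULTILINE)
    return bool(pat.search(wp_config))

def _matches(rule: str, ip) -> bool:
    """Match 'all', a single address, or a CIDR block (hostnames are not supported here)."""
    return rule.lower() == "all" or ip in ipaddress.ip_network(rule, strict=False)

def client_allowed(htaccess: str, client_ip: str) -> bool:
    """Evaluate Order/Deny/Allow the way Apache 2.2 (mod_access_compat in 2.4) does.
    Order Deny,Allow: a matching Allow overrides any Deny; unmatched clients pass.
    Order Allow,Deny: an Allow must match and no Deny may match; unmatched clients fail.
    """
    ip = ipaddress.ip_address(client_ip)
    order, allowed, denied = "deny,allow", False, False   # Apache's default Order
    for line in htaccess.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()
        if keyword == "order":
            order = parts[1].lower()
        elif keyword in ("allow", "deny") and parts[1].lower() == "from":
            hit = any(_matches(rule, ip) for rule in parts[2:])
            if keyword == "allow":
                allowed = allowed or hit
            else:
                denied = denied or hit
    if order == "deny,allow":
        return allowed or not denied
    return allowed and not denied
```

Run client_allowed() against the real .htaccess with your own address before uploading it; a typo in the Allow line locks you out of wp-admin along with everyone else.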