Alright, you have a WordPress website and you’re over the moon. Things go smoothly for about a week or so and you could not be happier. One fine morning, you open your email to go through your daily tasks and come across a message about a failed login attempt on your WordPress site. You ignore it, thinking it was perhaps just you mistyping your password. But as the day progresses, you find a string of such emails, one after another, in quick succession.
You freeze in your tracks. What exactly is happening, a voice inside your head wonders. And the gravity of it all finally dawns upon you. Your website is under what is commonly called a brute force attack. It is an attack on a website by someone trying to hack their way in through multiple attempts at guessing your site’s password. They’d try various permutations and combinations of passwords and catchphrases in the hope that one of them goes through and grants them access to your site.
This is a very common occurrence for those with a WordPress website. It is indeed a scary place to be in, for surely you do not want these bad boys to gain access to a website you put your heart and soul into. Thankfully, there are some ways you can lessen the risk of a brute force attack.
As a WordPress development company in Mumbai, we know some tricks and we’ll discuss some of them below.
- Choose a good hosting provider: Many website owners may not think about this at all. A website hosting provider does not simply host your site’s files but also shoulders the responsibility of keeping the server secure from unwanted attacks. Always choose a hosting provider that is well-known, has a reputation to protect and takes the necessary precautions to ensure that the sites it hosts are kept secure to a reasonable extent.
- Choose a strong username: A lot of website owners may not pay attention to this while creating their website. While you are installing WordPress, you’re presented with the option of choosing your username. The default is admin – for all new WordPress installs. Can you imagine how easy it is for hackers to guess what the default username for a site is? Yeah, extremely easy! But we don’t want that. We want to throw a curveball and waste their time guessing our username. So, it is always a good practice to choose a username that is unique to you and hard to guess.
- Choose a strong password: This is pretty self-explanatory. If you are one of the simpletons and feel that a password such as 123456 is easy to remember and thus good enough, wait for some time till you see your website taken down by those cunning hackers. As a website owner, you shouldn’t be gullible enough to have such a simple password. A strong password is a combination of letters, numbers and special characters.
There are many password generators online that you can make use of. Although they do a very good job, they are based on an algorithm, so it is still possible to breach it. I thus prefer making my own password by first generating it using one of the tools and then changing it further to make it truly unique.
- Change the WordPress login URL: When you install WordPress, the default login URL to your website will be yoursitename.com/wp-admin.
The ‘wp-admin’ suffix is the default for all WordPress login URLs. It is thus easy for site-scoopers to head over to the URL without missing a beat. But you want to be smarter than them and, of course, do not want to make things easier. This is why I recommend changing the /wp-admin slug to something else (whatever you want in the world!). It could be /imnotlettingyouin or /keepguessing or anything else at all.
This is much easier with the use of a plugin. There’s one aptly named Change wp-admin login and another called iThemes Security (formerly known as Better WP Security). Both of these plugins work very well and you’ll do yourself a huge favor by changing the default login URL.
- Update your WordPress version: WordPress is an open-source content management system and as such its code is out in the open for all to study. This also means that a lot of data thieves and malicious hackers study it to find a vulnerability they can use to break into the system. While they are at it, the WordPress community is also a thriving one of good-hearted Samaritans who report such vulnerabilities in the code so that they are fixed as soon as possible.
This is the reason why, with each WordPress version release, there are security patches, enhancements to features and efforts to make it more robust. Updating your WordPress to the latest version means that you lessen the risk of being exposed to such vulnerabilities and possible hacking attempts.
Don’t forget to back up your website first before updating WordPress. It is better to be safe than sorry later. As a web development company, we’ve seen many instances of sites breaking when some of our clients take things into their own hands, update WordPress without taking a backup and regret it later.
- Keep your theme and plugins updated: Just like you need to keep up with the latest version of WordPress, it is also wise to update your theme and plugins to their latest versions. You see, WordPress has hundreds and thousands of themes and plugins in its repository and they are constantly being updated to ensure that they are secure and do not provide a gateway for ill-intentioned people to breach your site.
- Choose a good security plugin: I know what you must be thinking…another plugin? Yes, but this is an absolutely necessary one. As a webmaster, keeping your site secure should be your top priority, even if you have to install another plugin for it. There are some good ones out there such as Wordfence, All in One WP Security, Sucuri and a lot more.
Many of these security plugins are extremely active in the backend and are always on their toes. Malware scanning, blocking malicious networks, keeping file changelogs, blacklisting IPs, etc., are some of the many features that they have. Installing one is not optional; it is a must.
I hope these 7 points serve as a good reference guide for you to take your website security seriously and work towards strengthening it further.