How To Secure WordPress
Learning how to secure WordPress is just one of those lessons that new bloggers have to learn the hard way after they have suffered a malicious attack. Just yesterday, this very blog was attacked, and I learned the hard way that I was going to have to work harder to secure WordPress.
Before I lead into the precautions that I have put into place to hopefully prevent future attacks and to secure WordPress, I would first like to share my experience of what happened yesterday, so that hopefully, new bloggers will be able to recognize the signs of an attack. When a hacker breaks in, it happens fast and they can cause a lot of damage depending on their intentions. You have to be prepared and react right away.
Secure WordPress or be attacked!
Like many other bloggers, I use WordPress as my blogging platform for Marketing Methods Online. I was logged in yesterday just like any other day and all of a sudden, I received an email that went straight to my spam folder. This email was from a website security company, alerting me that my WordPress site had been hacked. The email explained that they were an Internet security company that represented Yahoo as their client. The email further explained that a criminal had placed a fake Yahoo Mail log-in page on my server for the purpose of credit card fraud and identity theft.
At first I was skeptical, so I called the phone number that they listed in the email so that I could check out the legitimacy of this email. After talking with the gentleman, I was confident that my website had been hacked. I then received emails from HostGator, my website hosting company, also alerting me of malicious activity.
Then, out of nowhere, I was pushed out of the back-end of my own site. The hacker took the time to go into my profile page and change my password, locking me out. I was freaking out, and my only thought was that this hacker now had the capability to do anything, including deleting all of my content and posts. That would be a very very bad day!
I called HostGator right away. Thank goodness, they were very helpful, and within minutes, they had pushed the hacker out of my site, regenerated passwords for all users, and deleted the malicious files off of my server before the search engines had the time to crawl my site and notice the malicious links and landing pages that the hacker had placed, preventing the search engines from blacklisting my site.
Fortunately, other than placing some fake landing pages that looked just like a legitimate Yahoo Mail log-in page, that was the extent of the damage. I was lucky! But now I realize the importance of learning how to secure WordPress to prevent future attacks.
Plugins that I now use to secure my site…
When you look around the web for advice on how to secure WordPress, one of the tips that you’ll notice is to ensure that your version of WordPress and all plugins are up-to-date with the latest versions. However, since I regularly update WordPress when new updates are available, and do the same with plugins, I knew that this was not my problem. I still don’t know exactly how the hacker got in, but I have installed three plugins that I am hoping will do the trick to secure WordPress from malicious activity in the future. These include:
1. Limit Login Attempts:
Now, I already had this plugin installed prior to my attack, so this plugin will not secure WordPress by itself. But I believe that it helps.
Without this plugin or others that are similar, your WordPress log-in page will allow potential hackers unlimited attempts to log into your site, which means that a brute-force password guesser might eventually get lucky. There are different settings available, but I have this plugin set up to lock out a hacker after 4 failed attempts for a period of 60 minutes. If they persist in trying after those 60 minutes, the second lockout lasts 24 hours.
Like I said, this plugin will not secure WordPress by itself, but it should deter obvious attacks on your WordPress site.
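To make the lockout policy above concrete, here is an added example (my own illustrative code, not the Limit Login Attempts plugin) that implements the same escalation: 4 failures lock a client out for 60 minutes, and from the second lockout onward each lockout lasts 24 hours. The client key (IP address), the in-memory state store, and the login events replayed are all assumptions constructed for the demo.

```python
"""Escalating login lockout modelled on the settings described above.
Illustrative stand-alone code, not the plugin's own; keying on the
client IP and keeping state in memory are assumptions for the demo."""
from dataclasses import dataclass

ALLOWED_RETRIES = 4                 # failures that trigger a lockout
LOCKOUT_SECONDS = 60 * 60           # first lockout: 60 minutes
LONG_LOCKOUT_SECONDS = 24 * 60 * 60  # second and later lockouts: 24 hours
LOCKOUTS_BEFORE_LONG = 2            # the second lockout is already the long one


@dataclass
class ClientState:
    failures: int = 0       # failures since the last success or lockout
    lockouts: int = 0       # lockouts handed out so far
    locked_until: float = 0.0


class LoginLimiter:
    def __init__(self):
        self._clients = {}

    def _state(self, ip):
        return self._clients.setdefault(ip, ClientState())

    def is_locked(self, ip, now):
        return now < self._state(ip).locked_until

    def attempt(self, ip, now, password_ok):
        """Process one login attempt. Returns 'locked' (rejected before the
        password is even checked), 'ok', 'fail', or 'lockout:<seconds>'
        when this failure is the one that triggers a lockout."""
        st = self._state(ip)
        if now < st.locked_until:
            return "locked"  # same answer whether or not the password was right
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures < ALLOWED_RETRIES:
            return "fail"
        st.failures = 0
        st.lockouts += 1
        duration = (LOCKOUT_SECONDS if st.lockouts < LOCKOUTS_BEFORE_LONG
                    else LONG_LOCKOUT_SECONDS)
        st.locked_until = now + duration
        return f"lockout:{duration}"


# Constructed scenario (times in seconds): an attacker hammering wp-login.php
# from one address while the site owner logs in from another.
ATTACKER, OWNER = "203.0.113.7", "198.51.100.2"
EVENTS = [(t, ATTACKER, False) for t in range(4)]          # 4 quick failures
EVENTS += [(10, ATTACKER, False)]                           # still locked out
EVENTS += [(3700 + t, ATTACKER, False) for t in range(4)]  # retry after 60 min
EVENTS += [(7300, ATTACKER, True)]                          # right guess, still rejected
EVENTS += [(5, OWNER, True)]                                # owner is unaffected


def demo():
    """Replay EVENTS in time order; return each client's outcomes."""
    limiter = LoginLimiter()
    outcomes = {ATTACKER: [], OWNER: []}
    for t, ip, ok in sorted(EVENTS):
        outcomes[ip].append(limiter.attempt(ip, t, ok))
    return outcomes


if __name__ == "__main__":
    for ip, results in demo().items():
        print(ip, results)
```

Two caveats a practitioner will want: a lockout keyed on the source address is sidestepped by an attacker rotating through many addresses, and it can lock out legitimate users who share one address behind NAT, so a per-username counter and a sensible retry window belong alongside it. The "locked" response is deliberately identical whether the guessed password was right or wrong, so the lockout itself leaks nothing.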
After yesterday’s attack, I installed two more plugins to help me secure WordPress:
2. WordPress Firewall 2
This plugin is a security firewall that provides just a little bit more protection in your effort to secure WordPress. It prevents the following types of attacks:
- Directory Traversal
- SQL Injection
- WordPress-Specific SQL Injection
- Executable File Upload
- Field Truncation
- Remote File Execution
Since I am not a techie, this is the best explanation that I can provide on this WordPress plugin. But I have read good reviews on this plugin, and hope that it will help to do the trick to secure WordPress.
3. Secure WordPress
This plugin beefs up the security of your WordPress installation by removing error information from the log-in page (so a failed attempt does not reveal whether the username or the password was wrong), adding an index.html to plugin directories (so their contents can’t be listed), hiding the WordPress version, and much more to help you secure WordPress.
Now keep in mind that I have just installed these last two plugins today in order to secure WordPress, so only time will tell if this combination of plugins will hold up against future hacker attacks.
If you are a new blogger, this information should go a long way to help you secure WordPress. For experienced bloggers, how do you secure WordPress? Please provide your thoughts below!
Category: Blogging Tips, WordPress
Thank you for sharing your experience. As a new WP user, you opened my eyes to an important aspect that I hadn’t thought about before.
Thanks for the tips!
Thank you Ufuk!