Brute force attacks on your WordPress site are something you don't really want to experience or even worry about, especially when all you really want to do is focus on creating content, promoting your blog and growing your business online.
But unfortunately this happens every day to WordPress site owners. Thousands of WordPress sites get hacked every day, so don't wait for the day when yours gets attacked too.
So what can you do to prevent brute force attacks and other hacks on your WordPress website or blog, either now or later down the line?
Below I've compiled a list of tips and tools to help you protect your WordPress site! Scroll down, consider implementing a few on your site, and enjoy the peace of mind of a secured website, peeps.
- Secure your computer! – Yes, you heard right, security starts right at home! Keep your operating system, browser and some kind of internet security software up to date, and make sure that the passwords to your various online accounts, including your WordPress sites, aren't written down or stored unprotected on your hard drive. Saving usernames and passwords in email accounts or in Evernote is not a good idea either; a password manager is the right place for them.
- Change the wp-login URL of your WordPress site – Using the default wp-login.php is all well and good, but the problem is that a lot of brute force attacks hit exactly that URL. Spammy bot login attempts can be greatly reduced by simply changing the URL of the login page. The Rename wp-login.php plugin will do this for you. Bear in mind that this is obscurity rather than a real access control: bots can still post credentials to xmlrpc.php, so pair it with a plugin that limits login attempts.
- Disable new user registration on your WordPress site – If you're not accepting guest posts or don't want anyone to register on your WordPress site, make sure they can't by going to Settings > General and leaving "Anyone can register" unchecked. A fresh WordPress installation has this turned off by default, but it never hurts to double check, and if you do allow registration, keep "New User Default Role" set to Subscriber.
- Use a well coded WordPress theme – Many free themes are fine to use when you're just starting out or experimenting with your site, but a poorly coded theme can introduce vulnerabilities of its own, so whether free or paid, pick one that is actively maintained. In time you might want to upgrade to a premium theme like Genesis or Thrive. Sure, they cost a little bit of money, but they're premium themes for a good reason.
- Avoid cramming your site with too many plugins – Every plugin is someone else's code running on your site, so limit the number you install, delete the ones you don't use (a deactivated plugin's files are still on the server and can still be reachable), and make sure that any plugins you keep are regularly updated. I personally love using premium plugins whenever possible, and free quality plugins that are maintained frequently by reputable developers, such as Yoast SEO, Blubrry PowerPress and Disqus.
- Install Wordfence – Wordfence is a complete and affordable solution (if you decide to go premium) for WordPress website security: a firewall, a malware scanner and login protection in one plugin. I use the free version on all of my WP sites and the premium version on this one. Its Live Traffic view lets you watch attacks on your site in real time and see how Wordfence blocks them.
- Have a backup plan! – Perhaps this should be at the top of the list. In any case, you should always have a backup plan, just in case the worst should ever happen. I use BlogVault to back up this blog daily; it's not a free service, but should the worst ever happen, I can get my site up and running again in no time at all. If you are using, or thinking of using, a free backup solution, the problem with a lot of free backup plugins and services is that you can back up your site but can't easily do anything with the backup files themselves. That's why a premium all-in-one backup and restore service is always recommended. Whatever you use, keep a copy somewhere other than the server being backed up, and actually test a restore once; a backup you've never restored is a guess.
- Always update to the latest version of WordPress when prompted – Self explanatory stuff really. If you don't think that updating to the latest version of WordPress is important, then just read this post. You'll soon change your mind. The same goes for your plugins and themes, and leave WordPress's automatic minor (security) updates switched on.
- Block IPs – For persistent login attempts and failures, consider blocking the culprit IPs in your web host's cPanel, under Security > IP Deny Manager (called IP Blocker in newer cPanel versions). You can track offending IPs in Wordfence or in another plugin called Limit Login Attempts, though sadly that plugin is no longer maintained (a maintained fork, Limit Login Attempts Reloaded, is available). Manual blocking only goes so far: attacks often come from botnets with thousands of addresses, so a plugin that rate-limits login attempts automatically is the better long-term fix, and always double check that you aren't blocking your own address.
- Use a reliable web host – When I say reliable I don't mean a "cheap as chips" web host, I mean a web host with a track record for being safe and secure, like SiteGround.
- Avoid installing too many dodgy scripts or snippets of code on your site (or on your server) – Users often install scripts and custom code to avoid having to use plugins, or to add extra functionality to their sites, not just on the website itself but on the server as well. If you're going to add code and scripts to your WordPress site, keep them to a minimum, always make sure they come from a credible source, and read what they do before adding them; a snippet you don't understand could be hiding anything.
- Keep yourself informed and updated – Knowledge is power, folks, so instead of waiting for something to happen and then panicking about it, educate yourself and learn what you can do in advance to prevent brute force attacks. The fact that you're reading this post is a sign that you're serious about protecting your WordPress site.
- Avoid using the username "admin" – "admin" is the first username every brute force bot tries, so when manually adding new administrators to your site (should you ever need to), avoid it, and if you're currently using it, change it. To change it: create a new administrator account with a different username and email, log out, log back in with the new account, then delete the old "admin" account; when WordPress asks what to do with its content, choose "Attribute all content to" your new account so no posts or pages are lost. Keep in mind that WordPress reveals usernames through author archives (for example /?author=1 redirects to the author's page) and the REST API, so this removes the most-guessed name rather than hiding your username; a strong password still does the real work.
- Create stronger passwords – The password generator inside your WordPress profile is a must-use feature: a long random password is the single biggest obstacle to a brute force attack. In addition to using stronger passwords, make it a habit to change them every few months, and immediately if you suspect one has leaked. If you want to go a step further, a two-factor authentication plugin means a guessed password alone isn't enough to get in.
- Use one contributor account for all guest posts – Now this is something that not a lot of bloggers will want to do. However, creating a single contributor account for all guest posts will not only save you the time of keeping track of many accounts, but also saves some space in your database and decreases the chance of an account being hacked into, because every extra account is another username and password to guess. Give it the Contributor role (it can write but not publish) and don't share its password with the guest authors. Whenever I publish a guest post on any of my blogs, I always use one single guest post account and add the guest author's bio at the bottom of the blog post.
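To make the "block IPs" tip above concrete, here is an added example of my own (it is not code from this post, from Wordfence or from cPanel) that reads ordinary Apache/Nginx access-log lines, counts failed login POSTs per address inside a sliding time window, and drafts Apache 2.4 deny rules for the offenders. It assumes the "combined" log format; the threshold, the window and the sample log lines are constructed for illustration, and it counts every POST to xmlrpc.php on the assumption that you don't use XML-RPC legitimately.

```python
"""Spot brute-force logins in a web-server access log and draft deny rules.

Added example, not code from the original post and not part of Wordfence,
Limit Login Attempts or cPanel. Assumes the Apache/Nginx "combined" log
format; threshold, window and the sample log are illustrative.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# combined log format: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop ?action=... query strings
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def is_failed_attempt(method, path, status):
    """A failed form login re-renders wp-login.php with HTTP 200 (a successful
    one 302-redirects to wp-admin). XML-RPC answers 200 either way and its
    system.multicall lets one request try many passwords, so every POST to
    xmlrpc.php is counted (assumption: you don't use XML-RPC legitimately)."""
    if method != "POST":
        return False
    if path == "/wp-login.php":
        return status == 200
    return path == "/xmlrpc.php"


def find_brute_forcers(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each IP that made >= threshold failed attempts inside any
    window-long span to the largest such count seen."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent failures
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if not is_failed_attempt(method, path, status):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def htaccess_rules(ips):
    """Apache 2.4 rules denying the flagged addresses (paste into .htaccess)."""
    out = ["<RequireAll>", "    Require all granted"]
    out += [f"    Require not ip {ip}" for ip in sorted(ips)]
    out.append("</RequireAll>")
    return "\n".join(out)


# Constructed sample log using RFC 5737 documentation addresses, not real traffic:
# a scripted attacker, a real user who mistypes once then logs in, and a
# low-volume XML-RPC prober that stays under the threshold.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 18033 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
192.0.2.9 - - [10/Oct/2023:14:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
192.0.2.9 - - [10/Oct/2023:14:06:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "-"
"""

if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG.splitlines())
    print(hits)  # {'203.0.113.7': 6}
    print(htaccess_rules(hits))
```

Run it against your real log (for example `tail -n 5000 access.log`) and review the output before pasting anything into .htaccess; a shared office or VPN address can trip the threshold, and a botnet spreading its guesses across thousands of addresses will stay under it, which is why a login-attempt limiter and two-factor authentication do the heavy lifting and this kind of blocking is only a supplement.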
So there you go, peeps: follow a few of these tips and ideas, or use some of the tools I mentioned above, and your WordPress website will be a far harder target.
What are you doing to keep your WordPress website safe?
I’d love to hear some of your thoughts. How much do you value your business? How safe is your WordPress site? Are you using any of the tips or tools I’ve mentioned in this post? Leave me a comment below as always.
Happy blogging and stay safe – Fabrizio Van Marciano.