Over 20% of all websites run on WordPress. The source code of this content management system (CMS) is open. It is therefore not surprising that it is hugely rewarding for hackers to find flaws in the code: with one exploit it is often possible to attack millions of websites.
You can prevent this. Below is a list of tips to secure your WordPress. Prevention is better than cure!
Install updates ASAP!!
We cannot say it often enough: keep your WordPress installation up to date! When exploits are found, WordPress releases an update. With a few clicks you can install it.
Don't forget to also update your plugins!
Change your username
By default, 'admin' is set as the username. Hackers know this and try brute forcing to retrieve your password. We avoid this by using an extra password popup for added security, but it remains advisable to choose a different username.
There is a plugin available that allows you to change the username in a simple manner.
- In the left menu, click on 'Plugins' and choose 'New plugin'.
- Enter 'username' in the search field and click Search Plugins.
- Click 'Install Now' under the plugin 'Username'. After installation, click on 'Activate'.
- Then in the left menu, click on Settings and then on the submenu 'Username'. Enter the desired new user name.
- Click 'Click to check username if exists or not'. If a green text appears stating that the user is not in use, click the Save Changes button.
- You will now see the WordPress login screen. You can now log back in, this time with the new user.
Remove unused themes and plugins
Remove all themes and plugins that you are not using. They are all PHP files that are a potential risk.
Disabling them is not enough: the files still exist on the server and can easily be misused.
Install a security plugin
There are several plugins that can monitor the security of WordPress. One of them is Brute Project. This plugin looks at the login attempts, and blocks an IP address when there have been too many failed logins.
Also install Wordfence. With Wordfence, you can scan all WordPress files to see which ones contain code that doesn't belong there. Run extended scans!
Add your website to Google Webmaster Tools
If you add your website to Google Webmaster Tools, you receive a notification when malicious files are found. This could include viruses, or phishing pages found on your website. Through these notifications, you can act quickly and minimize the damage. It is also possible to submit a 'reconsider request' here, so your website is quickly available again through Google after cleaning up.
Despite these tips your website was hacked?