Is Your Website at Risk from Hackers? 8 Ways to Protect Your Blog

Protecting Your Blog from Hackers

By Marcy Kennedy (@MarcyKennedy)

A hacked site can cause you days of downtime.

It can cost you money, both from lost income if you sell books through your site and from having to pay a web guru to fix the problem.

It can cause you stress as your regular readers send you messages telling you they’re receiving warnings about your site (and your site loses their trust).

It can cost you sleep as you worry about long-term consequences.

It can get you blacklisted by Google.

It can even cost you your entire website and the hours or years of work you’ve invested.

Your blog or website is at risk of being hacked simply because it exists. It doesn’t matter if you’re a big blogger (like Jeff Goins who got hacked in August) or you’re just starting out. Hackers don’t discriminate.

Anders Vinther, author of The WordPress Security Checklist, lists three reasons hackers attack even small sites: “the insertion of spam links in your content to boost SEO for other sites, through malware infections of your visitors computers (e.g., to steal their financial information), and redirecting your traffic to other sites.”

While no site is ever completely safe, you can do eight things today to significantly reduce your risk. Don’t think they’re worth the time? Go ask someone who’s been hacked and see what they think.

I’ve listed these tasks starting with the ones I think you’ll be able to do quickest and easiest and then moving to more difficult items.

(1) Choose a Secure Password

I know you might think I’m being baby basic here, but when I say “secure password,” I mean one that’s at least 10 characters long, with at least one uppercase letter and a symbol/number.

I also mean one that you don’t use anywhere else. Anywhere. If your Twitter account or your email gets hacked, you don’t want a hacker going over to your website to try the same password and finding out it works.

(2) Keep Your Site Version and Plugins Up-to-Date

I had no idea this was a big deal, but it makes sense if you think about it. The previous version of WordPress was replaced for a reason, either bugs, security weaknesses, or something else. Also, when WordPress releases an update, they tell you what they changed AND, by extension, tell hackers where the weaknesses in the old version are.

By updating to the newest version, you automatically make your site more secure. Updating is free. All it takes is a few clicks. Your site will be “down for maintenance” while it updates, so just don’t update right after you publish a new post.

Along with immediately updating your WordPress version, you need to keep your plugins up to date for the same reasons. Delete all plugins you’re not using.

(3) Keep Your Anti-Virus Software on Your Computer Up-to-Date

Did you know hackers could actually crack your website because you don’t have good anti-virus and malware protection on your computer? Certain malicious programs that hide on your computer track your keystrokes and transmit passwords to the bad guys.

(4) Don’t Use Admin As Your Login Name

If you have a WordPress website/blog, the default administrative username is “admin.”

When you keep this as your username, you’ve just taken away half your basic security system. Most hackers will try this first because so many people fail to change it. And that only leaves your password for them to crack.

Not only should you change your administrative account, but you should also delete the admin account. As long as it exists, your website is vulnerable.

Follow these steps:

  1. Log in using your “Admin” account.
  2. Click on “Users” in the left-hand menu bar.
  3. When you’re on the “Users” page, you’ll see an “Add New” button. Click that. Fill in the information using anything other than your name (too obvious) or “admin” for the username. From the dropdown menu, select the “administrator” role. You always need to have an account with the administrator role.
  4. Log out of the “Admin” account and into your new account.
  5. Go back to the “Users” page and delete the old “Admin” account.
  6. This is extremely important. When WordPress asks you what you want to do with the pages and posts belonging to the old “Admin” account, you need to assign them to the new account you created or they’ll be deleted.

(5) Limit Login Attempts

You can use the Limit Login Attempts plugin or Login Lockdown. Either of these allows you to choose the number of login attempts allowed before it locks out that IP address.

Without a limit to the number of times someone can get your username or password wrong, a hacker could eventually crack your website through sheer persistence. A skilled hacker can use software to run multiple combinations until they finally hit on the right one.

Hint: Most plugins show a “Settings” or “Options” link right under their name on the plugins page. Neither of these did, but I found them under my Settings tab in my left-hand sidebar.

But what if I change my password frequently or have a terrible memory? Won’t I lock myself out?

You might. Your site won’t blow up if you do. You will be forced to wait the time period you decided before you can log in again.
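As an added illustration (not code from either plugin), here is the lockout logic the two plugins implement, in Python: failed attempts are counted per IP address, the address is refused for a fixed period once the limit is reached, and, as the question above notes, the right password is refused too until that period is over. The limits (4 attempts, 20 minutes), the IP addresses and the credentials are all constructed for the example.

```python
from collections import defaultdict


class LoginLimiter:
    """Per-IP login lockout in the style of Limit Login Attempts / Login Lockdown.

    The defaults (4 attempts, 20-minute lockout) are chosen for this example.
    The current time is passed in explicitly so the behaviour is deterministic.
    """

    def __init__(self, max_attempts=4, lockout_seconds=20 * 60):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)  # ip -> consecutive failed attempts
        self.locked_until = {}            # ip -> unix time when the lockout ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # The waiting period is over: clear the lock and the failure count,
            # so an owner who locked herself out can log in again.
            del self.locked_until[ip]
            self.failures[ip] = 0
            return False
        return True

    def seconds_remaining(self, ip, now):
        """How long a locked-out address still has to wait (0 if not locked)."""
        return max(0, self.locked_until.get(ip, now) - now)

    def attempt(self, ip, username, password, now, check_credentials):
        """Returns 'locked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(ip, now):
            return "locked"  # refused even if the password is right
        if check_credentials(username, password):
            self.failures[ip] = 0  # a successful login resets the counter
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout_seconds
            return "locked"
        return "failed"


# Constructed credential check standing in for WordPress's own password check.
def demo_check(username, password):
    return username == "hedwig" and password == "Correct-Horse-9"
```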

I’ll tell you my secret. I have my username and password written down on a piece of paper and taped to the back of a nearby picture. I haven’t yet forgotten them, but if I did I could easily check.

(6) Hide Your Login Page

In a similar problem to using “admin” as your username, all WordPress sites have their login page located at Easy to find if you’re a hacker.

One plugin I found recommended in a ProBlogger post is Hide Login. I’m still looking for a better rated option though, and if I find one, I’ll update this post to add it.

(7) Install Key Security Plug-Ins

Secure WordPress – If you understand technical gobbledygook you can read all the details about this yourself, but the basic idea is that this plugin hides the meta-data for your blog (which is otherwise public). If hackers can get hold of this meta-data, they can use it to compromise your blog.

WP Security Scan – This scan searches for vulnerabilities in your website and suggests ways to fix them.

Bulletproof Security – This plugin prevents sophisticated hacking attempts, as well as giving one-click htaccess protection and wp-config.php protection. You’ll read a lot of posts on “how to protect your blog from hackers” that tell you to protect those things, but they all involve complicated coding that most of us don’t know how to do. Bulletproof Security does it for those of us who are coding-impaired. It has a lot of options and looks complicated at first, but it has an extensive help file and there are many videos online explaining it, so this is basically a case of adding elbow grease to figure out your settings.

(8) Back-Up Your Website

Backing up your website makes sure that if the worst happens and you are hacked, you don’t lose everything. You can restore back to a saved version before someone inserted malicious coding into your site.

Good plugins for this are WP Online Backup, WP DB Backup, and BackWPup. I probably wouldn’t have the skills to restore my site myself (because I don’t want to go fiddling with the files that make it run), but I would have what I needed to provide to a web guru to quickly and easily do it for me.

If your site becomes immensely popular and you have the money, you can also pay for a backup service called VaultPress (by the creators of WordPress). The basic plan costs $15/month.

Is There More I Can Do to Protect My Site?

I’ve given you the quick version here. I wanted you to have something you could do in an afternoon. I also wanted to give you something that almost anyone can do.

If you want to make your site even more secure, you can read Anders Vinther’s free WordPress Security Checklist that walks you through security procedures in detail. It involves more technical knowledge. (Some of it is beyond my skill level, but I wanted to provide it for those of you who are able and interested.) The author says it takes about five hours to complete. You can download the PDF version or walk through the interactive version on their website.

There is also a highly-rated plugin called Better WP Security that’s supposed to cover many of the concerns above, including hiding your meta-data, htaccess protection, renaming your login screen, restricting login attempts, and scanning for security vulnerabilities. However, I haven’t tried it yet because it makes significant coding changes to your website. Before installing it, it’s recommended you have a backup of your site made. This is one I’m saving for the future when I can work with a web guru to walk me through it.

Disclaimer: I am not a website designer. I’m an average writer just like you who’s trying to make her site more secure. I wrote this post to help. If you break your site, I am not legally responsible.

Do you know someone who had their site hacked? Have you taken any steps to protect your site?

Image Credit: Vangelis Thomaidis (from stock.xchange)
