Is Your Website at Risk from Hackers? 8 Ways to Protect Your Blog
By Marcy Kennedy (@MarcyKennedy)
A hacked site can cause you days of downtime.
It can cost you money, both from lost income if you sell books through your site and from having to pay a web guru to fix the problem.
It can cause you stress as your regular readers send you messages telling you they’re receiving warnings about your site (and your site loses their trust).
It can cost you sleep as you worry about long-term consequences.
It can get you blacklisted by Google.
It can even cost you your entire website and the hours or years of work you’ve invested.
Your blog or website is at risk of being hacked simply because it exists. It doesn’t matter if you’re a big blogger (like Jeff Goins who got hacked in August) or you’re just starting out. Hackers don’t discriminate.
Anders Vinther, author of The WordPress Security Checklist, lists three reasons hackers attack even small sites: “the insertion of spam links in your content to boost SEO for other sites, through malware infections of your visitors’ computers (e.g., to steal their financial information), and redirecting your traffic to other sites.”
While no site is ever completely safe, you can do eight things today to significantly reduce your risk. Don’t think they’re worth the time? Go ask someone who’s been hacked and see what they think.
I’ve listed these tasks starting with the ones I think you’ll be able to do quickest and easiest and then moving to more difficult items.
(1) Choose a Secure Password
I know you might think I’m being baby basic here, but when I say “secure password,” I mean one that’s at least 10 characters long (longer is better: every extra character does more for you than an extra symbol does), with at least one uppercase letter and a symbol or number, and that isn’t a dictionary word, your blog’s name, or your username.
I also mean one that you don’t use anywhere else. Anywhere. If your Twitter account or your email gets hacked, you don’t want a hacker going over to your website to try the same password and finding out it works. Attackers do exactly this with passwords leaked from other sites’ breaches. A password manager is the easiest way to keep a different password for every account without having to memorize them all.
(2) Keep Your Site Version and Plugins Up-to-Date
I had no idea this was a big deal, but it makes sense if you think about it. The previous version of WordPress was replaced for a reason: bugs, security weaknesses, or both. And when WordPress releases an update, it publishes what changed, which by extension tells hackers exactly where the weaknesses in the old version are. Attackers compare the old and new code, build a tool that exploits the difference, and scan for sites that haven’t updated yet, often within days of the fix being published.
By updating to the newest version, you make your site more secure. Updating is free and takes a few clicks. Your site will be “down for maintenance” for a minute or so while it updates, so don’t update right after you publish a new post, and take a backup first (see #8) in case the update doesn’t get along with your theme or a plugin.
Along with immediately updating your WordPress version, you need to keep your plugins and themes up to date for the same reasons. Delete all plugins and themes you’re not using. Deactivating isn’t enough: a deactivated plugin’s files are still sitting on your server, and some of them can be reached and exploited directly even though WordPress never loads them.
(3) Keep Your Anti-Virus Software on Your Computer Up-to-Date
Did you know hackers can get into your website without ever attacking the website itself, just because you don’t have good anti-virus and malware protection on the computer you log in from? Certain malicious programs that hide on your computer track your keystrokes and transmit your passwords to the bad guys; others lift the saved passwords straight out of your browser and FTP program. Keep that software updated, and if you ever log in from a shared or public computer, change your password afterwards.
(4) Don’t Use Admin As Your Login Name
If you have a WordPress website/blog, the administrative username on older installs, and on many hosts’ one-click installers, is “admin.” (Since WordPress 3.0 you can pick any username when you install, but a great many sites still have an account called admin.)
When you keep this as your username, you’ve handed over half of your login. Attack tools try “admin” first because so many people never change it, and that leaves only your password for them to crack. One caveat: WordPress usernames aren’t truly secret (your posts’ author pages and your site’s /?author=1 link reveal them), so picking a different name mostly buys you time against lazy automated attacks. The password is still what keeps them out.
Not only should you set up a new administrative account, but you should also delete the old admin account. As long as an account named admin exists with administrator rights, every automated guess aimed at that name has a target.
Follow these steps:
- Log in using your “Admin” account.
- Click on “Users” in the left hand menu bar.
- When you’re on the “Users” page, you’ll see an “Add New” button. Click that. Fill in the information, using anything other than your own name (too obvious) or “admin” for the username, and give the account a strong, unique password of its own. From the role dropdown, select “Administrator.” You always need at least one account with the administrator role.
- Log out of the “Admin” account and into your new account.
- Go back to the “Users” page and delete the old “Admin” account.
- This is extremely important. When WordPress asks what should be done with the content owned by the old “Admin” account, choose “Attribute all content to” and pick the new account you created. If you choose “Delete all content” instead, every post and page the old account wrote goes with it.
(5) Limit Login Attempts
You can use the Limit Login Attempts plugin or Login LockDown. Either of these lets you choose the number of login attempts allowed before it locks out that IP address, and for how long.
Without a limit to the number of times someone can get your username or password wrong, an attacker could eventually crack your website through sheer persistence. It doesn’t take skill: freely available tools will run through thousands of password guesses an hour until they hit on the right one, and a lockout cuts that down to a handful of guesses per IP address. Two caveats. First, an attacker with many IP addresses (a botnet) can spread the guesses out so that no single address ever trips the limit, which is why a strong password still matters. Second, if your site sits behind a CDN or proxy, make sure the plugin is told to use the real visitor address (Limit Login Attempts has a setting for this); otherwise it sees every visitor as the same IP address and ends up locking out everyone, including you.
Hint: Most plugins show a “Settings” or “Options” link right under their name on the plugins page. Neither of these did, but I found them under my Settings tab in my left hand side bar.
But what if I change my password frequently or have a terrible memory? Won’t I lock myself out?
You might. Your site won’t blow up if you do. You’ll be forced to wait the time period you chose before you can log in again. The lockout applies to your IP address, so logging in from a different connection (your phone’s data plan, say) also gets you back in.
I’ll tell you my secret. I have my username and password written down on a piece of paper and taped to the back of a nearby picture. I haven’t yet forgotten them, but if I did I could easily check.
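To show what a login limit actually does (and where it falls short), here is a small Python script I’ve added to this post; it isn’t code from either plugin. It replays a handful of constructed web-server log lines (the kind your host’s access log contains) through the same rule the plugins apply: so many failed logins from one IP address within a few minutes, and that address is locked out for a while. The log lines, IP addresses and thresholds are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for a line that isn't a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def is_failed_login(method, path, status):
    """A wrong password makes wp-login.php re-render the form (200);
    a correct one redirects to the dashboard (302)."""
    return method == "POST" and path.split("?")[0] == "/wp-login.php" and status == 200


def simulate_lockout(lines, max_failures=4, window=timedelta(minutes=5),
                     lockout=timedelta(minutes=20)):
    """Replay log lines through a Limit-Login-Attempts style rule.

    Returns (locked, blocked): the time each IP was first locked out, and the
    requests that would have been refused while its lockout was in force.
    """
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    locked_until = {}             # ip -> when its current lockout ends
    locked = {}                   # ip -> time it was first locked out
    blocked = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if ip in locked_until and ts < locked_until[ip]:
            blocked.append((ip, ts))  # still locked: the request never reaches WordPress
            continue
        if not is_failed_login(method, path, status):
            continue
        recent = [t for t in failures[ip] if ts - t <= window] + [ts]
        failures[ip] = recent
        if len(recent) >= max_failures:
            locked_until[ip] = ts + lockout
            locked.setdefault(ip, ts)
            failures[ip] = []
    return locked, blocked


def _line(ip, second, status):
    """Constructed log line (not real traffic); all within one minute on the post's date."""
    return (f'{ip} - - [13/Sep/2012:11:57:{second:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 3541 "-" "python-requests/0.13"')


# One attacker guessing six times from one address, then a real login from elsewhere.
SINGLE_SOURCE = [_line("203.0.113.7", s, 200) for s in range(1, 7)] + \
                [_line("198.51.100.20", 8, 302)]
# The same six guesses spread over six addresses: what a botnet looks like in your log.
DISTRIBUTED = [_line(f"192.0.2.{n}", n, 200) for n in range(1, 7)]


if __name__ == "__main__":
    for name, lines in (("single source", SINGLE_SOURCE), ("distributed", DISTRIBUTED)):
        locked, blocked = simulate_lockout(lines)
        print(f"{name}: locked out {sorted(locked)}, refused {len(blocked)} later request(s)")
```

Run it and you’ll see the single-source attacker locked out on the fourth wrong password, with the next two guesses refused, while the real login from another address goes through untouched. The second batch spreads the same six failures across six addresses and triggers nothing at all, which is the botnet caveat above in miniature.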
(6) Hide Your Login Page
In a similar problem to using “admin” as your username, every WordPress site has its login page at the same address: www.yourdomainname.com/wp-login.php (going to /wp-admin just redirects you there). Easy to find if you’re a hacker, and easy for attack tools to hit without a human ever looking at your site.
One plugin I found recommended in a ProBlogger post is Hide Login. I’m still looking for a better rated option though, and if I find one, I’ll update this post to add it. Keep in mind that renaming the login page only hides the door; it doesn’t lock it. Anyone who learns the new address is right back where they started, and if you’ve turned on XML-RPC for a mobile app or remote publishing, WordPress also accepts usernames and passwords through xmlrpc.php. Use a renamed login page together with the login limit above, not instead of it.
(7) Install Key Security Plug-Ins
Secure WordPress – If you understand technical gobbledygook you can read all the details about this yourself, but the basic idea is that this plugin removes the meta-data your blog otherwise publishes: chiefly your exact WordPress version, which appears in a “generator” tag in every page’s source code, in your RSS feed, and in the ?ver= numbers tacked onto your site’s scripts and stylesheets. Hackers scan for sites running a version with a known weakness, so advertising yours puts you on their list. Hiding the version makes you a less obvious target, but it’s no substitute for updating (#2): a site running a vulnerable version is just as vulnerable whether or not it says so.
WP Security Scan – This scan searches your site for common weaknesses (loose file permissions, an account named admin, and the like) and suggests ways to fix them.
BulletProof Security – This plugin blocks many common attack requests before they reach WordPress and gives one-click protection for your .htaccess and wp-config.php files (wp-config.php holds your database password, so you don’t want anyone able to read it). You’ll read a lot of posts on “how to protect your blog from hackers” that tell you to protect those files, but they all involve editing server configuration that most of us don’t know how to do. BulletProof Security does it for those of us who are coding-impaired. It has a lot of options and looks complicated at first, but it has an extensive help file and there are many videos online explaining it, so this is basically a case of adding elbow grease to figure out your settings.
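Here is what that “meta-data” looks like in practice. The Python below is an example I’ve added to this post, not code from the Secure WordPress plugin. It scans a made-up page header and feed snippet (written to look like an ordinary WordPress 3.4 site, not copied from any real site) for the places the version leaks out, so you can run the same checks against your own page source before and after installing the plugin and see whether the leaks are gone.

```python
import re

# Constructed <head> of an un-hardened WordPress page (not captured from a real site).
SAMPLE_HEAD = """
<meta name="generator" content="WordPress 3.4.2" />
<link rel="stylesheet" href="https://blog.example/wp-content/themes/twentyeleven/style.css?ver=3.4.2" type="text/css" />
<script type="text/javascript" src="https://blog.example/wp-includes/js/jquery/jquery.js?ver=1.7.2"></script>
"""

# Constructed RSS feed snippet from the same imaginary site.
SAMPLE_FEED = """
<rss version="2.0"><channel>
<generator>http://wordpress.org/?v=3.4.2</generator>
</channel></rss>
"""

# The same header after a hardening plugin strips the generator tag and the ?ver= parameters.
HARDENED_HEAD = """
<link rel="stylesheet" href="https://blog.example/wp-content/themes/twentyeleven/style.css" type="text/css" />
<script type="text/javascript" src="https://blog.example/wp-includes/js/jquery/jquery.js"></script>
"""

GENERATOR_META = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
FEED_GENERATOR = re.compile(r'<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>', re.I)
# WordPress tacks ?ver=<its own version> onto scripts and styles registered without a
# version of their own; assets that carry their own number (jQuery's 1.7.2 here) leak
# the library version instead, which is still useful to an attacker.
ASSET_VER = re.compile(r'(?:href|src)="[^"]*?(/wp-(?:includes|content)/[^"?]+)\?ver=([\d.]+)"', re.I)


def find_version_leaks(html, feed=""):
    """Return [(where, version), ...] for every place the page or feed states a version."""
    leaks = []
    m = GENERATOR_META.search(html)
    if m:
        leaks.append(("meta generator tag", m.group(1)))
    for path, ver in ASSET_VER.findall(html):
        leaks.append((f"asset {path}", ver))
    m = FEED_GENERATOR.search(feed)
    if m:
        leaks.append(("RSS feed <generator>", m.group(1)))
    return leaks


if __name__ == "__main__":
    for where, ver in find_version_leaks(SAMPLE_HEAD, SAMPLE_FEED):
        print(f"leaks version {ver} via {where}")
    print("hardened page leaks:", find_version_leaks(HARDENED_HEAD))
```

Even with every leak above closed, the version can still be worked out from files WordPress ships (readme.html, for one) and from how the site behaves, which is why this is a nice-to-have on top of updating rather than a replacement for it.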
(8) Back-Up Your Website
Backing up your website makes sure that if the worst happens and you are hacked, you don’t lose everything. You can restore back to a saved version from before someone inserted malicious code into your site. Three things make a backup worth having: keep copies somewhere other than your web server (a backup sitting on the hacked server can be wiped or tampered with along with everything else), keep several generations rather than only the latest one (if you don’t notice the hack for two weeks, last night’s backup is already infected), and try restoring one at least once so you know it actually works.
Good plugins for this are WP Online Backup, WP-DB-Backup, and BackWPup. Note that WP-DB-Backup saves only your database (posts, pages, comments, settings); your uploaded images, theme and plugins live in the wp-content folder and need backing up too, which the other two can do. I probably wouldn’t have the skills to restore my site myself (because I don’t want to go fiddling with the files that make it run), but I would have what I needed to provide to a web guru to quickly and easily do it for me.
If your site becomes immensely popular and you have the money, you can also pay for a backup service called VaultPress (from Automattic, the company behind WordPress.com). The basic plan costs $15/month.
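As an added example (my own, not code from any of the plugins named above), here is a Python script that does the three things a useful file backup involves: it packs a site folder into an archive, writes down a fingerprint (SHA-256 hash) of every file it contained, checks that the archive really holds what the fingerprints say, and later compares the live site against those fingerprints to show exactly which files a hacker changed or added. The mini site it builds is invented for the example, and it covers files only; your database needs its own backup, which the plugins above handle.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 hex digest of a file, read in chunks so large uploads don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(site_dir):
    """Map every file under site_dir (path relative to it, with / separators) to its hash."""
    site_dir = Path(site_dir)
    return {p.relative_to(site_dir).as_posix(): sha256_file(p)
            for p in sorted(site_dir.rglob("*")) if p.is_file()}


def make_backup(site_dir, dest_dir):
    """Write site.tar.gz and site.manifest.json into dest_dir and return their paths.
    Copy both somewhere off the web server: a backup left on a hacked server can be
    wiped or tampered with along with everything else."""
    archive = Path(dest_dir) / "site.tar.gz"
    manifest = Path(dest_dir) / "site.manifest.json"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_dir), arcname="site")
    manifest.write_text(json.dumps(build_manifest(site_dir), indent=2, sort_keys=True))
    return archive, manifest


def verify_backup(archive, manifest):
    """Hash every file inside the archive (read in place, nothing extracted to disk) and
    compare with the manifest. Returns the paths that don't match; an empty list means
    the backup is intact and complete."""
    expected = json.loads(Path(manifest).read_text())
    found = {}
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                rel = member.name.split("/", 1)[1]  # drop the leading "site/"
                found[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return sorted(p for p in set(expected) | set(found) if expected.get(p) != found.get(p))


def changed_files(site_dir, manifest):
    """Compare the live site with the manifest taken at backup time.
    Returns (modified, added, missing) as sorted lists of relative paths."""
    expected = json.loads(Path(manifest).read_text())
    current = build_manifest(site_dir)
    modified = sorted(p for p in expected if p in current and current[p] != expected[p])
    added = sorted(set(current) - set(expected))
    missing = sorted(set(expected) - set(current))
    return modified, added, missing


def demo():
    """Build an invented mini site, back it up, then simulate a compromise and report it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        theme = site / "wp-content" / "themes" / "mytheme"
        uploads = site / "wp-content" / "uploads"
        theme.mkdir(parents=True)
        uploads.mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'blog');\n")
        (theme / "functions.php").write_text("<?php // theme functions\n")
        (uploads / "cover.jpg").write_bytes(b"\xff\xd8\xff" + bytes(32))

        archive, manifest = make_backup(site, tmp)
        intact = verify_backup(archive, manifest)  # [] when the archive matches the manifest

        # Simulated hack: a line appended to the theme and a stray PHP file dropped in uploads.
        with open(theme / "functions.php", "a") as f:
            f.write("/* injected code stand-in */\n")
        (uploads / "cache.php").write_text("<?php /* dropped file stand-in */\n")
        return intact, changed_files(site, manifest)


if __name__ == "__main__":
    intact, (modified, added, missing) = demo()
    print("backup verified:", intact == [])
    print("modified:", modified, "added:", added, "missing:", missing)
```

The manifest is the part most backup plugins skip, and it is what turns a backup from “something to restore” into “a way to find out what the hacker touched”: a web guru handed the archive plus the list of modified and added files can clean the site in minutes instead of hunting through every folder.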
Is There More I Can Do to Protect My Site?
I’ve given you the quick version here. I wanted you to have something you could do in an afternoon. I also wanted to give you something that almost anyone can do.
If you want to make your site even more secure, you can read Anders Vinther’s free WordPress Security Checklist that walks you through security procedures in detail. It involves more technical knowledge. (Some of it is beyond my skill level, but I wanted to provide it for those of you who are able and interested.) The author says it takes about five hours to complete. You can download the PDF version or walk through the interactive version on their website.
There is also a highly-rated plugin called Better WP Security that’s supposed to cover many of the concerns above, including hiding your meta-data, .htaccess protection, renaming your login screen, restricting login attempts, and scanning for security vulnerabilities. However, I haven’t tried it yet because it makes significant changes to your site’s configuration files (.htaccess and wp-config.php). Before installing it, it’s recommended you have a backup of your site made. This is one I’m saving for the future when I can work with a web guru to walk me through it.
Disclaimer: I am not a website designer. I’m an average writer just like you who’s trying to make her site more secure. I wrote this post to help. If you break your site, I am not legally responsible.
Do you know someone who had their site hacked? Have you taken any steps to protect your site?
Image Credit: Vangelis Thomaidis (from stock.xchange)
Sep 13, 2012 @ 11:57:31
Excellent post, Marcy!
I’ve got about 5 of the 8 covered.
I’ll be forwarding this post to my tech savvy web gal to take care of the rest.
After months of work to get my new site up, I’m not about to let it blow up in my face. :)
Sep 13, 2012 @ 15:18:04
I have to say that I’m a little envious. I lost my web person a few months back and so I’m going it alone for now 🙂
Sep 13, 2012 @ 13:52:50
This is such a great post! I would have never thought of hackers getting into my blog, and once I switch over to the paid version of WP I’ll definitely be putting in some of those plugins!
Sep 13, 2012 @ 16:53:04
I didn’t think about it either until the last few months when I heard of three people getting hacked. In two cases, their site was unusable until they got the problem solved. I decided I wanted to find ways to protect my site as best I can.
Sep 13, 2012 @ 14:00:23
Thanks for putting all of this together, Marcy. My husband is working on my official site, and I will be sending this to him. I’m sure he knows most of it, but it never hurts to double check.
Sep 13, 2012 @ 16:53:44
I’m sure he does, but if it were me, I’d be double checking too 🙂 Better safe than sorry, eh.
Sep 13, 2012 @ 14:02:36
Fantastic post with invaluable resources, Marcy. I’m bookmarking it pronto, and already changed my password, thanks to you. I had no idea WP could be backed up—one day, I’ll probably do that.
Thanks for helping us keep our blogs safe and sound!
Sep 13, 2012 @ 14:36:21
Thanks for this, Marcy. As you know, my site has been hacked twice in the past few weeks. I never expected a hacker to care about my site, but ….wish I’d known all this stuff last month!
Sep 13, 2012 @ 14:52:11
Great post. I would add to do your homework before choosing a host if you decide to go self-hosted WordPress. All the security measures in the world won’t help if your host is hacked. My host was hacked three times in six months – no longer my host. GoDaddy was hacked last week shutting down thousands of sites. No host is bulletproof – but some put effort into protecting you while others don’t.
Sep 13, 2012 @ 15:16:11
This couldn’t be more true. A couple of things I’ve learned to look for are a host who provides a secure FTP connection (which if I understand correctly means that your information is transmitted in encrypted form between your site and your host just in case anyone is “listening in”) and to have it so that major changes to your site (like adding or deleting plugins) requires a password. When I first noticed that my host required a password for adding plugins, I found it kind of annoying, but now I’m grateful.
Sep 13, 2012 @ 15:34:29
Thanks so much for this breakdown, Marcy! I am working on my website and I was worried about this problem, but didn’t know what to do about it. Your post is very timely. I’m going to print it out and go through it step by step.
Thanks again!
Sep 13, 2012 @ 19:24:47
Invaluable advice, Marcy. Most of this requires no tech savvy at all. You just need to find the right plugins. And if you don’t know how to do something, there are tutorials for everything online.
The first four and no. 8 I have covered already, but I will look into the other three tips.
Sep 13, 2012 @ 20:13:49
Thanks so much for this list Marcy! I’m going to go over with my tech guy (aka hubby). 🙂
Sep 14, 2012 @ 00:03:57
Any more advice for those who use Blogger (besides the obvious: switch to WordPress)?
Sep 27, 2012 @ 00:36:08
I wish I could help, but unfortunately, I don’t know enough about Blogger since I’ve never used it. If Blogger has add-ons the way WordPress does, you could look for ones that serve similar functions.
Otherwise, you’ll have to depend on a strong password and hard-to-guess username.
Sep 27, 2012 @ 00:42:56
Heather Wright-Porto is a designer and an expert when it comes to issues with blogger. You can find her website at http://www.blogsbyheather.com.
Hope that helps.
Sep 14, 2012 @ 00:06:33
Great tips. It’s scary to think about our blogs getting hacked but it’s best to be prepared for the worst.
Sep 14, 2012 @ 01:42:38
I’m going to check on some of these. thx Marcy
Sep 14, 2012 @ 03:36:28
Thanks Marcy. Good advice. There are so many plugins that claim to do something good, but really knowing which ones are worth the effort is impossible without someone else having tried them first!
Cheers 🙂
Sep 14, 2012 @ 21:39:52
You put a lot of work into this post Marcy. Thank you so much! I need to put this great information to good use. This was so timely.
Btw, how are you? I need to send over an email. 🙂
Sep 15, 2012 @ 00:28:22
I’ve got this page bookmarked for when I make the big switch. My son told me the other day that blogs are the number one hacked sites on the web. I immediately changed my password to something hard to hack. Thanks for the great information!
Sep 15, 2012 @ 08:45:39
Thanks, Marcy! I just changed my password, but couldn’t find how to limit log-in attempts (might not be an option for a wordpress.com site). The rest…I feel a panic attack coming on…kidding. But I wish I knew more about this stuff. Time to learn though. 🙂
Sep 15, 2012 @ 12:10:21
Do these plug-ins work if you just use WordPress.com rather than self hosting? I have to admit I don’t really understand plug-ins.
Sep 15, 2012 @ 12:43:04
Unfortunately, some of this won’t be possible on a WP.com site. You aren’t able to make a free hosting site as secure as you could make a paid hosting site because there are certain things you’re just not allowed to change on a free site.
Jan 14, 2013 @ 02:31:50
I just hopped over from Jennette Marie Powell’s blog. I’m so glad she posted the link to this post. I just bookmarked it. I have a Blogspot blog but am starting a WP blog, too. This info will be super helpful. Thanks, Marcy!