There’s been a lot of press about WordPress sites under attack by hackers these last few months. Recently I myself was the recipient of several attacks as well. Luckily for me, I was aware of them because I got an email from Wordfence while they were happening! Thanks to my good friend Matt from Lukens Consulting who introduced me to Wordfence, I feel like I am well protected. There are always going to be hackers trying to get into your site…perhaps for malicious reasons, or perhaps to add spam or pay-per-click links to your site…but there are ways to stop them from getting in and protect your blog!
Have you seen this kind of traffic on your site?
Here are some steps you can take to protect your blog from hackers!
Delete the admin user. But BEFORE you do that, first create a user with a unique name who has admin rights. Then you can delete the admin user. The most common attacks seem to be “dictionary attacks” on the admin user (because they only have to come up with the password; the user name “admin” is already there for them). The hacker uses a program to continuously try combinations of letters and numbers. If you don’t have an “admin” user name, they can’t get in using this strategy.
Another tip: Pick a nondescript name for your own user name so that if they decide to try to get in that way, you aren’t giving them part of what they need!
Install the Wordfence plugin / tighten up your settings. Recently I had a hacker try to get into my blog all night long. WordPress allows an unlimited number of login tries by default; with Wordfence you can tighten up your security even more. See the security options Wordfence offers below! If you make it hard for a hacker, chances are he’ll move on to an easier target.
Another way hackers find their way in is through plugins that aren’t up to date. Wordfence alerts you via email as soon as a plugin has an update available!
Keep your eye on fake registrations / add comment control. When someone registers with an email that ends in .cn, .jp, .pl or another foreign email domain, watch them carefully. Consider whether their interest is valid or not. For my commenting system, I have to approve any new commenter. After the first time they are approved, they are able to comment freely. You still could get spam links if someone wrote a comment that looked legitimate and you approved it, because that person would then have the ability to comment throughout your blog. However, if you’re like me and monitor your comments on a daily basis (all comments are emailed to me so nothing falls through the cracks), you’d see something like that right away and would have the chance to address it by deleting that person as a user or blocking them from your site. Here’s an example of comments that were not approved, and that I actually didn’t even see, thanks to my Akismet plugin that stops most spam in its tracks!
Another tip: Occasionally a real comment will end up in spam. I check my spam folder periodically because I have had this happen with two people, neither of whom is a spammer. It doesn’t happen all that often though.
I hope you find this helpful in making your blog more secure! What’s your best tip to avoid hackers?