Imagine a group of thieves continually attempting to break into your house. First they jiggle the doorknob to see if you accidentally left it unlocked. Then they try every window to see if it can be pried open. If they do manage to get inside, they’ll try every single combination possible to disarm your security system before the alarm goes off. (Pretend there’s no timeout on your monitoring system, and they can just keep trying as much as they’d like.)
The equivalent of this is happening, continually, on every WordPress website out there on the internet. As you’re reading this, bots are attempting to gain access to the backend login for this website.
My intent isn’t to scare you away from WordPress (all systems have vulnerabilities, and it’s targeted by attackers because of its popularity). As a WordPress website owner, there are things you can do to keep things secure.
Don’t give out Administrator level accounts to your coworkers.
Admin accounts have all the power. If other people in your organization need to update the website, give them an Author or Editor level account instead. The fewer administrator-level accounts there are, the fewer there are for an attacker to break into.
Do you have an account named “admin”? Set up a new admin account with another name.
This default Administrator account name (“admin”) is the username bots try first and most often. You can set up a new administrator with a new name, then delete the old “admin” account (reassigning its posts to the new account when prompted).
Make sure your passwords are hard to guess.
Is your password something like “Name2015”? If you have a hard time remembering something like “N4m3xc$jk#21!”, use an inside joke phrase instead. For example, “Every1callsusPixelSt!”*
Maintain your WordPress installation and plugins.
This is a big one! If you’re not an advanced user and too timid to try updating things, budget for an hour’s maintenance every month from a reputable web development firm. They can ensure everything is up to date for you.
If your web host doesn’t offer a scheduled backup service, you can use a service such as VaultPress to keep backups in a secure spot. If you do get hacked, you can then easily roll back to a clean site.
If you’re an advanced user, you can install and configure a security plugin.
To date, I’ve played with iThemes Security, All-In-One WP Security (my preferred plugin), and Wordfence. All offer similar features and do their best to block bots from trying to sign in, exploit vulnerabilities in out-of-date plugins, etc. At the very least, you want to secure your login page and make sure your database table prefix is not the default wp_. You can also password protect the wp-admin directory from your host’s control panel for an additional layer of security.
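To check the account and prefix advice above without clicking through the dashboard, here is a small audit script, added as an example and not part of the original post or any of the plugins named. It assumes you can paste in the contents of your wp-config.php and a user list in the shape that `wp user list --fields=user_login,roles --format=json` produces; both inputs below are constructed samples.

```python
import re
from typing import Dict, List

# Constructed wp-config.php excerpt for illustration; in practice read the real file from disk.
WP_CONFIG = """
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';
"""

# Constructed user list, modeled on the JSON that `wp user list --fields=user_login,roles` prints
# (roles is a comma-separated string per user).
USERS = [
    {"user_login": "admin", "roles": "administrator"},
    {"user_login": "jane", "roles": "administrator"},
    {"user_login": "bob", "roles": "editor"},
]


def table_prefix(config_text: str) -> str:
    """Return the $table_prefix value from wp-config.php text, or '' if it is not set."""
    m = re.search(r"^\s*\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;", config_text, re.M)
    return m.group(1) if m else ""


def audit(config_text: str, users: List[Dict[str, str]]) -> List[str]:
    """Apply the post's checklist and return human-readable findings (empty list = all clear)."""
    findings = []
    prefix = table_prefix(config_text)
    if prefix in ("", "wp_"):
        findings.append("database table prefix is the default 'wp_' (or unset)")
    logins = [u["user_login"].lower() for u in users]
    if "admin" in logins:
        findings.append("an account named 'admin' exists; create a new admin and delete it")
    admins = [u["user_login"] for u in users if "administrator" in u["roles"].split(",")]
    if len(admins) > 1:
        findings.append(f"{len(admins)} administrator accounts ({', '.join(admins)}); demote the extras")
    return findings


if __name__ == "__main__":
    for line in audit(WP_CONFIG, USERS) or ["no findings"]:
        print("-", line)
```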
*Not actually our password, FYI.