WordPress Security – Part 1

Someone is always trying to hack your WordPress website

    Not a week goes by without some company making the headlines because their system has been compromised. There’s always a big name in the news: Equifax, Target, Sony, Harbor Freight, etc. But, what you don’t see reported are the other 29,997 sites that are hacked every day (via Forbes).

    FACT: If you put something up on the Internet, someone is trying to get into it.

    But, There’s Nothing Valuable On My Website

    Hmm… if that’s true, maybe we need to have a chat about your website. Seriously though, it doesn’t matter if it is your holiday letter or a 1-page website for a community event. If it is on the Internet, someone, somewhere is trying to get into it. This isn’t because your holiday letter contains state secrets or the community event website has credit card numbers.

    Oh, and let’s be clear. It actually isn’t someone attacking your site. It is a bot. That’s right, a person wearing a hoodie in a basement in front of a wall of screens is just the visual that TV shows use. Hackers are smart and lazy: they get bots to do their work. Most hacks are hacks of convenience: a bot came along, saw that your site was vulnerable and put it on a list, and at some point an attack is launched against every site on that list. It’s nothing personal, plus…

    Hackers don’t give a crap about the content of your site.

    This is what most people don’t understand. Hackers aren’t after what you have. Hackers want to either use your site to distribute their malware or they want to use your hosting account as a minion when trying to hack into bigger targets. Either way, this is BAD for you and the people that visit your website.

    Protect Your Time, Money, Visitors & Sanity

    If your site gets hacked, not only is it a huge pain in the a$$, but it can bite you in the wallet. Hopefully you have a backup and can quickly restore and be on your way. If not, stop right now and go make one. Seriously!!! It is that important that I demand you immediately quit reading this and go do it. I’ll wait.

    So you have a backup now, right? You may keep reading…

    If your site gets hacked, you could be faced with hours of trying to find and remove the problem code or paying someone to do it for you. While you may eventually get it resolved, it is likely that you’ve lost sales, infected customers and potential customers with malware and have been tearing your hair out to get everything fixed.

    The best way to avoid the nightmare scenario of being hacked is to take steps to protect your site. This is the first in a series of 4 articles where WordPress Security is the focus. This article will concentrate on the single most important thing you ABSOLUTELY HAVE to do if you have a WordPress site.

    The Single Most Important Security Function

    Besides standard WordPress site hygiene, having a backup and regular maintenance (the topic of the next post in this series), the single most important thing you MUST do is limit login attempts to your WordPress Dashboard. Of course you are using a strong password for your site – at least 10 characters, no dictionary words, upper & lowercase letters, numbers and special characters. Right? RIGHT? Well, let’s just say you are.

    Even a strong password can be broken with enough tries.

    A weak password can be broken pretty fast these days, and it doesn’t take many attempts. This is why limiting login attempts is so important. This functionality only permits a few tries before it prevents the user from trying any more passwords, thus blocking the easiest route to gaining access to your site.

    How to Limit Logins on Your WordPress Site

    Limiting login attempts is one function of comprehensive WordPress security plugins like iThemes Security. We’ll be talking more about that particular plugin during this Security Series. However, if that seems intimidating and you just want a plugin to do this one function, check out Login LockDown. Limit Login Attempts used to be the standard go-to plugin for this, but it hasn’t been updated in 3 years. I typically don’t recommend using plugins that haven’t been updated at least in the last 6 months.

    To Install Login LockDown

    On your WordPress Dashboard go to Plugins > Add New. Type “Login LockDown” in the search bar in the top right-hand corner. When the search results come up, click “Install” for the Login LockDown plugin. Once it is installed, click the button to activate the plugin. That’s it! By default, it locks out a user for 1 hour after 3 failed login attempts in 5 minutes. You can change these settings via the Options Panel.

    Screenshot: Search for Login LockDown, then click to install

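    To make the default policy concrete (3 failed attempts within 5 minutes locks the source out for 1 hour), here is a minimal WordPress must-use plugin written as an added example; it is not Login LockDown’s code and says nothing about how that plugin is built internally. It assumes the client is identified by its IP address (`REMOTE_ADDR`) and keeps its counters in WordPress transients.

```php
<?php
/*
 * Plugin Name: Minimal Login Limiter (added example, not Login LockDown's code)
 * 3 failed logins from one client within 5 minutes => that client is locked out for 1 hour.
 * Assumptions: the client is identified by REMOTE_ADDR and state lives in WordPress transients.
 */
const MLL_MAX_ATTEMPTS = 3;
const MLL_WINDOW_SECS  = 5 * MINUTE_IN_SECONDS;
const MLL_LOCKOUT_SECS = HOUR_IN_SECONDS;

// Transient key for this client; the IP is hashed so the key stays short and option-safe.
function mll_key( string $prefix ): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0'; // wrong behind a proxy/CDN, see note below
    return $prefix . md5( $ip );
}

// Runs after core's password check (priority 20): while locked out, every attempt fails,
// right or wrong, so a guessing bot learns nothing from a correct guess either.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( get_transient( mll_key( 'mll_lock_' ) ) ) {
        return new WP_Error( 'mll_locked_out', 'Too many failed logins. Try again in an hour.' );
    }
    return $user;
}, 30, 3 );

// Count failures inside a fixed 5-minute window that starts at the first failure.
add_action( 'wp_login_failed', function ( $username ) {
    if ( get_transient( mll_key( 'mll_lock_' ) ) ) {
        return; // already locked out; nothing more to count
    }
    $count_key = mll_key( 'mll_fail_' );
    $state     = get_transient( $count_key );
    if ( ! is_array( $state ) ) {
        $state = array( 'count' => 0, 'first' => time() );
    }
    $state['count']++;
    if ( $state['count'] >= MLL_MAX_ATTEMPTS ) {
        set_transient( mll_key( 'mll_lock_' ), time(), MLL_LOCKOUT_SECS );
        delete_transient( $count_key );
        return;
    }
    // Expire the counter when the original window ends, not 5 minutes after this failure.
    set_transient( $count_key, $state, max( 1, $state['first'] + MLL_WINDOW_SECS - time() ) );
} );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( mll_key( 'mll_fail_' ) );
} );
```

    Dropping the file into wp-content/mu-plugins/ activates it without any dashboard step. If your site sits behind a reverse proxy or CDN, `REMOTE_ADDR` is the proxy’s address, so three failures from anyone would lock out every visitor; a real plugin has to handle that case.
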
    NOTE: Just limiting logins will NOT fully protect your WordPress website. It is just one step. The next step is ensuring your site stays up-to-date.

    Easy, right? So, now go change your password to a stronger one and install the plugin. While this one thing won’t fully secure your site, at least you are no longer leaving out the welcome mat for hooligans.
