Your WordPress website is safe, right? Don’t be so sure!
While monitoring some of my own websites, as well as two of my clients’ websites, I discovered that WordPress websites seem to be under attack from hackers all the time!
The specific type of attack that I’m talking about is hackers trying to break into the Admin area of WordPress sites using brute-force attacks, i.e. trying to guess your username and password.
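One way to check whether a site is seeing this kind of password guessing is to count login POSTs per client in the web server access log. The sketch below is an added example, not code from the original post; it assumes combined-format access logs and WordPress's default behaviour of answering a failed login with status 200 and a successful one with a 302 redirect, and the function name, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# client IP, method, path and status from a combined-format access-log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

def _line(ip, sec, method, status):
    """Build one constructed access-log line in combined format."""
    return (f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3512 "-" "Mozilla/5.0"')

# Constructed sample traffic (documentation IP ranges, not real clients).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", 200) for s in range(6)]          # 6 failures
    + [_line("203.0.113.7", 6, "POST", 302)]                          # then a success
    + [_line("203.0.113.50", s, "POST", 200) for s in range(10, 15)]  # 5 failures
    + [_line("198.51.100.20", 20, "POST", 200),                       # one typo...
       _line("198.51.100.20", 21, "POST", 302),                       # ...then a login
       _line("192.0.2.9", 30, "GET", 200)]                            # only viewed the form
)

def audit_login_posts(log_text, threshold=5, login_path="/wp-login.php"):
    """Return {ip: {"failed": n, "success_after_failures": bool}} for noisy clients.

    Assumption: a POST answered with 200 is a failed login (form re-shown),
    and a POST answered with 302 is a successful one (redirect to the dashboard).
    """
    stats = defaultdict(lambda: {"failed": 0, "success_after_failures": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, method, path, status = m.groups()
        if method != "POST" or path.split("?", 1)[0] != login_path:
            continue  # only login submissions count
        entry = stats[ip]
        if status == "200":
            entry["failed"] += 1
        elif status == "302" and entry["failed"] >= threshold:
            entry["success_after_failures"] = True  # guessing may have worked
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}

if __name__ == "__main__":
    for ip, s in sorted(audit_login_posts(SAMPLE_LOG).items()):
        note = " (a login then SUCCEEDED: check that account)" if s["success_after_failures"] else ""
        print(f'{ip}: {s["failed"]} failed login POSTs{note}')
```

If you rename the login page as described in Step 3, pass the new path as `login_path` when checking your own logs.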
Why Would Hackers Try To Break Into Your Website?
If hackers can get administrative access to your website, they can do anything they want. This includes deleting part or all of your website, or turning your website into a distributor of malware.
If hackers delete or deface your site, and you have a recent backup (which you should have anyway), you have no problem. You can simply restore your website.
If hackers turn your website into a distributor of malware, as is mostly the case, you could have a big problem on your hands. For one, search engines will flag your website as malicious and your traffic will disappear like fog in the sun!
So it is essential to protect WordPress from hackers.
3 Steps To Protect WordPress From Hackers
If your WordPress website was installed with all of the default values, hackers will have two of the three pieces of information that they need to break into your site. All they still need is your password, and they’re in!
Why make it so easy for them?
To make it much more difficult for hackers to break into the Admin area of your WordPress site, we’re going to take 3 steps…
Step 1: Change The Default Admin Username
The default WordPress administrator username is… yes, you guessed it… admin. Hackers know this too. Step 1 to protect WordPress from hackers is to change this.
- Go to Users on the admin menu.
- Add a new user. Pick a username that is not easy to guess. Give this user the role of administrator.
- Log out of WordPress and log back in with the new admin username.
- Delete the old admin username and assign any old posts or pages belonging to the old admin username to the new username. (This assignment is part of the deletion process.)
Step 2: Set A Strong Password
The days of setting easy passwords, like dictionary words, are over. Don’t ever do that, especially not for important websites, like your bank’s website or your WordPress website’s admin area. Step 2 to protect WordPress from hackers is to set a strong password!
The Users section in WordPress, where you create or edit users, has a built-in tool to measure the strength of the passwords you create. Use that tool to make sure you create strong passwords.
A strong password will contain at least 10 characters, but ideally 12 or more characters. It should include uppercase and lowercase letters, at least one number, and at least one special character, like #, $, &, etc.
Step 3: Change The Default Admin Login Page URL
The default WordPress login page is called wp-login. And yes, hackers know that too. Step 3 to protect WordPress from hackers is to change this as well.
- Go to Plugins and click on Add New.
- In the search box, enter “rename wp-login.php” and click Search. Here’s the plugin’s page on WordPress.
- Install and activate the plugin.
- This plugin adds a section to the bottom of the Settings -> Permalinks page. Here you specify a new name for your WordPress login page. Don’t stick with the default name, login. Pick another page name that would be difficult to guess.
There are other plugins that also allow you to change your WordPress login page URL, but I’ve had good results with this one.
If you have taken these 3 simple steps to protect WordPress from hackers, you have instantly made it at least 3 times more difficult for hackers to break into your WordPress admin area. It should go a long way towards saving you a lot of trouble.
PS. Have you had any problems with hackers, or have you taken any steps to protect your website? Let us know in the comments…