Protect Your WP Site From Hackers in 4 Steps


I generally write about typical SEO topics, but protecting your website from hackers is definitely the job of an SEO. If you hire someone to do “SEO work” and they leave your site totally exposed, then that’s the first clue you hired a half-ass SEO company or website designer. If your WordPress site is hacked, typically, you won’t even know it. The hackers will install dangerous scripts, or maybe just a ton of links to porn sites, but they will likely do it in a way that you would never immediately notice with the naked eye. (No pun intended.)

If your real estate or law firm website suddenly starts linking to pornography sites, does it make sense that it would hurt your SEO?

Worse, if they install malicious code on your site, Google will drop your site in the rankings and, if anyone finds you on page 10, warn your potential visitors right in the SERPs. Take a look at this image:

[Screenshot: Google search result carrying the warning “This site may harm your computer”]

So yes, keeping your WordPress site safe from hackers is definitely an SEO / SEM company’s job, though few actually do it.

I will show you how to stop 99% of the hackers that try to invade your site with three free WordPress plugins. This will not stop a determined hacker, and we must remember that things are constantly changing, but for now, these three things will stop the typical brute force hackers.

(Almost) Foolproof Way to Protect WordPress From Hackers

We all like to think we are important. I think Dale Carnegie said that. However, unless you’re a political figure, or your site holds important data (like thousands of credit card numbers), it is highly unlikely that a “real hacker” would waste his or her time breaking into your website. Unless you have somehow managed to piss off a real hacker, then your WP site is dealing with “script kiddies” 99% of the time. A script kiddie is someone without any real hacking skills, that uses software to find vulnerabilities in your WordPress installation. You can be a script kiddie if you want. Just join some hacker forums or search Google. It’s not hard to be a junior hacker; any loser can do it. And, of course, the world has an endless supply of losers with nothing better to do.

In a 2005 Carnegie Mellon report prepared for the U.S. Department of Defense, script kiddies are defined as:

“The more immature but…dangerous exploiter of security lapses on the Internet. The typical script kiddy uses existing and frequently well known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internet—often randomly and with little regard or perhaps even understanding of the potentially harmful consequences.”

Basically, they run a program that looks for certain weaknesses on random websites, and then they use “brute force” to “guess” your password. And all of this happens while the person sleeps, or more likely, goes off to high school after mommy packed a lunch.

1. Change your Admin User Name

Are you still using “admin” as a username in WordPress? Admin is the default WP username. If you are using “admin” to log in to your site, or even if you are not but the “admin” user still exists on your site, you should know that’s the first username a hacker will try. Why give them your username in advance? Another dumb thing to do is to use your own name. For example, my name is Michael, so obviously, on this particular site, “Michael” would be a poor choice for a username.

A better username would be “Barbara,” since I don’t know anyone named Barbara.

Even better? Use something totally random. YD765DcfR would be a great username. Get it?

If hackers don’t know your WP username, they won’t be able to try different passwords until they get it right. You can’t enter a password without a username.

In your dashboard, go to “users” and look for a username “admin.” Is it there?

Now I’m not sure why, but WordPress lies and tells you that “usernames cannot be changed”. See the screenshot below:

[Screenshot: WordPress user profile page stating that usernames cannot be changed]

Oh but WP usernames can be changed! There are two ways in fact.

A.) You could access your database through phpMyAdmin and change it there. But if you are the average WP user, these instructions will likely be intimidating, so I’m going to skip over them. Besides, there is a much easier way. If you want to do it the hard way, here is an article about changing it using your hosting company’s cPanel.

B.) You can just change it using a plugin. I like this one, simply called Admin Renamer Extended.

You can install the plugin easily through your dashboard, just by searching for it: Dashboard >> Plugins >> Add New

Once it is installed and activated, you will find it in an unusual place – under “plugins”. (Normally, you would find a plugin’s settings under “Settings.”)

Just click the link and follow the instructions. Once you change your admin username, you will be immediately locked out. Just log back in using your new username and password. Personally, I would change all of my admin usernames, if I had a multi-author website, and just be sure to let your other users know that their logins have changed.

Once you change your username(s), deactivate and delete the plugin. Or keep it around, and deactivated, in case you want to change things up again in a month or two.


2. Change Your Login Page

Much like “admin” is the default username for WordPress, the default login page looks something like this: https://example.com/wp-login.php

Is your login page located in the default location?

We’ve already gotten rid of the default username, so let’s get rid of the default login page too.

For that, we just install a plugin called: Rename WP Login

I link to it for reference, but of course, I would just install this through my WP dashboard. Once you install and activate, you will be redirected to your permalink settings page and you will see this:

[Screenshot: the Rename WP Login field on the Permalinks settings page]

Again, don’t do something silly here and rename your login page to your own name. Pick a random phrase that you will remember, like “minions-love-bananas”, click save and you are ready to go!

Now if someone goes to my normal WP login page, they will get a 404 (page not found) error:

[Screenshot: 404 error page at the default wp-login.php URL]

But my new login can be found at:

[Screenshot: the renamed login page URL]

Now that we’ve eliminated these two default methods of entry, we are going to kill thousands of script kiddie hacker attempts, but just in case, let’s also deploy a security plugin, so that we can block I.P. addresses that try to get in and monitor any hacking attempts on our site.

3. Install WordFence Security

In reality, you can protect your WordPress site without using plugins at all, but I wanted to write this tutorial for the average user. So far, we have already made our site pretty secure, just by doing the above two things. However, if we install Wordfence and we configure it correctly, we will not only keep out 99% of the hackers, but we can also block them from coming back. (At least, until they run out of I.P. addresses or patience.)

You can find Wordfence here, or you can just install it through your dashboard of course.

Once you have it installed, or even if you already have it installed, go to your dashboard then Wordfence >> Options.

First, put in your email address so that you can get alerts. (If you don’t, the plugin is going to bother you every time you login.)

Moving down the page, under “Scans to Include” – check off every box except for “Enable High Sensitivity” scanning. You’ll get too many false positives and you’ll have to start taking Valium.

[Screenshot: Wordfence “Scans to Include” options]

Next, moving down the page, you will see “Login Security Options.” I don’t ever forget my password, because I use encrypted software to store all of my passwords. I just cut and paste my ridiculously long password. There is really no excuse to forget your own password, so I set this up so that if a password is entered incorrectly twice, the user IP is blocked.

My settings look like the screenshot below. This means that if anyone (meaning an I.P. address) tries to login and fails after two tries, counted over the period of 24 hours, their I.P. address is blocked for 60 days. For normal websites though, it’s better to block the I.P. address for only 1 day. The reason for this is because many people could share the same I.P. and you could inadvertently block a whole university for 60 days, because one kid in the computer lab tried to hack your website. This isn’t something I particularly care about, because we have a long-term-client-based business, but if I had a retail store or I was selling something that “the masses” wanted, then I would only block the I.P. address for 1 day or less.


[Screenshot: Wordfence login security options]

You’ll also notice that anyone who tries to login with “admin” (if they somehow find my login page) or “michael” is immediately throttled. (I should also add: Michael, michaelgeorge, MichaelGeorge, etc.)

Finally, we need to block people with lots of 404 errors. If you keep your site tidy and free of broken links, then nobody should get a bunch of 404 errors.

If you followed my instructions in step 2, they can’t find your login page at the default URL, so they end up hitting random pages trying to find it. Wordfence blocks against that too.

In the section titled Firewall rules, set it up to look like mine. In my opinion, the default settings are too loose. Is yours set up at least as tight as this? If you’re not sure how to set them, my example is a good start. Again, you don’t want to go crazy here, because our biggest fear is blocking the wrong person. We don’t want to block the Googlebot or any other search engines. We have to find a nice mid-point, and I think that’s what I have here:

[Screenshot: Wordfence firewall rules]
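As an added illustration (not code from this post or from the Wordfence plugin), here is the lockout policy described under “Login Security Options” and the 404 rule from the firewall section modelled in Python: an I.P. is blocked outright for trying “admin” or the owner’s name, after two failed logins within 24 hours, or after a burst of 404s. The 404 threshold and all I.P. addresses in the sample traffic are constructed assumptions; the 60-day block is the post’s own setting, and the 1-day default is the one it recommends for most sites.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds follow the post's Wordfence settings; MAX_404S is an assumed placeholder.
FORBIDDEN_USERS = {"admin", "michael", "michaelgeorge"}   # blocked on first try
MAX_FAILURES, FAILURE_WINDOW = 2, timedelta(hours=24)
MAX_404S, NOT_FOUND_WINDOW = 10, timedelta(minutes=1)

class LoginGuard:
    def __init__(self, block_for=timedelta(days=1)):
        self.block_for = block_for            # 60 days in the post, 1 day advised
        self.blocked = {}                     # ip -> block expiry time
        self.hits = defaultdict(deque)        # (ip, kind) -> recent timestamps

    def _block(self, ip, now, reason):
        self.blocked[ip] = now + self.block_for
        return f"block {ip} until {self.blocked[ip]:%Y-%m-%d} ({reason})"

    def _recent(self, key, now, window):
        times = self.hits[key]
        times.append(now)
        while now - times[0] > window:        # forget hits outside the window
            times.popleft()
        return len(times)

    def handle(self, now, ip, kind, detail=""):
        # kind: 'login_fail', 'not_found', or anything else (treated as harmless)
        if ip in self.blocked and now < self.blocked[ip]:
            return f"drop {ip} (blocked)"
        if kind == "login_fail":
            if detail.lower() in FORBIDDEN_USERS:
                return self._block(ip, now, f"username {detail!r}")
            if self._recent((ip, kind), now, FAILURE_WINDOW) >= MAX_FAILURES:
                return self._block(ip, now, "failed logins")
        elif kind == "not_found":
            if self._recent((ip, kind), now, NOT_FOUND_WINDOW) > MAX_404S:
                return self._block(ip, now, "404 scan")
        return f"allow {ip}"

def demo():
    # Constructed traffic: a password guesser, an "admin" probe, a 404 scanner.
    g, t0 = LoginGuard(block_for=timedelta(days=60)), datetime(2014, 8, 7, 15, 0)
    out = [g.handle(t0, "203.0.113.5", "login_fail", "Barbara"),
           g.handle(t0 + timedelta(hours=23), "203.0.113.5", "login_fail", "Barbara"),
           g.handle(t0 + timedelta(hours=23, minutes=1), "203.0.113.5", "login_ok"),
           g.handle(t0, "198.51.100.9", "login_fail", "ADMIN")]
    out += [g.handle(t0 + timedelta(seconds=i), "192.0.2.77", "not_found", "/x")
            for i in range(MAX_404S + 1)]
    return out
```

Note that the second failed login counts even though it is 23 hours after the first, which is exactly the shared-I.P. risk the post warns about: one guesser in a computer lab locks out everyone behind that address for the whole block period.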


4. Stop SQL Injection Attacks

Wordfence currently does not stop a certain kind of attack called SQL injection attacks. There are plugins that do, my favorite is Bulletproof Security, but I think that plugin is way too bulky and confusing for the amateur to install and configure. Remember, I’m writing these posts for the person that can’t afford or just doesn’t want to hire an SEO company or a good developer. I am assuming, if you are reading all of this, two things: 1. You have a WP site, but you don’t know a lot about security and 2. You don’t want to pay an expert.

With that said, I would stick to Wordfence and install one more plugin to thwart SQL attacks – Injection Guard.

There is really no set-up for injection guard, it’s very easy.

  1. Install and activate Injection Guard
  2. Now go to admin menu -> settings -> IG Settings
  3. Click on save settings button.
  4. That’s it!

In conclusion, I just want to remind readers that no site is ever safe. In fact, even if you do all of these things and lock your WP up tight as a drum, you could get infected just because you are using shared hosting and the hacker finds a way into your hosting account, rather than your WP account. But for the average user, this will prevent 99% of the hacking attempts on your site.

If you are still worried, or you still get hacked even after following these steps, you can contact us for a security consultation.


Featured image courtesy of Ivan David Gomez Arce.


Comments

  1. ginny lacey gorman Says: August 7, 2014 at 3:11 pm

    Wow, excellent WP security info here Michael and I think everyone needs to tune up their WP site tighter than ever.

  2. Excellent information and perfect timing!

  3. If you have WordFence, Clef, and Brute Protect installed, your website will basically be un-hackable to 99.9% of the hacking population. Most people that have the knowledge to get through those layers have better things to do with their time. Check out https://getclef.com

  4. We used WordFence on one of our sites and were locked out of it. When we tried to get assistance, we became frustrated. Imagine being able to see everything on the Internet EXCEPT the site you own and operate.

    It took us more than one week and hours of phone time to get things back to normal.

    • That’s a bummer! There would have been one really easy solution and it would have only taken you ten seconds: Login to your hosting account via FTP and delete the Wordfence plugin folder from inside your web root. Even if you didn’t want to FTP, you could also use your hosting control panel and delete the folder from there. It should have been a really quick fix. But let me take a wild guess: GoDaddy is your hosting company? Only with GoDaddy could you have that level of incompetence from customer service. Am I right?

      • We did delete the folder, but it wasn’t a fix. Before we deleted WordFence, we installed WordFence Assistant; it didn’t work either.

        Yes, GoDaddy is the host … My Internet Service Provider had to change my IP address in order to regain access to the site.

        • Well that’s very strange. I don’t know how Wordfence could keep you out if you deleted Wordfence. To my knowledge, it doesn’t write to the .htaccess file, like other security plugins. But you bring up another point: You really should use a VPN (virtual private network) whenever you access the internet. It will also allow you to change IP addresses when you need to. It’s only about $12 per month. All you would have had to do is logout of your VPN service (which would have given you a different IP) and then login with your home IP. Or vice-versa. But you really should always use a VPN. I could park in front of your home with my laptop and take your passwords right out of the air without one. But that would have been another immediate fix- just change your IP yourself- and well worth the $12 per month. I’m in Phoenix right now, but I am using a Dallas I.P. address.
