Since we design our web themes specifically with bloggers in mind, I frequent a lot of sites ABOUT blogging. I read a lot of great posts about content creation, social media and even DIY design tips. The topic that seems to get the least attention should probably get the most: how to protect your WordPress.org site.
In this post, we’re going to break down WHY you need to protect your site and some measures that ANYONE can take to protect their site from hackers and bot attacks.
Not too long ago, one of my full service, site install clients contacted me because her web host was getting ready to shut down her site because she’d gone over her monthly allotted “executions”.
The site owner was bewildered. Her site is pretty darn popular but she bought a larger hosting package to make sure she had plenty of monthly page visits. But sure enough, she checked her site stats and her site had seen a massive traffic spike the day before; 3 times the traffic she usually gets in a month in one day.
Her host sent her an email filled with steps she could take to fix the problem. To her, it was all a bunch of mumbo jumbo. So, she contacted me.
What the heck happened?
The site owner was the victim of a malicious bot attack. An automated program was set to access her site over and over, specifically her admin login page. The bot was trying to “guess” her admin login and password using a Brute Force attack. We had already set up a plugin that sent her email notifications any time someone tried to log into her site, whether they failed or succeeded, so we knew her site hadn’t been accessed. But the bot had burned through her “executions” for the month. (At her host, executions are roughly equivalent to page visits.)
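If you can get at your server’s access log, the attack described above is easy to spot: one IP address POSTing to the login page over and over. The script below is an added example (not code from this post or from any plugin it mentions); it assumes the common Apache/Nginx “combined” log format and the standard WordPress login page at /wp-login.php, and the log lines it reads are constructed sample data, not a real site’s traffic.

```python
"""Spot a login brute-force attempt in a web server access log.

Added example, not code from the original post or from any plugin it names.
It assumes the Apache/Nginx "combined" log format and the standard WordPress
login page at /wp-login.php; the log lines are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One "combined" format line: IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/wp-login.php"


def _line(ip, ts, method, path, ua):
    """Build one constructed log line in combined format."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 3405 "-" "{ua}"'


# Constructed sample: a normal visitor who mistypes a password once, and a
# script that POSTs to the login page every two seconds.
SAMPLE_LOG = "\n".join(
    [
        _line("203.0.113.7", "10/Oct/2023:13:55:01 +0000", "GET", "/", "Mozilla/5.0"),
        _line("203.0.113.7", "10/Oct/2023:13:55:10 +0000", "POST", LOGIN_PATH, "Mozilla/5.0"),
        _line("203.0.113.7", "10/Oct/2023:13:55:20 +0000", "POST", LOGIN_PATH, "Mozilla/5.0"),
        _line("198.51.100.9", "10/Oct/2023:13:55:00 +0000", "GET", LOGIN_PATH, "python-requests/2.28"),
    ]
    + [
        _line("198.51.100.9", f"10/Oct/2023:13:55:{2 + 2 * i:02d} +0000",
              "POST", LOGIN_PATH, "python-requests/2.28")
        for i in range(25)
    ]
)


def parse_ts(ts):
    """Parse '10/Oct/2023:13:55:01 +0000' into a timezone-aware datetime."""
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def login_posts_by_ip(log_text):
    """Collect the timestamps of every POST to the login page, keyed by client IP."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        # Only POSTs submit credentials; a GET just loads the form.
        if m["method"] == "POST" and m["path"].split("?", 1)[0] == LOGIN_PATH:
            hits[m["ip"]].append(parse_ts(m["ts"]))
    return hits


def find_login_bruteforce(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak_posts} for IPs with >= threshold login POSTs inside any window."""
    flagged = {}
    for ip, times in login_posts_by_ip(log_text).items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within 60 s, likely brute force")
```

Run it against your own log by reading the file into `find_login_bruteforce`; a human who mistypes a password twice stays well under the default threshold of ten POSTs per minute, while a guessing script stands out immediately.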
Once bots gain access to a site, their goals can be a number of things. If you run a shop and store secure customer info (we don’t, by the way – all our customer info is stored by our Cart vendor with powerful encryption – we recommend never storing customer or visitor info in your site databases if you can avoid it), they might gain access to credit card numbers. Or they might use your server to send their own SPAM mail. Whatever the hacker’s goal, you know it’s not good. But there are some simple, free plugins that can help. All you need to do is install and set them up. Nothing can promise you 100% protection. Hackers learn new tricks all the time. But at least you’ll know you have roadblocks in place to prevent the most common types of attacks. So, follow the steps below to protect your site!
Update, update, update!
The first and foremost way to keep your WordPress site safe is to keep your site updated. This includes WordPress core, themes and plugins. WordPress provides lovely automatic update notices. You can even activate automatic update installation (although a lot of people don’t recommend this – check out this article to learn more). Or there are services like WP Maintainer that will make sure your site stays up-to-date (although they can be quite spendy).
The bottom line is, pay attention to that update icon in the top of your admin toolbar, the one that looks like two arrows going around in a circle.
When it comes to plugins, especially free ones, make sure you’re using ones that are updated regularly and recently. If a plugin hasn’t been updated in 2 years (the WordPress repository will warn you), avoid it. And don’t forget to deactivate and delete any plugins you’re not actively using. Don’t leave hackers an open back door to your site!
When it comes to themes, look for theme shops that offer free upgrades with in-dashboard update notices and update processes. (We do!)
Protect with plugins
The name of this plugin pretty much says it all. It limits the number of times someone can try to log in to your site. Easy to set up and great for helping prevent Brute Force attacks. There are other plugins similar to this one, but this one is the most updated and most used.
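To see what a login-limiting plugin actually does for you, here is the lockout logic in miniature. This is an added example, not the plugin’s own code: it counts failed attempts per client IP (if your site sits behind a reverse proxy you would need the real client address instead), locks the IP after a set number of failures inside a time window, and keeps it locked for a cooling-off period even if the correct password then arrives, which is what makes a lockout worth anything against a guessing script. Timestamps are passed in explicitly so the behaviour can be checked without waiting; the IPs and times are constructed.

```python
"""Lockout logic of the kind a login-limiting plugin applies.

Added example, not the plugin's own code. Failures are keyed on the client IP
(a reverse proxy would need the real client address instead); the IP is locked
after `max_attempts` failures inside `window` and stays locked for `lockout`
even if the right password then arrives. Times are passed in explicitly.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginLimiter:
    def __init__(self, max_attempts=5, window=timedelta(minutes=10),
                 lockout=timedelta(minutes=20)):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime when the lock expires

    def is_locked(self, ip, now):
        """True while the IP is inside its lockout period; expired locks are cleared."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            self.failures.pop(ip, None)  # clean slate once the lockout has expired
            return False
        return True

    def _prune(self, ip, now):
        """Drop failures older than the counting window."""
        recent = self.failures[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def attempt(self, ip, password_ok, now):
        """Record one login attempt; returns (allowed, reason)."""
        if self.is_locked(ip, now):
            # Refuse regardless of the password: a correct guess must not end the lockout.
            return False, "locked"
        if password_ok:
            self.failures.pop(ip, None)
            return True, "ok"
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            return False, "lockout"
        return False, "bad password"


def simulate_guessing(limiter, ip, start, guesses=10, spacing=timedelta(seconds=1)):
    """Feed `guesses` wrong passwords one after another; return the reasons given."""
    return [limiter.attempt(ip, False, start + i * spacing)[1] for i in range(guesses)]


def demo():
    """Constructed scenario: a script guesses from one IP, then the owner logs in."""
    lim = LoginLimiter(max_attempts=3)
    t0 = datetime(2023, 10, 10, 13, 55)
    return {
        "guesses": simulate_guessing(lim, "198.51.100.9", t0),
        # Even the correct password is refused while the lock is in force...
        "correct_while_locked": lim.attempt("198.51.100.9", True, t0 + timedelta(seconds=30)),
        # ...and accepted once the 20-minute lockout has expired.
        "correct_after_lockout": lim.attempt("198.51.100.9", True, t0 + timedelta(minutes=21)),
        # An unrelated IP is never affected by someone else's failures.
        "other_ip": lim.attempt("203.0.113.7", True, t0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With three allowed attempts, the script gets two “bad password” answers, a “lockout” on the third, and nothing but “locked” after that; the site owner’s correct password is refused for the same 20 minutes, then accepted. Keep that in mind when choosing limits: a lockout also locks you out if you fat-finger your own password, so pair it with a password manager rather than setting the limit to one.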
This is really the only plugin we’ve found of its kind, but it’s a good one for sure. You can achieve the same thing by editing the .htaccess file in the root folder of your site on your server, but this is just plain easier. Install, activate, and you’re protected from common bad bots known to crawl sites.
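For anyone who would rather do the .htaccess edit by hand, the example below shows what such a rule looks like and checks a User-Agent string the same way the rule would. This is an added example, not the plugin’s code; the bot names are constructed placeholders standing in for whatever blocklist you maintain. Bear in mind that the User-Agent header is whatever the client says it is, so this stops only bots that announce themselves; it is a cheap first filter, not a complete defence.

```python
"""Block self-identified bad bots by User-Agent: build the .htaccess rules and
check a User-Agent the way the rules would.

Added example, not the plugin's code. The bot names are constructed
placeholders; a real list comes from whatever blocklist you maintain. The
User-Agent is chosen by the client, so this only stops bots that announce
themselves.
"""
import re

# Constructed placeholder names, not a real blocklist.
BAD_BOTS = ["ExampleScraper", "Bad-Bot/1.0", "SpamHarvester"]


def _pattern(bot_names):
    """Alternation of escaped names; escaping matters for names containing '.'."""
    if not bot_names:
        # An empty alternation "()" would match every User-Agent and block everyone.
        raise ValueError("bot list is empty; refusing to build a match-everything rule")
    return "|".join(re.escape(name) for name in bot_names)


def htaccess_rules(bot_names):
    """Return mod_rewrite directives that answer 403 Forbidden to matching User-Agents."""
    return "\n".join([
        "<IfModule mod_rewrite.c>",
        "RewriteEngine On",
        # [NC] makes the match case-insensitive, like re.IGNORECASE in is_blocked().
        f"RewriteCond %{{HTTP_USER_AGENT}} ({_pattern(bot_names)}) [NC]",
        # '-' means no substitution; [F] sends 403 Forbidden, [L] stops further rewriting.
        "RewriteRule .* - [F,L]",
        "</IfModule>",
    ])


def is_blocked(user_agent, bot_names):
    """Mirror of the RewriteCond above: True if this User-Agent would get a 403."""
    return re.search(_pattern(bot_names), user_agent, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(htaccess_rules(BAD_BOTS))
    for ua in ("Mozilla/5.0 (compatible; examplescraper/2.1)", "Mozilla/5.0 Firefox/117.0"):
        print(ua, "->", "blocked" if is_blocked(ua, BAD_BOTS) else "allowed")
```

Paste the printed block at the top of the .htaccess file in your site’s root and reload the page in a browser first: a mistake in this file (or an empty name list, which the code refuses to build) can lock every visitor out with a 403 or a server error, so keep a backup copy of the file before you edit it.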
For an antivirus program on steroids, check out the WP Antivirus Site Protection plugin.
Another great way to prevent Brute Force attacks is to “hide” your login page. WordPress comes with a standard login page address that hackers don’t even have to guess at. This simple plugin helps you change your login page address to something less predictable. Make sure you write down your new login page address!
So, have you ever been hacked or SPAMMED? Feel free to share your experiences and any tips to help other bloggers prevent/fix this kind of issue.