For anyone involved in digital marketing at any level, the greatest nightmare is to have an online property of yours hacked but how can you protect your blog or your newly developed website from getting hacked?. It’s also the common fear of webmasters. Well, that fear is the beginning of wisdom.
Only last year, the world watched as Sony Pictures went on an uncontrollable, downward spiral as hackers dealt them one terrible blow after the next. Five unreleased movies were dumped online for all to have (along with all its financial implications). Sensitive information was disseminated that embarrassed top executives, big players in Hollywood and business partners. And so it went on and on till the Presidency of the US had to step in.
Just January this year, the Nigerian Defense Headquarters’ website was hacked into and the front-end defaced.
Truth is, hacking is actually more common than it seems. Hacking websites have become common-place amongst black hats and even white hats for a long time. It has also become so easy that even greenhorns access blogs or website with ease and deface it “just because they can”. Now, smart webmasters, go as far as paying experts to do what is called “Penetration Testing” just to measure a site’s security level.
Today, I’ll show you some steps to take to help you safe-guard your WordPress site.
How to Protect Your Blog From Hacker in 8 Steps
For a while now, WordPress has been a target of numerous hackers.This is because just like Windows is the most used operating system, it is also the most used blogging platform.
Also, it’s easy to hack a WordPress site.
So you just obtained a domain, installed WordPress, got a fancy theme, a few plugins and started publishing and you feel quite safe?
Don’t be. WordPress has lots of loop holes. We call them vulnerabilities
GET SECURE HOSTING
The first tip to having a safe blog is to use a secure hosting. Most hacked WordPress sites result from flaws in its hosting.
So don’t go for that cheap hosting. Look for one with a long standing record for security measures.
UPDATE YOUR PLUG-INS
WordPress, itself, isn’t responsible for creating most of its plugins. They are made by independent developers. These developers’ plugin may have exploits – 80% do, exploits not even known to them. But as time goes on, they realize this, and create updates to patch these exploits – so how often do you update your plugins?
Well if you don’t, now is the best time to start.
YOUR ADMIN LOG-IN
Its common knowledge that most WordPress blogs have a user account “admin” but what are the other accounts? Do you do all the work with the admin account?
If yes, now is a good time to stop.
It is wiser to use the default admin account to arrange plugins, style the blog, create pages and other master activities.
Create other user accounts, with fewer privileges – in fact only posting and moderation privileges. If possible, by all means, do not use “admin” in any username. Then it will be difficult for a potential hacker to determine which of the usernames has the admin privilege.
The average Nigerian thinks lazily – no offense. I happen to have been exposed to a lot of passwords in my line of work – It amazes me that the average joe’s password is God123, ilovejesus, wwwwww etc.
In as much as the first password (God123) looks cheesy – it’s actually the most intelligent of the three because it has a combination of alphanumeric characters.
Let me tell you how hackers brute-force WordPress usernames for their passwords. It’s called a dictionary attack. The dictionary itself is a basic .txt document which has numerous words – in fact; it has all the words in a dictionary including lists of popular internet used passwords (more reason why your password should not be popular). It gets even better- the wordlist has numbers 0 – 999999999.
So what does it do?
Like a combination lock, it tries every alphabet (word) and number against the username until the account cracks.
I should add that some newly updated wordlist even have Yoruba, Igbo names.
Ease of cracking by hackers depends on how good your password is. It may take a week, it may take a month. Or it may take forever- depending on how complicated your password is.
So ensure you keep your passwords as complicated as possible.
HIDE YOUR USERNAME FROM THE AUTHOR URL
This is another way hackers get a username.
The default setting for the author archive page is to display the username along with it. So if your username is kofoworola – the url becomes http://yoursite.com/author/kofoworola. Thereby, exposing your username.
This isn’t ideal for the same reasons as the “Admin” I spoke of earlier. so ensure you disable this.
There is a plugin called “limit login attempts”. As the name implies, its purpose is to limit the number of attempted log-ins.
When a hacker repeatedly tries to brute-force a username into logging in, it stops the person. It also bans the IP address of whoever is trying to login without the correct password.
Although there are many ways around this for a hacker (like using dynamic IP addresses) this will help as an additional precaution.
AVOID FREE THEMES LIKE PLAGUE
Like I said, WordPress has numerous developers. If a theme/plug-in isn’t by a reputable developer – ditch it.
You should be concerned about the quality of the theme you use. Go to the developer’s page, see how long the plugin/theme was developed and updated, check other users’ reviews of the same theme/plugin before using it.
More importantly, free themes easily have what we call base 64 encoding which makes you blog easily open to spam links as well as well as other vulnerabilities.
ALWAYS BACKUP YOUR BLOG
Well, we can never be too careful. I cannot overemphasize the importance of keeping backups for your blog. It is the best security measure at your disposal- So use it. Google “WordPress Backup to Dropbox” and see how it backs up your WordPress blog to your Dropbox regularly. In a case where the unexpected occurs, it will come handy in restoring your blog to its former grandeur!