Millions of websites are powered by WordPress software and there’s a reason for that. WordPress is the most developer-friendly content management system out there, so you can essentially do anything you want with it. Unfortunately, that has some downsides as well.
For example, if you don’t change your default configuration, hackers and some pesky users with too much curiosity immediately know where to log in to get into your admin area. In WordPress, you can just type in domain.com/wp-admin and it will take you right to the login screen. At that point, it’s all about trying to crack your password. The most common method hackers use is brute force, which allows them to test millions of login combinations in a short amount of time.
Do not use defaults
Do not use the default username and password you are given for both your hosting account and for your website content management system. Change your username and password as soon as you have purchased your package and installed WordPress.
Change your details even if the hosting company allowed you to enter your own details when you signed up (i.e. your username and password were not defaults), because you cannot be sure how secure the hosting company’s servers are or who else has access to the information you entered into the system.
Have a long password and change it every 72 days
The password you choose should be over 8 characters long. It should be a random mix of letters and numbers and should not feature any words. Do not write your password onto anything electronic except for the small encrypted password box on your WordPress system. If you cannot remember your password because you are not Stephen Hawking, then write it down on a notepad that you store somewhere safe in your home.
Change it every 72 days because it makes a hacker’s life a little more difficult. It means the hacker has to start from square one again if he or she has a brute force program running on your website.
Use secure hosting
This should go without saying, but you should find a host that puts security as a top priority. Many free hosting packages cannot afford to spend a lot of money on security, though that doesn’t automatically mean a big and expensive company spends a lot of money on security either.
It is up to you to find a hosting package that takes security very seriously, because gaining access to your website via your servers is the ultimate backdoor pass. A hacker who gets into your website by hacking the server may be able to overcome almost all of your security measures with ease.
Back up your website
Let’s not forget that if someone is motivated enough to get into your website, then that person is going to do it. A 15-year-old hacked NASA, a 16-year-old London boy, Richard Pryce, hacked American military systems and was noted as the biggest threat to US security at the time, and Gary McKinnon managed to hack the USA’s most secure military computers, which include Area 51. So, if you think your plugins and security protocols are a match for hackers, then think again.
Your best defense is to back up your website so that, if you are hacked, you can wipe the slate clean, restart your security, change all your access passwords, improve your passwords, and re-upload your website data all within one day. Manually back up your website unless your hosting company offers the service for free and doesn’t charge for the extra space the backups take up. You only need the last 2 versions of your website. Do not keep all your backup copies as they will take up space on your servers, which is space you are probably paying for.
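The keep-only-the-last-2-versions rule above, written out as a shell example that is added here and is not from the original article. The function names `backup_site` and `prune_backups` and the `site-<timestamp>.tar.gz` naming scheme are assumptions, and it archives files only (a WordPress database dump would be backed up separately).

```shell
#!/bin/sh
# Added example: archive a site directory, then keep only the newest archives.
# Assumptions: function names, paths, and the site-<UTC timestamp>.tar.gz scheme.
# Keep DEST_DIR outside the web root so archives cannot be downloaded or
# swept into the next backup.

KEEP=2  # the article's advice: only the last 2 versions

# backup_site SRC_DIR DEST_DIR [STAMP] -> prints the path of the new archive
backup_site() {
    src=$1 dest=$2 stamp=${3:-$(date -u +%Y%m%d-%H%M%S)}
    [ -d "$src" ] || { echo "no such site directory: $src" >&2; return 1; }
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    out="$dest/site-$stamp.tar.gz"
    # Write under a temporary name so an interrupted run never counts as a backup.
    ( umask 077 && tar -czf "$out.part" -C "$src" . ) || { rm -f "$out.part"; return 1; }
    # Check the archive is readable before it can displace an older good copy.
    tar -tzf "$out.part" >/dev/null || { rm -f "$out.part"; return 1; }
    mv "$out.part" "$out" && echo "$out"
}

# prune_backups DEST_DIR [KEEP] -> deletes all but the newest KEEP archives
prune_backups() {
    dest=$1 keep=${2:-$KEEP}
    # Timestamped names sort chronologically, so the glob lists oldest first.
    set -- "$dest"/site-*.tar.gz
    [ -e "$1" ] || return 0   # no archives yet
    while [ "$#" -gt "$keep" ]; do
        rm -f -- "$1"
        shift
    done
}

# Typical use (placeholder paths), pruning only after a successful backup:
#   backup_site /path/to/site /path/to/backups && prune_backups /path/to/backups
```

Pruning only after `backup_site` succeeds means a failed run never deletes one of the two good copies.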
Keep things up to date
This goes for all your technology, software, and accounts. Keep up to date with WordPress updates, and if your security plugins come with free updates you should update as soon as they are released. Do not stick with old versions of WordPress, because the longer a WordPress version exists, the higher the chances are that hackers have found a way to break into it.