Millions of websites are powered by WordPress software and there’s a reason for that. WordPress is the most developer-friendly content management system out there, so you can essentially do anything you want with it. Unfortunately, that has some downsides as well.
For example, if you don’t change your default configuration, hackers and some pesky users with too much curiousity immediately know where to log in to get into your admin area. In WordPress, you can just type in domain.com/wp-admin and it will take you right to the login screen. At that point, it’s all about trying to crack your password. The most common method hackers use is brute force, which allows them to test millions of login combinations in short amount of time.
Giving Hackers a Difficult Time
There’s a few different preventive measures you can take in order to minimize the risk of getting your website hacked.
Back Up Your Website Often
Obviously it depends on how often your website gets updated, but I would suggest at least a weekly backup. There’s many WordPress plugins that can help you with that, but my favorite is BackupBuddy. BackupBuddy will run you about $100, which you would happily pay to be able to restore your hacked website in 5 minutes.
If you’re looking for a free alternative, you are in luck! Ready! Backup is a free plugin that allows you to create automated backups, send them off to Dropbox or FTP, and restore them quickly. I haven’t tried it yet, but so far most reviews are positive.
Another option is UpdraftPlus. It has way more positive reviews than Ready! Backup plugin; however, it seems like the user interface is not as polished. Either way, you can’t beat free!
Limit Login Attempts
There is a nifty little WordPress plugin called Limit Login Attempts that enables you to limit the number of failed login attempts and even ban an IP for a specified number of hours. Remember how I mentioned brute force attacks and trying millions of different login combinations? Well, with this plugin, brute force attacks would be much harder to pull off.
The hacker would need to have many different proxies because the plugin would keep banning that IP address after a certain number of failed login attempts.
All options are customizable in this plugin. You can select how many failed login attempts you will allow, how long they’re locked out, and how many lockouts it will take to issue a temporary IP ban.
Don’t Use “admin” as Your WordPress Username
Most hackers try to get your password by trying to bruteforce your admin username. If you change your username to something else, that will protect your website immediately.
If you have already installed your website and you chose “admin” as your username, don’t worry about it. There’s still a way to change it.
Create Another Admin User
The fastest way is to register another user and then give that user admin permission. Then you can login with that new admin username and proceed to delete the old “admin” username.
Change it through PHPMyAdmin
If you have many posts and pages assigned to your user and don’t want to re-assign them, you can change your username through PHPMyAdmin. First login to your cPanel and go into PHPMyAdmin. Select your WordPress database and go into wp_users table. Click Edit next to your “admin” user, and change the user_login field to whatever you want it to be.