Let me start by saying that no site is completely secure, and these three steps won’t drop a 12-inch wall of steel around your website. They will, however, help your website hide from potential hackers, and if they can’t find you, they can’t hurt you. I also believe that hackers are generally lazy and will most likely bypass your site and go after the millions of other sites that are more vulnerable.
A large number of potential hacks start with little robot programs that get released on the internet searching for WordPress websites, then proceed to try to guess the login credentials. I can attest to this very practice, as each night between say 12 and 5 in the morning, our site gets probed by dozens of foreign IP addresses coming out of Europe and Asia. Then I implemented these few strategies and it all suddenly stopped… poof!
So here they are:
1) Change your Login Page Name (URL).
The robots are programmed to access www.yoursite.com/wp-admin. If you rename the login page, the robots receive a 404 message and move on to someone else’s website.
How to: Install the plugin “Rename wp-login.php”, then go to Settings > Permalinks and update the “login url” to anything you want. Just be sure to write it down and tell anyone who normally logs into your site where to find it.
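As an added example (not from the original post), the following Python script parses web-server access-log lines and flags IP addresses that repeatedly hit the WordPress login paths the robots look for. The log lines, addresses and the two path prefixes are constructed assumptions; the script also counts how many of a flagged address's probes came back 404, which is what you see once the login page has been renamed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache/nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:03:40:10 +0000] "GET /wp-admin/ HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:03:40:11 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:03:40:12 +0000] "POST /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.31"
192.0.2.50 - - [12/Mar/2024:09:05:00 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.50 - - [12/Mar/2024:09:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATHS = ("/wp-login.php", "/wp-admin")  # assumed: the default WordPress login paths bots probe

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "path": m["path"], "status": int(m["status"])}

def max_hits_in_window(timestamps, window_seconds):
    """Largest number of events that fall inside any span of window_seconds (two-pointer sweep)."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_login_probes(log_text, threshold=3, window_seconds=600):
    """Return {ip: {"hits": n, "404s": k}} for IPs that hit a login path at least
    `threshold` times within `window_seconds`; the 404 count shows bots still
    knocking on the old URL after the login page has been renamed."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(LOGIN_PATHS):
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        if max_hits_in_window([r["ts"] for r in recs], window_seconds) >= threshold:
            flagged[ip] = {"hits": len(recs), "404s": sum(r["status"] == 404 for r in recs)}
    return flagged

if __name__ == "__main__":
    for ip, info in find_login_probes(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} login-path hits, {info['404s']} of them 404")
```

Run it against your own access log (read the file instead of SAMPLE_LOG) and the flagged addresses are the ones worth blocking at the firewall or feeding to a login-limiting plugin.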
2) Change your User ID to something other than “ADMIN”.
Many setup utilities assign “Admin” as the default user name when a website is initially being created. Chances are good that yours has an “Admin” user. The hacker robots know this and have been programmed to try “Username = Admin”. If they find “Admin” works, they have successfully cracked 50% of your login credentials.
How to: If you have a separate login and no one else used the “Admin” credentials, simply delete the user. If you or others currently use “Admin”, you will want to create a new user with a unique ID, test that you can successfully log in with this new ID, then (and only then) delete the “Admin” user.
3) Make your password difficult and completely unique.
We all hate this one, because it is soooo hard to remember every unique password for every other account we own, but your website is 5 times more likely to get hacked than any of your other accounts and probably 100 times more difficult to clean up and recover from.
How to: Access your user profile and simply update it with a password that uses letters, numbers, capitals and special characters (%&$#!). I would highly suggest that you begin using a password vault, which basically stores all of your passwords in the cloud under the protection of one super secret password. You then log in once (to your vault), and the vault automatically fills in your other logins as you visit those sites/accounts. We use “LastPass” (free version) and have been very, very happy.
If you own a website that is optimized so it can be found by your customers, then hackers are probably more likely to notice you as well. These simple tricks are just phase one of a much more robust security plan we offer. If you would like more information on WordPress security, click here.