Web security continues to be a growing priority in any industry. As technology evolves, so does the knowledge of hackers.
As a beginner blogger, you may feel like you have no data worth hacking – but that is almost never the case.
Someone gaining access to your WordPress admin account is given back-door access to your entire website – not to mention now having access to your email address, and possibly a password that you may have used for your bank login.
As your website grows and starts earning money, people may want to take you down.
Don’t let it happen to you. Start off in a secure place so you’re always protected!
Don’t Use a Generic Username
Many WordPress installers set the default username to “admin,” making it the first thing someone will guess.
Your username is one half of your login credentials. If your username is “admin,” then a hacker already has half of what they need to access your account.
If you haven’t installed WordPress yet, change the username if your installer lets you.
Avoid using anything generic such as your website name or your own name. Think of your username like a second password – you want it to be hard to guess.
If you have already installed WordPress and have a username of “admin,” you may have already noticed that WordPress does not allow you to simply change your username.
All hope is not lost.
Create a new Administrator user by going to Users > Add New in your Admin Dashboard. Make sure to assign the new user the Administrator role.
Here is your second chance – create a strong username and password!
You will not be able to use the same email address as your “admin” user, but you can change it later.
Now that it’s created login with your new account, and navigate to Users > All Users. Hover over your old, unsecure, account and click Delete.
If you posted any content from the old account, WordPress will prompt you for what to do with that content. Make sure to select “Attribute all content to:” and select your new account.
At this point, you can change your email address back to the one you wanted it to be.
Backup Your WordPress Site (free plugin)
Backing up your entire site is something you should be in the habit of from the very beginning.
There are many things that can go wrong with any website. If your website gets hacked, an issue arises when updating a plugin, a server crashes… Any of these can mean your entire website is completely GONE.
A great simple (and free!) plugin to backup your WordPress site is UpdraftPlus. Their Premium tool has a lot of amazing features, but their free tool includes basics backups to remote locations (including Dropbox or Google Drive), which is the bare minimum you need.
Change the Standard Login Page (free plugin)
You can easily find the login page for most WordPress websites. If yourdomain.ca is running on WordPress, you can most likely go to yourdomain.ca/wp-admin to access their admin login page.
Now, just because people can access your admin login page, doesn’t mean they can get into your account. They do still need to gain access to your login credentials.
Changing where your login page can be found is just one more added layer to keep your administrative panel secure!
To change your login page, you can use the free WPS Hide Login plugin.
I recommend changing your login URL to something hard to guess, like another password.
Instead of switching to yourdomain.ca/mylogin try something like yourdomain.ca/friedappletini/
Just make sure to remember what you change it to, as it can be challenging to recover if you’re new to cPanel and MySQL (tech stuff…).
If you do lose your login page, and you used an installer via cPanel to install WordPress, you may be able to login to your cPanel and turn off the WPS Hide Login plugin from there. This will revert your login page back to the default.
Alternatively, you can access your website files (either through cPanel > File Manager, or via FTP) and navigate to wp-content > plugins and delete the “wps-hide-login” folder.
Install Themes & Plugins from Reliable Sources
Themes & Plugins can drastically improve the functionality of your blog or WordPress site, and are basically required.
The risk here, is that they modify and have access to files on your website. If you install something malicious, it’s very similar to downloading a virus to your computer.
Personally, I only ever install plugins from within my WordPress Dashboard!
Most reputable plugins will have a website where you can download the plugin to install on your WordPress site, however they should always be available in the WordPress repository, too!
This means, navigating to Plugins > Add New and searching for the plugin there. Not only does this mean WordPress is vouching for the security of this plugin, but it’s also so much easier to install this way.
As for Themes, I only every install free themes from the WordPress Dashboard, too. There are so many free themes available online. Even if the theme developer has good intentions, there may be some security flaws or bugs in the code that the developer hadn’t thought about.
WordPress maintains a stringent review policy for themes they add to their repository, so you know you can trust them!
As for premium (paid) themes, they are often not available through this method. For these, make sure you are using a reputable library before paying for a theme.
Keep Themes & Plugins Up to Date
As mentioned above, Themes & Plugins have some serious access to your website, and outdated tools can allow hackers an entryway to your backend!
Updates to Themes & Plugins often include patches and bug fixes.
WordPress is pretty good at bringing your attention to when updates are available.
Click on the Updates link to see what is available to update. Simply check the boxes and click Update to mass-update your themes or plugins.
Your blog will go into “Maintenance Mode” while everything updates, meaning it won’t be publicly available. But don’t worry, it shouldn’t take more than a minute or two.
Two-Factor Authentication (free plugin)
Okay, I’ll admit – I’ve always found two factor authentication (2FA) to be a pain in the butt. It makes your login so much more secure, so I do actually use it.
If you have any kind of 2FA associated with your login, it means a hacker now needs access to your username, your password, and which ever device or other account you are using for 2FA.
The free miniOrange 2-Factor plugin allows you to set up any of the following options for two-factor authentication:
- Google Authenticator
- Security Questions
- SMS Text Message
- miniOrange Authentication App
- miniOrange App Push Notification
Any of these methods add security to your login, but my recommendation is to use something that requires another device (such as Google Authenticator, SMS or the miniOrange app options).