Website security should be a main concern for every webmaster and blogger.
WordPress is one of the most widely used website CMSs, with 18,803,738 WordPress.com sites and counting, and that prevalence makes it a double-edged sword. An installed base that large, every copy storing its users and content in the same well-known database layout, is a prime target: one working exploit can be replayed against millions of sites by a script. Attackers go after WP sites to steal credentials and other sensitive data, and if your site has traffic and inbound links they will hijack those too, planting spam links or redirecting your visitors for their own gain.
To help protect your site from attack, the following article outlines the steps that make it a much harder target. Plus, we’ll add a little hacker profile at the end of each step to give you a glimpse of computer history’s most notorious hackers.
1. Keep Your CMS Installation Up-To-Date
WordPress tells you when a new version is available by placing a message at the top of your Dashboard. Apply it. The one-click upgrade is quick and closes the holes fixed in that release, which attackers begin scanning for as soon as the release notes are public. Just remember not to close your browser or navigate away from the page while WP performs the installation. Since WordPress 3.7, minor (security) releases install themselves in the background unless automatic updates have been switched off in wp-config.php; major releases still need the click.
Robert Tappan Morris. He created the Morris Worm, the first worm ever unleashed on the Internet, in 1988. The worm infected an estimated 6,000 university and military computers. Morris was sentenced to 3 years probation, 400 hours of community service and fined $10,050. He is now a tenured professor at the MIT Computer Science & Artificial Intelligence Lab.
2. Keep Your Plugins Upgraded
WP also alerts you when your plugins need an upgrade. Plugins are updated much more often than WP itself, but the process is just as simple. You’ll find a red circle with a number beside the “Plugins” tab in your Dashboard. Click it and install. A plugin that has not been updated to support the current version of WordPress is most likely abandoned, which means nobody is fixing its security bugs either; replace it rather than keep it. A large share of WordPress compromises start with a vulnerable plugin, so also delete any plugin you no longer use: a deactivated plugin’s files are still on disk and still reachable over the web.
Tim Berners-Lee. He created the World Wide Web, but while a student at Oxford University he was caught hacking access to the school’s computers and subsequently banned from using them.
3. Avoid Common Database Prefixes
The table prefix is the string prepended to the name of every WordPress table. It exists so that several WordPress installations can share one database without their tables colliding. When you first install WordPress, by default it creates all of its tables with the prefix “wp_” (wp_users, wp_options, wp_posts and so on).
Leaving the default in place, which lurking hackers assume amateur users will do, means that any SQL injection payload written against the default table names works on your site unchanged, and automated attack scripts aim directly for those names. Changing the prefix to something random and obscure, like a strong password, breaks those canned payloads. Be clear about what this buys you: it is obscurity, not a fix. An injection flaw is still exploitable by an attacker willing to spend a few extra queries reading the real table names out of information_schema, so treat the prefix change as a speed bump and keep patching. Only letters, digits and underscores are allowed in the prefix, and changing it on a live site means renaming every table and updating the prefix-bearing rows in wp_options and wp_usermeta, so take a backup first.
Adrian Lamo. Famous for breaking into the systems of huge organizations like Yahoo!, Bank of America, Microsoft and The New York Times, he got into big trouble when he broke into NYT’s intranet. Lamo was ordered to pay $65,000 in restitution and sentenced to 6 months home confinement and 2 years probation.
4. Create a Custom Admin Login Name
If you keep the default ‘admin’ username, an attacker already knows half of what is needed to log in and only has to guess the password; brute-force tools try ‘admin’ first. Using a unique login name forces them to discover the username as well. WordPress does not let you rename a user from the Dashboard, so if your account is already ‘admin’, create a second administrator account, log in as that account, delete the old ‘admin’ user and, when prompted, attribute its posts to the new account. Alternatively you can go to phpMyAdmin and change the row in the wp_users table directly. Either way, note that the username is not truly secret: author archive pages and the REST API expose each user’s slug (user_nicename), which by default is the login name in lower case, so change the slug as well and limit login attempts rather than rely on the name staying hidden.
Albert Gonzalez. He was an informant for the US Secret Service, helping them bring down criminal hackers, until the agency discovered he was actually helping the criminals: from 2005 to 2007 he passed them information on ongoing investigations. In that time he resold more than 170 million credit and ATM card numbers, on top of social security numbers, birth certificates…
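The two database changes described in steps 3 and 4 (a new table prefix, and a renamed admin account) touch the same tables, so here they are together as one added example script. It is not code from the original article; the prefix, table names and user names are placeholders, and it only prints SQL for you to review and then feed to the mysql client after taking a backup:

```shell
#!/bin/sh
# Added example, not code from the original article: emit the SQL for a table-prefix change
# (step 3) and an admin-account rename (step 4). Review the output, then feed it to the
# mysql client, after taking a backup. Prefix, table and user names here are placeholders.
set -eu

# random_prefix : a letter, five letters/digits and an underscore, e.g. "k3xq9z_".
# WordPress accepts only letters, digits and underscores in $table_prefix.
random_prefix() {
  printf '%s%s_' "$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 1)" \
                 "$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 5)"
}

# prefix_sql OLD NEW TABLE... : rename each table, then fix the two places where core keeps
# the prefix inside row data: options.option_name (wp_user_roles) and usermeta.meta_key
# (wp_capabilities, wp_user_level, ...). Get TABLE... from:
#   mysql -N -e "SHOW TABLES LIKE 'wp\\_%'" DBNAME
prefix_sql() {
  old=$1; new=$2; shift 2
  from=$(( ${#old} + 1 ))                       # SUBSTRING() positions are 1-based
  like=$(printf '%s' "$old" | sed 's/_/\\_/g')  # escape _ so LIKE matches it literally
  for t in "$@"; do
    base=${t#"$old"}
    printf 'RENAME TABLE %s TO %s%s;\n' "$t" "$new" "$base"
  done
  printf "UPDATE %soptions SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
    "$new" "$new" "$from" "$like"
  printf "UPDATE %susermeta SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
    "$new" "$new" "$from" "$like"
}

# set_config_prefix NEW FILE : rewrite the $table_prefix line of wp-config.php in place.
set_config_prefix() {
  tmp="$2.tmp.$$"
  sed 's/^\$table_prefix[[:space:]]*=.*;/$table_prefix = '\'"$1"\'';/' "$2" > "$tmp" && mv "$tmp" "$2"
}

# rename_user_sql PREFIX OLD NEW : change the login, and also the public slug (user_nicename)
# and display name, because author archives and the REST API expose the slug; renaming only
# user_login would leave "admin" visible there. NEW is assumed to be a lower-case slug.
rename_user_sql() {
  printf "UPDATE %susers SET user_login = '%s', user_nicename = '%s', display_name = '%s' WHERE user_login = '%s';\n" \
    "$1" "$3" "$3" "$3" "$2"
}

# Usage: sh harden.sh OLDPREFIX NEWADMINNAME TABLE...   (prints SQL; apply it with mysql)
if [ $# -ge 3 ]; then
  old=$1; newadmin=$2; shift 2
  new=$(random_prefix)
  printf '%s\n' "-- new prefix: $new  (then run: set_config_prefix $new wp-config.php)"
  prefix_sql "$old" "$new" "$@"
  rename_user_sql "$new" admin "$newadmin"
fi
```

Run the generated UPDATE statements as SELECTs first: with the default prefix, the usermeta pattern matches every meta_key that happens to start with "wp_", which is what you want for core’s keys but worth eyeballing if a plugin stores its own "wp_"-prefixed keys. Plugins that keep their table names inside serialized option values are not covered by this script and need their own migration.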
5. Use .HTACCESS
.htaccess is a per-directory configuration file for the Apache web server. It contains instructions for handling requests: redirections, custom error pages, password-protecting directories, preventing directory browsing and blocking the hot-linking of images from your website. For a WordPress site the rules that earn their keep are the ones that deny direct access to wp-config.php, refuse to execute PHP files that have been uploaded into wp-content/uploads, and switch off directory listings.
The .htaccess file works for sites hosted on Apache on both Linux/Unix and Windows, provided the host’s AllowOverride setting permits it (if it does not, a rule such as Options -Indexes produces a 500 error rather than silently doing nothing). nginx ignores .htaccess entirely, so on nginx hosts the same rules have to go into the server configuration.
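An added example of such a ruleset, written as a small script so the rules can be reviewed and tested before they are written into the site. This is not code from the original article; it assumes Apache 2.4 (Apache 2.2 would need Deny from all instead of Require all denied), and the domain and directory are placeholders:

```shell
#!/bin/sh
# Added example, not from the original article: an Apache 2.4 .htaccess for the WordPress
# document root. The domain and the target directory are placeholders.
set -eu

# htaccess_rules DOMAIN : print the ruleset; DOMAIN is the only site allowed to embed our images.
htaccess_rules() {
  dom_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for use in the regex
  cat <<EOF
# Do not list directory contents where no index file exists.
Options -Indexes

# The database credentials live here; no browser ever needs it.
<Files wp-config.php>
    Require all denied
</Files>

# Nor does anyone need to read this file itself.
<Files .htaccess>
    Require all denied
</Files>

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Uploaded files are data, never code: refuse to run PHP from wp-content/uploads.
    RewriteRule ^wp-content/uploads/.*\.php\$ - [F,L]
    # Hotlink protection: images are served only to pages on $1 (or to requests with no Referer).
    RewriteCond %{HTTP_REFERER} !^\$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?$dom_re/ [NC]
    RewriteRule \.(jpe?g|png|gif|webp)\$ - [F,NC]
</IfModule>
EOF
}

# install_htaccess DOMAIN DIR : prepend the rules to DIR/.htaccess, keeping whatever is
# already there (WordPress writes its permalink rules between "# BEGIN/END WordPress"
# markers and must keep them). Safe to run twice: the marker prevents a second copy.
install_htaccess() {
  f="$2/.htaccess"
  if [ -f "$f" ] && grep -q '^# BEGIN hardening' "$f"; then
    echo "hardening block already present in $f" >&2
    return 0
  fi
  tmp="$f.tmp.$$"
  {
    printf '# BEGIN hardening\n'
    htaccess_rules "$1"
    printf '# END hardening\n'
    if [ -f "$f" ]; then cat "$f"; fi
  } > "$tmp"
  mv "$tmp" "$f"
}

# Usage: sh htaccess.sh example.com /var/www/html
if [ $# -eq 2 ]; then
  install_htaccess "$1" "$2"
fi
```

After installing, check the result from outside rather than trusting the file: a request for /wp-config.php should return 403, a request for a directory without an index file should no longer list its contents, and the site’s own pages should still load (the hotlink rule must not break them). If you also block xmlrpc.php, which is a common brute-force and amplification target, remember that Jetpack and some mobile apps need it.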
David Smith. He developed and unleashed the Melissa virus in 1999. The virus infected more than 1 million personal computers and flooded corporate networks with email messages forcing big corporations like Microsoft and Intel Corp. to shut down their email systems. Smith was sentenced to 20 months in prison and ordered to pay $5,000 in fines.
Get in the habit of backing up your site frequently. Some hosts provide one-click backups that let you download the entire site, including databases, mailing lists, emails, logs and so on, in .zip or .tar.gz format.
If your hosting provider does not offer one-click backups, back up the files with an FTP client (use SFTP or FTPS; plain FTP sends your password across the network in the clear) and export the database from phpMyAdmin (the same place you can change your admin username). A WordPress site is files plus database, and a copy of only one of them is not a backup. Keep the copies somewhere other than the web server itself, since an attacker who owns the server owns its backups too, and restore one now and then to prove that it works.
Jeffrey Lee Parson. He was an 18-year-old high-school student from Minnesota who spread a variant of the Blaster worm. The worm targeted machines running Microsoft Windows and used them in a denial-of-service attack. He was sentenced to 18 months in prison in 2005.
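For a host that gives you shell access, the backup above can be automated. The script below is an added example, not from the original article: it reads the database credentials out of wp-config.php (so they never appear on a command line, where other users on the machine could read them with ps), dumps the database, archives the document root and records checksums. The paths are placeholders, and the parser assumes the wp-config.php values contain no quote characters:

```shell
#!/bin/sh
# Added example, not from the original article: dump the WordPress database and archive the
# document root into a timestamped, owner-only backup set. Paths are placeholders.
set -eu

# wp_config_value FILE NAME : the value of define('NAME', 'value'); in wp-config.php.
# Assumes the value itself contains no quote character.
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\(.*\)['\"][[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# backup_site WPROOT DESTDIR : writes db-<stamp>.sql.gz, files-<stamp>.tar.gz and SHA256SUMS-<stamp>.
backup_site() {
  root=$1; dest=$2; cfg="$root/wp-config.php"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  umask 077                                   # backups hold secrets: owner-readable only
  mkdir -p "$dest"

  # DB_HOST may carry a port ("db.internal:3307"); split it for the client.
  host=$(wp_config_value "$cfg" DB_HOST); port=
  case $host in *:*) port=${host#*:}; host=${host%%:*};; esac

  # Credentials go into a private file handed to --defaults-extra-file (which must be the
  # first option), never to -p on the command line.
  creds=$(mktemp)
  trap 'rm -f "$creds"' EXIT
  printf '[client]\nuser=%s\npassword=%s\nhost=%s\n%s\n' \
    "$(wp_config_value "$cfg" DB_USER)" "$(wp_config_value "$cfg" DB_PASSWORD)" \
    "$host" "${port:+port=$port}" > "$creds"
  mysqldump --defaults-extra-file="$creds" --single-transaction --quick \
    "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$dest/db-$stamp.sql.gz"
  rm -f "$creds"

  tar -czf "$dest/files-$stamp.tar.gz" -C "$root" .
  (cd "$dest" && sha256sum "db-$stamp.sql.gz" "files-$stamp.tar.gz" > "SHA256SUMS-$stamp")
  printf '%s\n' "$dest/db-$stamp.sql.gz" "$dest/files-$stamp.tar.gz"
}

# verify_backup DESTDIR STAMP : a backup you have never opened is a hope, not a backup.
verify_backup() {
  (cd "$1" && sha256sum -c "SHA256SUMS-$2" && gzip -t "db-$2.sql.gz" && tar -tzf "files-$2.tar.gz" >/dev/null)
}

# Usage (e.g. from cron, nightly):  sh backup.sh /var/www/html /var/backups/wp
if [ $# -eq 2 ]; then
  backup_site "$1" "$2"
fi
```

Copy the finished set off the machine (rsync or an object store) and prune old sets there, not on the web server. The mysql user that WordPress itself uses is enough for mysqldump of its own database; there is no reason to put the root password in a backup script.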
6. Avoid Free Themes if you’re Unfamiliar with Basic HTML and PHP editing
Search for free WP themes and prepare to be inundated with spammy results. The WordPress trademark policy does not allow “WordPress” in a domain name, so apart from WordPress.org itself, a theme site with WordPress in its domain is already ignoring the rules and should be treated as a red flag.
Hackers can easily code a theme so that, when you install it, it executes commands that give them access to your site: a back door dropped into functions.php runs on every page load. They often wrap the malicious code in Base64 to hide it. Base64 is an encoding, not encryption. It translates binary data, including non-printable characters, into printable characters so the data can be carried by text-based protocols such as SMTP (email) or HTTP (web). Inside a theme it serves no purpose except keeping eval()ed code out of sight, which is why an eval(base64_decode(...)) call in theme files is a near-certain sign of tampering.
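Before activating a theme from anywhere other than WordPress.org, grep it for the constructs described above. The scanner below is an added example, not code from the original article; it is a heuristic (a hit means “read this file”, not “this file is malicious”), and the sample theme it builds is constructed for the demonstration, with a payload that decodes to a harmless echo:

```shell
#!/bin/sh
# Added example, not from the original article: triage a theme directory for the constructs
# attackers use to hide code, including the base64-wrapped eval() described above.
set -eu

# scan_theme DIR : print file:line:text for every suspicious construct in *.php under DIR.
# Returns 0 when nothing matched, 1 when something did.
scan_theme() {
  hits=$(find "$1" -type f -name '*.php' -exec grep -EnH \
      -e 'eval[[:space:]]*\(' \
      -e '(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)[[:space:]]*\(' \
      -e 'preg_replace[[:space:]]*\(.*/e' \
      -e '\$[A-Za-z_][A-Za-z0-9_]*[[:space:]]*\([[:space:]]*\$' \
      -e '[A-Za-z0-9+/]{120,}={0,2}' \
      {} + 2>/dev/null) || true
  # The patterns, in order: eval(); the usual decode/unpack wrappers; the old preg_replace
  # /e modifier (code execution); a variable used as a function name, $f($x); and any
  # very long base64-looking blob.
  [ -n "$hits" ] || return 0
  printf '%s\n' "$hits"
  return 1
}

# make_sample_theme DIR : constructed sample, not a real theme. functions.php is clean;
# footer.php carries an eval(base64_decode()) dropper whose payload is just echo 'hello';.
make_sample_theme() {
  mkdir -p "$1"
  printf '%s\n' '<?php' \
    'function demo_setup() { add_theme_support("title-tag"); }' \
    'add_action("after_setup_theme", "demo_setup");' > "$1/functions.php"
  printf '%s\n' '<?php' \
    '$k = "ZWNobyAnaGVsbG8nOw==";' \
    'eval(base64_decode($k));' > "$1/footer.php"
}

# Usage: sh scan-theme.sh /var/www/html/wp-content/themes/some-theme   (exit 1 on hits)
if [ $# -eq 1 ]; then
  scan_theme "$1"
fi
```

Run it against the theme directory before the theme is activated, and against wp-content/plugins and wp-content/uploads occasionally afterwards: a back door that arrived through a theme is usually copied somewhere else as well. Expect some noise from legitimately minified code and review hits by hand.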
Some recommended sites for Free Themes, (courtesy of a solid WP Themes safety article by Siobhan Ambrose):
Gary Mckinnon. He hacked the computers of NASA, the US Army, the US Navy, the Department of Defense and the US Air Force. Authorities claim his actions cost an estimated $800,000 in damage. McKinnon denied causing any damage, arguing that, in his quest for UFO-related material, he accessed open, unsecured machines with no passwords and no firewalls and that he left countless notes pointing out their many security failings.
7. Use Strong passwords
Random.org is a well-known site for generating random, strong passwords. The passwords are transmitted to your browser over SSL and are not stored on the site’s server. Even so, the safest generator is one that never leaves your machine: a password manager, or, since WordPress 4.3, the password generator on the user profile screen. Aim for at least 14 random characters, never reuse a password that is used anywhere else, and give the database user in wp-config.php its own password rather than the one you log in with.
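An added example of generating a password locally and checking that it is long enough to be worth using. This is not code from the original article; the 80-bit floor and the character set are choices made for the example, and the entropy figure only applies to passwords drawn at random (a human-chosen password of the same length has far less):

```shell
#!/bin/sh
# Added example, not from the original article: generate a password from the kernel's random
# source and estimate its strength, instead of fetching one from a web site.
set -eu

CHARSET='A-Za-z0-9!#%+=@_'     # 69 symbols; no quotes or $ so it pastes into configs safely

# gen_password LENGTH : LENGTH characters drawn uniformly from CHARSET.
gen_password() {
  LC_ALL=C tr -dc "$CHARSET" </dev/urandom | head -c "$1"
}

# password_bits LENGTH CHARSET_SIZE : entropy, in whole bits, of a uniformly random password.
password_bits() {
  awk -v n="$1" -v c="$2" 'BEGIN { printf "%d\n", n * log(c) / log(2) }'
}

# strong_enough PASSWORD : 0 if it carries at least 80 bits for this charset and is not an
# obvious default; otherwise says why on stderr and returns 1.
strong_enough() {
  len=${#1}
  bits=$(password_bits "$len" 69)
  if [ "$bits" -lt 80 ]; then
    echo "only $bits bits at length $len; use 14 or more characters" >&2
    return 1
  fi
  case $1 in
    admin|password|123456*|qwerty*) echo "common password" >&2; return 1 ;;
  esac
  return 0
}

# Usage: sh genpw.sh 20   (prints one password, or exits 1 if the requested length is too short)
if [ $# -ge 1 ]; then
  pw=$(gen_password "$1")
  strong_enough "$pw" && printf '%s\n' "$pw"
fi
```

Set it on the account with the profile screen or, where WP-CLI is installed, with wp user update, and store it in a password manager rather than a note on the desktop.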
Kevin Poulsen. Now the senior editor for Wired news, in his past, Poulsen was known as the “Hannibal Lecter of computer crime” with a specialty in hacking telephones. He was on the FBI’s radar after they discovered he was hacking into federal computers for wiretap information. His photo later came up on the show Unsolved Mysteries, but the 1-800 phone lines for the program suspiciously crashed. Eventually, Poulsen was captured in a supermarket and served a sentence of five years.
Follow these steps and your site stops being the easy target that automated attacks are looking for. No site is unhackable, but attackers move on when the cheap tricks stop working.