If you are using WordPress to create your sites then you need to address security at some point.
It doesn’t matter how small your site is, you are still at risk.
When it comes to WordPress security, size definitely doesn’t matter.
Why Would Anyone Be Interested In My Site?
Good question. The problem is that most of us can’t think like someone who would willingly hack into a site so we can’t understand their motives.
Imagine for a moment that your site is successful. I’m not talking Amazon successful, I mean you make, say, a few hundred dollars a month through affiliate links.
You’ve done all the hard work of setting up the site, publicising it, maybe you’ve done SEO work or possibly paid for an SEO service.
And now your hard work is finally paying off as visitors click on your affiliate link and you earn commission on that sale.
That’s a pretty sweet deal isn’t it?
Now imagine that someone replaced your affiliate links with their own. They haven’t put in all the effort you have, all the hours and money, yet they are profiting from your work.
Hmm, that’s a pretty poor show!
There are many worse reasons why someone might want access to your site. If a hacker was using your site for illegal activities, whose door do you think the authorities will come knocking on first?
“Sorry Officer, I have no idea how those pirate video files ended up on my site.”
Listen Everyone, We Are Moving To Defcon 1
Before you lock yourself in your panic room: I have exaggerated to make a point, but these issues are not so rare that you can ignore them.
Thankfully, there is one thing you can do to prevent the majority of hacking attempts.
No, it’s not to install a security plugin. You can install a security plugin such as Wordfence but it will not have as big an impact on your site’s security as this one piece of advice.
The majority of security plugins monitor for suspicious activity but they can only prohibit this activity at a basic level, such as blocking an IP address.
Are You Ever Going To Tell Me What It Is, I Could Be Being Hacked Whilst You Drone On!
If you are setting up a new WP site, do not call the admin user ‘ADMIN.’
If you have an existing site with a user called ‘admin,’ create a new user with administrator rights and a different name. Then delete the ‘admin’ user.
Make the name of the admin user as hard to guess as the password!
That Sounds Too Simple
It is simple but extremely effective.
If you doubt me, install a security plugin such as Wordfence and review the history of logins. You will see plenty of entries like this:
An unknown location at IP XX.XX.XXX.XX attempted a failed login using an invalid username “Admin”.
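To review a long login history quickly, the script below tallies which usernames are being guessed and from where. It is an added example, not part of the original post or of any plugin: it assumes alerts worded exactly like the entry above, and the sample lines and candidate names are constructed.

```python
import re
from collections import Counter

# Matches the alert wording quoted above; accepts curly or straight quotes.
ALERT = re.compile(
    r'at IP (?P<ip>\S+) attempted a failed login '
    r'using an invalid username [“"](?P<user>[^”"]*)[”"]'
)

# Constructed sample alerts (documentation-range IPs), not real log data.
SAMPLE = """\
An unknown location at IP 203.0.113.7 attempted a failed login using an invalid username “Admin”.
An unknown location at IP 203.0.113.7 attempted a failed login using an invalid username “admin”.
An unknown location at IP 198.51.100.24 attempted a failed login using an invalid username “administrator”.
An unknown location at IP 198.51.100.24 attempted a failed login using an invalid username “admin”.
An unknown location at IP 192.0.2.55 attempted a failed login using an invalid username “test”.
"""


def summarise(text):
    """Count guessed usernames and source IPs across failed-login alerts."""
    users, ips = Counter(), Counter()
    for line in text.splitlines():
        m = ALERT.search(line)
        if m is None:
            continue  # skip anything that is not a failed-login alert
        users[m.group("user").lower()] += 1  # "Admin" and "admin" are one guess
        ips[m.group("ip")] += 1
    return users, ips


def already_guessed(candidates, users):
    """Return the candidate admin names that already appear as guesses."""
    return sorted(c for c in candidates if c.lower() in users)


if __name__ == "__main__":
    users, ips = summarise(SAMPLE)
    for name, count in users.most_common():
        print(f"{count:3d} attempts as {name!r}")
    for ip, count in ips.most_common():
        print(f"{count:3d} alerts from {ip}")
    # Hypothetical candidate names for the replacement admin account.
    print("avoid:", already_guessed(["administrator", "k7-site-owner"], users))
```

Any candidate name it reports under "avoid" is already on the guessers' list, so pick a different one for the new administrator account.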
So I’ve Changed the Admin User and My Site Is Secure Now
Not so fast. You are now protected against the most common type of attack on a WP site but you are not totally in the clear.
The sad fact is that if a genuine hacker wants to get into your site, you can only delay them or slow them down.
Installing a plugin that monitors suspicious activity will help but it will not necessarily stop it.
There are many more detailed (and sometimes confusing) articles on the internet about WordPress security. A Google search will find them for you.
I have only explained how to protect yourself from the most common type of brute force attack.
People’s sites being hacked is still a rare occurrence but it pays to be vigilant. Perform these two simple steps to reduce the risk to your sites:
- Change the name of the admin user to anything other than ‘admin’
- Install a security plugin to monitor suspicious activity