The best way to avoid being the victim of hacking is to avoid ways hackers get to you in the first place. This means following WordPress site management best practices. Some of the most common WordPress Security Issues are simply caused by bad habits and are easily fixed.
So here is a more in depth discussion of the bad habits, and 3 simple security tips to avoid them.
Bad Habit #1: Working with the default admin account
WordPress has been great about fixing this problem with its installation process. Originally, the WP installation process created an account called “admin” as the default administrator account. It was up to users to create a new admin account and delete the default one, a process that most people never thought of – until they were the victim of malicious hacking.
Now the WP install process allows you to create the username for this first administrator account. Yet, even with that, I run into people all the time who use “admin” or “administrator” for their admin login.
WordPress powers a third of the entire Internet. That makes it an obvious target for hackers. Hackers like to employ simple methods to gain site access. The simplest method is known as “Brute Force,” which means they try login combinations until they find something that works.
Even the dumbest hacker knows to try “admin” and “administrator” as their first go-to series of tests for username.
WordPress Security Tip #1: DO NOT use admin or administrator as your admin account username.
If you are using admin (or any derivative thereof), do the following:
- Create a new admin account with some other name (preferably something uncommon).
- Set this new account as an administrator.
- Transfer all of original admin’s posts and data to the new account.
Bad Habit #2: Insecure passwords and/or no password policy
This is common among WordPress security issues, since many people use poorly constructed and simple passwords.
A key defense against getting hacked is to maintain strong passwords. WordPress has come a long way in this area, adding a password strength meter to show how strong your password is.
Unfortunately, as a paraphrase of an old cliché: You can lead a person to create a strong password, but you can’t make him change it.
I still run into people that use “password” or something simple as their password for the administrator account. Do a Google search for “list of common passwords” and see what comes up. If you are using anything even remotely close to something on any of those lists, your site may as well be flashing a neon sign that says, “Hack me!”
WordPress Security Tip #2: Use a complex password
Complex passwords consist of upper AND lowercase letters, numbers, and special characters. Try to avoid using words if at all possible. At the bare minimum, create a complex password following these rules. To take it a step further, don’t reuse passwords, don’t use the same password as you do on other sites, and change your password on a regular schedule. Establish a formal password generation and use policy for yourself and stick to it.
If things become complicated, there are many good password generators and password storage applications available.
There is some very good information on avoiding brute force attacks through good username and password policies available in the WordPress Codex. This is highly recommended reading.
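As an added example (not part of the original post), here is a small Python audit that encodes Tip #1 and Tip #2 together: it flags administrator accounts whose login is admin, administrator or a derivative, and checks a candidate password against the complexity rules above plus a constructed stand-in for the common-password lists mentioned. The 12-character minimum, the leetspeak mapping and the sample user list are this example's own assumptions.

```python
import re
import string

# Logins the post singles out; a login containing either (e.g. "wpadmin2") counts as a derivative.
DEFAULT_ADMIN_NAMES = ("admin", "administrator")

# Constructed stand-in for the "list of common passwords" the post tells you to search for.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "wordpress", "admin"}

# Assumed letter-for-symbol swaps, so "P@ssw0rd" is still recognised as "password".
LEET = str.maketrans("@$01345!", "asoleasi")


def is_default_admin_login(user_login: str) -> bool:
    """True for 'admin', 'administrator' or any derivative such as 'admin1' or 'wpadmin'."""
    login = user_login.strip().lower()
    return any(name in login for name in DEFAULT_ADMIN_NAMES)


def find_default_admin_accounts(users) -> list[str]:
    """Return logins of administrator accounts that break Tip #1."""
    return [u["user_login"] for u in users
            if u["roles"] == "administrator" and is_default_admin_login(u["user_login"])]


def password_policy_violations(password: str, min_length: int = 12) -> list[str]:
    """Return the Tip #2 rules the password fails; an empty list means it passes.
    The 12-character minimum is this example's assumption; the post sets no length."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # "Remotely close" to a common password: undo symbol swaps, then look for it as a substring.
    normalized = password.lower().translate(LEET)
    if any(common in normalized or common in password.lower() for common in COMMON_PASSWORDS):
        problems.append("resembles a commonly used password")
    return problems


SAMPLE_USERS = [  # constructed sample, shaped like `wp user list --format=json` output
    {"user_login": "admin", "roles": "administrator"},
    {"user_login": "wpadmin2", "roles": "administrator"},
    {"user_login": "k_ferrera", "roles": "administrator"},
    {"user_login": "guest_author", "roles": "author"},
]

if __name__ == "__main__":
    print("default-style admin logins:", find_default_admin_accounts(SAMPLE_USERS))
    for candidate in ("password", "P@ssw0rd2024", "Vx7#qLm2$Rw9pZ"):
        print(candidate, "->", password_policy_violations(candidate) or "OK")
```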
Bad Habit #3: Not maintaining backups
This is one of those WordPress security issues that is a bad habit capable of taking down your business. And if you are vulnerable to hacking as a result of the previous two bad habits, not having a clean backup could destroy you – or at least make getting your site back online a total nightmare.
What would you do if your site was hacked (and defaced), or you contracted some sort of malicious code in your system or database? Do you have a clean copy of your site?
WordPress Security Tip #3: Maintain a schedule of regular backups of both your database and your site files
Keep offline copies of your entire site, and better yet, utilize some type of version control software that will allow you to roll back to a clean state should your site become the victim of hacking.
Be sure to check out these 5 WordPress site management bad habits you should avoid and best practices to avoid them!