So I’d recently started a new blog (although I now won’t be using it, for various reasons…shortest blog life ever! Ha!). I’d installed a security plugin, but hadn’t done much else since I was just getting it all going.
And then yesterday, I got notifications that someone was trying to force their way into the site. I thought, wow, really? A site with 2 posts? Brand new, no traffic? What the heck?
Then I remembered that it’s not personal. Hackers are always trying to get into a site somewhere…they have programs that scan for /wp-admin & then try a “brute force” login (guessing usernames and passwords over and over). If they don’t get in, they move on to the next site, because eventually they’ll get in somewhere.
So that has inspired me to write this post to encourage you to do the following things to beef up your blog security quickly. Of course nothing is 100% hack-proof, and if someone really wanted in, they’d find a way, but these steps will give you a nice level of starting protection:
- First & foremost, change your password to something long & obscure. Write it down in a notebook somewhere, or keep it in a text file that has a name other than “blog password.” Keep it somewhere only you know about. I know it’s a pain in the butt to remember long & complicated passwords, but they’re your first line of defense. Put a reminder in your calendar to change your password regularly. (If you really have a hard time with passwords, consider a service like LastPass.)
- Install the “Limit Login Attempts” plugin (it still works, even though it says it’s not been updated in a while). This will do exactly what it says; by default it locks a visitor out after 5 failed login attempts. I did not have this installed on my new blog (just hadn’t gotten around to it yet), and, well…the hacker tried a lot more than 5 times to get in. This plugin would have stopped the attempt much more quickly.
- Install & use the Sucuri plugin. This is the plugin that gave me the notifications of the hack attempt, and I’ve used this plugin often on client sites. I think it’s one everyone should use. It does a lot more than just notify you of logins; see its info page for all that it does.
- Go to your domain registrar & hosting companies and change your password (use a different one for each account), write the passwords down somewhere, then turn on two-factor authentication (if offered)…if they don’t offer it, change those passwords regularly, too (use LastPass).
- Do all plugin & WordPress updates as they are available. Usually the updates are there to fix security issues. A notable example of this was a few months ago when the WordPress SEO plugin (extremely popular & widely used) had a security vulnerability exploited & thousands of sites were compromised…the plugin maker fixed it & put out an update right away, but that fix could only help if the plugin was updated by the users. Not all updates are that do-or-else critical, but there’s no reason to take chances. Update when updates are there.
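As an added illustration of the brute-force pattern described above and of what a login limiter like the one in the second step actually does, here is a small Python script. It is not code from this post or from any of the plugins named here. It parses constructed web-server log lines for POSTs to wp-login.php, counts failures per address inside a time window, and locks an address out after 5 failures (the plugin’s default). It assumes the common rule of thumb that a failed WordPress login returns HTTP 200 (the form is re-rendered with an error) while a successful one returns a 302 redirect; the addresses, timestamps and the window/lockout lengths are made up for the example, and you should check the status-code rule against your own server’s logs before relying on it.

```python
"""Login-attempt limiter and brute-force spotter (added example, not from the post)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # the post's plugin default
WINDOW = timedelta(minutes=10)    # assumed: failures older than this are forgotten
LOCKOUT = timedelta(minutes=20)   # assumed: how long an address stays locked out


class LoginLimiter:
    """Tracks failed logins per client address and locks the address after too many."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lockout expired: start fresh
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Record one failed login; return True if it triggers a lockout."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop stale failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)


# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['path'], int(m['status'])


def scan_log(lines, limiter=None):
    """Replay wp-login.php POSTs through the limiter.

    Returns (lockouts, blocked): ip -> list of times a lockout started, and
    ip -> number of attempts that arrived while the address was locked out.
    """
    limiter = limiter or LoginLimiter()
    lockouts, blocked = defaultdict(list), defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != 'POST' or not path.startswith('/wp-login.php'):
            continue
        if limiter.is_locked(ip, ts):
            blocked[ip] += 1
            continue
        if status == 302:                    # assumed: redirect == successful login
            limiter.record_success(ip)
        elif limiter.record_failure(ip, ts):  # assumed: 200 == form re-shown, i.e. failure
            lockouts[ip].append(ts)
    return dict(lockouts), dict(blocked)


def _entry(ip, hhmmss, method, path, status, agent):
    return f'{ip} - - [10/May/2015:{hhmmss} +0000] "{method} {path} HTTP/1.1" {status} 1024 "-" "{agent}"'


# Constructed sample log: one real user, one address hammering the login form.
SAMPLE_LOG = [_entry('198.51.100.4', '14:02:58', 'POST', '/wp-login.php', 302, 'Mozilla/5.0')]
SAMPLE_LOG += [_entry('203.0.113.7', f'14:03:{s:02d}', 'POST', '/wp-login.php', 200, 'python-requests/2.7')
               for s in range(1, 9)]                     # 8 failures in 8 seconds
SAMPLE_LOG += [
    _entry('10.0.0.5', '14:05:10', 'POST', '/wp-login.php', 200, 'Mozilla/5.0'),   # one typo
    _entry('10.0.0.5', '14:05:30', 'POST', '/wp-login.php', 302, 'Mozilla/5.0'),   # then success
    _entry('203.0.113.7', '14:30:00', 'POST', '/wp-login.php', 200, 'python-requests/2.7'),  # after lockout expired
    _entry('198.51.100.4', '14:31:00', 'GET', '/wp-admin/', 200, 'Mozilla/5.0'),   # not a login POST
]

if __name__ == '__main__':
    lockouts, blocked = scan_log(SAMPLE_LOG)
    for ip, times in lockouts.items():
        print(f'{ip}: locked out at {times[0]:%H:%M:%S}, {blocked.get(ip, 0)} later attempts refused')
```

Run as-is it reports that 203.0.113.7 is locked out on its fifth failure at 14:03:05 and that its next three attempts are refused; the attempt at 14:30 lands after the 20-minute lockout has expired, so the counter starts over rather than locking again, and the user with one typo followed by a successful login is never touched. The same counting logic is what a limiter plugin does on the wp_login_failed and wp_login hooks instead of on log lines.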
I’m going to try out a couple of other security measures, and if they seem to work well, I’ll write about them here on the blog & let you know what else you can do. Every bit of security helps! :)