Many WordPress users worry whether their site is really well protected against attackers. Some install firewall plugins and try various tweaks to make the attackers' job harder.
But hardly anyone realizes that a large part of that protection can be set up during the very first installation, if you follow these four simple rules:
1) Never use “admin” as the administrator account name.
WordPress has been around for many years, and its security has improved during that time. In the past it created the user “admin” automatically as the account with full access to the system.
WordPress no longer does this. Many users, however, are used to having an account called “admin” for administration, so they simply recreate it.
You should use a less obvious name instead, because “admin” is the first username every automated attack tries. Do not use the name of your domain as a username either; that is an equally attractive guess. Names like “housekeeping,” “boss” or “maintenance” work better. Keep in mind that a WordPress username is not really a secret (author archive pages and the REST API can reveal it), so an unusual name only keeps you off the list of easy targets; it does not replace a strong password.
Tip: If you already have an account named “admin,” create a new user with the administrator role, log in as that user, and either downgrade the old “admin” account to “subscriber” or delete it altogether (WordPress offers to reassign its posts to another user when you delete it). If someone does break into that account, they will wonder why they don't get full access to the site.
2) Always use a strong password.
For this, I have an excerpt from my book (soon to be published):
To administer your site you need a username and a password. You set both during installation. The username cannot be changed later through the dashboard, so it is important to pick a name that no one can guess easily.
The reason is simple: people commonly choose “admin” as the username. In earlier versions of WordPress this username was created automatically during installation, which is why many users think they need it for administrative access.
The attackers know this too, so they run automated programs that try to break into exactly this username. If you use another name (your first name, or a term like “maintenance” or “boss”), you take your site out of the line of fire.
For the password, avoid anything that people can guess easily, including every word that appears in a dictionary. The dictionary attack is a standard way of finding passwords: special software takes every word from a wordlist, often combines them, and tries them all out. It also applies the common character swaps, such as a “1” for an “l” or a “3” for an “E.” Many people believe these swaps make their password more secure, but the cracking tools try them as a matter of routine.
Guessing passwords this way, or simply trying every possible combination of characters, is called a “brute force attack.” WordPress itself does not limit the number of login attempts, but a plugin that locks out an address after a few failed logins can do so. Slowing the guesses down this way greatly reduces the attacker's chances of success.
A password is genuinely secure only if it is a long random sequence of letters, numbers and special characters. Most people, however, want a password they can remember easily, so they use the names of their children, spouse or pets, perhaps combined with a birth date. Such passwords are easy to crack. A password manager that generates and stores random passwords for you is the easiest way out of this dilemma.
If you would rather remember the password yourself, a better strategy is this: pick a favorite quote, or a line from a favorite book or song, for example from “A Tale of Two Cities”:
“It was the best of times, it was the worst of times.”
Now take the first letter of each word and keep the special characters, such as the comma and the full stop, which gives you this:
To get some digits in, replace the lowercase “i” with a “1” and the lowercase “o” with a zero (which occurs twice here). This gives you:
Additionally, you can add something extra, such as the initials of the author, Charles Dickens in this case, separated by another special character like a dollar sign:
This looks like a pretty secure password, right? And it is not too hard to remember as long as you remember the line and the author. One caveat: an acronym of a famous line can be generated by an attacker just as easily as you generated this one, so prefer an obscure line or a sentence of your own over the opening of a classic, and never reuse the result on another site.
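The recipe above, implemented as an added example (this is not code from the original post): the first functions build the password exactly as described, and the rest shows the flip side from the dictionary-attack paragraph, namely how a dictionary-plus-rules attack maps “1 for l, 0 for o” substitutions back to the base word. The wordlist and the sample passwords are constructed for this demonstration; a real attack uses a multi-million-line wordlist and far more rules.

```python
import re
import string

# Added example: the mnemonic-password recipe from the text, implemented
# literally, next to the normalisation a password cracker applies to undo
# digit-for-letter substitutions. Wordlist and samples are constructed.

LEET_IN = {"i": "1", "o": "0"}           # the two substitutions the text suggests


def acronym(sentence: str) -> str:
    """First letter of every word, keeping the punctuation that follows it."""
    out = []
    for token in sentence.split():
        core = token.rstrip(string.punctuation)
        trailing = token[len(core):]       # e.g. "," after "times,"
        if core:
            out.append(core[0])
        out.append(trailing)
    return "".join(out)


def substitute(text: str, table: dict) -> str:
    """Apply a character-for-character substitution table."""
    return "".join(table.get(ch, ch) for ch in text)


def mnemonic_password(sentence: str, author: str, separator: str = "$") -> str:
    """Acronym of the quote, digit substitutions, then separator + author initials."""
    initials = "".join(word[0].upper() for word in author.split())
    return substitute(acronym(sentence), LEET_IN) + separator + initials


# --- what the attacker does with the same idea --------------------------------

# Reverse map of the substitutions a rule-based cracker tries on every wordlist
# entry; it covers far more than the two swaps recommended above.
LEET_OUT = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
            "@": "a", "$": "s", "!": "i"}

# Constructed stand-in for a real wordlist.
WORDLIST = {"password", "welcome", "dragon", "letmein", "wordpress",
            "sunshine", "monkey", "football"}


def cracker_candidates(password: str) -> set:
    """Base words a dictionary-plus-rules attack would map this password to."""
    lowered = password.lower()
    # rule: drop trailing digits/symbols such as "2019!" before the lookup
    stripped = re.sub(r"[\d!@#$%^&*.,]+$", "", lowered)
    return {substitute(lowered, LEET_OUT), substitute(stripped, LEET_OUT), stripped}


def falls_to_dictionary_attack(password: str) -> bool:
    """True if a cheap dictionary-plus-rules attack reaches this password."""
    return any(candidate in WORDLIST for candidate in cracker_candidates(password))


if __name__ == "__main__":
    pw = mnemonic_password("It was the best of times, it was the worst of times.",
                           "Charles Dickens")
    print(pw)
    for sample in ("P@ssw0rd", "w0rdpr3ss", "Dragon2019!", pw):
        print(f"{sample:20} cracked by dictionary+rules: {falls_to_dictionary_attack(sample)}")
```

The leet-substituted samples fall immediately because the cracker undoes the substitution before the lookup, which is why the swaps on their own add almost nothing; the mnemonic survives this particular attack only because its base string is not a word at all.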
3) Always keep WordPress and all the plugins updated.
Any software can have security vulnerabilities, and this applies to WordPress itself as well as to the theme and plugins you use with it. That includes plugins you have installed but do not use, and the theme, which is a piece of software too and must be updated as well.
Delete every theme and plugin you do not use; code that is not on the server cannot be exploited. For the rest, check the site daily for updates and install them as soon as they become available, or enable automatic updates for plugins and themes in the dashboard, which WordPress has supported since version 5.5.
Tip: The security plugin “Wordfence” can notify you by email as soon as a new update is available for one of your installed plugins from the WordPress plugin directory. It checks only the plugins you actually have installed. This is the fastest way to learn about new updates without checking the site every day.
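One way to turn this rule into a daily job, as an added example that is not part of the original post: a small Python planner that reads the JSON that WP-CLI emits for `wp plugin list --format=json` and `wp theme list --format=json`, decides what to update and what to delete, and prints or runs the corresponding WP-CLI commands. The JSON below is constructed sample output (the field names and status values are the ones WP-CLI uses); the `wp` commands it plans are real. The database export as the first step is a local safety net for the update run, not a substitute for the off-site backup described in rule 4.

```python
import json
import subprocess

# Added example: a WP-CLI driven "update everything, delete what is unused"
# planner. SAMPLE_* are constructed stand-ins for the JSON that
# `wp plugin list --format=json` and `wp theme list --format=json` return.

SAMPLE_PLUGINS = json.loads("""[
 {"name": "akismet",         "status": "active",   "update": "available", "version": "5.2"},
 {"name": "hello",           "status": "inactive", "update": "none",      "version": "1.7.2"},
 {"name": "old-slider",      "status": "inactive", "update": "available", "version": "2.0"},
 {"name": "site-customizer", "status": "must-use", "update": "none",      "version": "1.0"}
]""")

SAMPLE_THEMES = json.loads("""[
 {"name": "twentytwentyfour", "status": "parent",   "update": "available", "version": "1.0"},
 {"name": "mychild",          "status": "active",   "update": "none",      "version": "1.0"},
 {"name": "twentytwentyone",  "status": "inactive", "update": "available", "version": "2.1"}
]""")

SAMPLE_CORE_UPDATE = True     # stands in for `wp core check-update` reporting one


def plan_maintenance(plugins, themes, core_update_available):
    """Return the ordered list of WP-CLI argument lists to run."""
    commands = [["wp", "db", "export", "pre-update.sql"]]   # snapshot before touching anything
    if core_update_available:
        commands.append(["wp", "core", "update"])
    for p in plugins:
        if p["status"] == "inactive":
            # rule 3: unused code is deleted, not updated
            commands.append(["wp", "plugin", "delete", p["name"]])
        elif p["status"] == "active" and p["update"] == "available":
            commands.append(["wp", "plugin", "update", p["name"]])
        # must-use and drop-in plugins are deployed by hand; WP-CLI does not update them
    for t in themes:
        if t["status"] == "inactive":
            commands.append(["wp", "theme", "delete", t["name"]])
        elif t["update"] == "available":
            # "active" theme, or the "parent" of an active child theme: keep and update
            commands.append(["wp", "theme", "update", t["name"]])
    return commands


def run_plan(commands, dry_run=True):
    """Print each command; execute it only when dry_run is False."""
    for cmd in commands:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    run_plan(plan_maintenance(SAMPLE_PLUGINS, SAMPLE_THEMES, SAMPLE_CORE_UPDATE))
```

On a real site you would feed the planner the output of `wp plugin list --format=json`, `wp theme list --format=json` and `wp core check-update` instead of the samples, run it from cron under the same user the web server uses, and review the dry-run output at least once before switching to `dry_run=False`, because inactive plugins are deleted rather than kept around.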
4) Always set up a backup solution during the installation.
Even the best-secured website can be lost if the hosting hardware fails, if the hosting provider disappears from the market, or if the site is compromised after all. Therefore you should perform regular backups of your WordPress site.
During the initial setup of WordPress, install a backup plugin and configure it to run regular backups. I like to use the free version of UpdraftPlus.
Do not store the backed-up data on the same server as the site. UpdraftPlus, even in the free version, can save the data to cloud storage, so you can put the ZIP files of your database and the rest of the WordPress files into your Dropbox, for example. Test the restore once after setting this up; a backup you have never restored is not yet a backup.
Security starts with the first step, namely the initial installation of the WordPress site. In my time as a WordPress developer, I have seen customers again and again who were quite negligent with their password, especially when creating a temporary account just for testing and development.