From Malicious Themes, Plugins & Hackers
Unfortunately, the Internet is crawling with people who want to damage websites and computers with malicious software and viruses, just for kicks. WordPress is no exception… Hackers have laced plugins and themes with malicious software, and they have also learned how to break into unsafe WordPress websites. I’ve been working in and with WordPress websites and blogs for quite a while now, and I learn a new tip for protecting the sites each time. In this article I’ll share just a few of the things I’ve learnt from friends, guides and tips around the Internet.
Delete the Default ‘Admin’ Profile
The first thing you must do when setting up a new WordPress site is set up a new admin profile inside your WordPress admin dashboard. Create a new username and password unrelated to you and your website. Too often, I see people using parts of their website name in the username and password. Say in my case I used ‘creative’ for the username and ‘addict’ for the password… Many servers and programs will set this up automatically as well. This is very obvious and one of the first things a hacker will try, after the default admin username ‘admin’. Choosing a safe password on its own is not enough.
After you have created a new administration profile, log into it and delete the default admin profile.
Configure the ‘Authentication Unique Keys’ in ‘wp-config.php’
The second thing I suggest you do to protect your WordPress blog is update the ‘Authentication Unique Keys’ inside your wp-config.php file. I didn’t even know it was there until someone showed me. Download your wp-config.php file, which is in the root folder of your WordPress installation, and open it in an HTML editor, or even WordPad. Look for the bit of info displayed below:
Follow the instructions in orange: paste the given link into your browser. This will generate four lines of code. Then replace the lines above shown in red and blue with your newly generated code.
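As an added example (not code from the original post), here is a small audit script that reads a wp-config.php, reports which keys are still at the sample file’s placeholder value ‘put your unique phrase here’, missing, or too short, and rewrites them with fresh random values. It goes slightly beyond the four keys above and also covers the four matching salts that later WordPress versions define next to them. The sample config is constructed for the demonstration; the script only understands single-quoted define() lines, which is how the sample file writes them.

```python
import re
import secrets
import string

# The four keys the article refers to, plus the four salts later WordPress
# versions define alongside them in wp-config.php.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Placeholder shipped in wp-config-sample.php; any key still set to it is unsafe.
PLACEHOLDER = "put your unique phrase here"

# Matches single-quoted define('NAME', 'value'); lines (no escaped quotes).
DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")

def weak_keys(config_text):
    """Names of keys/salts that are missing, still the placeholder, or shorter than 32 chars."""
    found = {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}
    return [n for n in KEY_NAMES
            if found.get(n) is None or found[n] == PLACEHOLDER or len(found[n]) < 32]

def random_key(length=64):
    """64 printable characters; single quote and backslash are excluded so the PHP string stays valid."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~`+=,.;:/?|"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rotate_keys(config_text):
    """Give every key/salt define a fresh value; append any that are missing. Other defines are untouched."""
    present = set()

    def rewrite(match):
        name = match.group("name")
        if name not in KEY_NAMES:
            return match.group(0)  # e.g. DB_NAME: leave as-is
        present.add(name)
        return "define('%s', '%s');" % (name, random_key())

    new_text = DEFINE_RE.sub(rewrite, config_text)
    for name in KEY_NAMES:
        if name not in present:
            new_text += "define('%s', '%s');\n" % (name, random_key())
    return new_text

# Constructed sample: four keys still at the placeholder, no salts at all.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
"""

if __name__ == "__main__":
    print("weak before:", weak_keys(SAMPLE_CONFIG))
    print("weak after: ", weak_keys(rotate_keys(SAMPLE_CONFIG)))
```

Changing the keys invalidates every existing login cookie, so all users (including you) will have to sign in again afterwards.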
Scanning Your Plugins and Themes
Installing themes and plugins is always risky. Make sure you either trust the source or check every single plugin and theme you install. Some themes can harm your website without even being activated, so check each one immediately after uploading it. I check my themes using a plugin called “TAC (Theme Authenticity Checker)”. Click here to visit the plugin’s website for instructions and info, or simply search for it, download it and activate it in your plugins manager. You can then run checks on all your installed themes. I cannot stress enough how important this is… My fiancé installed a malicious theme and it almost got his website banned by Google, as it was pinging websites constantly. I am sure there are far worse things out there.
Then there is a second plugin I use to scan my entire blog for anything suspicious. It is called ‘WordPress Exploit Scanner’. Click here to visit the plugin’s website for more info.
Ensure your WordPress Version & Plugins are Always Up-to-Date
This is probably the most important tip… Always make sure you update your WordPress website to the latest version. When you log in, a notification at the top of your blog will appear if there’s a new version. Luckily, WordPress can update itself automatically (without you downloading and reinstalling); however, it is always recommended to back up your files and database first. The same goes for your plugins: make sure they are always updated. Often, the updates include patches for known exploits.
Backup Your WordPress Website and Database
No matter what you do to protect your WordPress website, there’s always a small chance it may still get hacked and you lose everything… Be prepared! After the initial set-up of your blog and plugins, download your entire website and keep a copy on your local computer. You must also back up your database regularly, as it contains important data, such as your posts. I use a plugin called ‘WP-DBManager’. Click here for more info on this plugin. I set it up to back up my database weekly. It emails a small file to you, so you don’t need to keep remembering to do this, nor do you need any knowledge of how to download it manually. Very handy!
There are probably a hundred more things you can do to your WordPress website to protect it. I’ve only mentioned a handful. Below are some external links to additional tips:
If you have any additional tips you’d like to share, please leave a comment or contact me. I will try to keep adding to this post as I find useful tips.