Tips on WordPress Blog Security
May 4th is World Password Day and it’s the perfect time to remind my readers about WordPress blog security including how hacking works, how to choose a secure password and other ways you can have a secure blog.
Without the proper precautions and secure passwords, hackers can gain access to your blog and do all kinds of damage.
How Hackers Get Into Your Blog
When you send information over the internet it doesn’t go directly from your browser to the site. It passes through a number of other networks and servers first. So if you log in to a site that is NOT using an SSL secure connection (https://), the username and password you type in travel as plain text and can be read at any of those hops before they reach the website’s server.
Hackers can use FREE tools to capture your WordPress (or other site) login credentials that way, and then they would have full access to your blog. Even if your site is SSL secure, sometimes hackers just try different common usernames and passwords and gain access that way. For example, your username for your blog should NEVER be “admin” because it’s one of the most common and so hackers try it first.
How to Tell if Your Blog Has Been Hacked
You can’t always tell easily but there are some signs that can tell you there is something wrong with your blog. Keep your eye out for the following:
- unusual user activity (new users, changing of passwords, user role changes)
- new content that shouldn’t be there
- existing content has been changed in ways it shouldn’t be
- unusual spike of traffic, especially from one particular country that you don’t normally have traffic from
- unusual dip in traffic
- a huge number of spam comments on one particular post all at once
- malware warnings when the page is loaded or in Google Search Console
You can also input your site in the Google Site Status tool to see if any warnings show up.
How to Make Your Password Secure
- Make your password more than 8 characters (the longer it is the harder it is to guess)
- Use a combination of numbers, letters (upper and lower case) and symbols (&#@! etc.)
- Do NOT use dictionary words like monkey, dinosaur or house (some password-guessing programs run through every dictionary word in several languages)
- Don’t use any of the most common passwords.
- Don’t use the name of a family member, a place you have lived, a phone number or another important number (social security number or social insurance number)
- Don’t write your passwords down willy-nilly and make sure people don’t see you typing them in.
- Change your passwords regularly
The best suggestion I found while researching for a password you can remember but that is still hard to guess is to start with a sentence you can remember that isn’t too easy (include names and numbers) and then shorten it to a password.
e.g. Johnnie and Mason were my friends in 3rd Grade = JaMwmfi3g
e.g. I met my husband 10 years ago in Canada = Immh10yaiC
You can change it up a bit but something like that anyways.
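As an added example (not part of the original post), the following Python script turns a memorable sentence into a password the way the post describes, and then checks the result against the rules in the list above. The shortening rule used here (first letter of each word, case kept, numbers kept whole) reproduces the post’s “Immh10yaiC” example exactly; for the first example it yields “JaMwmfi3G” rather than the post’s “JaMwmfi3g”, since the post lower-cased the last letter by hand. The dictionary and common-password lists are tiny constructed stand-ins; a real check would load a full word list and a real most-common-passwords list.

```python
import re
import string

# Constructed, tiny stand-ins for the lists the post refers to.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "monkey", "letmein", "admin"}
DICTIONARY_WORDS = {"monkey", "dinosaur", "house", "password", "canada", "grade"}


def sentence_to_password(sentence: str) -> str:
    """Shorten a memorable sentence to a password.

    Rule: keep the first character of each word (case preserved) and keep
    leading digits of a word whole, so "10 years" contributes "10y".
    """
    parts = []
    for word in sentence.split():
        digits = re.match(r"\d+", word)
        parts.append(digits.group(0) if digits else word[0])
    return "".join(parts)


def password_problems(pw: str) -> list[str]:
    """Return a list of rule violations (empty list means the password passes)."""
    problems = []
    if len(pw) <= 8:
        problems.append("too short (8 characters or fewer)")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in the most-common-passwords list")
    # Flag embedded dictionary words of 4+ letters, case-insensitively.
    for word in sorted(DICTIONARY_WORDS):
        if len(word) >= 4 and word in pw.lower():
            problems.append(f"contains dictionary word {word!r}")
    return problems


if __name__ == "__main__":
    for sentence in ("I met my husband 10 years ago in Canada",
                     "Johnnie and Mason were my friends in 3rd Grade"):
        pw = sentence_to_password(sentence)
        print(f"{sentence!r} -> {pw!r}: {password_problems(pw) or 'OK'}")
```

Running it shows that the post’s own examples satisfy every rule except the symbol rule; appending a single symbol (e.g. “Immh10yaiC!”) makes them pass all of the checks.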
Other Ways to Be Safe
Having a secure password and an SSL-certified site are two ways to keep safe.
Here’s another suggestion for WordPress Blog Security from Christine whose blog has been hacked in the past:
“I was told over and over that the easiest way people hack is if you don’t update or get rid of unused themes and plugins. I am now super diligent about staying up on that.” – Christine from Saved By Grace and NorthWest Tourist
Indeed, hackers can sneak in through holes left by old themes and plugins. The main WordPress core (without anything added on) is very safe and virtually un-hackable (is that a word?). However, themes and plugins are made by different people, and if they don’t keep updating them when a new WordPress version comes out there can be security issues.
Also, do not give out your login information and, as stated above, make sure your login name is not admin, your blog’s name word for word, or your own name if your name is shown on your blog. Make it hard to crack.
Wordfence Security Plugin
I also suggest, if you are on WordPress, using the Wordfence Security Plugin. This is NOT a sponsored post, I just like the plugin. The plugin helps stop you from being hacked and alerts you to any problems. Wordfence even shows you when hackers are trying to gain access to your blog, including what username they tried. Before Wordfence I figured, “ah, my blog isn’t that popular, I’m sure no one is trying to break into my blog.” Well, now I know that isn’t the case. It doesn’t matter if your blog is popular.
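The password-guessing attempts described above (and the kind of activity Wordfence reports) also leave traces in the ordinary web server access log, so a blog owner without a plugin can still spot them. As an added example that is not part of the original post or of Wordfence, the Python script below reads Apache/Nginx “combined” format log lines and flags any IP address that POSTs to the WordPress login endpoints (wp-login.php and xmlrpc.php) more than a threshold number of times within a sliding time window. The log lines, IP addresses and threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (combined format); the addresses are
# documentation ranges, not real visitors. 203.0.113.7 hammers the login form,
# 198.51.100.2 reads a post and logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2017:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3852 "-" "Mozilla/5.0"
203.0.113.7 - - [04/May/2017:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3852 "-" "Mozilla/5.0"
203.0.113.7 - - [04/May/2017:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3852 "-" "Mozilla/5.0"
203.0.113.7 - - [04/May/2017:10:01:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [04/May/2017:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3852 "-" "Mozilla/5.0"
203.0.113.7 - - [04/May/2017:10:01:14 +0000] "POST /wp-login.php?redirect_to=/wp-admin/ HTTP/1.1" 200 3852 "-" "Mozilla/5.0"
198.51.100.2 - - [04/May/2017:10:05:10 +0000] "GET /2017/05/some-post/ HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
198.51.100.2 - - [04/May/2017:10:05:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not in log format and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line: str):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop query string before matching
        "status": int(m["status"]),
    }


def find_login_bursts(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {ip: max_attempts_in_window} for IPs exceeding `threshold`
    login POSTs inside any `window`-long sliding interval."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, count in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} login attempts within 5 minutes")
```

On a real server you would feed it the actual access log (`find_login_bursts(open("/var/log/nginx/access.log").read())`, path assumed) and tune the threshold; a flagged address is a reason to check which usernames were tried and to confirm that none of your accounts uses “admin” or another easily guessed name.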
If you have any other tips on WordPress Blog Security, I’d love to hear them in the comments below. We’d also love to hear your story if you’ve been hacked.