Hosting companies often lure new WordPress site owners with the promise of a super-easy WordPress installation. Unfortunately, that kind of installation also makes it easy for hackers to compromise your files. But you can avoid having your site turned into a phishing site for hackers by following five simple steps.
1. Avoid using the 1-click installation feature.
Hosting companies will assure you that this is the easiest way to install WordPress, and they may even offer to do it for you for free. But ask them for a “hack-free guarantee” on that installation and see what they say.
Actually, there is no such thing as hack-proof software. Even the Pentagon has a team working around the clock to keep hackers out. But you’ll likely find that the host does nothing extra to secure that easy installation, leaving you wide open to attack.
2. Do a manual installation of WordPress or freelance it to a qualified geek.
There are several steps in a manual installation beyond copying the WordPress files to the server. You have to create the MySQL database that will hold your site content (posts, pages, comments and settings; uploaded images live on disk under wp-content/uploads, with only their records in the database) and a database user for WordPress to connect with. You then edit wp-config.php to enter those credentials, and while you are there, change the database table prefix from the default wp_ so that scripted attacks that assume the default table names have to guess yours.
You’ll also want to add a file called .htaccess to your web root that tells the web server to refuse requests for wp-config.php, the file holding your database login. Without it, a server misconfiguration or a stray backup copy of that file (wp-config.php.bak, for example) can hand your credentials to anyone who asks, and from there it is easy to plant phishing pages among your site’s files. You’ll never know it happened until you start getting ugly emails from site visitors, or worse, until a payment service like PayPal bills you for purchases you never made.
Keep in mind that some big-name hosting providers do not allow you to add this file to your root directory, which is why you won’t find them in BlogAid’s preferred vendor list.
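The manual steps above, as an added shell example (not the post’s own procedure): it generates a random table prefix and fresh salts for wp-config.php, writes the SQL for a dedicated, least-privilege database user, and drops an .htaccess into the web root that refuses to serve wp-config.php. The wp-config-sample.php fragment in the demo is constructed to mirror the real file’s placeholders; the database name, user name and temporary paths are assumptions, and the .htaccess assumes Apache with overrides enabled.

```sh
#!/bin/sh
# Added example for a manual WordPress install; not the post's own procedure.
# Assumes Apache with .htaccess overrides enabled and MySQL/MariaDB. Runs
# offline against a constructed wp-config-sample.php fragment (see the demo).
set -e

# Command that prints a 64-char secret for the wp-config.php salts. The set
# omits ' \ / and & so the value is safe in sed/awk and a single-quoted PHP string.
SALT_CMD='LC_ALL=C tr -dc "A-Za-z0-9!@#%^*()_=+-" </dev/urandom | head -c 64'

# Random table prefix: WordPress allows [A-Za-z0-9_] only; start with a
# letter, add five random characters, end with "_" (e.g. "k7x2q_").
random_table_prefix() {
    first=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 1)
    rest=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 5)
    printf '%s%s_\n' "$first" "$rest"
}

# SQL for a dedicated database and a user that can touch only that database;
# run it as the MySQL root user ("mysql -u root -p < create-db.sql") and never
# put the root login in wp-config.php. Password must not contain a quote.
write_create_db_sql() {
    # $1 output file, $2 database, $3 db user, $4 db password
    cat >"$1" <<EOF
CREATE DATABASE \`$2\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER '$3'@'localhost' IDENTIFIED BY '$4';
GRANT ALL PRIVILEGES ON \`$2\`.* TO '$3'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Build wp-config.php from the sample: credentials, custom prefix, and a
# different random salt on every "put your unique phrase here" line (the real
# sample has eight of them). Password must not contain / & ' or \.
write_wp_config() {
    # $1 wp-config-sample.php, $2 output, $3 db, $4 user, $5 password, $6 prefix
    sed -e "s/database_name_here/$3/" \
        -e "s/username_here/$4/" \
        -e "s/password_here/$5/" \
        -e "s/\\\$table_prefix *= *'wp_';/\$table_prefix = '$6';/" \
        "$1" >"$2"
    awk -v cmd="$SALT_CMD" '
        /put your unique phrase here/ { cmd | getline s; close(cmd)
                                        sub(/put your unique phrase here/, s) }
        { print }' "$2" >"$2.tmp" && mv "$2.tmp" "$2"
    chmod 600 "$2"   # credentials: readable by the web server account only
}

# .htaccess for the web root: never serve wp-config.php or stray copies of it
# (wp-config.php.bak, wp-config.php~), and do not list directory contents.
# Hosts that forbid overrides will answer 500 to this file (see step 2).
write_htaccess() {
    # $1 document root
    cat >"$1/.htaccess" <<'EOF'
Options -Indexes
<FilesMatch "^wp-config\.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# --- demo on a constructed sample; no network or database server needed -----
WORK=$(mktemp -d)
cat >"$WORK/wp-config-sample.php" <<'EOF'
<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
PREFIX=$(random_table_prefix)
DBPASS=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)
write_create_db_sql "$WORK/create-db.sql" wp_site wp_site_user "$DBPASS"
write_wp_config "$WORK/wp-config-sample.php" "$WORK/wp-config.php" \
    wp_site wp_site_user "$DBPASS" "$PREFIX"
write_htaccess "$WORK"
echo "Generated in $WORK with table prefix $PREFIX:"
grep -E "table_prefix|DB_NAME|AUTH_KEY" "$WORK/wp-config.php"
```

The prefix and the salts are the two things a 1-click installer most often leaves at their defaults; the database user is granted rights on its own database only, so a leaked wp-config.php does not hand over every database on the server.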
3. Install Security Plugins
Regardless of how WordPress was installed, you’ll want to add a few security plugins. One of my favorites is Login LockDown. It keeps hackers from coming through the front door by recording every failed login attempt and, once too many come from the same IP range within a short period, disabling logins from that range.
There are dozens of security plugins for WordPress. Be careful what you install. Some treat every image you load into your Media Library as a virus and make you jump through hoops to upload it. Others scan your site for security risks and recommend changes that few hosting providers allow.
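Whatever plugin you choose, it helps to know what a password-guessing run looks like on the server side. The following is an added shell example (not the post’s or the Login LockDown plugin’s code) that counts failed POSTs to wp-login.php per client IP in a combined-format Apache/Nginx access log and emits an Apache 2.4 rule locking those clients out of the login form. The log lines are constructed, the client addresses are documentation ranges, and the threshold of 5 is an assumption.

```sh
#!/bin/sh
# Added example; not from the post or the Login LockDown plugin. Detects
# password guessing against wp-login.php in a combined-format access log.
# A failed WordPress login re-renders the form with HTTP 200; a successful
# one answers 302 (redirect to /wp-admin/), so "POST /wp-login.php -> 200"
# counts as a failed attempt.
set -e

# Print "ip count" for every client with at least $2 failed logins in log $1,
# busiest first.
failed_logins_by_ip() {
    awk -v limit="$2" '
        # combined format: $1 client IP, $6 "\"POST", $7 path, $9 status
        {
            path = $7
            sub(/\?.*/, "", path)   # drop ?redirect_to=... query strings
        }
        $6 == "\"POST" && path == "/wp-login.php" && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' "$1" | sort -k2,2nr
}

# The same lockout expressed as web-server config: an Apache 2.4 <Files>
# block that refuses the offending clients access to wp-login.php. Comments
# go on their own line because Apache does not allow trailing comments.
lockout_htaccess() {
    # $1 log, $2 threshold
    echo '<Files wp-login.php>'
    echo '    <RequireAll>'
    echo '        Require all granted'
    failed_logins_by_ip "$1" "$2" | while read -r ip count; do
        echo "        # $count failed logins"
        echo "        Require not ip $ip"
    done
    echo '    </RequireAll>'
    echo '</Files>'
}

# --- demo on constructed log lines ------------------------------------------
LOG=$(mktemp)
i=0
while [ $i -lt 6 ]; do   # six failures from one scripted client
    echo "198.51.100.9 - - [10/Oct/2023:13:55:3$i +0000] \"POST /wp-login.php HTTP/1.1\" 200 3456 \"-\" \"python-requests/2.31\"" >>"$LOG"
    i=$((i + 1))
done
cat >>"$LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2710 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:14:02:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:14:02:50 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
echo "Clients with 5 or more failed logins:"
failed_logins_by_ip "$LOG" 5
lockout_htaccess "$LOG" 5
```

The human at 203.0.113.7 mistyped once and then got in (the 302), so a threshold of one would lock out your own users; pick the limit from your real logs before you apply the generated block.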
4. Change your Login ID
If you log in with the username “admin”, your site is open to attack: every password-guessing script already knows half of your credentials. You can easily create a new user through the Users link in your WordPress admin area; give it the Administrator role. No database permissions are involved and you don’t need your host for this, since WordPress users are stored in the wp_users table and have nothing to do with the MySQL login in wp-config.php.
Once the new user is set up, log in as that user and delete “admin”. When WordPress asks what to do with the deleted user’s content, attribute it to the new user so that none of your posts or pages disappear with the account.
5. Back up Your Database Regularly
While this practice won’t keep your site from being hacked, it preserves all of your site content and settings in case you have to start over with a fresh installation after a compromise.
There are several good plugins that make it easy to back up your files. My favorite is BackupBuddy. It lets you back up your files to your computer and restore them easily if necessary. It also lets you optimize, repair and set options on your database.
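What a scheduled backup of this kind does under the hood, as an added shell example (it is not the post’s or BackupBuddy’s code): it reads the database login out of wp-config.php, dumps the database from a consistent snapshot, archives wp-content/uploads (where the images actually live), and keeps only the newest copies of each. The paths /var/www/html and /var/backups/wp and the retention of 7 are assumptions; the demo at the end uses a constructed site tree so it runs without a database server.

```sh
#!/bin/sh
# Added example; not the post's or BackupBuddy's code. Backs up the two
# things a fresh install cannot recreate: the database and wp-content/uploads.
# Assumes mysqldump, gzip and tar on the host; paths below are assumptions.
set -e

# Read define( 'KEY', 'value' ) out of wp-config.php (tolerates the spacing
# of both old and new sample files).
wp_config_value() {
    # $1 wp-config.php, $2 constant name (DB_NAME, DB_USER, ...)
    sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1" | head -n 1
}

# Dump the database to $2 (gzipped). The login goes in a 0600 options file
# so the password never appears on the command line (visible in ps), and
# --single-transaction takes a consistent InnoDB snapshot without locking.
dump_database() {
    # $1 wp-config.php, $2 output .sql.gz
    cnf=$(mktemp); chmod 600 "$cnf"
    {
        echo '[client]'
        echo "user=$(wp_config_value "$1" DB_USER)"
        echo "password=$(wp_config_value "$1" DB_PASSWORD)"
        echo "host=$(wp_config_value "$1" DB_HOST)"
    } >"$cnf"
    raw="$2.raw"
    mysqldump --defaults-extra-file="$cnf" --single-transaction --quick \
        "$(wp_config_value "$1" DB_NAME)" >"$raw"
    rm -f "$cnf"
    # mysqldump ends a complete dump with "-- Dump completed"; refuse a torn one.
    grep -q '^-- Dump completed' "$raw"
    gzip -c "$raw" >"$2" && rm -f "$raw"
}

# Archive uploads: images live on disk, not in the database.
archive_uploads() {
    # $1 uploads directory, $2 output .tar.gz
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

# Keep only the newest $2 files named $3<stamp>... in directory $1; the names
# embed YYYYmmdd-HHMMSS, so a reverse lexical sort is newest-first.
prune_old_backups() {
    # $1 backup dir, $2 copies to keep, $3 filename prefix (db- or uploads-)
    ls -1 "$1"/"$3"* 2>/dev/null | sort -r | tail -n +"$(( $2 + 1 ))" |
        while read -r old; do rm -f "$old"; done
}

# Entry point for cron, e.g. nightly: backup_site /var/www/html /var/backups/wp 7
# Restore the database with: gunzip -c db-<stamp>.sql.gz | mysql <options> <DB_NAME>
# Copy the backup directory off the host afterwards (rsync/scp); a backup that
# lives only on the compromised server is not a backup.
backup_site() {
    # $1 WordPress root, $2 backup dir, $3 copies of each to keep
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$2"
    dump_database "$1/wp-config.php" "$2/db-$stamp.sql.gz"
    archive_uploads "$1/wp-content/uploads" "$2/uploads-$stamp.tar.gz"
    prune_old_backups "$2" "$3" db-
    prune_old_backups "$2" "$3" uploads-
}

# --- demo with a constructed site tree (no database server needed) ----------
SITE=$(mktemp -d); DEST=$(mktemp -d)
mkdir -p "$SITE/wp-content/uploads/2023/10"
echo "fake image bytes" >"$SITE/wp-content/uploads/2023/10/photo.jpg"
printf "define( 'DB_NAME', 'wp_site' );\ndefine( 'DB_USER', 'wp_site_user' );\n" >"$SITE/wp-config.php"
echo "Database that backup_site would dump: $(wp_config_value "$SITE/wp-config.php" DB_NAME)"
archive_uploads "$SITE/wp-content/uploads" "$DEST/uploads-$(date +%Y%m%d-%H%M%S).tar.gz"
prune_old_backups "$DEST" 7 uploads-
echo "Backups in $DEST:"; ls -1 "$DEST"
```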
Hackers break into thousands of sites every day. Only the novices do detectable damage, like making the site unusable. There is far too much money to be made by planting phishing pages or paid links on your site, so the professionals prefer to run their schemes in stealth mode.
Protect your site either by having a professional perform the installation, or by adding as many security measures as you can to the installation you have.