While a Content Management System (CMS) like WordPress is developed with security in mind, practicing good security habits like those outlined in this article will greatly reduce your chances of being attacked.  We’ve found that if you follow these basic steps you’ll be in good shape. Worse case, if you ever do get hacked, and you make regular backups, you can restore your site.

  1. Keep WordPress and the plugins updated
  2. Never use “admin” as your username
  3. Only use secure passwords
  4. Make regular backups

1. Keep WordPress and the Plugins Updated

WordPress enjoys a thriving community of developers who focus on improving the CMS, but more importantly, patching up vulnerabilities and security holes. Fortunately, keeping up to date is as simple as visiting your site’s dashboard.

Before updating any component of your site, a full backup should be made (see more details on this below). Once you’ve made your backup, click the Update Now button in the “WordPress Updates” screen of the Dashboard.

2. Never Use ‘admin’ as Your Username

In fact, never use any of the following common choices such as: root, admin, test, guest, info, adm, user, usr, administrator or “your name.”

Using the default admin username of “admin” for a WordPress site’s administrator account means there’s one less thing a would-be hacker needs to determine in order to gain access.

Sometimes you’ll forget your username or password and need to reset it. That happens to everyone, but remember, hackers can use the same reset form as you – and if they know your admin user name they are already halfway there.

3. Only Use Secure Passwords

This applies everywhere; just as you wouldn’t use 1234 for your credit card’s PIN, neither should you use a generic password. Two of the most common techniques used by hackers to break into sites are brute force and dictionary attacks. In both scenarios, an attacker is attempting to guess your password by systematically testing as many passwords per minute as possible.

Brute force and dictionary attacks quickly become unfeasible by simply using secure passwords. That means:

  • has at least 8 characters;
  • has uppercase letters;
  • has lowercase letters;
  • has numbers;
  • has symbols, such as ` ! ” ? $ ? % ^ & * ( ) _ – + = { [ } ] : ; @ ‘ ~ # | < , > . ? /
  • is not like your previous passwords;
  • is not your name;
  • is not your login;
  • is not your friend’s name;
  • is not your family member’s name;
  • is not a dictionary word;
  • is not a common name;
  • is not a keyboard pattern, such as qwerty, asdfghjkl, or 12345678

To illustrate the importance of practicing good password habits, GRC’s Password Haystacks tool can be used to estimate how long it would take to “crack” a given password using an online brute force technique. Here’s a comparison of a simple password versus a secure password:

cat – Time to brute force: 18.28 seconds

}O”e~m%w){q#(+4 – Time to brute force: 1.49 hundred thousand trillion centuries

4. Make Regular Backups

Backups should be made on a regular basis. We recommend a database backup is made once per week, and a full backup be made once per month. Depending on the site, more frequent backups might make sense (for example, a site with a very active blog or news section, may opt to make database backups once an hour). In addition, a full backup should be made before updating WordPress, plugins or themes.

Backups can be made manually, using a tool provided by your hosting, or using a WordPress plugin. Our ‘go to’ plugin for this is BackupBuddy. It’s a paid plugin, but it seems to work on just about any shared hosting that supports WordPress.

Be sure to store your physical backup copies in a safe location, or store them in remote (secure) locations like Amazon S3, Dropbox, etc.  We have our sites backed up to the hosting server and also to S3. It costs us less than $5 per month to back up about 10 websites.