Your company’s got someone in-house in charge of the website and if you’re reading this, it’s most likely you. If you work for a smaller company or a smaller non-profit, it’s also likely that you aren’t an IT specialist. You don’t consider yourself to be techy, but you’re comfortable when it comes to adding/revising web content and supporting co-workers with basic how-to questions. But is your footing less stable when it comes to the deeper layers of your site, especially serious WordPress security concerns? You’re not alone.
Here are 4 tips for the non-techy and DIY web admins out there that will help prevent hacker access and help keep things running smoothly.
1. Is your default username “admin”? Change it!
If you’re using an older WordPress site, it’s likely that your username is “admin”. (Newer iterations of WordPress require you to select a custom username when you install WordPress.) The problem is that usernames make up half of your login credentials. Hackers using brute force attacks will most certainly try using “admin” as the username first.
You have a few options, but the easiest way to remedy this is to create a new admin username and delete the old one. Here’s how:
1. In your dashboard, click on Users » Add New and fill out the form. (You will need to use a different email address than the one used by the old account.)
2. Log out and log in with the new user account you just created.
3. Go to the Users section and click on the Delete link under your old username.
4. WordPress will ask what you want to do with content created by the old user. Be sure to select the ‘Attribute all content to:’ option and then select the new user you just created.
5. Then, confirm the deletion of “admin” as a user.
2. Limit Login Attempts
WordPress allows users to attempt to log in to the dashboard as many times as they want. Brute force attacks will be unimpeded in their attempts to access your site – and that’s not good.
We recommend installing the All-In-One WordPress Firewall plugin for this. This plugin can also be used to change the admin username (as described above), force logout after x number of minutes, change the table prefix in the database so it’s not set to the default “wp_”, and much, much more.
3. Add 2-Factor Authentication (2FA) to WordPress Login
Adding one more step to the login process can be easy enough for you and your team, while making it even harder for a hacker to gain access. We recommend using 2-factor authentication like the Google Authenticator plugin. You’ll be able to choose additional login credentials like a secret question, a secret code, a set of characters, etc.
4. Install a Better Firewall
The firewall plugin suggested in #2 (above) is ideal for limiting login attempts, but when it comes to the actual firewall, we highly recommend something more robust like the Wordfence firewall plugin. You’ll want to disable the firewall portion of the All-in-one plugin above.
Once the Wordfence firewall is installed, use its scan feature to scan for malware. This will also monitor files and notify you when updates are available and if any suspicious activity occurs.
Additional Web Security Support
If this all makes sense, but you don’t have the time to tackle it, we offer basic monitoring and service packages. Contact us for details.