10 recommended steps to lock down and secure WordPress

The following steps will help you secure and protect your WordPress website against hackers, and in particular against the large-scale botnet brute-force attack on WordPress logins described below.

1. Use a strong password

Minimum password recommendations:
At least 8 characters total (longer is better; 12 or more is a sensible target)
A mixture of upper- and lower-case letters
Numbers, punctuation or other non-alphanumeric characters
Never reuse the password on another site; a password manager can generate and store a random one for you

Example weak password: secret1
Improved strong password: Z#hupsZ2M4!Z


2. Change default WordPress admin username
When WordPress is installed, the administrator account is given the username admin by default.
The botnet attack is currently only targeting this default username, so even renaming the administrator account to something like admin123 would significantly reduce the likelihood of your site being successfully logged into by a malicious user. Note that this defends against this particular campaign rather than against a targeted attacker: WordPress reveals usernames through author archives (for example /?author=1), so the strong password from step 1 remains essential.

3. Lock down WordPress admin access with .htaccess
Blocking this attack with .htaccess rules is the preferred method. Restricting wp-login.php and the wp-admin directory to known IP addresses, or placing them behind HTTP basic authentication, means the web server rejects the malicious requests before WordPress and PHP are ever invoked, so each login attempt costs almost nothing to turn away.

4. Temporarily disable CPU-intensive login limit plugins
Using a WordPress brute-force or login-limiting plugin against this type of attack is not very efficient, and in some cases can actually lead to your site becoming unavailable, because WordPress and PHP still have to load and challenge each and every malicious login attempt. Such plugins can also trigger our own internal security rules, and they will not be effective in a large-scale attack of this kind, so disable them while the .htaccess rules are in place.
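As an added example that is not part of the original article, the following .htaccess rules show the weak default (no restriction on the login page at all) beside the two hardened forms described in steps 3 and 4. It assumes Apache 2.4 with mod_authz_core and mod_auth_basic, a hypothetical trusted address 203.0.113.10, and a hypothetical password file at /home/example/.htpasswd created with htpasswd; adjust these to your own environment.

```apache
# Added example, not from the original article. Apache 2.4 syntax assumed.
#
# WEAK (the default WordPress .htaccess): nothing mentions wp-login.php,
# so every login request is handed to PHP and WordPress to process.
#
# HARDENED, option A: in the WordPress document root .htaccess, allow the
# login page only from trusted addresses. 203.0.113.10 is a placeholder.
<Files "wp-login.php">
    Require ip 203.0.113.10
    # Add one "Require ip" line per trusted address or CIDR range.
</Files>

# HARDENED, option B: place this in wp-admin/.htaccess to demand an extra
# HTTP Basic Auth password before WordPress's own login form is reached.
# /home/example/.htpasswd is a placeholder; create it outside the
# document root with:  htpasswd -c /home/example/.htpasswd adminuser
AuthType Basic
AuthName "Restricted area"
AuthUserFile /home/example/.htpasswd
Require valid-user

# admin-ajax.php serves front-end features for anonymous visitors, so keep
# it reachable: the more specific <Files> section replaces the Require above.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

The two options are complementary: option A covers wp-login.php in the site root, option B covers everything under wp-admin/. Both need AllowOverride to permit AuthConfig and Limit for .htaccess to take effect; on an Apache 2.2 host replace the Require ip line with Order Deny,Allow / Deny from all / Allow from 203.0.113.10. After applying the rules, request wp-login.php from an address that is not on the list and confirm you receive a 403 (option A) or a 401 (option B) rather than the WordPress login form.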

5. Scan website for hacks, check Google Safe Browsing
If your WordPress site has been successfully compromised, a clear indication will usually be found either by a surface security scan of the website or in a listing on Google's Safe Browsing.
Scan your website with an online malware scanner such as sitecheck.sucuri.net/scanner
Check Google's Safe Browsing status for your domain at google.com/safebrowsing/diagnostic?site=example.com (replace example.com with your own domain)

6. Verify the User Is Human
reCAPTCHA forms, which ask the user to type what they see in an image as text, are a useful way to stop botnets from brute-forcing logins to your WordPress site. Botnets typically cannot automate this part of the login process, so it helps prevent them from accessing your site. A CAPTCHA is still processed by WordPress and PHP, however, so it reduces successful logins rather than server load; pair it with the .htaccess rules from step 3 during a large-scale attack.

7. Backup WordPress
At this point it is probably a good idea to back up WordPress, both the database and the files, just in case. That way, as the attacks continue, you always have a known-good point to restore to if something goes wrong.

8. Keep WordPress Updated
Since WordPress 3.7, minor releases, which cover security and maintenance fixes, are applied automatically. You can extend this to major WordPress releases as well by adding the following to your site's wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

While this may seem like a good idea, it may result in incompatibility between the newly installed version of WordPress and your existing themes and/or plugins. It is always a good idea to maintain a testing environment for this sort of thing, and to keep plugins and themes updated as well, since these are a common way in for attackers.

There are third-party tools which can connect to your WordPress website and let you manage all of your WordPress installations from a single, unified interface, including one-click installation of WordPress, theme and plugin updates.

9. Clean up hacks
If your website has been the victim of a hack, you can follow my guide on how to reinstall WordPress after a hack for steps on cleaning it up and getting back in business. Once the site is clean, change every WordPress, database and FTP password, since the attacker may already have captured them.

