May 4th is World Password Day and it’s the perfect time to remind my readers about WordPress blog security including how hacking works, how to choose a secure password and other ways you can have a secure blog.
Tips on WordPress Blog Security
Without the proper precautions and secure passwords, hackers can gain access to your blog and do all kinds of damage.
How Hackers Get Into Your Blog
When you send information over the internet, it doesn’t go directly from your browser to the site. It passes through a number of servers and networks first. So if you log in to a site that is NOT using an SSL secure connection (https://), the username and password you type in are sent unencrypted and can be read at any of those points along the way before they reach the website’s server.
Hackers can use FREE tools to capture your login credentials for WordPress (or any other site), and then they would have full access to your blog. Even if your site is SSL secure, hackers sometimes just try common usernames and passwords and gain access that way. For example, your blog username should NEVER be “admin” because it’s one of the most common, so hackers try it first.
How to Tell if Your Blog Has Been Hacked
You can’t always tell easily but there are some signs that can tell you there is something wrong with your blog. Keep your eye out for the following:
- unusual user activity (new users, changing of passwords, user role changes)
- new content that shouldn’t be there
- existing content has been changed in ways it shouldn’t be
- unusual spike of traffic, especially from one particular country that you don’t normally have traffic from
- unusual dip in traffic
- a huge amount of spam comments on one particular post all at once
- malware warnings when the page is loaded or in Google Search Console
You can also input your site in the Google Site Status tool to see if any warnings show up.
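The first sign in the list (new users, role changes) can be checked mechanically by comparing two saved snapshots of the site's user list. This is an added example, not part of the original post; it assumes each snapshot is a JSON list with `user_login` and a comma-separated `roles` field (the shape WP-CLI's `wp user list --fields=user_login,roles --format=json` is assumed to produce), and all account names are constructed.

```python
import json

# Constructed snapshots in the assumed export shape: a JSON list of objects
# with "user_login" and a comma-separated "roles" string.
BASELINE = '''[
  {"user_login": "site_owner", "roles": "administrator"},
  {"user_login": "guest_writer", "roles": "author"},
  {"user_login": "old_intern", "roles": "contributor"}
]'''
CURRENT = '''[
  {"user_login": "site_owner", "roles": "administrator"},
  {"user_login": "guest_writer", "roles": "author,administrator"},
  {"user_login": "wp_support01", "roles": "administrator"}
]'''

HIGH_PRIVILEGE = {"administrator", "editor"}


def load_roles(snapshot_json):
    """Map each login name to its set of roles."""
    return {
        u["user_login"]: {r.strip() for r in u["roles"].split(",") if r.strip()}
        for u in json.loads(snapshot_json)
    }


def diff_users(baseline_json, current_json):
    """Return findings as (severity, login, description), most severe first."""
    before, after = load_roles(baseline_json), load_roles(current_json)
    findings = []
    # Accounts that did not exist in the baseline.
    for login in sorted(after.keys() - before.keys()):
        sev = "HIGH" if after[login] & HIGH_PRIVILEGE else "MEDIUM"
        findings.append((sev, login, "new account: " + ",".join(sorted(after[login]))))
    # Existing accounts whose roles changed; gaining a powerful role is HIGH.
    for login in sorted(after.keys() & before.keys()):
        gained = after[login] - before[login]
        lost = before[login] - after[login]
        if gained or lost:
            sev = "HIGH" if gained & HIGH_PRIVILEGE else "MEDIUM"
            findings.append((sev, login, f"roles changed: +{sorted(gained)} -{sorted(lost)}"))
    for login in sorted(before.keys() - after.keys()):
        findings.append(("LOW", login, "account removed"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: order[f[0]])
```
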
How to Make Your Password Secure
- Make your password more than 8 characters (the longer it is the harder it is to guess)
- Use a combination of numbers, letters (upper and lower case) and symbols (&#@! etc.)
- Do NOT use dictionary words (vocabulary) like monkey, dinosaur, house. (some programs that try to guess passwords run all dictionary words from different languages)
- Don’t use these most common passwords.
- Don’t use the name of a family member, place you have lived, phone number or other important number (social security number or social insurance number)
- Don’t write your passwords down willy nilly and make sure people don’t see you typing them in.
- Change your passwords regularly
The best suggestion I found while researching for a password you can remember that is still hard to guess is to start with a sentence you can remember but that isn’t too easy (include names and numbers) and then shorten it to a password.
e.g. Johnnie and Mason were my friends in 3rd Grade = JaMwmfi3g
e.g. I met my husband 10 years ago in Canada = Immh10yaiC
You can change it up a bit but something like that anyways.
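The checklist above can be turned into a small script that reports which rules a candidate password breaks. This is an added example, not part of the original post; the common-password and dictionary lists are tiny constructed samples, and the function name is hypothetical. Run against the first sentence-based password above, it shows that it meets every rule except the symbol one, so that is where to "change it up".

```python
import re

# Constructed sample lists for illustration; a real check would load a full
# dictionary file and a published common-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "111111"}
DICTIONARY_WORDS = {"monkey", "dinosaur", "house", "summer", "dragon"}


def check_password(password, personal_info=()):
    """Return the list of rules `password` breaks (empty list = passes)."""
    problems = []
    lowered = password.lower()

    if len(password) <= 8:
        problems.append("8 characters or fewer")

    classes = {
        "lowercase letter": r"[a-z]",
        "uppercase letter": r"[A-Z]",
        "number": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    for name, pattern in classes.items():
        if not re.search(pattern, password):
            problems.append(f"no {name}")

    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")

    # Strip digits and symbols so "Monkey2017!" is still caught as "monkey".
    letters_only = re.sub(r"[^a-z]", "", lowered)
    for word in sorted(DICTIONARY_WORDS):
        if word in letters_only:
            problems.append(f"contains dictionary word '{word}'")

    # Names, places and numbers tied to the owner (supplied by the caller).
    alnum = re.sub(r"[^a-z0-9]", "", lowered)
    for item in personal_info:
        token = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(token) >= 3 and token in alnum:
            problems.append(f"contains personal detail '{item}'")

    return problems


if __name__ == "__main__":
    for candidate in ("JaMwmfi3g", "JaMwmfi3g!", "Monkey2017!", "password"):
        print(candidate, "->", check_password(candidate) or "passes")
```
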
Other Ways to Be Safe
Having a secure password and an SSL certified site are two ways to keep safe.
Here’s another suggestion for WordPress Blog Security from Christine whose blog has been hacked in the past:
“I was told over and over that the easiest way people hack is if you don’t update or get rid of unused themes and plugins. I am now super diligent about staying up on that.” – Christine from Saved By Grace and NorthWest Tourist
Indeed, hackers can sneak in through holes made by old themes and plugins. The main WordPress core (without anything added on) is very safe and virtually un-hackable (is that a word?). However, themes and plugins are made by different people, and if they don’t keep updating them when a new WordPress version comes out, there can be safety issues.
Also, do not give out your login information and, as stated above, make sure your login name is not admin, your blog’s name word for word, or your own name if your name is shown on your blog. Make it hard to crack.
Wordfence Security Plugin
If you are on WordPress, I also suggest using the Wordfence Security Plugin. This is NOT a sponsored post, I just like the plugin. The plugin helps stop you from being hacked and alerts you to any problems. Wordfence even shows you when hackers are trying to gain access to your blog, including what username they tried. Before Wordfence I figured, “ah, my blog isn’t that popular, I’m sure no one is trying to break into my blog.” Well, now I know that isn’t the case. It doesn’t matter if your blog is popular.
If you have any other tips on WordPress Blog Security, I’d love to hear them in the comments below. We’d also love to hear your story if you’ve been hacked.
Dawn McAlexander
Monday 22nd of May 2017
The one thing that I fear the most about my blog is that it will be hacked. I have taken some strong measures to try and prevent that, but who knows? Maybe it isn't as safe as I thought.
LauraOinAK
Monday 22nd of May 2017
I haven't tried Wordfence yet, but did have to pay someone to clean up after a hacker got in. It really makes you wonder what they stand to gain by doing it.
Diane Hoffmaster
Monday 22nd of May 2017
Hackers drive me nuts! I try hard to do all of these things and keep my backups done. And my fingers crossed!
Nayab Khan
Monday 8th of May 2017
Hey Kathleen, It's really important to keep our blog secure not only for the sake of ourselves but for the sake of our user privacy. No doubt SSL and keeping your blog plugins and themes updated are the best ways to prevent. Obviously a good strong password as well, as you mentioned above. There are a few more things one can do to secure their blogs, like backing up your site regularly to prevent data loss; an automatic backup can be scheduled with the help of backup plugins. Fixing the error messages that display the server path and not having an antivirus on your computer can also make your blog vulnerable to all sorts of attack. A great post Kathleen.
Emma Shearer
Monday 1st of May 2017
Great blog post. It's always important to keep your login details safe! I once had my full computer hacked as a teenager before I started blogging, but that was because I stupidly clicked on a link. Ended up being a girl in my year at school had created a virus to specifically target me. She and several others had been bullying me at the time so she made and sent the virus to try to get more stuff to pick on me for :(
Kathleen Bailey
Thursday 4th of May 2017
Oh wow. Bullying sure has changed over the years but it unfortunately never goes away. There are so many people (not just teenagers) who don't know how to keep info safe.