Just over a week ago I published this article documenting a hacked website and how to find and fix the issues.
In this article I decided to delve into the whole hacking issue to provide some ways to harden your WordPress website against such attacks.
Help my WordPress Website has been Hacked
A search for “Wordpress Website has been Hacked” in Google returns over 6 million results! Scary when you think about it, as WordPress is one of the most widely used content management platforms out there.
But in most cases it is not the WordPress platform itself that is the issue. Far more often it is a misconfiguration, an out-of-date plugin, a weak password, or simply a lack of knowledge about what lurks in the dark corners of the internet.
For example, did you know that attackers actively scan for WordPress installations and try the username “admin”? Older versions of WordPress created an account called admin automatically (you only got to pick its password), and a great many sites still have it. If the attacker already knows the username, the password is all that is left to guess.
But did you know you can easily change that username? The profile screen inside WordPress won’t let you edit it, but you can make the change directly in your database.
Now before you start saying “but I’m no database guy, I can’t do this” I’m here to tell you that yes you can.
Changing your WordPress Administrators User Name
If you are not self-hosting your website, chances are it is hosted on a platform that gives you a web based administration panel or console. Log into that console and see if there are any web based database tools. Most sites use MySQL for their database, so there will usually be a tool like phpMyAdmin installed. This is a web based tool that allows you to make changes to databases. Before you touch anything, take a backup of the database (phpMyAdmin’s Export tab will do) so you can put it back if a change goes wrong.
Log into phpMyAdmin (or whatever tool you have) and look for the database for your WordPress install. Most likely it will be the only database there. Simply click on the name of the database on the left to see what tables reside in it. You want the tables whose names start with wp_, which is the default table prefix. If whoever set up the site changed the prefix (a good idea in itself), the prefix is whatever $table_prefix is set to in wp-config.php. Once you have found the right database, look for the table called wp_users and click on it.
Here you should see the list of users who have accounts on your wordpress site. You should also see “edit” beside the names of the users. Find the admin user and press the edit link or button beside it.
Now you are looking at the actual data stored in the database for this particular user. user_login is the field that stores the name the user types to log into your WordPress installation. Type something else in there – it could be your first name, your dog’s name or even some random word. It doesn’t matter, as long as you remember what it is. While you are on this row, put the same new name in user_nicename and display_name as well: WordPress builds author archive links (/author/<nicename>/) from user_nicename, so if you only change user_login the old name stays visible on the site.
Scroll down (or up), look for “go” or “save” or something similar and hit that button. The browser window will show a message confirming that the row was updated.
Without closing this window, open another browser window and go to your site’s login page (wp-login.php). Put in your new name and your usual admin password and see if it works. Keeping the first window open means you can immediately put the old name back if it doesn’t.
If it does, it means you have changed your admin user from something attackers look for to something they have to find. Keep in mind this only defeats attackers who blindly try “admin”: a more careful one can still discover your login name by requesting ?author=1 and reading the author archive URL it redirects to, so the password still has to be strong.
Changing the Admin Password
Did you know you can also change the admin password from your phpMyAdmin page? And it is just as easy.
Go back into your database page and look for your newly named admin user. Click edit again and look for the password field. It should be filled with a bunch of seemingly random letters, numbers and characters.
To change the password, type the new password into the value field and, in the function dropdown to the left of it, select “MD5”. phpMyAdmin then stores the MD5 hash of what you typed rather than the password itself. This is hashing, not encryption: it cannot be reversed, but it is unsalted and fast to crack offline, which is why WordPress stopped using it years ago. WordPress still recognises the old MD5 format, and the first time you log in it silently replaces it with its normal salted hash. If you forget to pick MD5, the plain text is stored as-is and the login will simply fail.
Then, switch back to your other browser window, enter the new password to test it and you should now see your WordPress dashboard.
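Here are the same two edits expressed as the SQL that phpMyAdmin runs for you, as an added example rather than code from the original post. It runs the UPDATE statements against a constructed copy of the wp_users table in SQLite (an assumption made so the example works offline; a real site uses MySQL, where the statements are the same and MD5() is built in instead of being registered by hand). The new login name “sitekeeper”, the sample password and the placeholder hash are made up for the example.

```python
import hashlib
import sqlite3
import string

# Column layout of the real WordPress wp_users table. The real table lives in
# MySQL; SQLite is used here (an assumption for this example) so it runs offline.
WP_USERS_SCHEMA = """
CREATE TABLE wp_users (
    ID INTEGER PRIMARY KEY,
    user_login TEXT NOT NULL,
    user_pass TEXT NOT NULL,
    user_nicename TEXT NOT NULL,
    user_email TEXT NOT NULL,
    user_url TEXT NOT NULL DEFAULT '',
    user_registered TEXT NOT NULL,
    user_activation_key TEXT NOT NULL DEFAULT '',
    user_status INTEGER NOT NULL DEFAULT 0,
    display_name TEXT NOT NULL
);
"""

# Constructed sample row: a stock "admin" account with a fake phpass-style hash
# (34 characters, the length WordPress normally stores).
SAMPLE_PHPASS_HASH = "$P$BAbCdEfGhIjKlMnOpQrStUvWxYz0123"


def open_sample_db():
    """In-memory stand-in for the site database, seeded with the admin row above."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    # MySQL has MD5() built in, which is what phpMyAdmin's dropdown applies;
    # SQLite does not, so register an equivalent under the same name.
    conn.create_function("MD5", 1, lambda s: hashlib.md5(s.encode("utf-8")).hexdigest())
    conn.executescript(WP_USERS_SCHEMA)
    conn.execute(
        "INSERT INTO wp_users (ID, user_login, user_pass, user_nicename, user_email,"
        " user_registered, display_name)"
        " VALUES (1, 'admin', ?, 'admin', 'owner@example.com', '2012-01-01 00:00:00', 'admin')",
        (SAMPLE_PHPASS_HASH,),
    )
    return conn


def rename_user(conn, old_login, new_login):
    """Rename a login. user_nicename and display_name are changed with it, because
    WordPress builds author archive URLs (/author/<nicename>/) from user_nicename
    and would otherwise keep advertising the old name. Returns rows changed."""
    cur = conn.execute(
        "UPDATE wp_users SET user_login = ?, user_nicename = ?, display_name = ?"
        " WHERE user_login = ?",
        (new_login, new_login, new_login, old_login),
    )
    conn.commit()
    return cur.rowcount


def set_password_md5(conn, login, new_password):
    """Store a password exactly as phpMyAdmin's 'MD5' function does: the unsalted
    MD5 of the plaintext. WordPress accepts this legacy format and replaces it
    with a salted hash on the user's next successful login. Returns rows changed."""
    cur = conn.execute(
        "UPDATE wp_users SET user_pass = MD5(?) WHERE user_login = ?",
        (new_password, login),
    )
    conn.commit()
    return cur.rowcount


def get_user(conn, login):
    """Fetch one wp_users row as a dict, or None if no such login exists."""
    row = conn.execute("SELECT * FROM wp_users WHERE user_login = ?", (login,)).fetchone()
    return dict(row) if row else None


def is_legacy_md5(stored_hash):
    """True for a bare 32-hex-digit MD5, the legacy format WordPress still accepts."""
    return len(stored_hash) == 32 and all(c in string.hexdigits for c in stored_hash)


if __name__ == "__main__":
    db = open_sample_db()
    print("renamed rows:", rename_user(db, "admin", "sitekeeper"))  # hypothetical new name
    print("password rows:", set_password_md5(db, "sitekeeper", "correct horse battery staple"))
    print(get_user(db, "sitekeeper"))
```

The WHERE clause matches on user_login rather than ID on purpose: rowcount of 1 confirms you hit exactly the account you meant, and 0 tells you the name was already changed (or never existed) before anything is overwritten.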
Other Simple Ways to Secure Your Site Against Hackers
There are many other simple things that will only take 5 minutes out of your week to do. The first is to log into your WordPress installation at least weekly and check to see if there are updates that need to be applied.
Plugins and themes are usually the weakest point in the site, so by updating them regularly you help close loopholes that could give an attacker access to your website. Delete plugins and themes you no longer use rather than just deactivating them: their files stay on the server and can still be attacked.
Change your password if there is any chance it has leaked, and make sure it is long. I know it’s a pain, but passwords can be guessed. In most cases an attacker will run what is called a brute force attack, or more precisely a dictionary attack: a script feeds a giant list of words, and common variations of them, to the login form along with your username, one after another, until one works. By making your password longer, and using a mix of lower case, upper case, numbers and symbols, you make it harder to guess; length, and not reusing the same password on other sites, count for far more than the mix of characters. Changing it on a schedule – even every 90 days – helps less than changing it straight away whenever you suspect it has been exposed.
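A small detection script for the attack just described, added here as an example and not part of the original post: it reads web-server access-log lines in the common “combined” format (a constructed sample is embedded; the IPs, timestamps and user agents are invented) and flags any client that produced a burst of failed logins to wp-login.php inside a short window. It relies on one observable: WordPress answers a rejected login with HTTP 200 (the form again, plus an error message) and a successful one with a 302 redirect to the dashboard.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not real traffic): one host cycles through a word list
# against wp-login.php, one real user logs in (302), and a stray GET loads the form.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2013:02:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2791 "-" "python-requests/1.1"
203.0.113.7 - - [10/Mar/2013:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.1"
203.0.113.7 - - [10/Mar/2013:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.1"
203.0.113.7 - - [10/Mar/2013:02:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.1"
198.51.100.4 - - [10/Mar/2013:02:14:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2013:02:14:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.1"
203.0.113.7 - - [10/Mar/2013:02:14:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.1"
203.0.113.7 - - [10/Mar/2013:02:14:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.1"
203.0.113.7 - - [10/Mar/2013:02:41:55 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/1.1"
"""


def failed_logins(lines):
    """Map client IP -> sorted timestamps of failed login attempts.
    A POST to wp-login.php answered with 200 is a rejected login; a 302 is a
    successful one, so it is not counted."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # blank or unparseable line
        if m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] != "200":
            continue
        attempts[m["ip"]].append(datetime.strptime(m["ts"], TS_FMT))
    return {ip: sorted(ts) for ip, ts in attempts.items()}


def find_dictionary_attacks(lines, threshold=5, window_seconds=60):
    """Return {ip: peak failures inside any window} for IPs at or over threshold.
    A sliding window stops a steady attacker being averaged away by quiet hours,
    and stops one fat-fingered user with two typos from being flagged."""
    window = timedelta(seconds=window_seconds)
    offenders = {}
    for ip, times in failed_logins(lines).items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # drop attempts that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


if __name__ == "__main__":
    print(find_dictionary_attacks(SAMPLE_LOG.splitlines()))
```

On the sample above the attacker shows six failures inside a minute and the legitimate user none; the lone attempt at 02:41 is outside every window and does not add to the peak. Feed it `tail -n 10000 access.log` and the output is the list of addresses to block at the firewall or in your login-limiting plugin.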
What I like to do to help make a password a little easier to remember is replace some of the characters with symbols that look like them.
For example, if you are a cat person and your cat’s name is Missy, and Missy’s birthday is July 1 your password could be something like:
What I did is replace the “i” and an “s” with the exclamation mark and dollar sign. It still reads as Missy, so it’s easy to remember, but the two extra symbols make this password harder to guess. I then capitalised the first letter and added the birth date to the end. Be aware that these look-alike substitutions are so common that password-cracking tools apply them automatically from built-in rule lists, so the real strength comes from length: if you can make it longer and add more different characters, or better still string several unrelated words together, that helps far more.
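To show how little the substitution trick buys on its own, here is an added example (editor’s code, not the post’s) that enumerates every password the scheme above can produce from one pet’s name: optional look-alike swaps, an optional capital first letter, and an optional birth date appended as MMDD. The word and the sample password checked at the end are constructed for the example and are not the one from the post.

```python
from itertools import product

# Look-alike substitutions from the post plus the other usual suspects. Cracking
# tools ship rule files that apply exactly these, so they add little strength.
LEET = {"i": "!", "s": "$", "a": "@", "o": "0", "e": "3"}


def leet_variants(word):
    """Every spelling where each substitutable letter is either kept or swapped."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word.lower()]
    return {"".join(combo) for combo in product(*options)}


def case_variants(word):
    """As typed, and with the first letter capitalised (the post's tweak)."""
    return {word, word[:1].upper() + word[1:]}


def date_suffixes():
    """No suffix, or MMDD for every day of a leap year (366 values)."""
    days_in_month = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    return [""] + [f"{m:02d}{d:02d}"
                   for m, n in enumerate(days_in_month, start=1)
                   for d in range(1, n + 1)]


def candidates(word):
    """All passwords the scheme can produce from one pet name or dictionary word."""
    for base in leet_variants(word):
        for cased in case_variants(base):
            for suffix in date_suffixes():
                yield cased + suffix


def count_candidates(word):
    """Size of the search space an attacker who knows the scheme has to cover."""
    return sum(1 for _ in candidates(word))


def is_guessable(password, word):
    """Would the scheme applied to `word` reach `password`?"""
    return any(c == password for c in candidates(word))


if __name__ == "__main__":
    # "missy" and the password below are constructed for the example.
    print(count_candidates("missy"))
    print(is_guessable("M!$$y1231", "missy"))
```

For a five-letter name the whole space is under six thousand guesses, which an offline attack on a stolen hash finishes in well under a second and an online dictionary attack in a matter of hours. Each extra unrelated word multiplies that space by the size of the dictionary, which is why length beats symbol substitution.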
There are many more things you could do to harden your WordPress site against hackers. In fact, the WordPress website has a really good article with suggestions: http://codex.wordpress.org/Hardening_WordPress
Finally, no matter what you do, your site can still be compromised, whether it runs WordPress or not, so please take regular backups. Most hosting services offer automated backups for free; download them and keep a copy on your computer or somewhere else secure, off the web server, because an attacker who gets into the server can delete or tamper with backups stored on it. If your site is ever hacked you can then restore it from the backup, but also find and close the hole it came in through, otherwise it will simply be hacked again.