How to Protect Your Blog
A quick “public service announcement” with a tip to protect your blog from hackers.
Having lost sites in the past, before I knew better, because they were hacked, I now take very seriously the security of my WordPress sites, and use the plugin Wordfence because it emails me to warn me of login attempts I'm not expecting.
I'm not sure what was happening this morning, but when I looked in my inbox there was a whole stream of login attempts over a few minutes. Below is a screenshot:
So for instance, should anyone try to sign in with the username “admin”, I've set it up so that's an immediate lockout because using admin as your WordPress username is like an open invitation to hackers!
I get these alerts every so often, but it's fairly unusual to get so many of them so close together. Wordfence tells me what IP address they're from (in case I want to block an exact IP address) and these were all from different IP addresses – although I understand these can be fairly easily spoofed by anyone with evil intent.
My simplistic view of this is that my blog has just two or three trusted users to whom I have granted login privileges. So if anyone else tries to log in they are probably “up to no good”.
Much as I would feel if I found someone with a bunch of keys trying to get into my house 🙂
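The lockout rules described above, together with a check for a burst of attempts arriving from many different IP addresses, can be sketched as follows. This is an added example, not part of the original post and not Wordfence's own code; the log records are constructed, and the thresholds, the `review` function and the account name "joy" are assumptions made for illustration.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

INSTANT_LOCKOUT = {"admin"}      # usernames no legitimate user ever types
MAX_FAILURES_PER_IP = 3          # deliberately low per-address threshold
WINDOW = timedelta(minutes=5)    # "over a few minutes"
DISTINCT_IP_ALERT = 4            # this many sources in one window is a burst

# Constructed sample of failed logins: (time, source IP, username tried).
# "joy" stands in for a real account whose owner mistyped a password.
FAILED_LOGINS = [
    ("2015-06-01T07:00:05", "203.0.113.10", "admin"),
    ("2015-06-01T07:00:40", "198.51.100.7", "administrator"),
    ("2015-06-01T07:01:12", "203.0.113.55", "test"),
    ("2015-06-01T07:02:03", "192.0.2.91", "admin"),
    ("2015-06-01T07:02:30", "198.51.100.7", "administrator"),
    ("2015-06-01T07:03:10", "198.51.100.7", "root"),
    ("2015-06-01T09:30:00", "192.0.2.200", "joy"),
]

def review(failed_logins):
    """Return (lockouts, burst_alerts) for a time-ordered list of failures."""
    lockouts, burst_alerts = {}, []
    failures = Counter()         # failed attempts seen per source IP
    recent = deque()             # (time, ip) pairs still inside WINDOW
    in_burst = False
    for stamp, ip, user in failed_logins:
        when = datetime.fromisoformat(stamp)
        failures[ip] += 1
        if user in INSTANT_LOCKOUT:
            lockouts.setdefault(ip, "blocked username")
        elif failures[ip] >= MAX_FAILURES_PER_IP:
            lockouts.setdefault(ip, "too many failures")
        # Per-IP counters miss guesses spread over many addresses, so also
        # count distinct sources across the whole site inside the window.
        recent.append((when, ip))
        while when - recent[0][0] > WINDOW:
            recent.popleft()
        sources = {addr for _, addr in recent}
        if len(sources) >= DISTINCT_IP_ALERT and not in_burst:
            burst_alerts.append((stamp, sorted(sources)))  # one alert per burst
        in_burst = len(sources) >= DISTINCT_IP_ALERT
    return lockouts, burst_alerts

if __name__ == "__main__":
    locked, bursts = review(FAILED_LOGINS)
    print("lockouts:", locked)
    print("bursts:", bursts)
```

On the sample data, two addresses are locked out for trying "admin", one for repeated failures, and the single mistyped login two hours later triggers nothing.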
What Should You Do To Protect Your Blog?
Given that it's a free plugin, the minimum I believe you should do is install the Wordfence plugin.
As well as the ability to lock out attempted logins there are many additional options on the Wordfence dashboard and it's well explained, so do spend a few minutes looking at the various options and tailoring them to what you feel is sensible. (A little further down there's a link to a video on the WordPress site.)
For instance – I felt that by default it allowed too many attempts at logging in, so I brought it right down.
Other Benefits of Wordfence
The WordPress site describing the plugin lists a huge number of benefits, some of them pretty technical – so if you're of a technical bent, head on over to learn more.
For me, these are the highlights:
- Hackers often get into your site by means of vulnerabilities in plugins that the plugin authors will fix with a free update. Which is great – unless you don't notice there's been an update. If you're logging in daily, you'll notice the updates, and can fix them. But if you only log in to your site (say) weekly – or even less frequently – you're in danger of missing vital updates. However, Wordfence will email you when updates are needed, so you can log in to fix them.
- It will scan your site and warn you of any potential problems.
- It also speeds up your site! Who wouldn't want that?
You can learn more about the features of Wordfence here.
The Paid Version of Wordfence
Starting off with the free version of Wordfence will give you an immediately improved level of security.
Premium users can also block countries and schedule their scans for specific times and with a higher frequency.
How Do YOU Secure Your WordPress Blog?
There are many other plugins available to protect your blog against hackers. Wordfence just happens to be one I was recommended to use, and it's doing a great job for me.
However, I know I have some very experienced bloggers amongst my readers, so please feel free to add your own recommendations in the comments below.
Update August 2019
This post was originally written in 2015! But the dangers of WordPress security still remain for the unwary.
Since this post was written I have moved to managed WordPress hosting with Pressidium and they handle the security of my site, but I still use the free version of Wordfence on clients' sites and everyone has been very happy with it.
However, do read the comments on this post as well because other bloggers with more technical expertise than I have kindly added their own security tips and favorite WordPress security plugins too.