Unless things have changed since the last time I set up a new self-hosted WordPress site, WordPress presents you with the username \u201cadmin\u201d as default. And even if they\u2019ve stopped doing this, it was the standard since the inception of WordPress back in 2003.<\/p>\n\n\n\n
Here\u2019s an interesting fact. According to Kinsta<\/a>, out of all the websites in existence, WordPress.org<\/a> powers up just over 40% of them. And, its market share is 65% of all websites that are built on a contact management system. Over 38% of the world’s top websites are on WordPress.org.<\/p>\n\n\n\n
You might be thinking it\u2019s no big deal. You\u2019re nobody. Who\u2019s going to try to hack your site?<\/p>\n\n\n\n
Well, if most hacking attempts on your site were made by a single person looking for a single site to hack into, your lack of concern would\u2014maybe\u2014be warranted. However, that\u2019s not what is happening. For the most part, hacking attempts against your site are made by bots launching brute-force attacks.<\/p>\n\n\n\n
These bots will either use best guesses for username and password, like admin and 123456, or they will use something like a dictionary attack where the bot literally goes through a dictionary trying to match words to your username. So yes, \u201cadmin\u201d is a bad choice, but so is any other recognizable word. Jumble up those letters and numbers.<\/p>\n\n\n\n
If you have a security plugin that sends you a notification when it locks someone, or some bot, out of your site because of too many bad login attempts, you\u2019ll generally see all those attempts are using admin as a username.<\/p>\n\n\n\n
So, now that we\u2019re clear about not using admin as your username, what kind of measures can you take to secure your site?<\/p>\n\n\n\n
Since I love factoids, here\u2019s another one. According to a cybersecurity report published 2 years ago, organizations increased their online security budgets by 50%.<\/p>\n\n\n\n
What does that tell you? Other than a whole lot of people probably didn\u2019t get a raise that year? It\u2019s an indication\u2014a clear message\u2014that none of us can afford to be lax when it comes to online security. Even if you\u2019re that little guy with a hobby site.<\/p>\n\n\n\n
My first recommendation is to download a VPN<\/a>. There are some free options available, but with limited functionality. VPN is an acronym that stands for Virtual Private Network<\/a> and using one is a great step toward securing your site. As long as you access your site via the service, all data flowing in or out is encrypted and your local IP address is hidden. If you\u2019re looking for a good VPN for your needs, check out this article on the best VPN by VPNpro<\/a>.<\/p>\n\n\n\n
Install a security plugin. You have a choice of a free option here as well, and any number of plugins to choose from. Some plugins are more feature rich than others, and some are more complex and may require more setup, so choose one that works for your specific situation.<\/p>\n\n\n\n
Turn off the file editing feature. The WordPress codex recommends taking this step, and it can be done by either manually editing a few lines of code in the wp-config.php file or by installing a plugin that will do it for you. If you\u2019re making the change manually, simply add the following to your wp-config.php file:<\/p>\n\n\n\n
define(\u2018DISALLOW_FILE_EDIT\u2019, true);<\/p>\n\n\n\n
Speaking of your wp-config.php file, you should also hide it and your .htaccess files. Please note these steps, and the ones above, are not to be taken lightly. If you don\u2019t know what you\u2019re doing, I don\u2019t recommend manually editing any of the WordPress core files. If you feel confident, take a backup of these files before doing anything, and then make the necessary changes.<\/p>\n\n\n\n
After you\u2019ve backed up your files, add the following to your wp-config.php file:<\/p>\n\n\n\n
<Files wp-config.php><\/p>\n\n\n\n
order allow,deny<\/p>\n\n\n\n
deny from all<\/p>\n\n\n\n
<\/Files><\/p>\n\n\n\n
Once you\u2019ve done that, move on to your .htaccess file and add:<\/p>\n\n\n\n
<Files .htaccess><\/p>\n\n\n\n
order allow,deny<\/p>\n\n\n\n
deny from all<\/p>\n\n\n\n
<\/Files><\/p>\n\n\n\n
Next, you should consider limiting login attempts to your site. Let\u2019s assume a user has forgotten his password. WordPress will let that user make an endless amount of tries to get into the site. But that user could actually be a hacker, so you don\u2019t want them to have limitless tries to log in. But if you limit attempts, this will deter a hacker.<\/p>\n\n\n\n
Implementing this is typically done with the use of a plugin. Depending on what settings you use, you can block someone temporarily\u2014and this is what you should do in the case where you might have legitimate users trying to log in\u2014or you could permanently block that IP. Of course, a hacker will be circling through IPs, so it\u2019s a bit like playing whack-a-mole.<\/p>\n\n\n\n
Note this can also be done without a plugin, but since it\u2019s a bit complicated, I suggest you stick with the plugin.<\/p>\n\n\n\n
So there you have it. The first step is always to change the default username when you set up a WordPress site. And if you have any seasoned sites that have that default name, go change them now. And make sure you follow the steps above on how to secure your site.<\/p>\n","protected":false},"excerpt":{"rendered":"
Unless things have changed since the last time I set up a new self-hosted WordPress site, WordPress presents you with the username \u201cadmin\u201d as default. And even if … Continue \u2192<\/a><\/p>\n","protected":false},"author":10,"featured_media":59120,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[30,2642],"tags":[],"aioseo_notices":[],"yoast_head":"\n