Because no one wants to deal with the hassle of a hacked site.
Several months ago, InformationWeek and several other sites reported an onslaught of hack attacks on WordPress sites using generic usernames such as “Admin” or “administrator.” This may be old news for some, but the attacks are still occurring.
Of course, it isn’t only WordPress sites that get hacked. It’s just that the platform is one of the most popular out there, which makes it an easy target for hackers. But even if your site isn’t on WordPress, recovering from a website hack is a hassle that you just don’t ever want to go through, so take the following precautions right now:
- Create an account just for you. Using the current administrator account, create at least one account that has administrator access. If you already have this done, kudos! Go ahead and create a second account and assign that to a backup email you own or to someone you trust implicitly. This means someone who has absolutely no potential to get mad at you in five months and go in and mess with your site — so, not a developer or new boyfriend. Preferably, it’s someone who’s not even associated with the website on a regular basis. This way, if you lose access to your site for some reason, you have another way of getting in that would be difficult for a hacker to guess.
- Delete all generic accounts. Using just one login for all users is bad practice anyway. If you must have one generic account, make it something specific to you or your company, like “SiteseeingIntern” or “MicrosoftSerf.” But delete all the common names that most people would be able to guess, which include: admin, administrator, root, webmaster, test, and user. Of course, any combinations and capitalizations of those easily guessable names should also not be used.
- Create a username for every individual user. This gives you maximum control over your site, and also lets you take advantage of some very useful baked-in WordPress features. When everyone has a username, you can easily promote or demote their access to the site on an individual basis — or delete them altogether without having to alert all the other users that the password has changed. By giving each user their own login, you’re also making better use of the Revisions feature, which shows who made what change to a page and when. There are other WordPress features that are best used with individual users, but that’s fodder for another post.
- Update WordPress. Make sure you are running the latest version. WordPress will usually tell you if you’re running an old version when you log in. In most cases, you can just click the link to update WordPress, but you should check with your developer first in case there are plugins or other code that might not be compatible with the upgrade.
- Remember to use secure passwords. Don’t pick your pet’s or boyfriend’s name, the name of your street, your favorite sports team, etc. Don’t make the password about you and don’t pick a word that’s in a dictionary (of any language), as many bots are programmed to try exactly these words in the hope of guessing your password. Some of the most common passwords are “admin,” “123456,” “password123,” “abcde,” and these other horrible choices. More advice on creating secure passwords and creating a hard-to-crack password that’s easy to remember.
- Change the login page. Most login pages for websites are located at www.yoursite.com/wp-admin.php. Make it more difficult for hackers to guess your password by making it hard to find the login page to begin with.
- Limit login attempts. Hackers gain access by attempting a flurry of passwords, so if your site is suddenly barraged with password attempts, it’s a good sign a hacker’s trying to get in. (Or your mom can’t remember her password. Again.) Plugins such as Limit Login Attempts live up to their name and add an extra layer of protection.
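
To act on the "Delete all generic accounts" step, the following added example (not part of the original post) audits a list of logins for the guessable names listed above, including their combinations and capitalizations. The function names, the sample logins and the one-login-per-line input file are assumptions of this example.

```python
import re
import sys

# The guessable names listed in the article.
GENERIC = ("administrator", "webmaster", "admin", "root", "test", "user")

# Constructed sample logins, used when no file is given.
SAMPLE = ["Admin", "test_admin1", "RootUser", "root2024", "SiteseeingIntern", "jsmith"]


def is_generic(username):
    """True if the login is nothing but generic names, whatever the
    capitalization, digits or separators around them."""
    core = re.sub(r"[^a-z]", "", username.lower())
    if not core:
        return False
    # reachable[i]: core[:i] can be written as a sequence of generic names.
    reachable = [True] + [False] * len(core)
    for i in range(len(core)):
        if reachable[i]:
            for name in GENERIC:
                if core.startswith(name, i):
                    reachable[i + len(name)] = True
    return reachable[-1]


def audit(usernames):
    """Return the logins that should be replaced, in input order."""
    return [u for u in usernames if is_generic(u)]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Assumed input: a text file with one login per line.
        with open(sys.argv[1], encoding="utf-8") as fh:
            logins = [line.strip() for line in fh if line.strip()]
    else:
        logins = SAMPLE
    for login in audit(logins):
        print("generic login, replace with a named account:", login)
```

If WP-CLI is installed, `wp user list --field=user_login > users.txt` produces a suitable input file. Character substitutions such as "r00t" are not caught by this check.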
There is no silver bullet against all hack attempts, but by taking the above measures, you’ll make your site far less attractive to hackers.
More advice on secure WordPress logins from other sources:
- How to Secure Your WordPress Login Page & Mitigate Hacking Risks (Inbound Now)
- 10 Steps to a Secure WordPress Website (Copyblogger.com)
- 13 Vital Tips and Hacks to Protect Your WordPress Admin Area (WPBeginner)