WordPress is a powerful tool that offers numerous advantages to webmasters, but it isn’t without its drawbacks. One drawback is that WordPress is now so widespread that hackers have developed a suite of tools and tricks exclusively for breaking into and exploiting WordPress blogs. After all, each WordPress blog starts out more or less the same, regardless of which WordPress theme you use, so identical hacks and exploits can be used against a vast number of the WordPress blogs online today. And those WordPress blogs are legion: recent surveys by internet experts found that almost 20 percent of the web today is powered by WordPress back ends. That’s an enormous number of web pages that are vulnerable to a hacker who knows his way around WordPress.
To keep your WordPress blog or web site safe, follow these tips and tricks that will lock out hackers who use the most common means of breaking into WordPress blogs. These won’t foil every hacker, but they’ll make your blog or web site much less accessible than most others, and that alone will be enough to deter many would-be hackers.
Block Unwanted IP Addresses
Block them not from your entire blog, but only from the admin panel, which is what a hacker is most likely to go after. This is a very effective trick that will make your blog immune to the most dangerous type of hacking, which is when a hacker gets onto your admin panel and then takes total control of your WordPress site and all the information saved in it. In this scenario, a hacker could even lock you out of your own site and make it difficult (if not impossible) for you to get back in. To prevent that, edit your .htaccess file to include a list of IP addresses that are allowed to access the admin panel. This only requires editing the “white list” line to include your IP address; once that’s done, no one working from any other location will be able to get onto the admin panel. Remember that if you are using a commercial ISP, your IP address will change periodically, and you will then have to update the .htaccess file on your web server.
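Here is an added example (not from the article, and not a file WordPress ships) of generating that allow list for Apache. It assumes Apache 2.4 or later with mod_authz_core (the `Require ip` directive) and `AllowOverride` enabled for the WordPress directory; the addresses are constructed sample values from the documentation ranges. The generator refuses to emit anything if an address is malformed, because a typo in this file locks out everyone, including you.

```shell
#!/bin/sh
# Added example: build an Apache 2.4 .htaccess fragment that restricts the WordPress
# login page (wp-login.php) to an allow list of IP addresses.
# Assumes Apache 2.4+ (mod_authz_core "Require ip") and AllowOverride for this directory.

# Accept a plain IPv4 address or an IPv4 CIDR range (e.g. 203.0.113.0/24).
# Returns 0 when the value is well-formed, 1 otherwise.
is_valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/(3[0-2]|[12]?[0-9]))?$'
}

# Print the .htaccess fragment for the given addresses on stdout.
# Fails (non-zero, prints nothing) if the list is empty or any address is malformed.
make_login_allowlist() {
    [ "$#" -gt 0 ] || { echo "need at least one address" >&2; return 1; }
    for addr in "$@"; do
        is_valid_ipv4 "$addr" || { echo "rejecting malformed address: $addr" >&2; return 1; }
    done
    printf '<Files "wp-login.php">\n'
    printf '    Require ip'
    for addr in "$@"; do printf ' %s' "$addr"; done
    printf '\n</Files>\n'
}

# Append the fragment to the site's .htaccess, keeping a backup of the previous file.
# Usage: install_login_allowlist /var/www/html 203.0.113.5 198.51.100.0/24
install_login_allowlist() {
    wp_root="$1"; shift
    fragment=$(make_login_allowlist "$@") || return 1
    if [ -f "$wp_root/.htaccess" ]; then
        cp "$wp_root/.htaccess" "$wp_root/.htaccess.bak"
    fi
    printf '%s\n' "$fragment" >> "$wp_root/.htaccess"
}
```

The fragment targets `wp-login.php` rather than the whole `wp-admin/` directory because `wp-admin/admin-ajax.php` is also called by front-end features of many themes and plugins; locking down the entire directory can break the public site for every visitor, while the login page is what the article's attacker needs. When your ISP assigns you a new address, rerun `install_login_allowlist` with the new value.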
Ditch The Admin Account
By default, the username used to log into your blog is “admin.” That’s true on every single WordPress blog (when they’re first set up), and hackers know this. If they know the username used to get into your admin panel, that puts them much closer to having unfettered access to your web site’s back end. So set up a new account with a username other than “admin,” and then delete the admin account altogether. Remember, if you don’t delete the admin account, hackers will still be able to use it to crack into your blog, even if you no longer use that account.
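The same change can be scripted with WP-CLI, which is handy when you manage more than one site. The following is an added example, not part of the article; it assumes WP-CLI is installed as `wp` on the server, that the WordPress root is passed as the first argument, and that the new login name and e-mail are the ones you choose (the values in the usage line are constructed samples). It creates the replacement administrator first and only then deletes `admin`, reassigning that account's posts so nothing is lost.

```shell
#!/bin/sh
# Added example: replace the default "admin" account using WP-CLI (assumed installed
# as `wp`), then delete "admin" while reassigning its posts to the new account.

# Reject the default and other obvious login names and enforce a conservative
# character set. Returns 0 for an acceptable username, 1 otherwise.
validate_new_username() {
    case "$1" in
        admin|administrator|root|wordpress) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.-]{4,60}$'
}

# Create the replacement administrator and remove "admin".
# Usage: replace_admin_account /var/www/html editor_jane jane@example.com
# The password is read from the terminal with echo off, not typed into the command.
replace_admin_account() {
    site="$1"; new_user="$2"; new_email="$3"
    validate_new_username "$new_user" || { echo "refusing username '$new_user'" >&2; return 1; }
    # Nothing to do if the site never had an "admin" login.
    wp --path="$site" user get admin --field=ID >/dev/null 2>&1 \
        || { echo "no 'admin' account present; nothing to do" >&2; return 1; }
    printf 'Password for %s: ' "$new_user"
    stty -echo; read -r pw; stty echo; echo
    wp --path="$site" user create "$new_user" "$new_email" \
        --role=administrator --user_pass="$pw" --porcelain >/dev/null
    new_id=$(wp --path="$site" user get "$new_user" --field=ID)
    # Reassign every post and page owned by "admin" before the account disappears.
    wp --path="$site" user delete admin --reassign="$new_id" --yes
    echo "replaced 'admin' with '$new_user' (ID $new_id)"
}
```

Log in with the new account once before running this, so you know it works; `--user_pass` does place the password in the process arguments for the instant WP-CLI runs, so on a shared host prefer WP-CLI's global `--prompt=user_pass` option instead, which asks for the value interactively.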
Move Your Blog’s Configuration File
Your configuration file contains all sorts of information about your blog that cannot be gleaned without reading it directly, and which could potentially aid a hacker in breaking into your blog. This is bad news, because the configuration file is always named “wp-config.php” by default, and it’s always stuck in the exact same place: your WordPress directory. Hackers who get hold of it will find themselves very close to having access to sensitive information on your blog. The way to stop them is to move the file so that hackers aren’t sure where it is, and they’re forced to guess randomly what its location might be. When you move it, WordPress will automatically search your site for it and locate it. Meanwhile, finding the configuration file would take hours for a hacker, and most won’t bother. They’ll just leave you alone, and that, after all, is what you want.
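One detail worth knowing before you move the file: WordPress does not search the whole site for it. Its loader checks the WordPress directory and then exactly one level up, and it uses the parent copy only if that directory does not contain a `wp-settings.php` of its own (that is, is not another WordPress install). So the only move that keeps the site working is into the parent directory, and the move only helps if that parent sits above the web server's document root, where it cannot be requested over HTTP. The script below is an added example, not from the article; the path in the usage line is a constructed sample.

```shell
#!/bin/sh
# Added example: move wp-config.php one directory above the WordPress root, the one
# alternative location WordPress itself checks, and tighten its permissions.

# Return 0 if the parent of the given WordPress root is a directory WordPress will
# read wp-config.php from: it must exist, hold no wp-settings.php (another install)
# and not already contain a wp-config.php that would be silently overwritten.
parent_is_usable() {
    parent=$(dirname "$1")
    [ -d "$parent" ] && [ ! -e "$parent/wp-settings.php" ] && [ ! -e "$parent/wp-config.php" ]
}

# Usage: move_wp_config /var/www/html
# Assumes the parent (/var/www in the sample) is outside the document root;
# if it is still served by the web server, the move gains nothing.
move_wp_config() {
    root=$(cd "$1" && pwd) || return 1
    [ -f "$root/wp-config.php" ] || { echo "no wp-config.php in $root" >&2; return 1; }
    parent_is_usable "$root" || { echo "parent of $root cannot hold wp-config.php" >&2; return 1; }
    mv "$root/wp-config.php" "$root/../wp-config.php"
    # Owner-only access: the file holds database credentials and the secret keys.
    chmod 600 "$root/../wp-config.php"
    echo "moved to $(dirname "$root")/wp-config.php"
}
```

After the move, load the site once to confirm it still reads its configuration. The `chmod 600` assumes the PHP process runs as the file's owner, which is the usual single-site setup; where PHP runs as a separate user in the owner's group, use `640` instead, or the site will fail with a database connection error.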