Over the last few weeks, we’ve noticed a considerable uptick in WordPress CMS site hacks (even GoDaddy got hacked). Although we’re not sure what might be causing this, we do know a few quick ways to get your house in order thanks to the security pros at Sucuri.

1. Scan & Buy Sucuri

If you think you may already have been hacked, you can scan your website using Sucuri’s free site scanner. Even if the scan comes back clean, we highly recommend ponying up a little dough and buying a Sucuri license. For the average user, you’re only looking at like $90/year. It’s worth every penny!

2. Install WordPress “Login Lockdown” Plugin

This free security plugin records the IP address and timestamp of every failed login attempt. After a certain number of failed attempts (a number you can choose), it will disable login for that IP address for some period of time (an hour, a day, whatever). What’s the point? This makes it take years (if not decades) for a hacker to use a script that just guesses and guesses your login until it guesses right (called brute force password discovery). It’s a lightweight, highly customizable plugin, and with over 150,000 downloads and counting, it works. Did I mention it was free?!
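The lockout rule described above, sketched as an added example (not the plugin's own code). The class name, the thresholds and the sample failed-login records are assumptions made up for illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-IP lockout: max_failures inside window_s locks the IP for lockout_s."""

    def __init__(self, max_failures=3, window_s=300, lockout_s=3600):
        # Assumed values for illustration, not the plugin's defaults.
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, now):
        """Record one failed login; return True if the IP is locked afterwards."""
        if self.is_locked(ip, now):
            return True                     # rejected before any password check
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window_s:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout_s
            recent.clear()
        return self.is_locked(ip, now)

    def max_guesses_per_day(self):
        """Upper bound on guesses one IP gets in 24 h if guessing takes no time."""
        cycles = -(-86400 // self.lockout_s)    # ceiling division
        return cycles * self.max_failures

# Constructed sample: (seconds since start, source IP) of failed logins.
SAMPLE_FAILURES = [
    (0, "203.0.113.7"), (2, "203.0.113.7"), (4, "203.0.113.7"),  # scripted guessing
    (5, "203.0.113.7"), (6, "203.0.113.7"),                      # arrive while locked
    (10, "198.51.100.20"), (900, "198.51.100.20"),               # a user mistyping
    (3700, "203.0.113.7"),                                       # lockout has expired
]

def replay(events, throttle):
    """Return the lock state after each failed attempt, in order."""
    return [throttle.record_failure(ip, ts) for ts, ip in events]

if __name__ == "__main__":
    t = LoginThrottle()
    for (ts, ip), locked in zip(SAMPLE_FAILURES, replay(SAMPLE_FAILURES, t)):
        print(f"t={ts:>4}s {ip:<14} {'LOCKED' if locked else 'allowed'}")
    print("max guesses per IP per day:", t.max_guesses_per_day())
```

With these assumed settings one address gets at most 72 guesses a day, instead of as many as the server can process. The limit is per IP address, so it bounds a single source, not the total across many sources.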

3. Buy an SSL and Enable forced encryption login

SSL certificates are not just for eCommerce websites. Even if your site is all content, a $70-$80 SSL certificate will allow you to encrypt (up to the maximum the NSA will allow) the WordPress login screen. Just buy the SSL (GoDaddy’s running a special on them right now) and, to force login over SSL, add the following to your wp-config.php file before the line that says “That’s all. Stop editing”:

define('FORCE_SSL_LOGIN', true);

UPDATE:
Google is now rewarding sites under HTTPS with search rankings, but it’s just one piece of the security pie.
