Posts

Disable XML-RPC API in WordPress

XML-RPC has been the method of choice for many hackers. The term may sound too technical for a majority of WordPress users, but in short, XML-RPC is an API that allows you to publish posts without having to be logged in to your WordPress admin. The benefit of XML-RPC is that it allows third-party applications like Jetpack to push content and commands to your WordPress site, creating a more streamlined experience for users like yourself. Read more

How to Disable File Editing

When websites are hacked, lines of code are typically injected into existing files through the WordPress admin. If you become the unfortunate victim of a hack, you can still prevent the most common attacks by preventing anyone from editing your files – your last line of defense when the worst happens. Read more

Don’t Use Admin As Your Username

Most of the time, when you set up a new WordPress site, you’re set up with an administrator account whose username is “admin.” It’s the default setting for WordPress. This is problematic for a number of reasons. Read more

How to Change the WordPress Database Prefix

Every WordPress database table is prefixed with wp_ by default. This means that if there is a theme, plugin, or a version of WordPress with a vulnerability, hackers can run automated attacks across tens of thousands of websites that use the particular software and target their databases by referencing the standard database prefix. But if you change your WordPress database table prefix, you can avoid scenarios like this and have a second layer of defense against such attacks.

Read more

Securing the WordPress Admin User From Unauthorized Access

The most common hacking method is nothing sophisticated or new. It’s the attempt at guessing your username and password. Unfortunately, many users leave their username vulnerable by leaving it as the default “admin.”

In this article, we’ll go through the ways in which you can secure your administrator user account, more specifically the username. We have a separate article that dives deeper into the password, which you can read here.

Read more

Make Sure You Use a Strong Password & Why Your Weak Password Can Be Guessed in Less Than One Second

In my webinars, I always get questions about security. It always seems like the people whose WordPress sites get hacked believe that it happened through some sort of unknown vulnerability that’s beyond their technical comprehension. Though it is true that outdated software does leave vulnerabilities open, in many of my observations, I found that these same users did not follow basic security protocols like using a strong password.

Here’s a real story: I had a client several years back whose website constantly got hacked. So they came to me for help. The name of their company was Sons X, where X represents what their business did, for example, Sons Window Cleaning or Sons Automotive. I omitted their full business name for their privacy. They were using a firewall (as should everyone) so they were confused as to how they were getting hacked more often than their peers.

After they began to work with me, I immediately found a red flag. Their admin credentials were:

Read more

Use Two-Factor Authentication to Bulletproof your WordPress Login

Two-Factor Authentication is one of the few guaranteed security methods that every WordPress website should use. The method is popular among many websites (WordPress or non-WordPress) that take security seriously, such as banks, because it ensures that unauthorized users will not be able to access your account, even if they have your password.

So why is it so secure? Two-Factor Authentication relies on two elements in order for someone to log in:

  1. Your Password – Something you know.
  2. Your Mobile Device – Something you have.

Read more

WordPress Firewall – What They Are and Installation Guide

Using a firewall for your WordPress website is the best way to protect yourself against any hacking attempts. Firewalls are so effective because they can be used to deny access to your website if the visitor does not belong there. This means that the potential hacker will not even have an opportunity to compromise your website.

Read more

Limit Login Attempts on Your WordPress Site

In a basic scenario where your WordPress login password is as simple as “password1” and a bot is making attempts to guess your password, it would probably take fewer than 2 billion attempts to get it right, which would take only a couple of seconds, depending on your server. One of the best ways to combat this is to simply lock out users who have guessed their passwords incorrectly too many times. You can limit login attempts on your site through the use of simple plugins.

Read more