Reduce WordPress hacks by managing users, passwords

[Screenshot: reduce wordpress hacks]

WordPress websites are often targeted to be hacked or taken over. Sometimes the purpose is to inject malicious code, other times it’s to hold the site ransom. Other reasons exist as well. Regardless, there are some methods that can be used to help reduce WordPress hacks.

The screenshot above is a report of failed login attempts from outsiders on this website over one week. Notice that the failed attempts used just two usernames: admin and {login}. Of those attempts, 20 were made with admin. The reason is simple: it's the default username for WordPress. Statistically, most people never change default passwords or usernames, and most people who do set their own passwords use weak ones. Hacking is hardly a challenge when defaults are used, and almost as easy when weak or common passwords are used.

I have had my site unknowingly hacked a handful of times over the years, with malicious code inserted into my website. I was able to fix it, but it was time consuming and frustrating. I have since tried a few WordPress plugins to help block and track attempted hacks. The one I currently use is Wordfence, which notifies me of attempted logins, security risks, updates, and other important information. It also generates reports telling me how much my website has been targeted and how successful the plugin/service has been in blocking those attempts. It's these reports that drew my attention to a likely common way hackers get into WordPress sites. Fortunately, I had addressed this years ago.

If you haven’t figured it out already, what I am going to suggest is creating a new user in WordPress as an admin, then deleting the default admin user. Be sure the new user has a unique name that will be difficult to guess, and use a strong password. Using a mixture of upper and lower case characters plus symbols and numbers helps make passwords stronger. Also, don’t use common passwords or easily found personal information. You can search for lists of common passwords to see what to avoid. Birth dates are very common in passwords, and they can easily be found through various social media sites and possibly through search engines.

I replaced the admin user in my WordPress installation long ago, and if you look at the login attempt report at the top of this article, you’ll see that the username I do use is not listed, nor are any of the other usernames in my database. This doesn’t guarantee my site won’t get hacked, but it does reduce the risk by closing off one avenue of access.
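To make the advice in the last two paragraphs concrete, here is an added Python example (not code from this article, nor from Wordfence or WordPress): it tallies a constructed failed-login list the way the plugin report does, cross-checks the attempted usernames against the site's real accounts, and scores a candidate password against the rules above. The 12-character minimum, the default-username set and the short common-password excerpt are my assumptions.

```python
import re
from collections import Counter

# Constructed sample of usernames seen in failed login attempts (not the
# author's real report; the values only mirror the shape described above).
FAILED_LOGINS = ["admin", "admin", "admin", "{login}", "admin", "{login}", "admin"]

# Constructed list of usernames that actually exist in the site's user table.
SITE_USERS = ["s4ndp1per_editor", "guest_author"]

# Assumption: a tiny excerpt; in practice load a full common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123"}

# Assumption: usernames that attackers try first because they are defaults.
DEFAULT_USERNAMES = {"admin", "administrator", "root", "test", "user"}


def failed_login_report(attempts):
    """Count failed attempts per username, like the plugin's weekly report."""
    return Counter(attempts)


def targeted_usernames_that_exist(attempts, users):
    """Attempted usernames that are real accounts: the check the article makes."""
    return sorted(set(attempts) & set(users))


def username_is_guessable(name):
    """True if the chosen username is a well-known default."""
    return name.lower() in DEFAULT_USERNAMES


def password_problems(password, personal_info=()):
    """Return the reasons a password fails the article's advice ([] = passes)."""
    problems = []
    if len(password) < 12:  # assumed minimum length
        problems.append("shorter than 12 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mix of upper and lower case")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    # Heuristic for birth dates: a 19xx/20xx year or a dd/mm style fragment.
    if re.search(r"(19|20)\d{2}|\b\d{2}/\d{2}\b", password):
        problems.append("looks like it contains a date")
    for item in personal_info:  # e.g. names or dates found on social media
        if item and item.lower() in password.lower():
            problems.append(f"contains personal info '{item}'")
    return problems
```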