I was having lunch with a friend of mine, who manages a kitchy shop that sells wine ephemera.  Totes, and bottle openers and novelty vine racks.  It’s called something cute like, ‘Pinot’.  She told me that the boss was asking her to do some minor updates to what she refered to as ‘a wreck of a website’.  It was made with wordpress, many years ago, and wasn’t properly maintained.

She said something like, ‘It can’t possibly be secure, I’m surprised it hasn’t been hacked already.’

I asked, “Why, is the password ‘pinot123′?’

Her jaw dropped, and I asked another question, “Is your wordpress username, ‘admin’?”

Admin is the kind of the default administrator username for wordpress. Some of the newer quick install programs make you choose something else, but not all of them do.  Using ‘admin’ as your username just makes it that much easier for someone to worm their way into the back end of your site.  So, choose another username.

My friend then asked me to give her a few other tips to make her site more secure.  Here are some that you should be able to do in less than an hour.

  1. Use a unique username for your Administrator Account.  We discussed this above.   Having an ‘Admin’ username floating around is asking for trouble
  2. Use a different username for your blogging. The account I used to write this blog, ‘Dark Roast Design’, is an editor account.  If people hack into the site using this username, they still won’t have admin access.  Nobody needs to know what your Admin username is, except for you.
  3. Add The Ithemes Security Plugin.  This will give you all sorts of ability to protect and monitor your site.  Not the least of which is the ability to blacklist users who try to log in using the ‘admin’ password.  I do actually get several email notifications daily about this very thing.  It’s happening.
  4. Add the wSecure Lite plugin.  This plugin will allow you to hide your login page.  Most wordpress pages use /wp-admin as their login page.  Try adding it to this homepage.  You get redirected to the homepage.  wSecure adds a custom string, which only you will know.
  5. Backup, Backup, Backup.  This will help to reduce your risk, but you aren’t bulletproof.  I’m actually concerned that posting this article will be seen as a challenge, and I know that this site, and no site, really, is 100% secure, all the time.  To this end, you’ll want to make regular back ups of your site.  Some hosting companies will do that for you on a regular basis, and some wont.  A good, easy solution is to use the ‘All in One WP Migration’ plugin, and export your site regularly.  If anything happens, you can then import your backup, and your site will be as good as new.

I wish you good luck with all of this, and a happy, and healthy site.  Of course, if you would like help with any of this, or want to consult about your site on any level, please feel free to reach out.