There has been a wave of websites hackings. Some were very public, like the one that affected Target’s website.
But small websites get hacked, too. One of my websites was hacked about a year ago and believe me, it’s a frightening experience to go to your own website and see a message that says that the website is unsafe and telling you to get out of there as fast as possible.
It took 2 days of working with my webhost to get it fixed, using backups.
Your website might be next
I have a WordPress plug-in called Wordfence that tells me when someone logs into my account, when plug-ins are out of date, and more. Usually, these notices are routine; either myself or one of my assistants is logging in and that’s fine.
But In March, I saw a flurry of emails that looked like this. Look carefully at the parts with the red arrows.
That’s right, someone was locked out for exceeding 20 login failures! And I got 9 of those emails! All within a couple of minutes.
It was clear to me that someone was using software to try to hack my website.
Now look at the second arrow. It says that the person (or program) was trying to log in with the user name “admin.”
I don’t use admin, which is the default username, on any of my WordPress accounts and neither should you! That’s because hackers will try that first and if you use “admin,” all they have to figure out is your password. With a unique username, they have to figure out 2 separate items.
How to add a level of security with a unique username
Ideally, you set up your account from the start with a unique username. But if your username is admin, here’s the problem — you can’t change your username. Instead, you have to add a new user and then delete the old one. Follow these steps:
- Go to your WordPress Dashboard and choose Users, Add New from the left-hand menu.
- On the Add New User screen, complete the information, including a unique username and a strong password. Be sure to write it down somewhere so you don’t forget!
- For the Role, choose Administrator.
- Click the Add New User button at the bottom.
- Click Users again, then All Users
- Check the old user (the one that says “Admin”).
- From the Bulk Actions drop-down list, choose Delete.
- Confirm the decision if asked.
Tools to protect your website
If your website is hacked and you don’t have backups, you’re entire business is gone! Don’t trust your webhost’s backup (if there is one). It may not work, or it may be compromised.
There are many tools that you can use to protect your website, but I’m going to recommend two that I use.
Wordfence is the WordPress plug-in that sent me the emails I showed above. It warns you when there’s a problem.
BackupBuddy is a back-up service that backs up your WordPress content and settings. You can configure it to back up your website as often as you want. And they have great service. I won’t go into details, but believe me, I know. (BackupBuddy isn’t free, but worth the cost; this is an affiliate link.)
Unsure of how to install a WordPress plug-in? Here I explain how to find and install a plug-in (with a video tutorial).
If you want personalized service, leave a comment and I’ll privately email you the name of 2 experts that I know of in website security.
Is YOUR website secure? Leave a comment!
3 replies to "Website security: They’re trying to hack your website — I have proof — and what to do about it"
Ellen, you’re so right about the dangers of hacking, and what you share here will protect people somewhat. However, there’s not one WordPress plugin that creates all the security people need in order to be as safe as possible online. My security service, http://www.PressLock.org, is designed specifically to secure small business (and microbusiness) WordPress websites from hacking. I invite you to check it out. If you think it would serve your clients, you can even become an affiliate.
Thanks for helping call people’s attention to this HUGE problem.
Emily, I agree that one plug-in isn’t enough and a service offers the attention of an expert. We can talk!
Great insights on website security! It’s shocking how vulnerable we can be without taking proactive measures. I love your suggestions for using unique usernames and reliable backup solutions like Wordfence and BackupBuddy. It’s a crucial reminder for all website owners to prioritize security and stay informed. Thanks for sharing!