There’s nothing more disheartening than checking on your author website, only to find that it was hacked. Well…perhaps finding yet another rejection email in your inbox may be worse, but it’s close.
There are several simple ways to improve the security of your author website. Note that your website will never be perfectly secure. A dedicated, well-trained hacker can find a way to get in eventually. Script-kiddies and wanna-be’s will be your main security focus.
- Never, ever, use an account name that someone can guess.
Your user name should never be the default admin or administrator. Surprisingly, it should not be your displayed name either, especially if it is your website administrator account. The display name for my account is Guy, but my login account name is 21 characters long. It’s doubtful a kid will be able to guess the account name and the complex password I use.
- Use a better version of .htaccess files.
The .htaccess file is used to restrict who can see what items, and who can execute or run scripts and programs. (It’s actually more complex than that, but that is beyond the scope of this blog post.)
You can write them yourself from scratch using a text editor, or you can use a free plugin such as Bulletproof Security. If you decide to use a plugin, it will make the process easier, especially if you are not a Linux or Apache guru.
One benefit of Bulletproof is that it allows custom code to be injected into your .htaccess file. I actually use a complex .htaccess file to limit what people can do in different areas of my website. Another benefit is that Bulletproof will scan your files and recommend what security settings should be adjusted. You can use an FTP client to modify the files or to change their permissions (CHMOD).
- Use a lockout method to block visitors who are just trying to guess your passwords.
I like Wordfence, a free plugin, because it will not only auto-block the password guessers, it will also let you scan all of your files to see if any were modified by a hacker. An added benefit is it will alert you via email if it finds any problems with your files, if people are trying to log on, and if anyone logged in.
Another plugin I’ve used is Limit Login Attempts. It will block the guessers, and is very simple to install and use.
- Keep your plugins and installs up to date.
Most hacks succeed because of a known security issue that had already been patched, but the website admin never got around to installing the update. Wordfence will alert you when files need updating. Remember to update not only your plugins but also your themes.
Since I know many folks tend to install several themes before settling on one, make sure you uninstall the plugins and themes you are not using.
- Backups are your friend.
There are two kinds of people — those who back up their data, and those that wished they did after a crash or hack. Don’t be the latter.
I usually download my files through FTP and the tools provided by my website host. Don’t forget to get a backup of your database, since that’s where your posts are stored.
There are several backup plugins. I haven’t found one that was either free or relatively inexpensive that I liked. (I have over 75 domains, and $30/site gets ludicrous quickly.)
If you have any tips, drop me a note on Facebook and I’ll add it here.