Three Simple Rules

It just keeps happening. WordPress sites keep getting hacked. It seems like every week there is another news story about a massive brute force password attack or a vulnerability in a popular plugin. But I don’t need to fret if I just follow three simple rules …

  1. Always have a recent full site backup – files and database. This won’t stop me from getting hacked, but will give me a quick and easy recovery path if I do. Much more likely it will allow me to recover from my own dunderheaded mistakes. I have never been hacked, but have had to recover from my own dunderheaded mistakes numerous times. My web host makes backups for me, but I shouldn’t rely on that. I need to make sure I always have a recent full site backup, stored in the cloud and locally. UpdraftPlus is one of several excellent choices.
  2. Use a strong admin username and password – it doesn’t have to be crazy strong, just something that I can remember and bad guys, gals, nonbinaries, and bots can’t guess. I should most especially not use ‘admin’ as a username, and stay off of the most common password list.
  3. Keep everything updated – core, themes, and plugins. This can be automated. Automating updates runs a small risk of oops-the-update-broke-my-site, but I much prefer that to getting hacked. And, as long as I follow rule 1 I can always recover. PHP needs to be up to date too – as far as I know that can’t be automated but I only need to check on it once a year or so.

That really is all there is to it. There are of course many other WP security measures I can take if I am paranoid and obsessed, which I am. But if I just follow these three simple rules I will – in very high likelihood – be safe from hacks. 
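
One way to check a site against the three rules from the command line, as an added example that is not part of the original post. It assumes WP-CLI is installed as `wp`; the paths, the `wpq` helper, the backup file patterns, and the short deny list of logins are placeholders made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a site against the three rules.
# Assumptions: WP-CLI is installed as `wp`; the paths below are placeholders.
WP_PATH="${WP_PATH:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"

# wpq: hypothetical helper; --quiet drops "Success:" chatter so only data is printed.
wpq() { wp --quiet --path="$WP_PATH" "$@"; }

# Rule 1: true only if DIR holds a file archive AND a database dump,
# both modified within the last DAYS days.
backup_is_recent() {
  dir="$1"; days="$2"
  [ -d "$dir" ] || return 1
  files=$(find "$dir" -type f \( -name '*.zip' -o -name '*.tar.gz' \) -mtime "-$days" | head -n 1)
  db=$(find "$dir" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*-db.gz' \) -mtime "-$days" | head -n 1)
  [ -n "$files" ] && [ -n "$db" ]
}

# Rule 2: read administrator logins on stdin, print the guessable ones.
# The deny list is a small constructed sample led by 'admin'.
guessable_logins() {
  grep -ixE 'admin|administrator|root|test' || true
}

# Rule 3: read one pending update per line on stdin, print how many there are.
count_pending() {
  grep -c . || true
}

audit() {
  status=0
  backup_is_recent "$BACKUP_DIR" "$MAX_AGE_DAYS" ||
    { echo "RULE 1: no files+database backup newer than $MAX_AGE_DAYS days in $BACKUP_DIR"; status=1; }
  bad=$(wpq user list --role=administrator --field=user_login | guessable_logins)
  [ -z "$bad" ] || { echo "RULE 2: guessable admin login(s): $bad"; status=1; }
  pending=$( { wpq core check-update --field=version; wpq plugin list --update=available --field=name
               wpq theme list --update=available --field=name; } | count_pending)
  [ "$pending" -eq 0 ] || { echo "RULE 3: $pending pending core/plugin/theme update(s)"; status=1; }
  echo "PHP version (check by hand): $(wpq eval 'echo PHP_VERSION;')"
  return "$status"
}

# Run the audit only when asked, e.g. from cron: sh wp-audit.sh --run
if [ "${1:-}" = "--run" ]; then audit; fi
```

The script cannot judge password strength, since WordPress stores only password hashes; that half of rule 2 still has to be checked by hand.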

 
