Secure Your Website

by | Jun 2, 2016 | Business Planning, Web Security, Web Strategy

Everyone knows what a pain it can be to manage and remember a gazillion passwords. You might wonder, “why would anyone hack my little site?” Actually, there are lots of reasons to hack your little (or big) site. Hackers can use your site:

  • In linking schemes
  • To redirect visitors to nefarious pages
  • To infect specific files that then carry viruses onto computer systems or servers
  • To mask their activities elsewhere by making them appear to have originated from you
  • (And perhaps most importantly) to join a growing network of compromised hosts that scan the Internet for further vulnerabilities to exploit, attacking from a constantly changing set of IP addresses

You might think that constant advances in security make you safe, but the opposite is closer to the truth: as software vulnerabilities are found and patched faster, the window for exploiting them shrinks, so more and more attackers turn to human weaknesses such as weak or reused passwords and other paths we unwittingly leave open.

How Do WordPress Sites Get Hacked?

Brute force attacks on WordPress and other password-protected sites are run by scripts spread across a growing network of compromised hosts, and the network grows as each newly hacked site is enlisted. Such a network can churn through enormous numbers of login attempts while also enumerating author IDs (WordPress answers a request for ?author=1 with a redirect to the first user's archive page, which reveals that user's login name) and probing for other weaknesses in sites across the globe. Because each attempt arrives from a different IP address and any one address makes only a few, the campaign is hard to recognise as a concerted effort, and blocking individual IPs becomes near pointless.

Passwords that were once considered adequate are now vulnerable because the lockouts and IP blocks that stop a single attacker do nothing against thousands of coordinated addresses, each contributing a handful of guesses.
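Why blocking individual addresses misses a distributed campaign, as an added example that is not code from the original post: a short Python script that parses Apache-style access-log lines, counts POSTs to the login endpoints per source address and in total, and flags the ?author=N probing described above. The log lines are constructed for the example, the thresholds are arbitrary, and the inclusion of xmlrpc.php as a second credential endpoint is my addition (its system.multicall method lets one request carry many guesses); none of this is the post's own tooling.

```python
import re
from collections import Counter

# Apache "combined" log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoints that accept WordPress credentials. xmlrpc.php is listed because a
# single system.multicall request to it can carry hundreds of password guesses.
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}

# A request for /?author=N is answered with a redirect to /author/<login-name>/,
# which is how attackers harvest usernames before they start guessing passwords.
AUTHOR_PROBE_RE = re.compile(r"^/\?author=\d+")

# Constructed sample traffic (documentation address ranges, not real visitors):
# one host enumerating authors, one normal visitor, then one login POST each
# from six different addresses, plus the real owner logging in.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jun/2016:10:01:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Jun/2016:10:01:02 +0000] "GET /author/jsmith/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.7 - - [02/Jun/2016:10:01:30 +0000] "GET /about/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
198.51.100.21 - - [02/Jun/2016:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "Mozilla/5.0"
198.51.100.22 - - [02/Jun/2016:10:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Jun/2016:10:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "Mozilla/5.0"
198.51.100.24 - - [02/Jun/2016:10:02:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.25 - - [02/Jun/2016:10:02:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "Mozilla/5.0"
198.51.100.26 - - [02/Jun/2016:10:02:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "Mozilla/5.0"
192.0.2.7 - - [02/Jun/2016:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Compare on the script path only, so "/wp-login.php?action=lostpassword" still counts.
    rec["script"] = rec["path"].split("?", 1)[0]
    return rec


def analyze(log_text, per_ip_threshold=5, campaign_threshold=5):
    """Summarise login traffic in the log.

    per_ip_threshold   -- the rule a naive IP blocker would apply to each address
    campaign_threshold -- total POSTs to login endpoints from all addresses combined
    """
    login_posts = Counter()
    author_probes = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["script"] in LOGIN_ENDPOINTS:
            login_posts[rec["ip"]] += 1
        elif rec["method"] == "GET" and AUTHOR_PROBE_RE.match(rec["path"]):
            author_probes[rec["ip"]] += 1
    total = sum(login_posts.values())
    return {
        "login_posts_per_ip": dict(login_posts),
        "total_login_posts": total,
        # What per-address blocking would catch: nothing, when every host makes one attempt.
        "per_ip_alerts": sorted(ip for ip, n in login_posts.items() if n >= per_ip_threshold),
        # What counting the endpoint as a whole catches: the campaign itself.
        "campaign_alert": total >= campaign_threshold,
        "author_probe_ips": sorted(author_probes),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"login POSTs: {result['total_login_posts']} from {len(result['login_posts_per_ip'])} addresses")
    print("per-IP alerts:", result["per_ip_alerts"] or "none (no single address crossed the threshold)")
    print("campaign alert:", result["campaign_alert"])
    print("author enumeration from:", result["author_probe_ips"])
```

On the sample, no address exceeds one attempt, so a per-IP rule never fires, while the aggregate count against the login endpoints does. The address that ran the ?author=1 probe shows up separately; in practice that probe is the cue to check whether the login name it harvested is still in use.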

But How Much Should I Really Worry About Security for My WordPress Website?

A lot. Hosting providers have seen a spike in brute force attacks on WordPress login pages this year. Since the beginning of 2015, this type of attack has multiplied sixfold. Put another way: servers that saw around five million brute force login attempts per month in January 2015 now see an average of thirty million per month.

So Should I Maybe Not Even Use a WordPress Website?

That’s your choice, but consider this:

  • WordPress takes security seriously: it has a dedicated security team, and security fixes are pushed out as automatic minor updates.
  • WordPress is a powerful high-level development platform for building affordable sites. Thousands of developers create and maintain excellent plugins and themes for it.
  • Any content management system that relies on passwords for its login is exposed to the same credential-guessing attacks.
  • WordPress is easy to use.
  • WordPress is attractive and free.

Whether you build your site with the most cost-effective and feature-rich platform available or not, ultimately it’s down to how you use the software. We mere humans are the weak link. But we don’t have to be.

Okay, So What Can I Do to Secure My WordPress Website?

Understand that the overwhelming majority of attackers are looking for the easiest accounts to break into, and two weaknesses besides your password (your login page and your login ID) are what get you targeted, so secure those first. Then make your site harder to work with for anyone who does target you. Think of this as a two-part strategy: “batten down and shore up.”

Batten Down Site Vulnerabilities

The first weakness is your login page. Attackers rarely bother with custom login pages; they go straight for the standard “www.yoursite.com/wp-login.php” (and, increasingly, for xmlrpc.php, which also accepts credentials). There are plugins that protect the login page in various ways. You can also use .htaccess rules to restrict wp-login.php and the wp-admin directory, for example to a list of known IP addresses or behind a second password prompt, so that the guessing scripts never reach the WordPress login form at all.

Next up is your WordPress login ID, and especially the standard “admin” account. “admin” is the name the WordPress installer proposes for the first account, and many installations keep it. As the name implies, it has administrative access to your WordPress installation. Its ubiquity makes it a target: brute force scripts almost universally try the “admin” login ID first. If you have an account called “admin,” give it the strongest possible password. Better still, replace it. WordPress does not let you rename a user from the dashboard, so create a new administrator account with a name that is hard to guess, log in as that user, and delete “admin,” reassigning its posts to the new account.

The admin account is not the only account attackers go after, though. Your next step in login security is to make sure they cannot harvest your login ID from your website. Part of this is avoiding displaying the login ID on the public side of your site (if you post from the administrative account, set a display name or some other title and publish under that), and the other part is choosing an ID that has nothing to do with your name or the name of your site. A display name alone is not enough: author archive URLs and ?author=N redirects still expose the account's slug, which defaults to the login name, unless author enumeration is blocked.

Finally, all administrative accounts on your installation of WordPress should have strong passwords. These days a password that is considered strong can be tricky to build. Consider using a random password generator. If you would rather create your own password, your best bet is to follow some established guidelines.

Do make your password:

  • At least fourteen characters long
  • A mix of lowercase and uppercase letters
  • A mix that also includes numbers and symbols (such as !@#$%^&*()_+?)
  • Free of common patterns and of any information associated with you or the site

The following practices, alone or in combination, make your password weak, so avoid:

  • Default passwords (supplied when you set up the account)
  • Names of celebrities
  • Words from the dictionary
  • Common words with one or two obfuscations (using a symbol for a letter, for example)
  • Words with numbers (especially the year) appended to them
  • Patterns that are easy to type, like qwerty, asdfg, or 12345 (sorry, I know this hurts)
  • Common numeric patterns (314159, 5551212, etc.)
  • Your username
  • Any of your knowable personal data (zip code, license plate, social security, etc.)
  • “Foreign” words (Unless you happen to know an obscure language that no one speaks or writes in anymore, those words may only be foreign to you.)
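The two lists above turned into a checker, as an added example that is not code from the original post: a Python function that applies the “do” rules (length, character classes) and the “avoid” rules (dictionary words with or without letter-for-symbol obfuscation or an appended year, keyboard and numeric patterns, the username, personal data), plus a generator that draws random passwords until one passes every rule, which is the “random password generator” route the post recommends. The word list and the personal-data values are constructed stand-ins; a real deployment would load a full dictionary and breached-password list and the user's actual profile fields.

```python
import re
import secrets
import string

MIN_LENGTH = 14

# Constructed stand-in for a real word list; production code should load a full
# dictionary plus a list of passwords seen in known breaches.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "summer",
                "football", "letmein", "beyonce", "taylor", "wordpress"}
KEYBOARD_PATTERNS = ("qwerty", "qwertz", "azerty", "asdfg", "zxcvb", "12345")
NUMERIC_PATTERNS = ("314159", "5551212", "123456", "000000", "111111")

# Undo the usual letter-for-symbol swaps so "P@ssw0rd" is compared as "password".
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def check_password(pw, username="", personal=()):
    """Return the list of rules the password breaks; an empty list means it passes.

    username -- the WordPress login ID the password will protect
    personal -- strings a stranger could look up (zip code, plate, birth year, ...)
    """
    problems = []
    low = pw.lower()
    norm = low.translate(LEET)
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both lowercase and uppercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a symbol")
    # Substring match on the de-obfuscated form catches "Dragon2016!" and "dr4g0n"
    # alike: appending a year or swapping in symbols does not rescue a dictionary word.
    if any(word in norm for word in COMMON_WORDS):
        problems.append("based on a dictionary word or name")
    if any(p in low for p in KEYBOARD_PATTERNS):
        problems.append("contains a keyboard pattern")
    if any(p in pw for p in NUMERIC_PATTERNS):
        problems.append("contains a common numeric pattern")
    if username and username.lower() in low:
        problems.append("contains the username")
    if any(item and item.lower() in low for item in personal):
        problems.append("contains personal data")
    return problems


def generate_password(length=20):
    """Random password from the full printable set, redrawn until it passes every rule."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for pw, user in (("P@ssw0rd2016!", ""), ("Qwerty123456!Abc", ""),
                     ("jsmithRocks2016!!", "jsmith"), ("Vf7#qLp2!xRm9&Kd", "")):
        print(f"{pw!r}: {check_password(pw, username=user) or 'OK'}")
    print("generated:", generate_password())
```

Note what the obfuscation check does to the classic “P@ssw0rd2016!”: it satisfies every character-class rule and still fails, because after undoing the swaps and ignoring the appended year it is the word “password”. That is exactly the “one or two obfuscations” case the list above warns about.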

Shore Up Your Support Systems

Making your site difficult to penetrate, and difficult to work with for anyone who does target you, is the best policy.

Consider using the Wordfence plugin. Wordfence can block brute force attacks on your login, scan for security issues, and block author-ID enumeration so your login ID cannot be harvested. It can also monitor traffic to your site, watch for known vulnerabilities in the software you have installed, and remind you to update your plugins and themes, along with many other security-focused tasks.

Also consider deploying a certificate and serving your entire site over HTTPS, configuring WordPress to require it for the login and admin pages, and making sure your domain and WordPress administrative email accounts use your host's encrypted mail settings. TLS (Transport Layer Security, the successor to SSL, though most people still say “SSL”) encrypts traffic between the visitor and your site, so passwords and form data cannot be read or altered in transit. Every WordPress site is a candidate for sitewide HTTPS because its login form sends a password. If you collect any further information from visitors, and especially if you handle payment information, a certificate is mandatory. Beyond protecting the data, HTTPS may also improve your search rankings, since Google has used it as a ranking signal since 2014, and visitors who see the padlock next to your domain name will take your business more seriously.

And don’t forget to keep your own computer clean and free of possible security leaks. All the strong passwords and hardening of your website won’t do you much good if you have spyware monitoring your every keystroke.

Sum Up

More and more hackers are using brute force attacks to guess at passwords, but there’s no need to panic or get paranoid: follow a simple two-part strategy to protect your WordPress site from hackers and keep your visitors safe:

Batten Down the Vulnerabilities

  • Protect your login page.
  • Use strong passwords for administrative accounts.
  • Be extra careful with the “admin” user account (or consider replacing it).

Shore Up Your Support Systems

  • Use Wordfence to monitor and stop suspicious activity.
  • Consider a secure certificate (SSL) to guard sensitive information.

Finally, don’t rely on any one strategy or tool: as long as there are software developers and attackers in the world, security is a moving target, and new vulnerabilities keep appearing.

Secure Your Website was last modified: November 1st, 2016 by Leha Carpenter