Image via http://www.flickr.com/photos/nbachiyski/2536017020/sizes/o/
Since WordPress is the world’s most popular website and blogging platform, and I use it for many of my own projects, I am often asked about security. WordPress has improved in this area over the years, but its popularity also makes it a big target for anyone looking to ruin your day. Below are the steps I take on all of my (and my clients’) WordPress sites to avoid the most common security problems. You can use these tips to help keep your site secure.
1. Change Admin Username
The first thing to do when creating a WordPress site (at install time, or on first login) is to give the administrative account a non-default username and a strong password. The installer suggests “admin”, and an account by that name is prime fodder for brute force attacks on your login screen; avoid other common names like “info” or “administrator” for the same reason. I usually pick something random but memorable that relates to the site I am building, mixing in numbers where WordPress allows it. So if I were building a site for a dog kennel I might log in as “puggle23-98beagle”. Note that WordPress keeps only letters, digits, spaces and the characters _ . - @ in usernames, so other punctuation (the & in a name like “puggle23&98beagle”) is silently dropped when the account is saved. Treat the username as a modest hurdle rather than a secret: WordPress can reveal it through author archive URLs (a request for ?author=1 resolves to the first user’s archive, which carries the username in its address), so the password and the login limiter in step 5 still do the real work.
2. Create Strong Passwords
The password for each of my WordPress logins is also unique, and either fully random or built with the same mix of words, numbers and symbols as my usernames. I use 1Password to generate and store a unique, random password for every site. Even without such a tool, you can at least make each password unique and long: length does more for you than any particular character mix, because the work a cracker faces grows with every character you add, and reusing a password means one leaked site gives away the rest.
3. Always Keep WordPress Updated
Everyone should know this already, but keep your WordPress core, themes and plugins up to date. WordPress releases often carry security fixes alongside the features you can see. Apply updates within a week or two at the latest; for releases announced as security fixes, sooner is better, because attackers start probing for a disclosed bug as soon as the fix is public. I typically wait a day or two to make sure a release is not causing the user base trouble, then update at a time when I know I can fix anything it breaks in my site (core, theme, plugins and so on).
4. Delete/Deactivate Unused Plugins
Plugins are one of WordPress’s best features, letting you extend what your site can do. But a plugin runs with the same privileges as WordPress itself, with access to your files and your database, so use them wisely. Install only as many as you need and make sure each one is legitimate and maintained; a quick search for any plugin you are unsure about will usually tell you whether it is safe to use. Once your plugins are in place, remove any you stop using. Deleting is better than deactivating: a deactivated plugin’s files stay on the server, where a flaw in a file that can be requested directly is still exploitable.
5. Install Login Limiter
Another tool I use is a login-limiting plugin, which locks an IP address out for a period after it fails the username/password check a set number of times. Limit Login Attempts is a good free option. This makes brute force from a single address impractical, though an attacker who spreads guesses across many addresses still gets more tries, which is why the username and password rules above still matter.
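To show how such a limiter works (an added example, not code from the Limit Login Attempts plugin or from this site), here is per-IP failure counting with a lockout window, written in Python rather than as a WordPress plugin so the logic can be read on its own. The addresses, thresholds and credential check below are constructed for the demo; the `FakeClock` exists only so the lockout can be exercised without waiting.

```python
import time
from collections import defaultdict


class FakeClock:
    """Injectable clock so lockouts can be exercised without waiting (test scaffolding)."""

    def __init__(self, start: float = 1_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


class LoginLimiter:
    """Lock a client IP out for `lockout` seconds once it has `max_attempts` failed
    logins within `window` seconds. State lives in memory here; a WordPress plugin
    would keep it in options or transients so it survives across requests."""

    def __init__(self, max_attempts=5, window=600, lockout=1200, now=time.time):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.now = now
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.locked_until = {}             # ip -> time at which the lockout ends

    def is_locked(self, ip: str) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.now() < until:
            return True
        del self.locked_until[ip]          # lockout has expired: start clean
        self.failures.pop(ip, None)
        return False

    def record_failure(self, ip: str) -> None:
        t = self.now()
        recent = [s for s in self.failures[ip] if t - s < self.window]  # drop old entries
        recent.append(t)
        self.failures[ip] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = t + self.lockout
            self.failures.pop(ip, None)

    def record_success(self, ip: str) -> None:
        self.failures.pop(ip, None)

    def attempt_login(self, ip, username, password, check_credentials) -> str:
        """Gate one login: refuse outright while locked (without even checking the
        password, so a locked attacker learns nothing), otherwise check and update."""
        if self.is_locked(ip):
            return "locked"
        if check_credentials(username, password):
            self.record_success(ip)
            return "ok"
        self.record_failure(ip)
        return "locked" if self.is_locked(ip) else "invalid"


def demo() -> list:
    """Constructed scenario: one address (from the TEST-NET-3 range) guesses common
    passwords, gets locked on the fifth failure, is refused even with the right
    password while locked, and succeeds once the lockout has expired."""
    clock = FakeClock()
    limiter = LoginLimiter(max_attempts=5, window=600, lockout=1200, now=clock)
    real = ("kennel-owner", "correct horse battery staple")  # constructed credentials
    check = lambda u, p: (u, p) == real
    attacker = "203.0.113.5"
    outcomes = []
    for guess in ["admin", "password", "123456", "letmein", "qwerty", real[1]]:
        outcomes.append(limiter.attempt_login(attacker, real[0], guess, check))
        clock.t += 2                                            # two seconds per try
    clock.t += 1200                                             # wait out the lockout
    outcomes.append(limiter.attempt_login(attacker, real[0], real[1], check))
    return outcomes
```

Two things to carry over to a real deployment: the client address must come from a source you trust (behind a reverse proxy, read the forwarded-for header only when the request really came from your proxy, or attackers will forge addresses and either dodge the limiter or lock out your own users), and the lockout state has to live somewhere shared, since each WordPress request starts with empty memory.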
6. Use Google Authenticator
For sites you really want to keep the bad guys out of, add a second factor. With the Google Authenticator plugin, logging in requires the username, the password and a time-based one-time code that changes every 30 seconds, generated by an app on your phone from a secret the plugin shows you at setup. A stolen or guessed password alone is then not enough to get in. Keep the secret (or its QR code) as private as the password, and keep a way back in (at minimum, file access to disable the plugin) so that a lost phone does not lock you out of your own site.
7. Run Sucuri Malware Scanner
Running a service like Sucuri’s malware scanner against your site regularly lets you keep tabs on its health and ensures no bad guys came in the back door while you were not looking. Sucuri offers both a WordPress plugin and a scanner you can run from their website. Note that a remote scan only sees what the site serves to visitors, so pair it with a check of the files on disk. If a scan does find something, you can contact Sucuri directly for help, reach out to a developer (like me), or try to clean it up yourself.
8. Establish Solid Backup Routine
I advise every WordPress site owner to keep a proper backup of their site always in their back pocket. If a hack (or any other problem) strikes, you can at least restore the site from the last snapshot. With WordPress plugins this is manageable for almost anyone: set it and forget it. WordPress Backup to Dropbox and UpdraftPlus are two examples. Best practice is to copy backups to a separate server regularly for redundancy, somewhere the web server’s own credentials cannot reach, so that an attacker who gets into the site cannot delete the backups along with it, and to test a restore now and then so you know the backups actually work. I offer my clients a backup service on a regular interval, stored on my own web space, in case of the worst. You can also consider a commercial service such as VaultPress.
Keeping Your Site Secure Is Smart!
By following a few steps and weighing your own risk tolerance, you can keep your WordPress website reasonably secure while enjoying the benefits of one of the web’s most useful tools.