Make Your WordPress Install More Secure

On October 30, 2014 I appeared with an awesome cast of colleagues on GoDaddy’s “The Campfire” Hangout (webcast). My friend Mendel (GoDaddy Evangelist) asked me to come on to talk about “Protect Your Site: Security Tips For WordPress”. I presented some material which you can watch in the video version (above, on YouTube, or here). Below is the abbreviated text version of my remarks and the slides. We also talked about some business and marketing topics in the Q&A, so see the video/audio for that. Enjoy!

With WordPress being the world’s most popular website/blogging platform, people often ask me about its security. While WordPress has improved in this area over the years, it is still a big target for any nefarious actors out there looking to ruin your day. There are a number of steps I take on all of my (and my clients’) WordPress sites to avoid potential security problems. You can use these tips to help keep your site secure.

1. Change Admin Username

The first thing you should do when creating a WordPress website (upon install and initial login) is to change the default administrative user to a random username. The default will usually be “admin”, which is prime fodder for brute force attacks on your login screen. You also need to avoid other common usernames like “info” or “administrator”, as these are also target usernames for hackers. I usually create something totally random but memorable, related to the website I am creating, including numbers and special characters where possible. So if I were creating a website for a dog kennel I might have a username of “puggle23_beagle98” as my login name.

2. Create Strong Passwords

The password for any of my WordPress logins is unique, with similar characteristics to my usernames, if not totally random. You should use a tool like LastPass or 1Password to help create unique and totally random passwords for all of your sites. But even if you do not invest in such a software tool to manage your passwords, you can at least create a unique password with words, numbers, and special characters, which makes it harder for hackers to crack. The less human readable, the more varied the characters, and the longer your passwords, the better off you will be.

3. Always Keep WordPress Updated

Everyone should know this already, but always keep your WordPress core up to date. The patches which come out for WordPress often include security fixes in addition to the features you may see visually. Try to update your site within a day or a week of these patches. I typically wait a day or two to ensure the patch is not causing the user base any issues. If there are any issues, I do my updates when I have time to troubleshoot them, say late at night or otherwise. Further, when you see theme or plugin updates come in, make sure to update them promptly as well.

One big improvement in recent years is that, as of WordPress 3.7, the system will automatically update the core to the latest release. You can turn this off if needed to have more control, but if you leave it on you will know your WordPress core files will always be up to date.
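The automatic-update behaviour introduced in 3.7 is controlled by one constant in wp-config.php plus a few filters. As an added example (not code from the post), this is how to turn it on for core, plugins and themes, or back off again; the mu-plugin file name is my own choice:

```php
<?php
// The define() goes in wp-config.php. Since 3.7 the default is 'minor',
// which applies security and maintenance releases only; true also applies
// major releases; false turns core auto-updates off entirely.
define('WP_AUTO_UPDATE_CORE', true);

// The filters go in a must-use plugin, e.g. wp-content/mu-plugins/auto-updates.php,
// so they are active regardless of which theme or plugins are enabled.
// WordPress leaves plugin and theme auto-updates off by default; opt in here.
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// To regain manual control later, swap the callbacks for '__return_false'
// (and set WP_AUTO_UPDATE_CORE to false) instead of deleting the lines, so
// the intent stays visible to whoever maintains the site next.
```

When auto-updates are on, the backup routine in tip 8 still matters: an update that breaks the site is recovered the same way as a hack.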

4. Delete/Deactivate Unused Plugins

Plugins in WordPress are one of the platform’s best features, allowing expansion of your site’s abilities. However, since these plugins have access to your WordPress files and database, you must use them wisely. Be careful how many you install and only use ones which are legitimate. A quick Google search of any fishy plugin will usually tell you if it is safe to use. Over time, also make sure any plugins which you choose to no longer use are either deleted or deactivated to help keep your site more secure.

5. Install Login Limiter

Another tool I’ve utilized is a login limiting plugin which locks out an IP address for a period of time if the user fails to get the correct user/password combo in a set number of tries. This effectively squelches any hacker’s attempt at a brute force attack. The Login Limit Attempts plugin is one good (free) suggestion, though it is a bit dated. Also consider using the BruteProtect plugin or any number of other similar tools in the WordPress plugin library.
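One way to implement the lockout this tip describes, as an added example that is not code from the post or from either plugin named above; the LL_ constants, ll_client_ip and ll_key are my own names, and the thresholds are assumptions you would tune per site:

```php
<?php
// Minimal login limiter as a WordPress must-use plugin: save it as
// wp-content/mu-plugins/login-limiter.php. Failed logins are counted per
// client IP address in transients; once LL_MAX_ATTEMPTS failures occur
// within LL_WINDOW seconds, that address is refused for LL_LOCKOUT seconds.
const LL_MAX_ATTEMPTS = 5;     // failures allowed before lockout
const LL_WINDOW       = 900;   // seconds the failure counter is remembered
const LL_LOCKOUT      = 1800;  // seconds a locked-out address must wait

function ll_client_ip() {
    // REMOTE_ADDR is set by the web server. Behind a reverse proxy every visitor
    // shares the proxy's address; fix that in the server config, not by trusting headers.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ll_key($ip) {
    return 'll_' . md5($ip);   // transient names are length-limited, so hash the IP
}

// Count each failed login (wrong password or unknown username) against the address.
add_action('wp_login_failed', function ($username) {
    $key = ll_key(ll_client_ip());
    if (get_transient($key . '_lock') !== false) {
        return;                // already locked out; do not extend the lock
    }
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LL_WINDOW);
    if ($count >= LL_MAX_ATTEMPTS) {
        set_transient($key . '_lock', time() + LL_LOCKOUT, LL_LOCKOUT);
        error_log(sprintf('login lockout for %s after %d failures (last username: %s)',
                          ll_client_ip(), $count, $username));
    }
});

// Refuse authentication while the address is locked out. Priority 30 runs after
// WordPress's own password check (priority 20), so a correct password cannot override it.
add_filter('authenticate', function ($user, $username, $password) {
    $until = get_transient(ll_key(ll_client_ip()) . '_lock');
    if ($until === false) {
        return $user;
    }
    $minutes = max(1, (int) ceil(($until - time()) / 60));
    return new WP_Error('too_many_attempts',
        sprintf('Too many failed logins from your address. Try again in %d minute(s).', $minutes));
}, 30, 3);

// A successful login clears the failure counter for that address.
add_action('wp_login', function () {
    delete_transient(ll_key(ll_client_ip()));
});
```

The error_log() line is there on purpose: a burst of lockouts in the server log is the earliest sign you will get of a brute force run against the site.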

6. Use Two Factor Authenticator

To take security to another level on sites you really want to keep the bad guys out of, you can use multi-factor type authentication. Using the Google Authenticator plugin you are able to require those logging into your sites to have the username, the password, and a changing code (which changes at a 60 second interval and is only available via your personal smartphone’s Google Authenticator app). This makes hacking much more difficult. The only downside I have seen to this tool is that some other plugins and services will not work if it is installed. So if, after installing this one, you start to see other plugins or services having issues with your site, look to this as the possible culprit.

7. Run Malware Scanner

Running a service like a malware scanner on your site will allow you to keep tabs on your site’s health and ensure no bad guys came in the backdoor when you were not looking. If you do find any issues, you can contact the tool providers directly for help, reach out to a developer type like me, or try to troubleshoot yourself. The company Sucuri has a plugin, or you can run scans of your site directly from their website. You can also get this kind of malware scanning on your site if using managed WordPress services from GoDaddy or other hosts.

8. Establish Solid Backup Routine

I advise all WordPress site owners to always keep a proper backup of their sites in their back pocket. This way, if any hacks (or other problems) come to be, you can at least restore your site to the previous backup’s snapshot. Using WordPress plugins, this is manageable for almost anyone to do: set it and forget it. The UpdraftPlus plugin is an example. However, these tools by default will store the backup on the same server as your master install, so a compromise or disk failure there takes the backups with it. The best practice will always be to download the backups or have the plugin move them to another computer or server regularly for redundancy. Another option is for your host to help you. Many hosts provide a service to do automatic backups, or you can also consider a third-party dedicated service (there are many) to back up your site independently.

Keeping Your Site Secure Is Smart!

By following a few steps and considering your risk tolerance, you can ensure your WordPress website is reasonably secure while enjoying the benefits of one of the web’s most useful tools.

Need Some Help With Your WordPress Site? Have any security issues or questions on your WordPress site? Would you like an audit of your setup for ways it can be improved? Feel free to contact me.
