WordPress Security

6 Essential Security Tips for Using WordPress  by Martin Brossman and Andrew Hill

Each month, more than 372 million people look at 4.1 billion WordPress.com blogs. From big name websites like TechCrunch to CNN and the NFL, WordPress.com is a household name in the web world. And with WordPress.com users publishing nearly 50 million new blog posts each month, it is easily one of the leading blog hosting platforms.

Whether you are a seasoned blogger or are just getting started, the following are some essential tips to help make your next WordPress experience as safe and secure as possible.

 Immediately change the default ‘admin’ username:

Your WordPress username is viewable by the public, so keep this in mind and make it something unique. Any hacker who is trying to gain access to your website will always try to use the default ‘admin’ username first. Therefore, leaving the username as the default will only make it easier for your site or blog to get hacked into.

 Use a strong password:

Choose a complex password that will be easy for you to remember but difficult for hackers to penetrate. Phrase based passwords that have an emotional connection to the phrase are both easy to remember and more secure. For example if you have a goldfish as a kid called ‘Goldie’, then you may choose “golDiewasMY1stFish” as your password.

 Don’t ignore site updates:

It is important to keep your WordPress site updated ALL THE TIME. You can usually tell if a site update is available by logging into your WordPress site and glancing towards the top of your Dashboard.

Site updates are issued by developers usually with the express purpose of resolving potential security issues. Therefore, it is always a good idea to stay updated. Best of all, it usually takes no more than a few seconds to complete your site update; and because the updates are secure, you won’t have to worry about losing any information on your site. However, if you are working in the middle of a blog post, be sure to save your information first.

Additionally, if you are using a particular WordPress theme, check for ‘theme’ updates, and make sure you’re caught up.

 Take control of spam:

Spam is annoying, but it can also be dangerous if left unattended or worse- if it is allowed to slip through the cracks. Combat spam by moderating your blog post comments carefully. Most bots will not make it through the spam filters, but some spammers are coming up with clever ways to outsmart the system. Make sure you select the comment option that says, “Comment author must have a previously approved comment” and then manually approve the comments that make sense.

Pay attention to the IP address of the person posting the comment. Did you know that you can actually block one or more IP addresses?

Make sure that you have some sort of anti-spam filter or plug installed. Akismet is the most popular one, though there are several others.

You may also choose to require people to sign-in using their Facebook page which slows down SPAM as well (explained in our Advanced WP class in more detail).

 Use SSL Encryption:

A Secure Sockets Layer, more commonly referred to as ‘SSL’ Encryption is a type of connection that is used to connect your computer or other electronic device to a secure server on the Internet so that information may be transferred safely and securely. Think of using your credit card to make an online purchase or wiring money to your bank account online. It is all done using SSL Encryption.

To further safeguard your blog or website from hacker activity, it is a good idea to use SSL encryption. Not only will your site information be difficult to intercept, it will also be difficult for hackers to decrypt it. If you are using WordPress SSL encryption, it is free. However, in most other cases, you will have to pay for a SSL encryption.

 Take advantage of WordPress plugins:

Did you know that there are a number of WordPress plugins that you can tap into to help make your site more secure? Below are just a few:

• Login Lockdown – Registers every failed attempt and IP of the person; blocks the ability to login for a range of IPs (so make sure you write down your login info and keep it in a safe place!)
• Change DB Prefix – Changes your WordPress database table prefix to something unguessable by hackers. This protects all of the sensitive information contained within your posts, categories, settings, plugin settings and more
• WP-DB-Backup – Sends site backups to your email (can also be stored on the server)
• BackUpBuddy – Also provides full site backups (for a yearly subscription)
• WP Security Scan – Removes the visibility of which version of WordPress you have, making it impossible for hackers to know which version you have. This is beneficial because if hackers know which version of WordPress you have, they will also know what the bug issues are, making it easier for them to hack into your site. By removing this from sight, you make it more difficult for them to hack in.

These are just a few security tips to help you get started. For further reading, check out some of the reading list below. Are there any other tips that you can think of, if so share them in the comments?

See training on WordPress at:

References

WordPress. A live look at activity across WordPress.com. Retrieved from: http://en.wordpress.com/stats/

 Further Reading

Louise, G. (April 2013). 6 Simple WordPress Security Tips. Gretchen Louise. Retrieved from: http://gretchenlouise.com/wordpress-security/

Pignataro, M. (April 2013). 15 Advanced Security Tips To Make Your WordPress Site Bulletproof. Core PHP. Retrieved from: http://www.corephp.com/blog/15-advanced-security-tips-to-make-your-wordpress-site-bulletproof/#.Uco1eBa9CYp

Wright, K. (May 2013). Get 5 Essential WordPress Security Tips in 7 Minutes. ithemes. Retrieved from: http://ithemes.com/2013/05/01/get-5-essential-wordpress-security-tips-in-7-minutes/

(Research done by Janelle Vadnais )