WordPress security is a growing concern. If you have been using WordPress for any length of time chances are good that at least one of your sites has been compromised. The good news is that you can take some basic precautions to reduce your risk and security headaches.
Basic Security Steps
Securing WordPress can range from basic common-sense steps, all the way to complex and complicated configurations. Today we will focus on the basics. Using the analogy of your own car…. if you leave the door unlocked and the keys in the ignition then your asking for trouble. And wordpress is no different.
Five Simple Things You Can Do To Secure WordPress
1 – Avoid using “Admin” as the default administrative user. This is a big deal and an easy fix. When you set the administrative login to “Admin” you have essentially reduced the authentication security by 50%. Now every attacker knows they just need to determine your password and then they OWN YOU and your site. The simple solution is to avoid using the admin name when you install WordPress. The second option is to create a NEW admin user with a different login name, log out, then login as the new admin user and delete the original admin.
2 – Use Strong Passwords. – This seems like common sense to most of us but maybe your one of those folks who have a tough time remembering passwords. Regardless of the situation you need to pay careful attention to this as it is the second half of the authentication security issue.Using the car analogy the password is the “keys to the car” and the username is simply locking the doors. If you leave the door unlocked and the keys in the sun-visor then your car is bound to be stolen. SO what can you do about it? Ideally you should use passwords that are at least 10 characters and contain a combination of letters, numbers and special characters. Can you pass this test: https://howsecureismypassword.net/
3 – Block Access Entirely – If your running a WordPress site for a small Deli in New Jersey… there is NO reason for your site to be accessible to websites in Russia or China. In fact you could just block all non-US traffic for a site like this. There are several security plugins that can do this and not only does it improve security but it also redues WordPress Comment Spam. At the moment my favorite plugin for this is IQ Block Country. If I am running a local business site I usually block all non-US traffic. If it is an international site I just block Russia and China (unless the site needs to be visible to these countries).
4 – Remove Inactive Plugins & Themes – Those old themes and plugins could be used against you. Secondarily…. inactive plugins can actually slow down your WordPress website and negatively impact performance. Many plugins and themes can go months without updates so it is also a good idea to use WordPress plugins and themes that are well maintained.
5 – Perform Regular Maintenance – Another simple but effective way to secure your WordPress site is to maintain current versions of WordPress and perform regular backups. Plugins, themes and the core WordPress files all need to be maintained and updated. Often times these updates include security fixes. Some well known and others somewhat hidden through dependencies.[box type=”note” style=”rounded”]Now this article barely scratches the surface but the idea is to reduce the biggest risks to your site. And if your like me, and manage hundreds of sites, this process could be a full-time job just from the updates alone. In a later post I will discuss effective ways to manage multiple WordPress sites.
If you have something you would like to add to this conversation please feel free to post your comments below. Your feedback helps me and other readers of this blog. :).[/box]