WordPress is a mature and secure Website Content Management System or CMS which is used by millions of websites all around the world.
But like all websites and webservers, WordPress can also be hacked and compromised by intruders if you don’t pay attention to basic security aspects.
A Practical Guide To Basic WordPress Security
Website security is a complex area and to discuss all the aspects of web server security I would end up filling a whole book (perhaps I’ll write it one day).
What I’m going to do here is provide you with the essential and most important basics of WordPress security which will go a long way in providing you with an acceptable level of security for your website and which involve relatively low overhead from yourself to implement.
The most common problem websites around the world face are attacks launched by so-called “script kiddies”.
Script kiddies are the most common – and fortunately also the least competent, types of computer hackers. Script kiddies are people – they may indeed be “kids”, but are actually often adults, who rely on running freely available hacking tools and program scripts to try and identify and break into websites which have lax basic security.
These scripts and hacker tools look for websites which have weak administrator accounts and especially passwords, unpatched, bug-ridden or outdated WordPress plugins or databases, or web-hosting providers that have security holes in their systems.
The majority of successful break-ins occur simply through script-kiddie hackers finding and exploiting these weaknesses.
So, what you need to do first of all is to make sure you eliminate these weaknesses from your website.
Take A Look At Your Web-Hosting
First of all, take a look at your web-hosting.
Make sure you are hosting your site with a web-hosting provider who takes web server security seriously. They should ensure that proper security measures are taken at all times and that their system and those of their customers are backed up properly and are properly protected against intruders.
It’s especially important that operating system and web server system software is updated whenever new versions are released. This can usually close most security holes straight away.
The good news is that most web-hosting providers do look after their systems fairly well, but there are still some out there who are lax in this area.
The best advice is to check the reviews of your web-hosting provider to gauge what their level of reliability is like in practice.
WordPress and Web-Hosting User Accounts
Always use secure passwords for both your Web-Hosting and your WordPress accounts.
There’s a lot that can be said about what makes for a secure password.
But basically a secure password follows these fundamental rules:
- The longer the password the better.
- Use a combination of lower and uppercase letters, alphanumeric, and other characters such as hyphens, dots, dollar, hash, percentage signs and so on.
- Use “nonsense” words – NEVER use a word from a dictionary.
- Never reuse a password.
- Never use the same password on more than one site.
- Never write your passwords down on paper – and be careful about where you store them on your computer or online. DON’T store passwords in an email inbox.
- Never use any password obviously based on some aspect of yourself or your business. That’s too easy to guess.
- Use separate editor and administrator accounts for WordPress – with different passwords and user names for each.
- Do not use obvious login names for your WordPress user accounts. Do not use “admin” or “administrator” names for your root or admin accounts for WordPress.
- You can randomize your WordPress user account names for both administrator and editor accounts just as you can with the passwords. You can set the displayed editor name in your pages and posts to the one you want the public to see. Make sure your chosen randomized user names are not displayed as page or post authors.
- Use a password storage and retrieval tool such as LastPass or Roboform. These tools also generate random, long and complex passwords for you on demand which are then encrypted and stored for you. They provide a local and an online instance of your own password database. Make sure you always remember your master password for your password database – and keep it safe.
- If you can accept the extra inconvenience involved, add two-factor authentication to your login systems. These tend to involve an email or mobile phone check – sometimes even both.
WordPress Security Plugins
Install a couple of reputable WordPress security plugins on your site. There are a number of these available, but it’s best to stick to the most popular, proven, tried and tested security plugins.
The two security plugins I recommend in most cases for WordPress websites are Bulletproof Security and WordFence.
You can also install the Stealth Login Page Plugin which will add a second tier of security to your login procedure, requiring you to enter a previously set Authentication Code along with your user name and password when you want to login to your WordPress Dashboard.
Only install WordPress themes from reliable theme design providers. I recommend Elegant Themes, Woo Themes, and Weebly. These are established quality theme providers who provide on-going support and maintenance of their themes.
Make sure you apply updates to the themes promptly as and when they become available.
WordPress Core Updates
Make sure that you also apply all WordPress Core Platform version updates immediately they become available. This can be crucial in ensuring that any new security exploit is prevented.
WordPress Plugin Policy
Be careful when choosing your WordPress plugins. Plugins can contain bugs and vulnerabilities. It’s important that the plugin should be actively maintained by the developer so that bugs and security weaknesses can be resolved quickly.
The best rule to follow with plugins is as to use many as really necessary and as few as possible.
It’s best not to access your website’s WordPress dashboard through a public wi-fi system, because your user name and password can be intercepted by anyone using Internet sniffer software. A safer way to do this on a public wi-fi network is to use a trusted VPN service.
WordPress and Server Backups
Finally, make sure you backup your website regularly. Both your web server and your WordPress website, including the database should all be separately backed up on a regular basis.
Always maintain more than one copy of your backups – and keep these backups on a separate machine and location to your web server.
By following these basic security rules you will be able to thwart many of the attempts of hackers to attack and compromise your web server and your website.