One of the reasons WordPress is so popular among webmasters is its ease of installation and use. Unfortunately, the very features that make it user friendly are also what make WordPress prone to attack. Luckily, there are a few easy ways you can make it more difficult for hackers to gain access to your site.
Strong WordPress Security Starts at Installation
Most hosts today list among their benefits the famous “one click install” of popular blogging platforms, WordPress included. This makes it super easy for new website owners to quickly get their site up and running, without any technical skills or knowledge of databases, secret access keys, or FTP clients.
However, it also makes it easy for hackers to gain access to your site. Here’s why: Fantastico and other installation scripts are programmed to name your database using the extension wrdp and a consecutive number. This makes guessing your database name – and gaining access to it – much simpler. In addition, these scripts use the default WordPress table name prefix, further increasing your odds of being hacked. Both of these settings can be changed if you install WordPress manually.
For optimal WordPress security, don’t install your blog using Fantastico or any other “one click” solution. Manual installation is much safer, and only takes a few minutes more. You can find the full instructions for a manual installation in the WordPress Codex.
Avoid the Obvious
Another WordPress default you need to change is the admin user. Once you install your blog, add yourself as an administrator by clicking Users/Add New. Choose a user name – preferably something different from your actual name – and a strong password that cannot be easily guessed. Make sure you give yourself administrator privileges. Then log out and back in with your new user name.
Next, delete the admin user WordPress created for you, then click Users/Your Profile and update the information there. The name you choose under “Display Name Publicly As” will be the author name on your blog posts. By making this a different name than your user name, you make it more difficult for hackers to get into your site: the byline on your posts no longer reveals the login name they would need to guess.
A Few Thoughts About Passwords
Just about every website you visit requires a password. Your bank, your library, even your news sources want you to log in. With so many passwords to remember (I have nearly 200 myself), you might be tempted to go the easy way and choose just one for every account. Or perhaps you’re a little more sophisticated and use a formula to create different – but still easy to remember – passwords for each site you visit. When it comes to protecting your business, neither of these options is recommended.
Instead, make it a habit to choose passwords that contain a mix of upper and lower case letters, numbers, and symbols. Strong passwords should be at least 12 characters, and ideally random enough that you don’t memorize them at all. You should also make it a point to change your passwords periodically. If you need help generating passwords or keeping track of them, we recommend RoboForm Anywhere. It works on any computer with an Internet connection, so you’ll never be without your log-in information.
Updates and Upgrades are not Optional
Sometimes it seems like WordPress comes out with an upgrade almost daily. And if it’s not WordPress, it’s a plugin that wants attention. Or your theme. Some days it seems all you do is upgrade!
You might be tempted to skip some upgrades. I know I am. When I’m busy with client work or up to my neck in a new website design, the last thing I want to do is take time out to back up all my sites just to install yet another version of WordPress. But I do it anyway. The bottom line: WordPress upgrades – and to a lesser extent theme and plugin upgrades – should not be considered optional. They almost always include a fix for a security vulnerability that could leave your site open to attack.
Back Up Regularly and Be on the Lookout for Trouble
If the worst happens and your site does get hacked, sometimes the easiest option is to roll it back to a time before the invasion. Sure, you might lose a few days of work, but if you catch the hack quickly enough, restoring a backup can be a lot less costly than hiring a WordPress security expert to clean your site. Make sure you’ve established and are sticking to a backup routine, and that you frequently check your site for trouble.
According to Regina Smola of WPSecurityLock.com, some signs of hacking are obvious, such as when you type your URL into a browser and are redirected to another site. Others are more subtle. For example, a redirect may only happen when your site is accessed through a search result. Or strange links appear on older blog posts. Both of these examples can be hard to spot, because we don’t often visit our own pages via a search engine, nor do we go back and re-read archived posts.
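As an added example (not from the original article or from WPSecurityLock), a stdlib-only Python script that checks for the two subtle signs Smola describes: links injected into archived posts, which are usually hidden with CSS, and a redirect that only fires when the visitor arrives from a search engine. The sample post HTML is constructed, and `fetch_final_url` is an assumed callable you would wrap around urllib or requests.

```python
# Two checks for the subtle hack signs above: hidden/injected links in old posts,
# and redirects that fire only for visitors arriving from a search engine.
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col"}

class LinkAudit(HTMLParser):
    """Collect every <a href> and whether it sits inside CSS-hidden markup."""
    def __init__(self):
        super().__init__()
        self.links = []    # (href, hidden) tuples
        self._stack = []   # one 'hidden' flag per open non-void element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or bool(self._stack and self._stack[-1]))
        if tag not in VOID_TAGS:
            self._stack.append(hidden)
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], hidden))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self._stack:
            self._stack.pop()

def suspicious_links(html, own_hosts):
    """Return hrefs that are hidden or that point outside hosts you recognise."""
    parser = LinkAudit()
    parser.feed(html)
    flagged = []
    for href, hidden in parser.links:
        host = urlparse(href).netloc.lower()
        if hidden or (host and host not in own_hosts):
            flagged.append(href)
    return flagged

def referrer_redirect(fetch_final_url, page_url, referrer="https://www.google.com/"):
    """fetch_final_url(url, headers) -> final URL after redirects (assumed helper).
    Returns the rogue destination if a search Referer lands elsewhere, else None."""
    plain = fetch_final_url(page_url, {})
    referred = fetch_final_url(page_url, {"Referer": referrer})
    return referred if referred != plain else None

# Constructed sample: an archived post with one injected, CSS-hidden spam link.
SAMPLE_POST = ('<p>Read <a href="https://example.com/2010/old-post/">the archive</a></p>'
               '<div style="display: none"><a href="http://pharma.example.net/buy">pills</a></div>'
               '<p><a href="/about">about</a> <a href="https://partner.example.org/">partner</a></p>')
```

Run `suspicious_links` over the HTML of a handful of your oldest posts on a schedule and review anything it flags; a partner link you recognise is a false positive, a hidden link to a domain you have never heard of is not.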
Keeping your WordPress installation secure takes a bit of time, but when you consider all the time and energy you put into building a strong web presence, it only makes sense to take steps to keep it safe. Establish a routine for installation (if you have multiple sites), password management, and backups, and remain vigilant about looking for security breaches, and you’ll be a lot less likely to fall victim to a hacker.