WordPress security is certainly not a glamorous topic. It’s easy to put off and put off…until your site is down and you have no easy way to put it back up. Then, WordPress security becomes the hottest topic in your world!
There are 4 main parts of WordPress security:
- Obscure – hide or change everything you can – especially ‘default’ settings – from prying eyes and those who would do your site harm
- Protect – what you can’t hide, you want to lock down tight as a drum
- Detect – once your shields are up, you still need to know when the wolves are at the door trying to get in. Because they’re crafty, you know, with all their huffing and puffing. They won’t quit until they find a way to blow your house down.
- Recover – should the worst happen, you want a quick and easy recovery plan. One that you understand and that works.
But before we dive in…
Did you know that 6 out of 10 of all the websites on the Internet WORLD-WIDE that use a content management system of any kind use WordPress?!
What’s a content management system?
The easy definition is any website that you log into and use an interface to publish content is using a content management system.
Other content management systems you may have heard of are:
- Blogger,
- Weebly,
- Wix,
- Joomla,
- Drupal,
- even GoDaddy’s Website Tonight product.
Pretty much anything that allows you to get content published on your site without having to write code is a content management system.
So…60 percent of all websites using a CMS use WordPress. That’s a LOT of websites!
In fact, that works out to almost 24% of ALL websites on the Internet!
What does that mean for us?
On the positive side, that means we have a huge community of website owners, website developers, plugin authors, theme designers, and third party services of all kinds available to us.
WordPress is an open source CMS, which is a bit of a double-edged sword.
The upside is: it’s FREE! Not only is it free to get an account at WordPress.com (the hosted version of WordPress), but it’s free to download. You can install it on your own hosting account and use it to build a website (what we call the self-hosted version).
The downside is: It’s free! Because the code is freely available to anyone, hackers can exploit it to do harm.
If you use WordPress.com, all the maintenance and security issues are handled for you. The cost of that convenience is limitations on what you can do with your site. Self-hosted WordPress sites have no such limitations. But the price you pay for all that freedom is all the maintenance and security is your responsibility.
Let’s get a few important concepts handled before we move on:
WordPress Security
The first and most important thing to understand is that the only way for your website to be 100% secure is for it to not exist online. This is true not just of WordPress sites but of all websites. If anyone ever tries to guarantee you they can make it 100% secure – RUN! The only way they can do that is to take it down.
Good security is about minimizing risk. The folks on the WordPress core development team take security very seriously. Almost every update to WordPress is fixing some kind of security vulnerability they’ve found, in addition to adding new features and capabilities. The same is true of theme and plugin updates.
You don’t have to look too far on the web to find someone talking smack about WordPress not being secure. Horror stories about hacked websites abound in the WordPress world. I have my own stories I could share with you! But I bet you dollars to donuts, in 99% of cases – including my own – it boiled down to WordPress not being kept up to date. For me, since I have multiple websites, it was a case of one or more sites being ignored. And that’s all it takes – just one – and your whole hosting account can be affected.
However, you can tighten up a site so much that you can’t effectively use it. So, we want to minimize risk, but we also have to pay attention to usability.
Obscure
Ok, so where do we start?
With default settings.
The first user account established when you install WordPress is ‘admin’. That’s a default setting, and everyone – hackers included – knows it. So, don’t use it.
Create another administrator account with a strong password. Log in with that new administrator account and DELETE the ‘admin’ account.
The database is another element of your WordPress site that has default settings. The default table prefix is ‘wp_’. Every hacker knows that, too. Using anything other than wp_ will make the job of hacking your database that much harder, so change it during setup or immediately afterward.
Removing the login error messages is something that you definitely want to do if you’re the only person who logs into your site. Removing the login error messages creates a usability issue if you have multiple users, especially on membership sites. But if you’re the only one, remove them. You don’t need to make it easier for hackers to know which part of your login they got wrong.
Finally, do you really need to log into your website 24 hours a day? If you turn off access to your dashboard altogether after your business hours are done, then no one can access it. Not hackers, and not even you! It’s like it’s not even there.
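Two of the steps above, removing the login error detail and closing the dashboard after hours, can be done with a few lines of WordPress code. This is an added example for this post, not code from WP Anti-Hack Plan; it runs as a must-use plugin (a file in wp-content/mu-plugins/), and the 08:00 to 18:00 business-hours window is an assumed value you would change.

```php
<?php
// Added example, not from the original post or WP Anti-Hack Plan.
// Drop this file into wp-content/mu-plugins/ to activate it.

// 1. Replace the specific login error ("invalid username" vs. "incorrect
//    password") with one generic message, so a failed attempt no longer tells
//    the attacker which half was wrong. Single-user sites only, as noted above.
add_filter( 'login_errors', function ( $error ) {
    return 'Login failed. Please check your credentials.';
} );

// 2. Close the login page and dashboard outside business hours.
//    The window is an assumed value; hours use the site's timezone setting.
define( 'WPAH_EXAMPLE_OPEN_HOUR', 8 );   // 08:00 inclusive
define( 'WPAH_EXAMPLE_CLOSE_HOUR', 18 ); // 18:00 exclusive

function wpah_example_dashboard_is_open() {
    $hour = (int) current_time( 'G' ); // 0-23, site-local time
    return $hour >= WPAH_EXAMPLE_OPEN_HOUR && $hour < WPAH_EXAMPLE_CLOSE_HOUR;
}

function wpah_example_block_after_hours() {
    // Scheduled jobs and front-end AJAX also pass through admin-ajax.php;
    // leave them alone or the public site breaks after hours too.
    if ( wp_doing_ajax() || wp_doing_cron() ) {
        return;
    }
    if ( ! wpah_example_dashboard_is_open() ) {
        wp_die(
            'The dashboard is closed outside business hours.',
            'Dashboard closed',
            array( 'response' => 403 )
        );
    }
}
add_action( 'login_init', 'wpah_example_block_after_hours' );
add_action( 'admin_init', 'wpah_example_block_after_hours' );
```

Because the lockout also applies to you, keep FTP or hosting-panel access so the file can be removed if the window is ever set wrong.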
Protect
Probably the #2 most common way a site gets hacked is weak, easy-to-guess passwords. Folks, there are software programs out there that can do 1,000 login attempts with different usernames and passwords per minute – yes – per minute! I know it’s a pain in the rear to type in – much less remember – a password full of special characters and combinations of letters and numbers that don’t make any sense.
One way around that is using a password keeper app like LastPass or Dashlane to remember them.
Through some simple additions to your .htaccess file (in your hosting account), you can deny access to your site for known blacklisted bots and user agents. You can also ban hosts and users with invalid login attempts by IP address.
This is the online equivalent of bars on your windows and steel security doors on your house, except they don’t make your website look like you live in a cage.
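The .htaccess route works at the web-server level; the same "ban by IP after invalid login attempts" idea can also be done inside WordPress. The snippet below is an added example for this post, not code from WP Anti-Hack Plan: it assumes a limit of 5 failures per address in 15 minutes and stores counters in transients, so it needs no database changes.

```php
<?php
// Added example, not from the original post or WP Anti-Hack Plan.
// Throttles logins per client address using WordPress transients.

define( 'WPAH_EXAMPLE_MAX_FAILURES', 5 );                 // assumed limit
define( 'WPAH_EXAMPLE_WINDOW', 15 * MINUTE_IN_SECONDS ); // assumed window

function wpah_example_client_key() {
    // REMOTE_ADDR is only trustworthy when PHP sees the client directly.
    // Behind a proxy or CDN, use and validate the proxy's forwarded-address
    // header instead, or every visitor ends up sharing one counter.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'wpah_example_fail_' . md5( $ip );
}

// Count each failed login against the client address (sliding window).
add_action( 'wp_login_failed', function () {
    $key   = wpah_example_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, WPAH_EXAMPLE_WINDOW );
} );

// Refuse authentication once the limit is reached. Priority 30 runs after the
// built-in username/password checks (priority 20), so below the limit the
// normal login flow is untouched.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) && empty( $password ) ) {
        return $user; // login form just rendered; nothing was attempted
    }
    $count = (int) get_transient( wpah_example_client_key() );
    if ( $count >= WPAH_EXAMPLE_MAX_FAILURES ) {
        return new WP_Error(
            'wpah_example_locked',
            'Too many failed logins from this address. Try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( wpah_example_client_key() );
} );
```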
Detect
No matter how locked up and tight your website is, intruders will always try to get in. You can have 7 deadbolts on your doors, but that won’t stop someone from busting out your windows, now will it? Just like at your house, if they want in, they’ll find a way in. So you’ve got to post some guards.
Guards in this context are activities like regular file scans that report changes made, malware scans that detect malicious code lurking around just waiting to be executed by some trigger you don’t know about, and scans that report multiple unsuccessful attempts to get in. Because as we said, they may be unsuccessful now, but they’ll keep at it until they get in, so better to know about them so you can block them and stop them.
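One concrete "guard" for core files is to compare each one against the checksums WordPress.org publishes for the installed version. The code below is an added example for this post, not code from WP Anti-Hack Plan; it uses the get_core_checksums() function that WordPress itself ships, runs daily through WP-Cron, and emails the site admin about any missing or modified core file.

```php
<?php
// Added example, not from the original post or WP Anti-Hack Plan.
// Daily scan of WordPress core files against the official checksums.

function wpah_example_verify_core() {
    global $wp_version;
    require_once ABSPATH . 'wp-admin/includes/update.php';

    // Official per-file MD5s for this exact version and locale (network call).
    $checksums = get_core_checksums( $wp_version, get_locale() );
    if ( ! is_array( $checksums ) ) {
        return new WP_Error( 'no_checksums', 'Could not fetch core checksums.' );
    }

    $problems = array();
    foreach ( $checksums as $relative_path => $expected_md5 ) {
        // Bundled themes and plugins are often removed or updated on their
        // own; they need a separate baseline, so wp-content is skipped here.
        if ( strpos( $relative_path, 'wp-content/' ) === 0 ) {
            continue;
        }
        $path = ABSPATH . $relative_path;
        if ( ! file_exists( $path ) ) {
            $problems[] = "missing: $relative_path";
        } elseif ( md5_file( $path ) !== $expected_md5 ) {
            $problems[] = "modified: $relative_path";
        }
    }
    return $problems; // empty array means core matches the published checksums
}

function wpah_example_report_core_changes() {
    $problems = wpah_example_verify_core();
    if ( is_wp_error( $problems ) || empty( $problems ) ) {
        return;
    }
    wp_mail(
        get_option( 'admin_email' ),
        'WordPress core file changes detected on ' . home_url(),
        implode( "\n", $problems )
    );
}

// Run once a day via WP-Cron; the scheduling check keeps it to one event.
add_action( 'wpah_example_daily_scan', 'wpah_example_report_core_changes' );
if ( ! wp_next_scheduled( 'wpah_example_daily_scan' ) ) {
    wp_schedule_event( time(), 'daily', 'wpah_example_daily_scan' );
}
```

A clean report only means core is unmodified; themes, plugins and uploads still need their own change detection.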
At this point, you may be sitting there thinking, “Oh, come on, Suzanne. No one is going to try THAT hard to get into my little ol’ site.”
And my response to that is, “I bet they are right this very minute. You just don’t know about them because you don’t know where to look.” I show my clients the attempts I find, and they are stunned.
As you can see, this business of keeping a site secure is a somewhat iterative process, too. Maintenance and security are definitely not one-and-done endeavors!
Recover
Now that we’ve done all this obscuring, protecting, and detecting, you’d think we’d be safe, right?
Wrong.
As I’ve said, no website is 100% secure unless you take it down. We can do all this obscuring, protecting, and detecting, but all we’re doing is minimizing, NOT eliminating, risk.
You know what I’m going to say next, right? BACK UP YOUR SITE!! Frequently!
The minimum backup schedule I recommend is a FULL site backup once a month and a database backup every week in between. You also want to make a full backup before you change your site, just in case you get a little click-happy and blow up your site by accident. Hey – it happens! It even happens to me occasionally!
And what good is a backup if you don’t know how to use it to get your site back on the air? Just like a fire drill, it’s an extremely useful exercise to ensure you know how to use that backup to get your site back up when it’s NOT an emergency.
Action Steps
The steps I’ve outlined here are the BARE MINIMUM required to keep your site healthy and secure. Everything else I’ve discussed – plus a whole lot more I didn’t even bring up – are part of a comprehensive maintenance plan for your site.
I totally understand if you’re feeling a little overwhelmed right now – that’s a normal reaction to learning about all the threats that exist in life out here on the interwebs. And no one – least of all me – expects you to know how or want to learn how to handle all of these things yourself.
That is exactly why WP Anti-Hack Plan exists. We ensure your website is safe and sound while you handle your business.
Here’s the bottom line: Your WordPress site requires maintenance to become and remain secure.
Use the information provided here to handle it yourself, or let us handle it for you. But handle it.