J. Brooke Chao Designs | Blog | A Word About WordPress Security

A Word About WordPress Security

Security for WordPress Sites

So you’ve decided on WordPress as your content management system for your brand new site.  Congratulations!  WordPress is an easy way to get a great looking site for not a lot of money, and with the use of themes, you can get a semi-custom site in very little time, and for much less than a custom site build would often cost.

If there’s one drawback to WordPress, it is that it is a prime target for people up to no good.  Hackers love to find ways to exploit WordPress and its plugins.  In this article I will detail a few ways you can keep your site safe.

People that hack into sites do so to get the ability to take over control of the site, use it to send out spam email, and will often replace content with bogus spam ads for prescription drugs and knock-off merchandise.  You do NOT want this to happen to your site.  Once this happens, and search engines and internet service providers know it, your site can get blacklisted.  Not only is it a giant pain to get a site secure again, and remove all traces of hacking activity, but often it’s easy to miss an errant file, or even a line of code, that looks legit, but is actually how the hackers are gaining access. More than once I’ve disinfected a site only to figure out that the hackers still had access through some backdoor in a file or line of code. If the situation is bad enough, you can wind up having to rebuild the entire site from scratch, to remove all traces of the security breach.

The best way to deal with this is to prevent it from happening in the first place.

Keep Everything Up to Date

This is key.  The fastest way to get a compromised site is to never log in to your site and check the status of your plugins and WordPress. As fast as hackers try to find loopholes and weaknesses in code they can exploit, WordPress, theme designers and plugin developers work to find and identify those vulnerabilities, and write code to fix or patch the weak spots.  Those fixes take the form of updates.  So as soon as there is an update to WordPress, your theme, or any of your plugins, you’ll want to apply it.  If you log in at least once a week, and make sure that all updates are applied to your site, themes, and plugins, that, alone, will do quite a bit to keep your site safe.
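Logging in weekly is the floor, not the ceiling. The following is an added example, not code from the original post or from the WordPress project: a small must-use plugin that turns on WordPress’s built-in automatic updates for core, plugins and themes, and once a day mails the site’s admin address a list of anything still waiting. It assumes the file is dropped into wp-content/mu-plugins/ (so it loads on every request and cannot be deactivated from the dashboard); the `example_` function and hook names are placeholders of my own.

```php
<?php
/**
 * Plugin Name: Example: Auto-Updates and Pending-Update Digest
 * Description: Added example (not from the original post). Save as
 *              wp-content/mu-plugins/example-auto-updates.php.
 */

// Never run when the file is requested directly instead of loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Let WordPress apply updates itself as soon as they are published.
//    Minor core (security) releases are already automatic on a default install;
//    these core filters extend that to major core releases, plugins and themes.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// 2. Collect whatever is still pending from the update data WordPress caches.
function example_pending_updates() {
    $pending = array();

    $core = get_site_transient( 'update_core' );
    if ( ! empty( $core->updates ) ) {
        foreach ( $core->updates as $update ) {
            if ( 'upgrade' === $update->response ) {
                $pending[] = 'WordPress core -> ' . $update->current;
                break;
            }
        }
    }

    $transients = array( 'update_plugins' => 'Plugin', 'update_themes' => 'Theme' );
    foreach ( $transients as $transient => $label ) {
        $data = get_site_transient( $transient );
        if ( ! empty( $data->response ) ) {
            foreach ( $data->response as $slug => $info ) {
                // Plugin entries are objects (->new_version); theme entries are arrays.
                $version   = is_object( $info ) ? $info->new_version : $info['new_version'];
                $pending[] = "$label $slug -> $version";
            }
        }
    }

    return $pending;
}

// 3. Refresh the cached update data, then mail the digest if anything is pending.
function example_send_update_digest() {
    wp_version_check();
    wp_update_plugins();
    wp_update_themes();

    $pending = example_pending_updates();
    if ( empty( $pending ) ) {
        return;
    }

    wp_mail(
        get_option( 'admin_email' ),
        sprintf( '[%s] %d update(s) waiting', get_bloginfo( 'name' ), count( $pending ) ),
        implode( "\n", $pending )
    );
}
add_action( 'example_update_digest', 'example_send_update_digest' );

// Schedule the digest with WP-Cron. WP-Cron only fires on page loads, so a
// low-traffic site should also call wp-cron.php from a real system cron job.
if ( ! wp_next_scheduled( 'example_update_digest' ) ) {
    wp_schedule_event( time(), 'daily', 'example_update_digest' );
}
```

The digest matters because automatic updates can fail silently (file permissions, a plugin that ships no update package, a host that blocks outbound connections); the mail tells you the update exists whether or not it was applied, so the weekly login becomes a confirmation rather than the only way to find out.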

Use Good Usernames and Passwords

Hackers look for weaknesses in usernames and passwords.  Do not use generic logins like “admin” or “webmaster.”  Try to come up with something unique that uses upper and lowercase, as well as special characters.  Same goes with passwords.  Do not use anything that you use on another login, or that includes information people can easily find out about you online (pet’s name, child’s name, etc.).  To be super safe, it is recommended that you use “secure passwords.”  They’re impossible to memorize, so you’d want to store them somewhere securely, but they are very difficult for hackers to get (as long as you’re keeping your site up to date). If you’re using WordFence (see next tip), you can set the option to require strong passwords, which will not allow a user to be created without using a strong password.
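WordPress’s own password strength meter runs in the browser and can be bypassed by ticking “Confirm use of weak password”, so a policy you actually rely on has to be enforced server-side. The block below is an added example, not code from the original post or from the Wordfence or WordPress projects: a must-use plugin that reserves the generic usernames the post warns about and rejects weak passwords on the “Add New User” and profile screens. It assumes the file lives in wp-content/mu-plugins/; the `example_` function name and the specific rules (14 characters, four character classes, no username inside the password) are my own choices, not a WordPress default.

```php
<?php
/**
 * Plugin Name: Example: Account Hardening
 * Description: Added example (not from the original post). Save as
 *              wp-content/mu-plugins/example-account-hardening.php.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Refuse the logins attackers guess first. WordPress consults this core
//    filter whenever a user is created (dashboard, registration form, WP-CLI).
add_filter( 'illegal_user_logins', function ( $illegal ) {
    return array_merge( $illegal, array( 'admin', 'administrator', 'webmaster', 'root', 'test' ) );
} );

// 2. Return a list of everything a candidate password is missing (empty = OK).
function example_password_problems( $password ) {
    $problems = array();
    if ( strlen( $password ) < 14 ) {
        $problems[] = 'at least 14 characters';
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'both upper- and lowercase letters';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'a digit';
    }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
        $problems[] = 'a special character';
    }
    return $problems;
}

// 3. Hook the validation step of the user create/update form. WordPress only
//    fills $user->user_pass when a new password was submitted, so an unchanged
//    password on a profile edit passes through untouched.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }

    // A password built around the login is weak however long it is.
    if ( ! empty( $user->user_login )
        && false !== stripos( $user->user_pass, $user->user_login ) ) {
        $errors->add( 'pass', '<strong>Error:</strong> The password must not contain the username.' );
    }

    $problems = example_password_problems( $user->user_pass );
    if ( $problems ) {
        $errors->add(
            'pass',
            '<strong>Error:</strong> The password must contain ' . implode( ', ', $problems ) . '.'
        );
    }
}, 10, 3 );
```

Any error added to `$errors` aborts the save and is shown on the form, so an administrator cannot create a user with a password the policy rejects, regardless of what the JavaScript meter said.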

Prevent Unnecessary User Registration

If you are not a site that needs people to be able to register as a user, then you can disable that feature in Settings/General. Where it says “Membership” make sure the box “Anyone can register” is unchecked.  This will prevent random people from registering for an account. Also set “New User Default Role” to “Subscriber” so that if someone does somehow register, they have the barest access possible. You can always change someone’s role if you deem it appropriate or necessary.
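The two settings above are stored in the database as the `users_can_register` and `default_role` options, which means anyone with administrator rights (including an attacker who has obtained them) can flip them back from the same screen. As an added example, not code from the original post or from the WordPress project, the must-use plugin below pins both values in code so the checkbox stays unchecked no matter what is saved. It assumes the file lives in wp-content/mu-plugins/; the behaviour of the `pre_option_*` filters and the `login_form_register` action is WordPress core, the plugin itself is mine.

```php
<?php
/**
 * Plugin Name: Example: Lock Down Registration
 * Description: Added example (not from the original post). Save as
 *              wp-content/mu-plugins/example-lock-registration.php.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Short-circuit the two options behind Settings > General > Membership.
// A pre_option_* filter answers get_option() before the database is consulted,
// so these values hold even if the box is re-ticked and saved in the dashboard
// (the settings screen will simply keep showing the pinned values).
add_filter( 'pre_option_users_can_register', '__return_zero' );
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// Belt and braces: wp-login.php?action=register normally shows a
// "registration is disabled" notice when users_can_register is 0. Sending
// visitors straight to the login form instead means the registration screen is
// never rendered at all.
add_action( 'login_form_register', function () {
    wp_safe_redirect( wp_login_url() );
    exit;
} );
```

Because the filter takes precedence over the stored option, this also protects against the value being changed directly in the database or by a plugin that calls `update_option()`; the role fallback still applies to any code path that creates a user without specifying a role.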

Employ a Plugin Like WordFence

There are quite a few plugins out there that address security for WordPress sites, but the one I’ve had the greatest success with is WordFence.

There are both free and paid licenses for WordFence, but I do really like, and strongly recommend, the Premium license for this plugin, because it allows access to a much more robust set of features and options.  WordFence allows you to view live traffic to your site, separating it into human traffic (people visiting the site) and crawlers (like Google, and other programs that go through sites).  You can set it to send notifications to one or more email addresses when there are updates that need to be applied, when WordFence has updated itself (if you’ve set that parameter), or when there are security issues that need to be explored.  I also like the country blocking feature, which allows you to block IP addresses from certain countries from accessing the site at all.  For instance, if you have a site that deals specifically with things pertaining to the U.S., and have no need for a worldwide presence and traffic, it might be a good idea to block countries that are known hotbeds of hacking activity (Russia, Romania, India, China, etc.).  You also have the ability to look at your site traffic and block any IP addresses you see engaging in suspicious browsing activity - for instance, trying to visit back end system files, or logging in, when you know it’s not a user.  You can also add your admin users’ IPs to a whitelist so they can’t be blocked.