WordPress Security Tips

A couple of years back, I returned home from a two-week vacation, to find within my mountain of mail and email some notices from my hosting company to “cease and desist” with distributing the malicious code. What the… I checked out one of my sites, which fortunately was not something I was actively working on at the time, and found this image on my front page:

wordpress security tips - you've been hacked

That’s right – “You’ve been hacked.”  While I think the placement of the guy with the scimitar was little more than a politically incorrect ruse, they definitely got their point across.

Naturally, ever since then, I’ve been a bit of a fanatic for WordPress security.

I tell all of my clients, students, friends, and family members (much to their dismay) about the importance of maintaining the security of your site, lest this happen to you. Recently one client did not take this advice seriously. No one thinks it will happen to them, but unfortunately, it did. Can happen to anyone.

While WordPress as a CMS is one of the most powerful and user-friendly systems available, it does have some drawbacks (as with any system). Most notably is that WP-powered websites are a magnet for hackers, who get their filthy little hands on your site to spread their germs far and wide.

Here are some WordPress security tips to help ensure your site is protected:

Use a unique username

Never use “admin”. The “admin” username is the most common, and therefore the first thing a hacker will try. Use something like “JPeterson”, or “jimPeterson”, or some other combination with your name, or even something no one would easily guess.

Always use a STRONG password

This is the single most important step. Use a combination of upper and lower case letters, numbers, and symbols. The new strength checker built into WP is quite particular, and will reject most of your passwords as being too weak. This is a good thing. It forces you to make it stronger.

As with other secure sites, be sure not to use the same old password over and over again… if someone gets your password on one site, they would now have access to every site you log into. Not so cool.

 Who do you think is the target audience for each of these websites?

Keep WordPress, themes, and plugins up to date

If you’re running an old version of WordPress, you’re pretty much inviting a hacker into the back door of your site. Even leaving a plate of cookies out for him. New versions are always the most secure, as new security patches are released regularly.

As of WP version 3.7, WordPress now has an auto-update feature for the minor updates (e.g. 3.7.1). This is a great feature, but make sure you always check the dashboard for updates, as this doesn’t include major updates, such as the recent update to 4.0.

Along those same lines, also make sure all plugins and themes are also up to date. Sometimes this will unfortunately throw parts of your site out of whack, as various plugins or theme features don’t synchronize well with the updates. But that is small price to pay to avoid hackage.

And of course: be sure to backup your database and files before doing an update! Things do happen in the update process, and it’s better to be safe than sorry.

Check out this free plugin to help alleviate your backup woes, one of the best plugins ever made:

UpdraftPlus Backup and Restoration

Use only the code you need

This means to eliminate any unnecessary and unused plugins. Yes, they’re very tempting to stock up on, since many of them are free; but if you’re not using it, deactivate it, and delete it.

Particularly as WordPress cruises down the highway of progress, many old plugins get left behind like abandoned vehicles on the roadside. Considering the free-ness of many plugins, if the developer isn’t making a cent on all that hard work, at some point, he or she may just silently abandon it.

This leaves a gaping security hole in the back wall of your site.

However, just because a plugin wasn’t free doesn’t mean that it was coded to exacting standards of efficiency and best practices, and that the developer won’t nonetheless abandon it at some point.

Check your list of plugins. Do you have over 20 installed? Over 30? You probably don’t need that many. In most sites, I rarely exceed 10 plugins. Use only what you need.

Out of your list of plugins, how many of them are activated? Even deactivated plugins can contain security risks. Purge them!

If you haven’t seen updates for some plugins in a while, check them out in the “Add New” Plugins section of your WP control panel, and see when they were last updated. If it’s been more than a few months, good chance they’re collecting rust on the roadside. Clean ‘em out.