Getting Started with WordPress Security.
We all grew up knowing to lock the house at night or when leaving, and to lock and alarm the car as well. Perhaps you also have an alarm system or cameras so you can sleep better, or stop wondering what is going on at home while you are away for longer stretches.
But have you ever stopped to think about who is protecting your site around the clock? Most people assume that if they use popular, well-regarded plugins and themes they never need to look at their site's security on a weekly or even daily basis. Your site's security deserves the same attention as the security of a brick-and-mortar store. Once someone gets in through a "back door" of your site, they have access to everything you have built. Depending on the type of business you run, your clients' credit card numbers, email addresses and even home addresses are at stake. Worse, an attacker can lock YOU out of your own site and demand a ransom before you get access again.
Securing your website is just as important as securing your physical location: a criminal can steal the same information in either place, but online there are no cameras, police or eyewitnesses. Securing your website takes a little more time, but it is worth knowing that you, and the clients who visit your site, are safe.
Here we will go through some basic ways to make your site more secure.
Default Username and Passwords
One of the easiest things you can do to keep an attacker out is to change the default username and to set your own password instead of keeping whatever the installer or your host generated. Older WordPress installers created an account literally named admin, and many one-click installers still do; that name is the first one an attacker will try. This may sound like a no-brainer, but if you are in a rush it is easy to overlook. The people you do not want on your site have tools that scan hundreds of sites and try to log in to each one with default and commonly used usernames and passwords.
Updates
As time-consuming as it may be, applying the updates waiting in your dashboard at least once a week pays off. Many people assume those updates are for new features and functionality, but most of them are security patches and bug fixes. Once a plugin's developer learns that someone was able to break in through their code, they release a patch to close that hole before the break-in spreads to every site running the plugin. Read the changelog: when an update is described as fixing a security issue or vulnerability, apply it as soon as possible. Attackers watch release notes too, and once a fix is public they compare the old and new code to work out where the hole was and start exploiting sites that have not updated yet. As for bugs, we have all used a site or a game with one, whether it crashes or stops you from checking out, and it is always a pain. When a developer fixes a bug, known to you or not, update so your clients do not run into it on your site.
Backups
Nobody likes to think about an update breaking the site, and that fear may be why you drag your feet on updating. Not everyone has a fallback if something breaks after an update; a backup is that fallback. Take backups daily, especially if you change content regularly, take a fresh one right before a round of updates, and keep at least one copy somewhere other than the web server itself so that a compromise of the site does not take the backups with it. With a backup you can restore, a broken update costs you a few minutes instead of everything you have built, blog posts included.
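One way to stop falling behind on security patches without giving up control over the plugins that have bitten you before is to let WordPress update everything automatically except a short list you update by hand after a backup. The following must-use plugin is an added example, not code from the original post; the plugin path `fragile-gallery/fragile-gallery.php` is a made-up placeholder for whatever has broken your site on update in the past.

```php
<?php
/**
 * Plugin Name: Patch Policy (added example)
 * Description: Applies plugin, theme and core updates automatically, except for
 * plugins listed for manual updating after a backup has been taken.
 * Save as wp-content/mu-plugins/patch-policy.php; mu-plugins load on every
 * request and cannot be deactivated from the dashboard.
 */

// Plugins to hold back for the weekly manual pass (hypothetical example path).
function pp_manual_only_plugins(): array {
    return ['fragile-gallery/fragile-gallery.php'];
}

// Pure decision function: everything not on the manual list is auto-updated.
function pp_should_auto_update_plugin(string $plugin_file): bool {
    return !in_array($plugin_file, pp_manual_only_plugins(), true);
}

// $item is the update object from the update API; $item->plugin is the plugin's
// main file path relative to wp-content/plugins, e.g. "akismet/akismet.php".
add_filter('auto_update_plugin', function ($update, $item) {
    return pp_should_auto_update_plugin($item->plugin);
}, 10, 2);

// Themes rarely carry site-specific customisations when a child theme is used,
// so they are all auto-updated here.
add_filter('auto_update_theme', '__return_true');

// Minor core releases (security and maintenance) auto-update by default; this
// also allows major releases so the site never sits on a branch that no longer
// receives fixes.
add_filter('allow_major_auto_core_updates', '__return_true');
```

WordPress runs the automatic updater from its cron, which only fires when the site receives traffic, so a rarely visited site still needs the manual weekly check. The backup step stays manual as well: take it before you update the held-back plugins.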
Choosing Plugins
Every website, big or small, needs plugins; there is no getting around that. Unfortunately, installing an unsafe plugin undermines everything else you do, because a plugin runs with the same access to your files and database as WordPress itself. Here are some quick warning signs to look for before you install a plugin.
Low Ratings
- Just as you look up reviews and ratings before trying a restaurant in a new area, check a plugin's ratings before you spend time on it. If a plugin has really bad marks, steer clear; it is like going to a restaurant you know has two stars and still expecting great food and atmosphere.
Plugin Deemed Unsafe
- Search Google for the plugin's name together with "unsafe", "hacked", "vulnerability" or "compromised" to see whether anyone has reported problems with it before you install it on your site. The issue may have been fixed since, so read the most recent reviews and the changelog as well.
Number of Downloads
- Just as you check how many people bought a pair of shoes or installed a game before you do, check a plugin's active-install count. A plugin with only a handful of installs has had few people looking at its code, so malicious or badly broken code is more likely to have gone unnoticed.
Incompatible with the latest WordPress version
- Since the goal is to run the latest version of WordPress core and of every plugin, a plugin that cannot be installed because it is incompatible with the newest WordPress release is a bad sign. If a core update was released only days ago, give the plugin a week or two to catch up. If it does not, move on.
Not being updated recently or frequently enough
- If a plugin has not been updated in roughly three months or more, avoid it. Any vulnerability found in that gap stays unpatched, and with no sign of ongoing developer support there is no one to fix it once the plugin is on your site.
Tarnished Developer Reputation
- If you search the developer's name and nothing comes up, not even their own website, that is not a good sign.
- Their own site is seriously outdated. That suggests either that the developer is no longer in business, so the plugin will not be updated, or that this is not their bread and butter and they have spent, and will spend, little time keeping it up.
- The plugin has a brand-new owner with no prior history as a developer. Someone may have bought a known, somewhat popular plugin in order to push malicious code to every site that has it installed. That is their only goal: to turn a plugin that used to be good into something that does harm. A sudden change of author paired with a large, unexplained update is the pattern to watch for.
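The measurable items in the list above (ratings, install count, compatibility with the WordPress version you run, and time since the last update) can be checked against the wordpress.org plugin directory before anything is installed. The script below is an added example, not code from the original post. It uses the `plugins_api()` function that WordPress itself uses for the "Add Plugins" screen, and is meant to be run with WP-CLI as `wp eval-file vet-plugin.php some-plugin-slug another-slug`. The thresholds (90 days, 1,000 installs, rating 80/100, at least 10 ratings) are assumptions to adjust; the reputation and "has it been hacked" searches in the list stay manual.

```php
<?php
/**
 * Plugin vetting check (added example).
 * Usage: wp eval-file vet-plugin.php <slug> [<slug>...]
 * Queries the wordpress.org directory through plugins_api() and applies the
 * warning signs from the checklist. Thresholds are assumptions; tune them.
 */
require_once ABSPATH . 'wp-admin/includes/plugin-install.php';

function vet_plugin(string $slug, int $max_age_days = 90, int $min_installs = 1000, int $min_rating = 80): array {
    $info = plugins_api('plugin_information', [
        'slug'   => $slug,
        'fields' => [
            'active_installs' => true, 'rating' => true, 'num_ratings' => true,
            'last_updated' => true, 'tested' => true, 'sections' => false,
        ],
    ]);
    if (is_wp_error($info)) {
        return ['slug' => $slug, 'ok' => false,
                'warnings' => ['Not found in the wordpress.org directory: ' . $info->get_error_message()]];
    }

    $warnings = [];

    // Rating is 0-100. A high score from a handful of voters means little.
    if ($info->num_ratings < 10) {
        $warnings[] = sprintf('Only %d ratings', $info->num_ratings);
    } elseif ($info->rating < $min_rating) {
        $warnings[] = sprintf('Rating %d/100 is below %d', $info->rating, $min_rating);
    }

    // Install base: few installs means few eyes on the code.
    if ($info->active_installs < $min_installs) {
        $warnings[] = sprintf('Only %d active installs', $info->active_installs);
    }

    // Compatibility: the directory records "tested up to" as major.minor, so compare
    // only those two components against the version this site runs.
    $tested_mm = implode('.', array_slice(explode('.', (string) $info->tested), 0, 2));
    $site_mm   = implode('.', array_slice(explode('.', get_bloginfo('version')), 0, 2));
    if ($tested_mm === '' || version_compare($tested_mm, $site_mm, '<')) {
        $warnings[] = sprintf('Tested up to %s, this site runs %s', $tested_mm ?: 'unknown', $site_mm);
    }

    // Maintenance: days since the last release (last_updated is a string such as
    // "2024-05-01 3:20pm GMT").
    $updated  = strtotime((string) $info->last_updated);
    $age_days = $updated ? (int) floor((time() - $updated) / DAY_IN_SECONDS) : null;
    if ($age_days === null || $age_days > $max_age_days) {
        $warnings[] = sprintf('Last updated %s days ago', $age_days ?? 'unknown');
    }

    return ['slug' => $slug, 'ok' => $warnings === [], 'warnings' => $warnings];
}

// WP-CLI places the positional arguments given to eval-file in $args.
foreach ($args ?? [] as $slug) {
    $result = vet_plugin($slug);
    WP_CLI::line(($result['ok'] ? 'OK   ' : 'WARN ') . $result['slug']);
    foreach ($result['warnings'] as $warning) {
        WP_CLI::line('  - ' . $warning);
    }
}
```

A plugin that passes every check can still be malicious, and a niche plugin with a small install base can be perfectly sound; treat warnings as a reason to read the code and the support forum, not as a verdict.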
User Roles and Passwords
As you may have read in our earlier blog, Knowing the difference between WordPress Roles, you may already give different people their own logins. Putting each person in the correct role adds another layer of security to the back end of your site, especially for one-time contractors, and for bloggers who are great at their job but know nothing about WordPress and could seriously damage the site with one click of the mouse. Give each account only the permissions its job needs, and remove accounts that are no longer used. You can also limit how many times a user can log in with the wrong username or password. This blunts attackers who run software that tries common usernames and passwords over and over to get into your site. Make sure everyone's password is hard to guess: no common words, names or birth dates, and a long mix of letters, numbers and punctuation.
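The login controls described in this section and in "Default Username and Passwords" above (a limit on failed login attempts, a minimum password strength, and getting rid of the account named admin) can all be done from a small must-use plugin. The following is an added example, not code from the original post. The thresholds (5 attempts, a 15-minute lockout, 12-character minimum) and the `lh_` function names are assumptions; the WordPress hooks, `get_transient`/`set_transient` and `WP_Error` are real core APIs.

```php
<?php
/**
 * Plugin Name: Login Hardening (added example)
 * Description: Locks out an IP after repeated failed logins, rejects weak
 * passwords, and warns while an account named "admin" exists.
 * Save as wp-content/mu-plugins/login-hardening.php.
 */

// Thresholds are assumptions for this example; tune them for your site.
const LH_MAX_ATTEMPTS        = 5;
const LH_LOCKOUT_SECONDS     = 15 * MINUTE_IN_SECONDS;
const LH_MIN_PASSWORD_LENGTH = 12;

// REMOTE_ADDR is set by the web server and cannot be forged by the client.
// Behind a reverse proxy or CDN, configure the web server to fill it from the
// proxy's header (e.g. Apache mod_remoteip); do not read X-Forwarded-For here,
// or an attacker can pick a fresh "address" for every attempt.
function lh_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lh_attempts_key(string $ip): string {
    return 'lh_fail_' . md5($ip);
}

// Count each failure. set_transient() resets the expiry, so the window slides:
// an IP that keeps hammering stays locked out.
add_action('wp_login_failed', function ($username): void {
    $key   = lh_attempts_key(lh_client_ip());
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LH_LOCKOUT_SECONDS);
});

// Priority 30 runs after WordPress has verified the password (priority 20), so a
// locked-out IP is refused even when it finally guesses the right credentials.
add_filter('authenticate', function ($user, $username, $password) {
    if (empty($username)) {
        return $user; // no credentials submitted on this request
    }
    if ((int) get_transient(lh_attempts_key(lh_client_ip())) >= LH_MAX_ATTEMPTS) {
        return new WP_Error('lh_locked_out', sprintf(
            'Too many failed logins. Try again in %d minutes.', LH_LOCKOUT_SECONDS / MINUTE_IN_SECONDS
        ));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that IP.
add_action('wp_login', function ($user_login, $user): void {
    delete_transient(lh_attempts_key(lh_client_ip()));
}, 10, 2);

// Password rules from the text: long, not the username, with a digit and punctuation.
function lh_password_problems(string $password, string $user_login): array {
    $problems = [];
    if (strlen($password) < LH_MIN_PASSWORD_LENGTH) {
        $problems[] = sprintf('Password must be at least %d characters.', LH_MIN_PASSWORD_LENGTH);
    }
    if ($user_login !== '' && stripos($password, $user_login) !== false) {
        $problems[] = 'Password must not contain the username.';
    }
    if (!preg_match('/\d/', $password) || !preg_match('/[^A-Za-z0-9]/', $password)) {
        $problems[] = 'Password must contain a digit and a punctuation character.';
    }
    return $problems;
}

// Shared by the profile screen ($user is a stdClass from the form) and the
// password-reset screen ($user is a WP_User). Both post the new password as pass1.
function lh_validate_new_password(WP_Error $errors, $user): void {
    $password = (string) ($_POST['pass1'] ?? '');
    if ($password === '') {
        return; // field left blank on the profile screen: the old password is kept
    }
    $login = is_object($user) && isset($user->user_login) ? (string) $user->user_login : '';
    foreach (lh_password_problems($password, $login) as $problem) {
        $errors->add('lh_weak_password', $problem);
    }
}
add_action('user_profile_update_errors', function ($errors, $update, $user): void {
    lh_validate_new_password($errors, $user);
}, 10, 3);
add_action('validate_password_reset', 'lh_validate_new_password', 10, 2);

// Nag administrators while an account literally named "admin" still exists.
add_action('admin_notices', function (): void {
    if (current_user_can('manage_options') && get_user_by('login', 'admin')) {
        echo '<div class="notice notice-error"><p>An account named <code>admin</code> exists. '
           . 'Create a new administrator with a different name, then delete <code>admin</code> '
           . 'and reassign its posts to the new account.</p></div>';
    }
});
```

Because the lockout is keyed on IP address, many legitimate users behind one office or carrier address share a counter; if that is your audience, raise the threshold or key on username and IP together. Transients live in the database (or the object cache when one is configured), so the counters survive across PHP workers and restarts.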
Activity Logs
When you look at your activity log you can see which user changed something, when they changed it and the IP address the change came from. WordPress does not keep such a log by default; you add one with a plugin or a small piece of code. It comes in handy when you are trying to work out what broke your site and have no idea where to start: without it you are looking for a needle in a haystack. Seeing what was done to the site right before it broke is a great starting point for fixing the problem, especially since human error is common but rarely owned up to.
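The log described above, one line per change with the acting user, the time and the client IP, is a few hooks in a must-use plugin. The following is an added example, not code from the original post; the `cal_` names and the event labels are assumptions, while the hooks (`save_post`, `activated_plugin`, `switch_theme`, `set_user_role`, `wp_login`, `wp_login_failed`) are WordPress core actions. Lines are written with `error_log()`, which goes to the PHP or web server error log outside the web root, rather than to a file under wp-content that anyone could download.

```php
<?php
/**
 * Plugin Name: Change Audit Log (added example)
 * Description: Records who changed what, when, and from which IP address.
 * Save as wp-content/mu-plugins/change-audit-log.php.
 */

// Build one log line: time, event, acting user, client IP, then event details.
// Values are JSON-quoted so spaces and quotes in titles cannot forge extra fields.
function cal_line(string $event, array $details): string {
    $user   = wp_get_current_user();
    $fields = [
        'time'  => gmdate('c'),
        'event' => $event,
        'user'  => $user->exists() ? $user->user_login : '-',
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? '-', // behind a proxy, see the REMOTE_ADDR caveat above
    ] + $details;
    $parts = [];
    foreach ($fields as $key => $value) {
        $parts[] = $key . '=' . json_encode((string) $value);
    }
    return 'wp-audit ' . implode(' ', $parts);
}

function cal_log(string $event, array $details = []): void {
    error_log(cal_line($event, $details));
}

// Content edits. Autosaves and revisions would flood the log, so they are skipped.
add_action('save_post', function ($post_id, $post, $update): void {
    if (wp_is_post_autosave($post_id) || wp_is_post_revision($post_id)) {
        return;
    }
    cal_log($update ? 'post.update' : 'post.create', [
        'post' => $post_id, 'type' => $post->post_type, 'title' => $post->post_title,
    ]);
}, 10, 3);

// Plugin and theme changes: the usual answer to "what broke the site?".
add_action('activated_plugin', function ($plugin): void {
    cal_log('plugin.activate', ['plugin' => $plugin]);
});
add_action('deactivated_plugin', function ($plugin): void {
    cal_log('plugin.deactivate', ['plugin' => $plugin]);
});
add_action('switch_theme', function ($new_name, $new_theme, $old_theme): void {
    cal_log('theme.switch', ['from' => $old_theme->get_stylesheet(), 'to' => $new_theme->get_stylesheet()]);
}, 10, 3);

// Privilege changes: a contributor becoming an administrator deserves a line.
add_action('set_user_role', function ($user_id, $role, $old_roles): void {
    cal_log('user.role', ['target' => $user_id, 'new' => $role, 'old' => implode(',', $old_roles)]);
}, 10, 3);

// Logins, successful and failed, so brute-force attempts appear next to real activity.
add_action('wp_login', function ($user_login): void {
    cal_log('login.ok', ['login' => $user_login]);
});
add_action('wp_login_failed', function ($user_login): void {
    cal_log('login.failed', ['login' => $user_login]);
});
```

A resulting line looks like `wp-audit time="2024-05-01T14:02:11+00:00" event="plugin.activate" user="editor-jane" ip="203.0.113.7" plugin="fragile-gallery/fragile-gallery.php"` (constructed sample). Because the log lives on the same server as the site, ship it elsewhere (your host's log export or a syslog forwarder) so that an attacker who gets in cannot quietly erase the record of how.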