With WordPress powering around a fifth of all websites, it comes as no surprise that its popularity has made it a target for hackers, spammers and other nefarious characters. If you run a self-hosted WordPress site and you are not careful, you can fall victim to attack. No website is impenetrable, but here are some steps you can take to minimise the risk.
1. Never use “admin” as the username of your administrator account
This is the most basic rule in the book and unfortunately, it’s still one that many people get wrong. Your username and password are the keys to your WordPress kingdom. If your username is “admin”, an attacker already holds half of them, and automated login attacks against WordPress sites try “admin” first, so all that stands between them and your dashboard is your password – see point 2 below. Bear in mind that a different username only raises the bar a little: WordPress reveals usernames through author archive pages (for example, requesting ?author=1 redirects to the author’s archive URL), so a strong password matters more than a secret username.
If you have made this mistake, the easiest way to correct it is to:
- Go to Users > Add New.
- Make a new user account with another username – the less guessable the better.
- Use an email address that you have access to (if you want, you can have the password emailed to this address).
- Assign it the administrator role.
- Log out of your site and log in as the new user.
- In Users > All Users, delete the admin user. When WordPress asks what to do with that user’s content, choose the option to attribute all content to the new user, or you will lose any posts or pages created by the admin user.
2. Make sure your administrator account has a strong password
As with your username, you can compromise your site security if your password is too short or too obvious.
Check this list of the most common passwords of 2014 – if you are using any such as “123456”, “dragon” or “letmein”, change them now!
For password length, you should be using passwords of 12 characters or more. The How Big is Your Haystack? site shows how large the search space for a password of a given length and character mix is, and how quickly a brute-force attack could exhaust it. Never type your real password into a third-party site; try one with the same length and mix of characters instead. You might be surprised how quickly short passwords can be cracked.
Make a mnemonic to remember your password, or use a random password generator such as the Norton Identity Safe password generator. You can also use a password manager to remember all your website passwords for you. You just have to remember one master password to access all the sites you log into.
WordPress will let you know whether your password is weak, medium or strong when you type one in.
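The checks described in this section can be put into code. The example below is an added illustration, not code from the article or from WordPress itself. It compares a candidate against a small constructed excerpt of a common-password list, counts the brute-force search space the way the haystack calculator does (every string up to the password’s length drawn from the character classes it uses), and generates a random password of 12 or more characters with Python’s `secrets` module. The guess rate used for the crack-time estimate is an assumption for illustration only.

```python
import secrets
import string

# Character classes an attacker must cover once a password uses them.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26 characters
    "digits": string.digits,           # 10 characters
    "symbols": string.punctuation,     # 32 characters
}

# Constructed excerpt of the kind of "most common passwords" list the article links to.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123",
    "dragon", "letmein", "monkey", "111111", "iloveyou",
}


def is_common(password: str) -> bool:
    """True if the password (case-insensitively) appears on the common list."""
    return password.lower() in COMMON_PASSWORDS


def classes_used(password: str) -> set:
    """Which character classes the password draws from."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def search_space(password: str) -> int:
    """Haystack-style count: all strings of length 1..len(password) over the classes used."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    if alphabet == 0:
        return 0
    return sum(alphabet ** k for k in range(1, len(password) + 1))


def worst_case_crack_seconds(password: str, guesses_per_second: float = 1e11) -> float:
    """Time to exhaust the search space at an assumed (illustrative) offline guess rate."""
    return search_space(password) / guesses_per_second


def check_password(password: str) -> list:
    """Return a list of problems; an empty list means the password passes these checks."""
    problems = []
    if is_common(password):
        problems.append("appears on a common-password list")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if len(classes_used(password)) < 3:
        problems.append("uses fewer than three character classes")
    return problems


def generate_password(length: int = 16) -> str:
    """Random password containing at least one character from every class."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    chars = [secrets.choice(chars) for chars in CLASSES.values()]
    pool = "".join(CLASSES.values())
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG so class positions are not predictable.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    for pw in ("123456", "letmein", generate_password(16)):
        print(f"{pw!r}: space={search_space(pw):.3e} "
              f"worst-case={worst_case_crack_seconds(pw):.1f}s problems={check_password(pw)}")
```

Run it and the two passwords from the article fail all three checks, while the generated one passes; the search-space column makes the gap between a six-digit PIN and a 16-character mixed password concrete.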
3. Keep WordPress, your plugins and themes up to date
This is really important too. WordPress is continually being updated – this includes patching security holes. An outdated installation is more vulnerable as it will have older code that could be exploited. The same is true of any plugins and themes that you use.
If you have a plugin or theme you installed but no longer use on your site, you are best to delete it. Deactivating is not enough: the files stay on disk and can still be requested directly, so a vulnerability in an inactive plugin can still be exploited, and the files can have malicious code injected into them.
It is, however, a good idea to keep one of the default WordPress.org themes on your site (e.g. Twenty Fourteen). If you have a WordPress problem that may be theme-related, you can switch to a default theme. If the difficulty is resolved, this lets you know it is an issue with your theme and not some other aspect of WordPress.
4. Get your plugins and themes from a reputable source
It may be tempting to download a free theme or plugin from an unknown site, but they are not always safe to use. The Sucuri blog warns of the danger of installing a “free” version of a premium plugin, which may have been doctored to infect your website.
Decent theme and plugin authors will add their works to the WordPress.org site, where they can be reviewed by others. Well-known theme manufacturers such as StudioPress, Elegant Themes and WooThemes are also fine.
The Theme Authenticity Checker plugin, downloadable from WordPress.org, can scan your themes for malicious code.
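To show what a checker of that kind looks for, here is an added example that is not part of the article and not the Theme Authenticity Checker plugin’s code. It scans the PHP files of a theme directory for constructs that injected code commonly relies on (eval, base64_decode, compression or rot13 decoders, the deprecated preg_replace /e modifier, and request parameters passed straight to a command-execution function) and reports the file, line and pattern. The `demo()` function builds a small constructed theme in a temporary directory, with one clean file and one carrying an injected backdoor, and scans it. Some legitimate plugins do call base64_decode, so treat hits as candidates for manual review rather than proof of compromise.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructs that injected code in theme/plugin files commonly relies on.
SUSPICIOUS_PATTERNS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("decoder", re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("preg_replace /e", re.compile(r"\bpreg_replace\s*\(\s*['\"]/[^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]")),
    ("request-to-exec", re.compile(
        r"\b(system|exec|shell_exec|passthru|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)")),
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
]


def scan_file(path: Path, root: Path) -> list:
    """Return (relative file, line number, pattern label, stripped line) for each hit."""
    hits = []
    rel = os.path.relpath(path, root)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, start=1):
            for label, pattern in SUSPICIOUS_PATTERNS:
                if pattern.search(line):
                    hits.append((rel, lineno, label, line.strip()[:80]))
    return hits


def scan_theme(root) -> list:
    """Scan every .php file under a theme directory."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        hits.extend(scan_file(path, root))
    return hits


# Constructed sample theme: one legitimate file, one with an injected backdoor.
CLEAN_FUNCTIONS_PHP = """<?php
function mytheme_styles() {
    wp_enqueue_style( 'mytheme', get_stylesheet_uri() );
}
add_action( 'wp_enqueue_scripts', 'mytheme_styles' );
"""

INFECTED_HEADER_PHP = """<?php
/* legitimate header markup would be here; the lines below were injected */
eval(base64_decode("ZWNobyAnaGVsbG8nOw=="));
if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }
preg_replace('/.*/e', $_POST['c'], '');
"""


def build_sample_theme(root) -> Path:
    """Write the constructed theme files into root and return it."""
    root = Path(root)
    (root / "functions.php").write_text(CLEAN_FUNCTIONS_PHP, encoding="utf-8")
    (root / "header.php").write_text(INFECTED_HEADER_PHP, encoding="utf-8")
    (root / "style.css").write_text("/* Theme Name: Sample */\n", encoding="utf-8")
    return root


def demo() -> list:
    """Build the sample theme in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_theme(build_sample_theme(tmp))


if __name__ == "__main__":
    for rel, lineno, label, snippet in demo():
        print(f"{rel}:{lineno}: {label}: {snippet}")
```

Pointing `scan_theme()` at a real `wp-content/themes/<theme>` directory works the same way. The patterns are deliberately simple; attackers also split strings, use variable function names, or hide payloads in non-PHP files, so a clean scan is not a clean bill of health.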
5. Use an anti-spam comment plugin
If you don’t run a blog on your site, this is not an issue. If you do, and you want people to comment on it, you really need anti-comment spam protection. Otherwise you may find yourself quickly overrun with spam comments.
Firstly, make sure that you have your optimal comment settings as suggested here.
To block spam, I use Akismet – the plugin comes free with a WordPress install. To use it, you need to subscribe to their online service at Akismet.com and get an API key. Subscription is free for personal bloggers and nonprofit organisations, though you can leave a donation. For a single commercial site it costs $5/month, or $50/month for unlimited sites.
A free alternative is the Antispam Bee plugin. Don’t be put off with the page being in German; it installs in English. One warning – it’s not compatible with Jetpack Comments (part of the Jetpack plugin), so you can’t use both together.
Remember that these plugins will mark comments as spam, but you have to manually delete them. Occasionally they will miss the odd spam comment, and may mark a genuine comment as spam, so you have to remain vigilant.
You can also use the Growmap Anti Spambot Plugin, which adds a checkbox to your comment form that a user has to tick to show the comment is genuine. Most spam bots post straight to the form handler without rendering the page or ticking the box, so their submissions are rejected, which reduces the amount of spam.
A final possibility is to use an external commenting system such as Disqus instead of the native WordPress comments. Read more about the pros and cons of an external comment service vs WordPress comments.
You can never guarantee WordPress security 100%, but you can bolt the door to slow down intrusions. Just remember not to leave the keys in it!
Please leave a comment if you found this article helpful, or if you have any other security tips you’d like to share.