It’s safe to say that I am a huge WordPress fan—I’ve built more than 70 sites using this platform. And suffice to say that there are a variety of other platforms that I can name that I am emphatically not a fan of. (But that’s fodder for another column.)
My clients also tend to love WordPress as well. Usually within an hour or two, I can train them to update most of the elements on their site with minimal stress. Even some of my most tech-adverse clients have told me that they feel comfortable adding and editing content on their sites—something that gives them a great deal of power when it comes to owning their brand. And it seems that it isn’t just my clients who feel this way. WordPress accounts for nearly one in five sites currently online.
So, what’s the problem? WordPress is a Web-based platform (rather than an application which is downloaded and stored locally). This means that with the correct username and password, anyone with a Web connection can access your site. Also, plug-ins can go a long way towards extending the functionality of a site. But if not maintained and secured, they can provide backdoor ways for hackers to infiltrate your site.
You needn’t abandon WordPress, you just need to be smart about how you use it. Here are some tips for how to keep your site secure.
Backup
You’re already backing up your hard drive, right? (Right?!) Well, the same principle applies to your WordPress site. Make sure that you have automatic backups made of your site at least once a week. I recommend the BackupBuddy plug-in. which not only makes it easy to back your site up, but easy to restore if the worst happens. Another great one is WordPress Backup to Dropbox, which allows you to send the files directly to Dropbox if you need them, eliminating the need of storing and managing a bunch of backup files.
Keep Your WordPress Site Software Up To Date
Staying on top of your current version of WordPress is not just a good practice—it is an essential step to prevent being hacked. Periodically, WordPress offers software updates to both introduce new functionality and address bugs. I recommend updating your version of WordPress and all your plug-ins within two days of a new release—often software updates can be in response to a recently discovered vulnerability.
You know when it is time to update your site when you log in and see a message along the top alerting you to update your site. But if you don’t log in often, you may see this. You can stay on top of WordPress updates by following the WordPress.org blog or Twitter feed. If you’d rather have it automatically taken care of for you, you can contact me to update your site when new updates are released (this is one of the services I offer). Or you can host your site with WPEngine, which automatically updates your site as part of your costs.
Change Your Passwords
First of all, stop using Admin as the login name for your backend. Malicious forces assume that this is your login, and if they are right, they work from there to crack your password.
Use something like the Secure Password Generator to create strong passwords for your site. Document them, and change them often. Using strong passwords that incorporate a number of different characters can go a long way toward protecting your site.
Install a Plug-In to Periodically Scan Your Site
Having a service to regularly scan your site is key to making sure that everything is running as it should. Sucuri.net offers the best plug-in I’ve found to perform these searches, and it’s free. This plug-in does a lot of great things. First, it creates a firewall that automatically blocks blacklisted IP addresses. Second, it sends you notifications if it detects that any of your files have been modified. Third, it creates audit log files that allow you to see everything that is happening on your site. And lastly, it has a “1-Click Hardening” feature that allows you to do the following with one function: check software version, hide the version of WordPress you are running, create secret keys, hardening key files, and PHP verification.
If You Do Get Hacked…
It happens, but all is not lost. There are a lot of things you can do here to try to diagnose and fix the problem yourself. But I highly recommend using Sucuri.net to handle the problem. For $89.99 per year, Sucuri will perform the necessary functions to protect your site. But best of all, if you do get hacked, they will clean it up and restore your site as part as your subscription, with no limit on the pages it will restore. Better yet, it helps remove you from blacklists that may identify your site as compromised in search engines.
Lisa Hazen is a Chicago-based Web Designer specializing in author sites. You can find her on Twitter, Facebook, or the WWW. mailto:lisa@lisahazen.com