There’s no doubt about it, WordPress is now the largest self-hosted blogging tool in the world, used on millions of sites and seen by tens of millions of people every day. Now on version 3.9.1 (as of June 17th 2014), WordPress has grown and evolved in to a powerful Content Management System (CMS) supported by over 33,000 plugins and widgets.
While its popularity has given both web designers and Internet users greater freedom and power to create amazing websites, it has also caught the attention of hackers and spammers across the globe. This has led to a lot of panic and doubt as to whether WordPress is a safe choice when building a website, in reality WordPress is as safe as any other web based CMS system. The truth is any online bank, email or social media account is vulnerable if the proper safety measures are not taken and WordPress is no different.
“So how do I make my WordPress website as secure as possible?” I hear you ask. To be honest it’s really not that difficult, as my top tips below will explain.
1. Choose a strong username
It seems obvious but it’s surprising how many users, and web designers, go with the default “admin” username and hackers are all to aware of this.
When it comes to WordPress security this is one of the biggest mistakes you can make yet it is also the easiest to fix, simply choose a unique yet memorable username using a mixture of capital letters, numbers and characters such as #, $ or !
2. Choose a strong password
Really this tip goes without saying and should be followed when setting up any online account, not just WordPress. I know it’s tempting to choose a straightforward password that’s easy to remember but it’s just not worth the risk.
Avoid using words that a hacker could easily find out, such as your favourite football team, the name of your cat or your mother’s maiden name. As with your username choose a good mixture of capital letters, numbers and characters.
3. Research themes, plugins & widgets
One of the easiest, and often most overlooked ways for someone to gain access to your WordPress install and potentially cause real damage is through a plugin or widget. Think of your website as a house, there’s no point having the strongest front door in the world if you leave a bedroom window wide open.
That’s exactly what can happen if you install an unsafe widget or plugin, even whole themes can be potential security risks. Always do your research; a simple Google search will find out if anyone else has had issues or security breaches. Also purchase any WordPress add-ons from respected sources, such as Themeforest, who will notify you of any issues as soon as they are found and offer a solution.
4. Install WordPress security
Many users of WordPress are unaware that specially built security plugins are available that monitor your site or blog, add firewalls, block multiple login attempts and help to restrict hackers and warn you of any potential security issues, such as an out-dated plugin. Best of all most of the best security plugins are actually free; Wordfence Security is just one example and is the plugin I install on all of my sites and those of my customers. If you do not have access to install security on your site then ask your Webmaster to do it for you. It is also a great question to ask when contacting potential web design agencies to build a WordPress website for you.
5. Keep WordPress updated
Once your website or blog is built it is easy to let it tick over, only adding the odd post or gallery image here and there and paying little or no attention to any out-of-date plugins, or what version of WordPress you are running.
Just like the updates to your computer and software it is crucial to keep WordPress and any add-ons up-to-date. This makes sure any security vulnerabilities have been fixed and you are as secure as possible. Again if you do not have permissions to do this yourself check that your Webmaster is doing this on your behalf.
6. Disable the WordPress theme and plugin editors
This is an area that is often overlooked by users and designers alike. When WordPress is installed it allows the core files for any themes and plugins to be accessed and edited within the admin area. This is a hackers and spammers golden ticket to install malware or viruses to your site without you even realising.
Luckily there is an easy solution to this problem, which can be found here. If you do not have the expertise, software or confidence to make this change yourself then your Webmaster or any designer agency should be able to help you.
And there you have it, a brief insight in to my thoughts of how to keep your WordPress website or blog as safe and secure as possible. If you have any comments or questions on this blog post, or have requests for future articles please use the form below or email firstname.lastname@example.org, as always your feedback will be gratefully received.