WordPress Security

– Posted in: Passwords, Security, WordPress

WordPress is one of the most widely used content management systems on websites and blogs. Although the WordPress staff and engineers work hard at keeping the core of the software secure, we still end up with vulnerabilities. Over the past few weeks, I’ve heard of many websites being shut down because of phishing scams. I was not lucky enough to be passed over either. My site, as well as several of my clients’ sites, experienced the embarrassing sign at the front door of our websites that said their website had been shut down. I also received multiple emails from hosts all over the world telling me to please shut down my sites because they were spoofing some of their clients.

This is a very serious problem! So, I’ve spent the bulk of my days meticulously sifting through my websites, looking for malicious files that might allow for these security issues. I’ve researched across the Internet on safety precautions and any kind of anti-viral software that I can use to keep me from being attacked again.

I found out that the leading cause of WordPress hacks is through plugins and themes. It is extremely important to update your plugins and theme… not to mention WordPress itself! These things are upgraded for a reason. Any outdated part of the WordPress equation, whether WordPress itself, plugins, or themes, will create vulnerabilities.

Did you know that one of the most overlooked aspects of using WordPress, aside from outdated software, is poor login credentials? Oftentimes, people set weak passwords or passwords that are easy to figure out. How many of you have set a password with a date, a family member’s name, a pet’s name, or even the infamous one, password? These are terrible choices! How many of you have set up an account on WordPress and then forgotten the password you created? So, the next time you go in, you create another account, leaving your old account behind. WordPress has a neat little feature that asks if you have forgotten your password. If you click on that link, it sends you an email and tells you where to go to set a new password.

A strong password is a minimum of 8 characters and has a mixture of letters, numbers, and symbols. A good password would be something like $nak3-eYeS or G0ld3n_$n1+ch. Get creative!

How often do you change your password? Did you know it is advised in most circles to change your password often? The latest advice says to change as often as every 3-6 months. Don’t make your next password similar to your current one either. If you find it hard to remember, then write it down and put it somewhere safe.

For optimal security on WordPress, it’s also advisable to keep your admin access minimal. There should only be one administrator, two at the very most. Administrators have the ability to delete other users. They can also restrict user capabilities by adding code or plugins.

Recently, I changed some of the users on my WordPress sites from Admin to Editor. This still allows them to manage posts, pages, media, etc., but they cannot add plugins or code. I figured if a person doesn’t understand WordPress and its power, then to keep their sites safe, they would be given a lesser role. And if they absolutely wanted the role of admin, then I would discuss all of the above about making stronger passwords and changing them often.
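As an added example (my own, not the author’s code or any of the plugins mentioned in this post), here is a small must-use plugin that applies the least-privilege ideas above in code: it strips the editor role of the ability to post unfiltered HTML, which editors otherwise have on a single-site install, and shows a dashboard warning when more than two administrator accounts exist. The plugin name and the file location (wp-content/mu-plugins/) are assumptions.

```php
<?php
/*
Plugin Name: Least-Privilege Guard (example)
Description: Trim editor capabilities and flag excess administrators.
*/

// Editors keep their content rights (posts, pages, media) but lose the
// ability to publish raw HTML/script. remove_cap() persists the change,
// so only call it when the capability is still present.
add_action('init', function () {
    $editor = get_role('editor');
    if ($editor && $editor->has_cap('unfiltered_html')) {
        $editor->remove_cap('unfiltered_html');
    }
});

// Count administrator accounts and warn the site owner in the dashboard
// when there are more than two, the maximum the post recommends.
function lpg_count_administrators() {
    $admins = get_users(['role' => 'administrator', 'fields' => 'ID']);
    return count($admins);
}

add_action('admin_notices', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    $count = lpg_count_administrators();
    if ($count > 2) {
        $msg = sprintf(
            '%d administrator accounts exist; consider demoting the extras to Editor.',
            $count
        );
        printf('<div class="notice notice-warning"><p>%s</p></div>', esc_html($msg));
    }
});
```

Dropping the file into wp-content/mu-plugins/ activates it without a dashboard toggle, so a user with only the Editor role cannot deactivate it.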

With all this trouble, I searched for ways to protect my domains without any high costs. I found and installed some plugins which come highly regarded. They help to make sure I have all vulnerable points locked down. I also found a plugin that scans the server for malware. This one has already found known malware on a couple of my servers. Once I’m convinced that these plugins will do what I think they should do, I will give my review on them.

So far as I’ve found, there is no “bulletproof” way to make your site 100% protected, because hackers will go to the nth degree to find vulnerable points to launch their malware. However, you can be proactive toward keeping your website clean. Follow the advice above and you will reduce your chances of getting hacked.

Let’s all be safe. Protecting your website protects your neighbor’s website too.

3 comments
Kevin March 6, 2013, 9:40 am

What about b2evolution? Have you tried it? People seem to say it’s more secure than WordPress.

Heidi Hafner March 6, 2013, 5:59 pm

@Kevin — I’ve used b2evolution in the past. It has its share of vulnerabilities. Any time you have executable files (i.e. *.php, *.asp, etc.) you have potential for a security breach. All content management systems have their problems. They all have uploaders that allow you to upload files. They all hook into a database and, as far as I know, they all use executable files to help contribute to content managing. Therefore, whichever system you choose, security should be your top priority.

Lorenzo March 26, 2013, 7:44 am

Cloudflare can help protect your site from bad bots and provide a bump in performance. Also, a plugin like Login Lockdown or Limit Login Attempts can increase the security of your site by temporarily blocking IP addresses that make excessive failed attempts to log in to your WordPress dashboard.
