Keeping A WordPress Site Secure

September 28, 2010
Filed under: Tactics and Strategy 

WordPress is one of today’s most popular platforms for building websites, with over 25 million installations. Why is it so popular? Well, it can be used to build very attractive websites with an incredible range of functionality and styles. Over 11,000 plugins are available, and these can add everything from eCommerce and polling functions, to music players and various games, onto the stock WordPress install. A cornucopia of over 1100 visual themes is available as well; these use CSS to control the colors, layout and type on the site. So, chances are, if you’re pretty good at working with websites, you can build something really attractive and dynamic using WordPress.

But there’s a catch. This very popularity of WordPress makes it an appealing target for hackers, spammers, bots, and other criminals of the Web demimonde. In short, WordPress can be vulnerable to security breaches. So it’s important, when installing and using a WordPress site, to follow some sensible procedures.

In order to understand some of the security issues with a WordPress site, it helps to understand a bit about how one works. WordPress runs on PHP and MySQL: PHP is a server-side scripting language, and MySQL is a database server. Three things together make up the site. The PHP files (WordPress core, plus your theme and plugins) provide the functionality and the visual appearance. The MySQL database holds the content: every article, blog post, comment, user account (with its hashed password) and setting ever created for the site. Uploaded media such as images are not in the database; they sit on disk under wp-content/uploads, with only their titles and locations recorded in the database.

Because the database holds the content and the user accounts, and wp-content holds everything you have uploaded or installed, both must be protected from attack and backed up regularly to protect against system and operator error.

Thankfully, backing up the database almost couldn’t be easier: there are plug-ins for that. Just follow the install and use directions for the plug-in you choose, and you should be all set in this department. Two caveats: a database-only plug-in does not save your uploads, theme or plugin files, so copy wp-content as well; and a backup contains your users’ password hashes and any private posts, so keep it somewhere that a person who breaks into the site can neither read nor delete. Here are links to a couple of the more popular ones:

Bei Fen

DBC Backup

WP-DB-Backup

I use this last one, and it works smoothly and very conveniently: it emails me a complete backup of my database every week.
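As an added example, not one of the plug-ins above and not the author’s own setup, here is a small script that backs up both halves of a site from the server: a mysqldump of the database, using credentials read out of wp-config.php, plus a tar of wp-content. It assumes a standard wp-config.php with define('DB_NAME', ...) style lines, mysqldump, gzip and tar on the PATH, and a destination directory the web server user cannot write to.

```shell
#!/bin/sh
# Added example (not one of the plugins above): back up the database AND the
# files of a WordPress install. Assumes a standard wp-config.php with
# define('DB_NAME', ...) style lines, mysqldump, gzip and tar on the PATH, and a
# destination directory that the web server user cannot write to, so a
# compromised site cannot delete its own backups.

# Print the value of one define('NAME', 'value') line in wp-config.php.
# Usage: wp_config_value /path/to/wp-config.php DB_NAME
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# DB_HOST may carry a port ("db.internal:3307"); split it.
wp_db_host() { printf '%s\n' "${1%%:*}"; }
wp_db_port() { case "$1" in *:*) printf '%s\n' "${1##*:}" ;; *) printf '3306\n' ;; esac; }

# Write a mode-600 MySQL option file so the password is never passed on the
# command line, where any local user could read it from the process list.
# Usage: write_mysql_defaults FILE USER PASSWORD HOST PORT
write_mysql_defaults() {
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\nhost=%s\nport=%s\n' "$2" "$3" "$4" "$5" > "$1" )
}

# Usage: wp_backup /path/to/wordpress /path/to/backups
wp_backup() {
    wp_root=$1; dest=$2
    cfg="$wp_root/wp-config.php"
    stamp=$(date +%Y%m%d-%H%M%S)
    name=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    pass=$(wp_config_value "$cfg" DB_PASSWORD)
    host=$(wp_config_value "$cfg" DB_HOST)
    if [ -z "$name" ] || [ -z "$user" ]; then
        echo "could not read database settings from $cfg" >&2
        return 1
    fi

    defaults=$(mktemp)
    write_mysql_defaults "$defaults" "$user" "$pass" "$(wp_db_host "$host")" "$(wp_db_port "$host")"
    sqlfile="$dest/db-$stamp.sql"
    # --single-transaction gives a consistent InnoDB snapshot without locking the site.
    if ! mysqldump --defaults-extra-file="$defaults" --single-transaction "$name" > "$sqlfile"; then
        rm -f "$defaults" "$sqlfile"
        echo "mysqldump failed" >&2
        return 1
    fi
    rm -f "$defaults"
    gzip -f "$sqlfile"

    # Uploads, themes and plugins live on disk, not in the database.
    tar -czf "$dest/wp-content-$stamp.tar.gz" -C "$wp_root" wp-content
    echo "$sqlfile.gz $dest/wp-content-$stamp.tar.gz"
}

# Run directly as: sh wp-backup.sh /var/www/example /var/backups/wp
if [ $# -eq 2 ]; then
    wp_backup "$1" "$2"
fi
```

Run it from cron under a user other than the web server’s, and copy the two archives off the host afterwards; the option file is used instead of a -p password argument because anything on a command line is visible to every local user for as long as mysqldump runs.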

WordPress is open source, so attackers can read its code, and every published fix tells them exactly what an unpatched site is vulnerable to. Older versions are therefore the ones actually being exploited, and knowing which version a site runs lets an attacker go straight to a matching exploit. So, always update your WordPress site to the latest version on offer. This is a simple procedure, and takes only a few minutes. (Of course, back up your database before updating!) It is also worth not advertising the version number, though this is a small win and not a substitute for updating: a site can still be fingerprinted from the readme.html that ships with every install and from the ?ver= query strings WordPress appends to its scripts and stylesheets. Many themes display the version number through a generator meta tag. In older themes it is hard-coded in the theme’s header.php; open that file, look for code similar to this, and remove it:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

If header.php contains nothing like this, the tag is being added by WordPress itself inside wp_head(), through its wp_generator hook, and has to be unhooked from the theme’s functions.php instead. Either way this removes the most obvious disclosure; the update is what actually closes the hole.
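An added example, not from the original post: after removing the tag (for a theme that gets it from wp_head(), the line to add to functions.php is remove_action('wp_head', 'wp_generator');), check what the page still reveals. The script works on saved HTML, so it can be run on a page fetched with curl or your browser’s “view source”; it assumes GNU or BSD grep for -o, curl for the optional live check, and a site URL of the form https://example.com. The sample pages in the test are constructed.

```shell
#!/bin/sh
# Added example: after removing the generator tag, check what a page still
# reveals about the WordPress version. Works on saved HTML (a file path).
# Assumes GNU or BSD grep (for -o) and curl for the optional live check.

# Version from a <meta name="generator" content="WordPress X.Y.Z"> tag, if any.
generator_version() {
    sed -n 's/.*<meta name="generator" content="WordPress \([0-9][0-9.]*\)".*/\1/p' "$1" | head -n 1
}

# Distinct ?ver= values on script and stylesheet URLs. WordPress appends its
# own version to core assets by default, so it shows up here even when the
# generator tag is gone; plugin versions appear the same way, and the core
# value is the one that also matches readme.html.
asset_versions() {
    grep -o 'ver=[0-9][0-9.]*' "$1" | cut -d= -f2 | sort -u
}

# Succeeds (exit 0) if the page discloses a version anywhere, fails otherwise.
leaks_version() {
    if [ -n "$(generator_version "$1")" ] || [ -n "$(asset_versions "$1")" ]; then
        return 0
    fi
    return 1
}

# Live check (needs curl; not run by the test): the homepage plus readme.html,
# which ships with every install and prints "Version X.Y.Z" in its text.
site_version_report() {
    page=$(mktemp)
    curl -sL "$1/" > "$page"
    echo "generator tag:  $(generator_version "$page")"
    echo "asset versions: $(asset_versions "$page" | tr '\n' ' ')"
    echo "readme.html:    $(curl -sL "$1/readme.html" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1)"
    rm -f "$page"
}

# Usage: sh wp-version-check.sh https://example.com
if [ $# -eq 1 ]; then
    site_version_report "$1"
fi
```

If the report still shows a version after the tag is gone, that is the point: it is cheap to hide the tag, but the version is not a secret, so treat the check as a reminder to update rather than as something to chase to zero (blocking readme.html in the web server is a reasonable extra step).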

Another common trouble spot is the username and password. Bots hammer wp-login.php with lists of common usernames and passwords, and if yours are simple they will get in and run wild on your WordPress site. The username is the easy half. If you’re like most people, you set up your WordPress site with yourself as the administrator, and you also write many of the articles, so each article you post carries your administrator account’s name. By default the displayed name is the login name, and WordPress also exposes the login name in author archive URLs, so a bot can usually learn it without guessing. Assume the username is known; the password has to carry the whole load.

It’s best to set up a separate administrator account that you never post from, with an obscure username and a virtually impenetrable password, and to demote your everyday writing account to Author or Editor, so that a stolen password for the account everyone can see cannot install plugins or edit theme files. If the site still has the default “admin” account, that is the name every bot tries first; delete it (reassigning its posts) once the new administrator exists. A good, obscure username for the administrator account would look like complete gobbledygook, for instance, “pamtimIamowat.” Usernames that are obscure, but relatively easy to remember, can be generated by taking a line from a song and using the first letter of each word (“pamtimIamowat” comes from the first line of The Rolling Stones song “Sympathy for the Devil”). Also, use a strong, long password, as explained in this helpful article. Keeping the bots out of your administrator account is vital to WordPress security. Take a few minutes to harden this account!

These few, simple steps will do a great deal for WordPress security. Keeping your version information out of sight, and your username and password obscure and strong, closes the easiest ways in. Keep in mind that out-of-date plugins and themes are at least as common a way in as WordPress itself, so update those as well. And if you regularly and routinely back up your database and files, even if you are hacked you can recover completely. But, of course, that’s a huge hassle that’s best avoided, and for further information on the subject, these articles are very helpful:

12 Essential Security Tips and Hacks for WordPress

and

Hardening WordPress