August 26, 2016 | Web Design
This post was written by DeAnne Curran, senior designer and developer here at Visible Logic.
At WordCamp 2016, Doug Vanderweide did a talk on WordPress security, and I thought it would be useful to create a post to help inform our clients on some basics for making their sites secure.
Keep your WordPress core files and plugins updated
By keeping your version of WordPress up-to-date, along with all your plugins, you reduce your exposure to known security risks. Unfortunately, security vulnerabilities do arise, but WordPress and plugin authors are continually finding and patching issues, so it’s best to keep your files updated with the latest security fixes.
Some hosts will automatically update your WordPress version for you if you let it get too far out of date. This is a protection for them, especially on shared hosting. It’s usually better to take care of these updates yourself so you can review your site to ensure everything is looking and functioning as expected after the update.
Back up your site
Create a backup of your site before doing any updates of plugins, themes, etc. This way, if anything goes awry, you have a place to start from. If you run into any errors or problems, you can then work systematically to pinpoint when and where things went wrong.
Don’t use “password” as your password
Create complex passwords that would be hard for someone to guess. There are a number of WordPress security plugins that force you and other users of your site to create more complex passwords.
Also, don’t use the same password across multiple accounts; it’s like giving a hacker the keys to many of your accounts at once.
One password trick is to use a passphrase rather than a password. “The skipping elephant was $40” is easier to remember than “Ajksi(7&60(” and even more secure because it has more characters for a bot to have to guess.
Help prevent brute force attacks
A brute force attack is the most common WordPress attack. It occurs when a bot tries to log in to your admin area via automated attempts, sometimes hundreds of times, until it gets it right. There are a number of plugins created to help prevent these attacks by moving your WordPress login URL, or by limiting the number of login attempts allowed by a specific IP address.
WordPress User Permissions
If you have a site with multiple users, make sure that each user has only the permissions they need, and no more. An inexperienced user with admin access can accidentally modify something they shouldn’t. You can read more about the roles and privileges for WordPress here.
Cheap hosting does matter
If you skimp on your hosting you likely don’t have a host who will help if something does go wrong. Top tier hosts tell you when something is wrong and help you recover.
Inexpensive shared hosting can sometimes get you blocked because of naughty things your neighbors have done on the shared servers.
Finally, some better hosting plans may include a staging site to test updates before you make them live, which gives you an escape if things don’t go as planned.
Get a checkup
All of these things are just basics, but it’s important to check up on your site or have a professional help you to do so. This way if anything goes wrong they are there to help and already familiar with your site’s setup and functionality.
Here at Visible Logic, we offer maintenance packages for our web clients and have found that it helps people stay on track with upgrades and maintenance. Also, we keep up-to-date with known issues that can happen when you update WordPress or plugins so we are prepared to make the updates smoothly with little interruption to your live site.
It is easy to let web site maintenance and updates fall on the “to do someday” list. Need help? Give us a call.