WordPress websites need love.
They are kind of like dogs. Be kind to them, feed them, pet them, give them water, and they will be loyal to you, your best friend.
Ignore them, be cruel or neglect them, they can turn on you or find another owner to care for them.
The last thing you want, after you’ve invested in creating your website, is for it to fall prey to hackers or spammers.
Earlier this year, there was a large number of attacks on WordPress websites: a botnet ran an attack on WordPress sites from thousands of IP addresses. It likely won’t be the last. WordPress is incredibly popular and is being used to power millions of websites across the globe. W3Techs reports that WordPress is used by 58.6% of all websites whose content management system is known, which works out to 18.8% of all websites.
That’s pretty huge.
Being used by millions of websites makes it a favorite target of spammers and hackers. But that doesn’t mean it’s any less secure than other content management systems. In fact, I would argue it’s very secure. There is an active group of developers around the world who work on contributing to the code base. They frequently release security fixes when they identify and patch any holes or vulnerabilities.
Why would someone want to hack my site?
There are lots of reasons why your site may be a target.
Did you ever see that Simpsons episode with Stampy the Elephant? There is a line at the end where the game warden explains why Stampy is trying to head-butt another elephant. “Sometimes animals are just jerks.” That may be the case for some hackers. Others may want your data, especially if you have a lot of users.
What’s also great is that you can protect your own site with a number of steps. I firmly believe in five key ways to minimize your risk:
Back up your site
Backing up your install and database can really save your keister. Some people recommend three layers of backups. But if that’s unreasonable, one layer is fine.
There are a number of free backup plugins available for WordPress. I’ve used WP-DB-Backup in the past and did not have any problems with it.
These days, I mostly use Backup Buddy, a premium backup solution from iThemes.
I tried out Backup Buddy when I needed to move a site from one place to another, and it was incredibly helpful. After that, I decided to buy a developer license so I can use it on every site I work with. Backup Buddy lets you schedule full-site or database-only backups daily, weekly or monthly. You can save them to your local system or send them to a remote location, like your FTP server or a cloud service like Amazon S3.
For the largest site I work with, I asked the company to invest in VaultPress. VaultPress is a monthly premium service from Automattic, the folks behind WordPress. They regularly back up the site at multiple intervals throughout the day. They also run security scans. And if something goes wrong, you can restore a previous backup with the click of a button. It’s really nice and well worth the cost.
Keep everything updated
I can’t stress this enough. Plugins, themes, and even WordPress itself need to be updated. Some of the updates are security fixes. They need to be applied. Otherwise hackers could take advantage of a known vulnerability.
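As an added example that is not code from this post or from any of the plugins it names, here is a small POSIX shell script that does the two things above from the command line with WP-CLI: it takes a database dump and a copy of wp-content and wp-config.php first, refuses to continue if that backup is incomplete, and only then applies core, plugin and theme updates and checks the core files against the published checksums. It assumes WP-CLI (https://wp-cli.org) is installed as `wp` on a host with shell access to the WordPress root and that `wp` can read the database credentials in wp-config.php; the `WP` variable and the function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original post: back up first, then update.
# Assumes WP-CLI is installed as `wp` and can reach the site's database.
# WP can be overridden to point at a different wp binary.
WP=${WP:-wp}

# Name of the backup directory: <base>/wp-backup-<timestamp>.
backup_dir_name() {
  printf '%s/wp-backup-%s\n' "$1" "$2"
}

# Back up the database, wp-content (themes, plugins, uploads) and wp-config.php.
#   $1 = WordPress root, $2 = destination directory (created if missing)
backup_site() {
  site_root=$1
  dest=$2
  mkdir -p "$dest"
  $WP db export "$dest/database.sql" --path="$site_root"
  tar -czf "$dest/wp-content.tgz" -C "$site_root" wp-content
  cp "$site_root/wp-config.php" "$dest/wp-config.php"
  # Refuse to continue if any of the three artefacts is missing or empty;
  # updating without a usable backup is exactly the situation the post warns about.
  for f in database.sql wp-content.tgz wp-config.php; do
    [ -s "$dest/$f" ] || { echo "backup incomplete: $dest/$f" >&2; return 1; }
  done
}

# Apply all pending updates, then verify that the core files match the
# checksums WordPress.org publishes for the installed version.
#   $1 = WordPress root
update_site() {
  site_root=$1
  $WP core update --path="$site_root"
  $WP core update-db --path="$site_root"
  $WP plugin update --all --path="$site_root"
  $WP theme update --all --path="$site_root"
  $WP core verify-checksums --path="$site_root"
}

# Full run: back up, and only if that succeeded, update.
#   $1 = WordPress root, $2 = directory that holds backups
maintain_site() {
  dest=$(backup_dir_name "$2" "$(date +%Y%m%d-%H%M%S)")
  backup_site "$1" "$dest" && update_site "$1"
}

# Usage: sh wp-maintain.sh /var/www/example /var/backups/wordpress
if [ "$#" -eq 2 ]; then
  maintain_site "$1" "$2"
fi
```

The order matters: the update step never runs unless all three backup artefacts exist and are non-empty, so a failed dump leaves the site untouched rather than half-updated with nothing to roll back to.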
Don’t use “Admin”
“admin” is the default username for the site owner. Hackers know this. If they know the username, they only have to figure out the password, and then they are in with all of the permissions they need to take over your site.
Here’s what I do. When I create a new WordPress installation, I change the username to something else. Anything else. If you are using a site that already has an admin username, never fear! This can be fixed!
- First, create a new user with the same level of admin permissions — but make sure the username is different.
- Then, logout as “admin” and log in as your new username.
- Finally, delete the admin user.
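The same three steps done from the command line with WP-CLI, as an added example that is not code from this post. `wp user create`, `wp user get` and `wp user delete` are real WP-CLI commands; `replace_admin_user`, `username_is_acceptable`, the `WP` variable and the short list of rejected usernames are this example’s own. It assumes WP-CLI is installed as `wp` and is run from the WordPress root. Two things the steps above leave implicit and the script makes explicit: it checks that the new account really has the administrator role before it touches “admin”, and it passes `--reassign` so the old account’s posts move to the new one instead of being deleted with it.

```shell
#!/bin/sh
# Added example, not from the original post: replace the default "admin"
# account with a differently named administrator using WP-CLI.
# Assumes WP-CLI is installed as `wp` and run from the WordPress root.
WP=${WP:-wp}

# Reject usernames that give an attacker the same head start as "admin".
# The list is this example's own, constructed for illustration.
#   $1 = proposed username; returns 0 if acceptable
username_is_acceptable() {
  case "$1" in
    admin|administrator|root|test|user) return 1 ;;
  esac
  return 0
}

# Create the replacement administrator, confirm it really has the role,
# then delete "admin" while reassigning its posts to the new account.
#   $1 = new username, $2 = new e-mail address, $3 = new password
replace_admin_user() {
  new_user=$1
  new_email=$2
  new_pass=$3

  username_is_acceptable "$new_user" || {
    echo "pick a less guessable username than '$new_user'" >&2; return 1; }

  # Nothing to do if the site never had an "admin" account.
  if ! admin_id=$($WP user get admin --field=ID 2>/dev/null); then
    echo "no 'admin' user found; nothing to do"
    return 0
  fi
  echo "found 'admin' (ID $admin_id); creating replacement '$new_user'"

  # Step 1: a new user with administrator permissions.
  $WP user create "$new_user" "$new_email" --role=administrator --user_pass="$new_pass" || return 1

  # Check before doing anything destructive: the new account must actually be
  # an administrator, or deleting "admin" would lock everyone out of the site.
  roles=$($WP user get "$new_user" --field=roles)
  case "$roles" in
    *administrator*) ;;
    *) echo "'$new_user' has roles '$roles', not administrator; leaving 'admin' in place" >&2
       return 1 ;;
  esac

  # Step 2 of the post (log out, log back in) is a browser step; from the CLI
  # we go straight to step 3. --reassign moves the old account's posts to the
  # new user so they are not deleted along with "admin".
  new_id=$($WP user get "$new_user" --field=ID)
  $WP user delete admin --reassign="$new_id" --yes
}

# Usage: sh replace-admin.sh <new-username> <email> <password>
if [ "$#" -eq 3 ]; then
  replace_admin_user "$1" "$2" "$3"
fi
```

If the role check fails (for example because a plugin rewrote the default role), the script stops with “admin” still in place, which is the safe failure: a site with two administrators is recoverable, a site with none is not.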
Use strong passwords
There is a raging debate going on right now over whether passwords are even good or not. But we’re stuck with them for now, and you should do your best to make them strong. That doesn’t mean they have to be impossible to remember, but use common sense. “Password” is not a good password. Neither is your name or username. Or “1234”.
Sometimes you don’t need a super crazy password, but you can add characters and symbols that make it much harder to guess.
Need some ideas? Check out this article from CNET: How hackable is your password? McAfee offers password tips.
Invest in quality hosting
There are dozens of companies vying for your business. Hosting does not have to be super expensive to be quality, but super cheap may not be as secure either. There are hosting providers, like WP Engine, that work specifically with WordPress websites in a managed hosting environment. I have a designer/developer friend who has always had good things to say about Bluehost. And here at Standard Beagle, we host our sites through DigitalOcean. You should consider a number of factors when choosing a hosting provider; just make sure security is among them.
It may seem like that’s a lot to manage and consider, but it really doesn’t take that long. It just takes being proactive and aware to keep your site safe.
Want more resources? I thought this was another great tip list. We agree on many of the same security tips: 5 tips to secure your WordPress blog.
This is a good review of backup solutions: Top 6 WordPress Backup Plugin Recommendations for 2013