WordPress Security and You
This page may contain links to Amazon.com or other sites from which I may receive commission on purchases you make after clicking on such links. Read my full Disclosure Policy
When it comes to website security, I’ve heard everything from “I’m not really worried about security. Why would anyone want to hack into a professional organizer’s website?” to “I don’t want to use WordPress – it’s always getting hacked!”
Let me start by saying that neither assumption is correct.
Hacking isn’t limited to major corporations who store credit card numbers and other sensitive client information on their servers.
One of my colleagues was the victim of the pharma hack and didn’t even know it until I told her my security software had alerted me to the problem. When she looked at the site on her own computer, everything looked just fine, but what I saw was a bunch of pharmaceutical links. It cost her several hundred dollars to get the problem fixed and her site restored to normal.
Just last week I was contacted by an interior designer whose site had been taken down by her web host because someone had installed malicious files on her site. She is also facing the expense of having her site either restored or rebuilt.
Both of these people own very small businesses and neither had valuable information stored on their website.
Many hackers don’t do it for personal gain, but just because they can – not unlike a vandal who walks around a neighborhood at night smashing windows without actually stealing anything. I’ve even seen a website where the content was replaced with a message saying, “Ha ha, you’ve been hacked!”
These stories are not prevalent due to a flaw within WordPress, but simply because it’s such a popular platform. In most cases, the security breach could have been prevented by following these best practices.
1. Don’t use an obvious user name.
Thousands of WordPress sites have been set up with “admin” as the username. Clearly if someone wanted to try to break into your site, that’s the first thing they’ll try.
If you were given “admin” as your username by a one-step WordPress installation tool or someone who didn’t know any better, it’s not too late to do something about it. You can create a new user with admin access, log in as the new user, and delete the original user, making sure you attribute any posts and pages created to the new user.
Alternatively, the iThemes Security Pro plugin can manage this change for you seamlessly, as well as guiding you through other security measures you should implement on your site.
2. Don’t use an easily guessed password.
If your password is a proper name or a word that can be found in the dictionary, the chances of someone guessing it are very high – especially if they’re using an automated tool to do so (see How Secure Are Your Passwords? [infographic]).
It’s easy enough to change your password. Just go to your User Profile and change it. Go do it now before you forget!
3. Keep your WordPress installation and plugins up to date.
The bad news is that hackers are constantly figuring out new ways to get into your site. The good news is that WordPress itself and WordPress plugins are constantly updated to address these issues.
If your site isn’t running the latest version of WordPress and any plugins you have installed, you’re leaving it vulnerable to attack.
4. Remove unnecessary plugins.
Speaking of plugins, there’s no need to load up your Dashboard with a bunch of plugins that aren’t even being used. I’ve often gone to work on client sites where multiple plugins had been installed for the same function, and others for features that weren’t even in use on the site. If you try a plugin and it doesn’t work for you, take the time to deactivate it, then delete it. Do the same with any unneeded plugins that were automatically added when you installed WordPress. This will help to protect your site by eliminating potential security problems, and will also keep your site running more efficiently.
5. Set up a regular backup system
Even if you maintain good security practices, you should always have a backup available. There are plenty of plugins that allow you to back up your WordPress site. Some will back it up automatically according to a regular schedule, while others require you to do it manually.
One of the most popular backup plugins is BackupBuddy. Not only can you schedule it to back up your database and all of your website files at regular intervals, you can configure it to send your backups to a remote location such as Dropbox or BackupBuddy Stash. This means you still have access to your backup in the event that something happens to the server.
6. Choose a reputable web host.
Although it may be tempting to go with the cheapest hosting company you can find, keep the old saying “you get what you pay for” in mind. Some companies can afford to charge very low prices for “unlimited” storage and/or bandwidth because they cram a large number of websites on the same server, and you have no way of knowing who you’re sharing that space with.
Your Organizing Business is hosted with WP Engine, who actually guarantee security. Their system is so robust that you don’t need either BackupBuddy or iThemes Security Pro. They’re not cheap, but they frequently run special promotions.
To learn more about WP Engine and other hosting options, read Signing on with a Web Hosting Company.
7. Add a WordPress specialist to your team.
If you find any of the information in this article overwhelming, don’t just ignore it. Although Benjamin Franklin didn’t know anything about WordPress, he nailed it when he said, “An ounce of prevention is worth a pound of cure.”
If you’re uncomfortable with the inner workings of your site or are too busy to stay on top of updates, check out my Website Care Plans.
Photo by hyena reality / FreeDigitalPhotos.net
I recommend...
I am so glad you take care of all this sort of thing for me, Janet. It’s sometimes hard enough to find time for all the things I need and want to do, without having to deal with the security of my website too. Thanks for doing all you do for me (in so many ways) and for knowing all you know.
xo
Thank YOU for realizing how important this is. I worry about clients who don’t consider it a priority, and hope nothing terrible happens to their site!
Hopefully this post will help people realize that it IS a priority! All best, Janet.
I’m going to be spending some time in the next few days addressing all of these. Thanks, Janet!
Glad to hear it, Seana! It probably won’t take as much time as you might think.
I think I have all of these areas covered, but I will look at what plugins I am actually using.
Good idea, Jill! It’s so easy to install something, realize you don’t have time to check it, then forget to go back to it.
My WordPress security system is named Janet Barclay. I did read the article, but will you let me know if I should be doing anything you aren’t already doing for me? Thanks! 🙂
Absolutely, Hazel (and thanks for the plug)!
Janet, a great article as ever. Unfortunately hackers attacked my website last week and have totally destroyed it. Rest assured as I now have to go through the very painful process of rebuilding it (as unfortunately I didn’t have a recent back up) I will be working my way through your list to try and ensure I am never in this awful situation again. Tina
Tina, I am so sorry that happened to you. 🙁 Maybe this is an opportunity to make it better than ever!
Thanks Janet for sharing your expertise. I get notifications to update WordPress frequently, and I try stay on top of that. I’m always interested in the advice you post, I’m sure to not miss anything that I need to know 🙂
That’s good to read, Nancy!
Excellent advice Janet. I had my hosting service beef up my security this year and have hired my web designer to update everything annually. When I updated my plugins myself I didn’t notice issues for weeks, like when my opt-in form went missing. Then I had no idea how to fix the issues. Hiring someone to update has given me peace of mind.
Good decision, Jill! Having one person look after all that means that if something does go wrong, they’re more likely to know what caused it as well as how to fix it.
Great advice. My username has an intentional, but not obvious or even logical misspelling in it- makes it that much harder to guess.
That’s an excellent idea! Not only hard for others to guess, but easy for you to remember!
[…] To learn more about potential issues and how to avoid them, read WordPress Security and You. […]