WordPress Security and You
This page may contain links to Amazon.com or other sites from which I may receive commission on purchases you make after clicking on such links. Read my full Disclosure Policy
When it comes to website security, I’ve heard everything from “I’m not really worried about security. Why would anyone want to hack into a professional organizer’s website?” to “I don’t want to use WordPress – it’s always getting hacked!”
Let me start by saying that neither assumption is correct.
Hacking isn’t limited to major corporations that store credit card numbers and other sensitive client information on their servers.
One of my colleagues was the victim of the pharma hack and didn’t even know it until I told her my security software had alerted me to the problem. When she looked at the site on her own computer, everything looked just fine, but what I saw was a bunch of pharmaceutical links. It cost her several hundred dollars to get the problem fixed and her site restored to normal.
Just last week I was contacted by an interior designer whose site had been taken down by her web host because someone had installed malicious files on her site. She is also facing the expense of having her site either restored or rebuilt.
Both of these people own very small businesses and neither had valuable information stored on their website.
Many hackers don’t do it for personal gain, but just because they can – not unlike a vandal who walks around a neighborhood at night smashing windows without actually stealing anything. I’ve even seen a website where the content was replaced with a message saying, “Ha ha, you’ve been hacked!”
Stories like these are common not because of a flaw within WordPress itself, but simply because WordPress is such a popular platform that it is a frequent target. In most cases, the security breach could have been prevented by following these best practices.
1. Don’t use an obvious user name.
Thousands of WordPress sites have been set up with “admin” as the username. Clearly, if someone wanted to try to break into your site, that’s the first username they would try.
If you were given “admin” as your username by a one-step WordPress installation tool or someone who didn’t know any better, it’s not too late to do something about it. You can create a new user with admin access, log in as the new user, and delete the original user, making sure you attribute any posts and pages created to the new user.
Alternatively, the iThemes Security Pro plugin can manage this change for you seamlessly, as well as guide you through other security measures you should implement on your site.
2. Don’t use an easily guessed password.
If your password is a proper name or a word that can be found in the dictionary, the chances of someone guessing it are very high – especially if they’re using an automated tool to do so (see How Secure Are Your Passwords? [infographic]).
It’s easy enough to change your password. Just go to your User Profile and change it. Go do it now before you forget!
3. Keep your WordPress installation and plugins up to date.
The bad news is that hackers are constantly figuring out new ways to get into your site. The good news is that WordPress itself and WordPress plugins are constantly updated to address these issues.
If your site isn’t running the latest version of WordPress and any plugins you have installed, you’re leaving it vulnerable to attack.
4. Remove unnecessary plugins.
Speaking of plugins, there’s no need to load up your Dashboard with a bunch of plugins that aren’t even being used. I’ve often gone to work on client sites where multiple plugins had been installed for the same function, and others for features that weren’t even in use on the site. If you try a plugin and it doesn’t work for you, take the time to deactivate it, then delete it. Do the same with any unneeded plugins that were automatically added when you installed WordPress. This will help to protect your site by eliminating potential security problems, and will also keep your site running more efficiently.
5. Set up a regular backup system.
Even if you maintain good security practices, you should always have a backup available. There are plenty of plugins that allow you to back up your WordPress site. Some will back it up automatically according to a regular schedule, while others require you to do it manually.
One of the most popular backup plugins is BackupBuddy. Not only can you schedule it to back up your database and all of your website files at regular intervals, you can configure it to send your backups to a remote location such as Dropbox or BackupBuddy Stash. This means you still have access to your backup in the event that something happens to the server.
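For readers who have command-line access to their hosting account, the steps above can also be done without clicking through the Dashboard. The script below is an added example, not code from this post, from WordPress, or from BackupBuddy or iThemes Security Pro. It uses WP-CLI (the `wp` command, which must already be installed) to apply step 1 (replace the “admin” login and reassign its posts), step 3 (update core, plugins and themes), step 4 (delete inactive plugins) and step 5 (take a backup), and it assumes it is run from the site’s WordPress root directory. The environment variable names `WP_HARDEN_APPLY`, `NEW_ADMIN`, `NEW_EMAIL` and `BACKUP_DIR` are chosen here for the example.

```shell
#!/bin/sh
# Added example (not from the original post, and not part of WordPress,
# BackupBuddy or iThemes Security Pro): applies steps 1, 3, 4 and 5 with
# WP-CLI. Assumes the `wp` command is installed and that the script is run
# from the site's WordPress root. The environment variable names
# (WP_HARDEN_APPLY, NEW_ADMIN, NEW_EMAIL, BACKUP_DIR) are chosen here.
set -eu

# Step 5: dump the database and copy wp-content before touching anything,
# so a bad update or a deleted plugin can be rolled back. The archive goes
# OUTSIDE the web root: a backups/ folder inside the site would be
# downloadable by anyone who guessed the file name. Copy the result to
# remote storage afterwards, as the post recommends.
backup_site() {
  BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$BACKUP_DIR"
  wp db export "$BACKUP_DIR/db-$stamp.sql"
  tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" wp-content
  echo "$BACKUP_DIR/files-$stamp.tar.gz"
}

# Step 1: retire an obvious login such as "admin". Create the replacement
# administrator, look up its numeric ID (wp_delete_user needs an ID, not a
# login, for --reassign), then delete the old account while reassigning its
# posts and pages to the new one. WP-CLI prints a generated password for
# the new user; change it from the dashboard after logging in.
replace_admin_user() {
  old_login=$1
  new_login=$2
  new_email=$3
  wp user create "$new_login" "$new_email" --role=administrator
  new_id=$(wp user get "$new_login" --field=ID)
  wp user delete "$old_login" --reassign="$new_id" --yes
  echo "$new_id"
}

# Step 3: bring core, plugins and themes to their latest versions.
update_all() {
  wp core update
  wp core update-db
  wp plugin update --all
  wp theme update --all
}

# Step 4: delete every plugin that is installed but not active. Active
# plugins are left alone; deactivate one in the dashboard first if you
# want it removed on the next run.
delete_inactive_plugins() {
  for slug in $(wp plugin list --status=inactive --field=name); do
    wp plugin delete "$slug"
  done
}

# Usage: WP_HARDEN_APPLY=1 NEW_ADMIN=jane NEW_EMAIL=jane@example.com sh harden.sh
# Nothing runs unless WP_HARDEN_APPLY=1, so the functions can also be
# sourced and called one at a time.
if [ "${WP_HARDEN_APPLY:-0}" = "1" ]; then
  backup_site
  # Only replace the login if an "admin" account actually exists.
  if wp user get admin --field=ID >/dev/null 2>&1; then
    replace_admin_user admin "$NEW_ADMIN" "$NEW_EMAIL"
  fi
  update_all
  delete_inactive_plugins
fi
```

The order is deliberate: the backup is taken first, so if an update breaks the site or a plugin turns out to have been needed after all, the database dump and the wp-content archive are there to restore from. The backup still lives on the same server until you copy it somewhere else, which is exactly the gap a remote destination such as Dropbox or Stash closes.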
6. Choose a reputable web host.
Although it may be tempting to go with the cheapest hosting company you can find, keep the old saying “you get what you pay for” in mind. Some companies can afford to charge very low prices for “unlimited” storage and/or bandwidth because they cram a large number of websites on the same server, and you have no way of knowing who you’re sharing that space with.
Your Organizing Business is hosted with WP Engine, who actually guarantee security. Their system is so robust that you don’t need either BackupBuddy or iThemes Security Pro. They’re not cheap, but they frequently run special promotions.
7. Add a WordPress specialist to your team.
If you find any of the information in this article overwhelming, don’t just ignore it. Although Benjamin Franklin didn’t know anything about WordPress, he nailed it when he said, “An ounce of prevention is worth a pound of cure.”
If you’re uncomfortable with the inner workings of your site or are too busy to stay on top of updates, check out my Website Care Plans.
Photo by hyena reality / FreeDigitalPhotos.net
A former professional organizer, I now eliminate stress for my clients by hosting, monitoring, and maintaining their WordPress sites so they don’t have to worry about security, downtime or performance issues. When I’m away from my desk, I enjoy reading, photography, watching movies, and cooking.