Do you know how to make your WordPress secure?

You can hope or you can prepare. Your choice.

If you’re running a blog, chances are high that it’s through WordPress. And why wouldn’t it be? Their service is popular because it is both convenient and attractive to readers and content authors alike. But to make WordPress work for you, and not the other way around, you need to know what you’re doing.

Content authoring aside, the security of your WordPress account and page is vital for you and your user base. Handling things incorrectly might mean having your identity stolen, your page defaced, and your reputation shot. Here are a few things to think about that might make your day just a bit easier.

Secure Your Devices First

Building a page without vulnerabilities matters, but before you worry about that, make sure your access points are well taken care of. This may be your PC, smartphone, tablet or laptop, whatever you use to access WordPress.

We’re mostly talking about security software. A good anti-virus program should be installed on any device that accesses the internet, and you can get one for free, so there’s really no excuse not to have one. Even if something came pre-installed, it may have a limited-use license. Stick with something such as AVG or Avast, a program that never expires (but does offer premium options if you think you need them).

For more serious problems, Malwarebytes Anti-malware can make removal a lot easier. This is a program you should have available when your anti-virus just isn’t doing the job and something is clearly wrong.

To keep intruders out of your network, use a firewall to close off unused ports. This may be in the form of a program you install or a physical device, such as a router. Keep in mind your router doesn’t come with you, so it won’t be too useful for your mobile devices.

Use a Virtual Private Network (VPN) to encrypt your internet connection and hide your IP address. Keeping yourself anonymous will allow you to safely access public WiFi without worrying about receiving bad packets or other malicious data from hackers. It’s also good for accessing geo-restricted content, such as Netflix or Hulu.

If you’re sharing your computer, or your main device is mobile, ensure some form of password or code is required to access your device. Speaking of which…

Protect Your Login Details

WordPress is no different from any other service, in that it requires you to log in before you actually do anything with it. For some reason, this gets taken for granted far too often. The first thing you need to consider is your login name.

For most WordPress accounts, “admin” is the default login name. This should always be changed. Otherwise someone attempting to access your account already has half the puzzle. Be sure to avoid using any subdomains for archiving purposes that include your login name, as these addresses can sometimes be found.

The other end of the spectrum is your password. It may be better for you to think of it as a passphrase; your password should be long and filled with varied characters such as capital and lowercase letters, numbers and symbols, and non-words. This makes it unrealistic for your password to be guessed and much harder to be brute forced.

Limit your login attempts as well; some hackers use automated programs that will attempt different combinations (like cracking a safe) until the right one is found. If you limit the number of login attempts, this risk can be totally avoided.
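One way to limit login attempts, shown as an added example that is not from the original article or from WordPress itself. It assumes a limit of 5 failures and a 15-minute lockout per client address; the `ell_` names are hypothetical, and the file is meant to be saved as a single must-use plugin.

```php
<?php
/**
 * Added example: throttle failed logins per client address.
 * Assumed values: 5 attempts, 15-minute lockout. The "ell_" prefix is hypothetical.
 * Save as one file under wp-content/mu-plugins/.
 */

const ELL_MAX_ATTEMPTS = 5;
const ELL_LOCKOUT_SECS = 900; // 15 minutes

// Transient key for the client address. REMOTE_ADDR is used on purpose:
// forwarded-for headers are client-controlled unless a trusted proxy sets them.
function ell_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ell_' . md5( $ip );
}

// Count every failed login. Each failure restarts the expiry timer, so the
// lockout window slides forward while guessing continues.
add_action( 'wp_login_failed', function () {
    $key      = ell_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, ELL_LOCKOUT_SECS );
} );

// Once the limit is reached, replace whatever the earlier handlers decided
// with an error. Priority 100 runs after the core username/password check
// (priority 20), so a correct guess made during the lockout is still refused
// and the response does not reveal whether the password was right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( ell_key() ) >= ELL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'ell_locked',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 100, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( ell_key() );
} );
```

Because the counter is keyed by address, guessing spread across many addresses is only slowed, so a long passphrase and a non-default login name remain necessary.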

Update Your Plugins

No doubt you’ve found some cool plugins and scripts to use on your page. They’re what make producing content easier and more enticing for users. But if left outdated, these tools can become holes in your page’s security that anyone malicious can exploit.

Like your software, plugins often have updates that fix security vulnerabilities. Be sure to run periodic checks so that your page is always up to date.

Scan For Malicious Scripts

Criminals use all sorts of scams to commit fraud and identity theft. More recently, phishing scams have been popular; they use hyperlinks to draw users to fake webpages that look real but either have bad code embedded or ask for critical information, such as usernames, passwords or Social Security numbers.

Less known are the hidden elements. If your page has any input fields, or the code hasn’t been scanned for vulnerabilities, you may be exposed to XSS (cross-site scripting) or SQL injection. The former creates problems mostly for your users, as it hijacks their browser and makes it perform undesirable behaviors.

SQL injection is more of a threat to you, as it can be used to screw with elements of your page or, if your page is selling something, tamper with transactions. Both of these threats can be mitigated by using plugins that scan for vulnerabilities or by learning how to check manually. Personally I think it’s a lot of work to do it manually, but it’s a good thing to know how to do.
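What a manual check looks for, as an added example that is not code from the original article: the same small shortcode handler written unsafely and then safely. The function names, the shortcode name and the `author_id` request parameter are hypothetical.

```php
<?php
/**
 * Added example: one shortcode handler, unsafe and then safe.
 * Function names, the shortcode and the "author_id" parameter are hypothetical.
 */

// UNSAFE: the request value goes into the SQL text and the HTML unmodified.
// The value sits in an unquoted numeric position, so any text sent in the
// parameter becomes part of the query, and part of the page markup.
function demo_author_posts_unsafe() {
    global $wpdb;
    $author = isset( $_GET['author_id'] ) ? $_GET['author_id'] : '0';
    $rows   = $wpdb->get_results(
        "SELECT post_title FROM {$wpdb->posts} WHERE post_author = " . $author
    );
    $out = '<p>Posts by author ' . $author . '</p><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li>' . $row->post_title . '</li>';
    }
    return $out . '</ul>';
}

// SAFE: validate on input, bind through prepare(), escape on output.
function demo_author_posts_safe() {
    global $wpdb;
    // absint() forces a non-negative integer, whatever was sent.
    $author = isset( $_GET['author_id'] ) ? absint( $_GET['author_id'] ) : 0;
    // %d binds the value as a number; it can no longer alter the query text.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT post_title FROM {$wpdb->posts} WHERE post_author = %d",
            $author
        )
    );
    // esc_html() turns markup characters into entities before display,
    // including in stored data such as post titles.
    $out = '<p>Posts by author ' . esc_html( (string) $author ) . '</p><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    return $out . '</ul>';
}

// Only the safe handler is registered.
add_shortcode( 'demo_author_posts', 'demo_author_posts_safe' );
```

When reviewing a plugin or theme by hand, the patterns to search for are request variables (`$_GET`, `$_POST`) joined directly into a `$wpdb` query string or into returned HTML without an escaping function.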

Don’t Neglect the Comments

The comments section is where you interact with your audience directly. But sometimes it can also be where unwelcome audience members post links to malware or phishing websites. It’s your job to make sure users don’t face those threats.

Regularly read the comment sections of your posts and make sure these elements aren’t popping up. Not only will you be protecting your readers, but you’ll be sending the message that your site is fresh and current. Unmoderated comment sections begin to take on the appearance of neglect and turn off new users quickly.

Beware of Themes

In the same way plugins can become a threat to your page, so can themes. This is especially true of themes you acquired outside of the regular channels. Outdated themes may have vulnerabilities corrected in more recent versions, but occasionally there are no updates to your theme, and it may be wise to consider getting a new one.

As a rule, anything that hasn’t been updated in two years should probably be dropped. Themes can also sometimes be the target of malware injection. In these cases, someone other than the author may have snuck something into the theme before you downloaded it, resulting in stolen data. Use themes with caution, especially free ones.

Store a Backup Somewhere Safe

You should save your work periodically, but not just in one location. Maintain backups of your page that you can store offline. If something does happen, you’ll be glad you can just upload your most recent backup instead of having to rebuild the page from the ground up.

Keep It Simple

It can seem a tad daunting to handle the variety of security problems that can pop up with WordPress, but the results are well worth it. Having to sit on hold while someone explains why there’s no money in your account is an experience that will quickly convince you of the importance of securing your work.

Hopefully that never happens. If you’re staying current, chances are you’ll avoid any entanglements with internet tough guys. With that handled, you can focus on producing quality content until you’ve built yourself a small empire of followers!