Given the recent exploits of WordPress sites hosted on GoDaddy’s servers, I thought it may be helpful to offer some security tips for WordPress users. (I say “WordPress users,” but these tips apply to any powerful, robust application like WordPress that has a large amount of code. Where you see “WordPress” feel free to insert the name of your favorite CMS or blogging software.)
- Don’t use the automated WordPress installation your hosting service may offer.
- Keep your WordPress installation up to date.
- Keep your plugins up to date.
- Delete any unused or outdated plugins.
- Choose a long administrative password made of letters, numbers and symbols, with no common words or dictionary phrases in it.
Install It Yourself
The automated WordPress installation provided by some hosting services picks the database name, the login credentials and the security and authentication keys (including the nonce key) for you, and you may never see what it chose. Create your own secure names and passwords using numbers, letters (upper and lowercase) and symbols, and set the eight security keys in wp-config.php yourself; the WordPress.org secret-key service (https://api.wordpress.org/secret-key/1.1/salt/) will generate a fresh set for you. Install WordPress yourself or have your friendly neighborhood web developer do it for you.
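As an added example (my code, not the author's), here is a small audit of a wp-config.php for what an automated installer or a copied sample file tends to leave behind: the eight security keys still set to the sample placeholder, the default "wp_" table prefix, and a database password reused from the database user. It then mints fresh keys. The placeholder text and the key names are taken verbatim from WordPress's own wp-config-sample.php; the sample configuration, the 32-character floor and the character set are this example's assumptions.

```python
"""Audit a WordPress wp-config.php for installer defaults and mint fresh keys.

Added example, not code from the original post or from WordPress. The placeholder
string and the eight key names come from wp-config-sample.php; the sample config,
the 32-character floor and the salt alphabet are this example's assumptions.
"""
import re
import secrets
import string

# The eight security keys and salts that wp-config-sample.php asks you to set.
SECURITY_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"   # verbatim from wp-config-sample.php
DEFAULT_PREFIX = "wp_"
MIN_KEY_LENGTH = 32                           # assumed floor; the WordPress.org service emits 64 chars

# Printable characters that are safe inside a single-quoted PHP string
# (no single quote, no backslash), so the value can be pasted as-is.
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~+=,.;:/?|"

# define( 'NAME', 'value' ) with escaped quotes allowed inside the value.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")

# Constructed wp-config.php, as an automated installer might leave it.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""


def parse_config(text):
    """Return ({CONSTANT: value}, table_prefix_or_None) from wp-config.php text."""
    defines = {name: value for name, value in DEFINE_RE.findall(text)}
    match = PREFIX_RE.search(text)
    return defines, (match.group(1) if match else None)


def audit_config(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    defines, prefix = parse_config(text)
    findings = []
    seen = {}  # value -> first key that used it, to catch copy-pasted duplicates
    for key in SECURITY_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key}: missing from wp-config.php")
            continue
        if value == PLACEHOLDER:
            findings.append(f"{key}: still the wp-config-sample.php placeholder")
        elif len(value) < MIN_KEY_LENGTH:
            findings.append(f"{key}: only {len(value)} characters long")
        if value in seen and value != PLACEHOLDER:
            findings.append(f"{key}: identical to {seen[value]}")
        seen.setdefault(value, key)
    if prefix == DEFAULT_PREFIX:
        findings.append("table_prefix: default 'wp_' (predictable table names)")
    db_pass = defines.get("DB_PASSWORD", "")
    if not db_pass or db_pass in (defines.get("DB_USER"), defines.get("DB_NAME")):
        findings.append("DB_PASSWORD: empty or reused from DB_USER/DB_NAME")
    return findings


def generate_secret(length=64):
    """A fresh secret drawn from the OS CSPRNG, safe to quote in PHP."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def harden_keys(text):
    """Rewrite every security-key define() in the config with a fresh secret."""
    def replace(match):
        name = match.group(1)
        if name in SECURITY_KEYS:
            return f"define( '{name}', '{generate_secret()}' )"
        return match.group(0)
    return DEFINE_RE.sub(replace, text)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("FLAG:", finding)
    print(harden_keys(SAMPLE_CONFIG))
```

Run it against a copy of your own wp-config.php (read the file into `audit_config`) after any installer has finished; the keys it flags are the ones to replace. Note that hardening the keys still leaves the prefix and database password findings, which you have to fix by hand and, for the prefix, before the tables are created.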
While most automated setups notify you when a WordPress update becomes available, the notification usually appears only in your hosting service's control panel, and if you're like me and don't spend a lot of time inside cPanel, you can easily miss it. If you manage your website yourself, take responsibility for your own updates.
Perhaps your site content changes infrequently. In that case, you may even miss the update notification that WordPress shows inside your administrative area. I strongly urge everyone to familiarize themselves with the WordPress backend and schedule regular times to log in and look for update notifications. I offer WordPress Training Sessions for the beginner, intermediate or expert user.
Update, Update and Update!
Which brings us to updates. Web applications, like operating systems, evolve to work more efficiently, add features, and patch security holes. The larger the code base, the more places a vulnerability can hide.
Luckily, WordPress has a large and fervent open-source community, and its developers rapidly address security issues. The only catch (and this is going to sound dumb) is that a security fix protects you only once you have installed the version that contains it. Seriously, do it!
And, if backing up your database and installing the updates seem confusing or scary, then get someone to do it who is comfortable with it. Believe me, disciplined updating is far less time-consuming and costly and headache-inducing than fishing for and cleaning up some malicious code injected into your site. And, don’t get me started on the revenue lost when Google slaps a giant warning on your website that reads “VISITING THIS SITE MAY HARM YOUR COMPUTER.” It’s like trying to get a date while wearing a T-shirt that reads, “I have herpes!”
The same goes for plugins. Plugin developers frequently fix buggy or outdated code, but installing the updated plugin is your responsibility. Do it! Now!
And if you no longer have any use for a plugin, deactivate it and then delete it; a deactivated plugin is still code sitting on your server. Some plugins leave options and database tables behind even after they are deleted, so you may want to clean those up as well.
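To make the plugin advice concrete, here is an added example (my code, not the author's) of the check I would run over a plugins directory: read the version out of each plugin's header the way WordPress does, compare it against the latest published version, and flag anything outdated, anything deactivated but still installed, and anything that has no update source at all. The plugin slugs, headers and the table of latest versions are constructed for the example; in real use the table would be filled from the WordPress.org plugin information API (https://api.wordpress.org/plugins/info/1.0/<slug>.json, whose JSON carries a "version" field).

```python
"""Flag WordPress plugins that are outdated, deactivated, or have no update source.

Added example, not code from the original post or from WordPress. Slugs, plugin
headers and LATEST are constructed; LATEST stands in for lookups against
https://api.wordpress.org/plugins/info/1.0/<slug>.json ("version" field).
"""
import re

# The header lines WordPress reads from the top of a plugin's main file,
# allowing the usual comment-decoration characters before the field name.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+)$", re.MULTILINE)


def parse_plugin_header(php_source):
    """Return {'Plugin Name': ..., 'Version': ...} from the first 8 KB of a plugin file."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        value = re.sub(r"\s*(?:\*/|\?>).*", "", value).strip()  # drop a trailing */ or ?>
        fields.setdefault(key, value)                             # first occurrence wins
    return fields


def version_tuple(version, width=4):
    """Numeric comparison key, zero-padded so '1.2' == '1.2.0'.

    Assumption: only dotted numeric versions matter here; pre-release suffixes
    such as '-beta' count as 0, unlike PHP's version_compare().
    """
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version)]
    return tuple((parts + [0] * width)[:width])


def is_outdated(installed, latest):
    return version_tuple(installed) < version_tuple(latest)


def plugin_file(name, version):
    """Build a minimal plugin main file with a WordPress-style header (constructed)."""
    return f"<?php\n/**\n * Plugin Name: {name}\n * Version: {version}\n */\n"


# Constructed inventory: slug -> active flag and main-file source.
INSTALLED = {
    "example-form":     {"active": True,  "source": plugin_file("Example Form", "2.3.1")},
    "example-gallery":  {"active": False, "source": plugin_file("Example Gallery", "0.9")},
    "example-seo":      {"active": True,  "source": plugin_file("Example SEO", "4.0.0")},
    "homegrown-widget": {"active": True,  "source": plugin_file("Homegrown Widget", "1.0")},
}
# Constructed stand-in for the plugin API: slug -> latest published version.
LATEST = {"example-form": "2.4.0", "example-gallery": "1.1.0", "example-seo": "4.0.0"}


def audit_plugins(installed, latest):
    """Return (slug, verdict) pairs in slug order; 'ok' means active and current."""
    report = []
    for slug, info in sorted(installed.items()):
        version = parse_plugin_header(info["source"]).get("Version", "0")
        if not info["active"]:
            verdict = f"inactive: delete it if no longer needed (installed {version})"
        elif slug not in latest:
            verdict = "not in the WordPress.org directory: no automatic updates, review by hand"
        elif is_outdated(version, latest[slug]):
            verdict = f"update available: {version} -> {latest[slug]}"
        else:
            verdict = "ok"
        report.append((slug, verdict))
    return report


if __name__ == "__main__":
    for slug, verdict in audit_plugins(INSTALLED, LATEST):
        print(f"{slug:18} {verdict}")
```

On a real site, `INSTALLED` is built by walking wp-content/plugins and reading each plugin's main file, and the active flag comes from the site's own plugin list; the deactivated-but-installed verdict is the one people most often ignore, because the code is still on disk even though WordPress is not loading it.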
Create Secure Passwords
And, lastly, this is a no-brainer. If you want a secure WordPress site, create a secure admin username (not "admin") and a strong password, and don't share them. If your website is a collaborative effort and you need to give someone access to your admin area, create a separate user account for them and grant the lowest WordPress role (Subscriber, Contributor, Author, Editor or Administrator) that covers what they actually contribute.
Conclusion
Just like a car, a website requires responsible management and regular maintenance to run efficiently. Don’t take the set-it-up-and-forget-it approach, or you’ll inevitably run into problems down the line.
If you need help keeping your WordPress site secure, updated and purring along, contact me to sign up for my Extended Maintenance Services.