You’ll find thousands of folks online saying that you can set up WordPress yourself in just minutes. And, they’re right. What you can’t do is set it up with full security using that method. Here are a few tips to help you protect your site from getting hacked, and the one question to ask folks who say you don’t need to worry about it.
Site Security Matters More than You Realize
Besides the inconvenience of having your site hacked, Google could slap a “don’t go to this site” type label on search results showing your site for a while. Try getting traffic with that warning popping up in the search engines. Plus, see what it does for the hard-earned reputation you’ve acquired as a trusted source. (Read Google Insists You Take Website Security Seriously.)
About this Post
This is not a quick, generic post about how to do your own site security. If you’ve read BlogAid for long, you know that I only post the real skinny, not fluff. If you’re serious about site security, then this is the post for you. And, if it saves your site, you won’t care that it took three minutes to read instead of one.
Ask This First
It’s a good idea to vet the experience of the person giving you advice on anything, especially online security. Here’s the top question you’ll want to ask the advisor. Have they ever helped anyone recover their site from being hacked? If not, consider following the advice of someone who has, who knows the security holes, plus how to fix them.
DIY Security
With all of the recent server attacks (read Why so Many Websites Have Been Down Lately), you’d think host providers would make website security mandatory, but they don’t. Only recently have the top hosting companies begun to provide medium-level security for their DIY WordPress installations.
You can do it yourself using the step-by-step installation guide they provide, but you may not know the best answers to some of the questions and blanks you’ll need to fill in along the way. And, it’s still not all the security you need but is far better than what hosts have offered to date.
It’s Better the First Time
It’s cheaper and easier to do a fully secure WordPress installation at the start than it is to fix a non-secure installation later. However, it’s better to fix an installation than to just keep hoping your site will be safe.
The other day, I was doing a screen share session with an established site owner and saw three ways to easily hack the site, and that was just during the few seconds it took them to log in and land on the Dashboard page.
Does Your Site Invite Hackers?
Some sites actually advertise they have vulnerabilities on every blog post they make. (Read Invite Hackers and Shun Viewers with Bad Meta Data.) It’s easy to fix this problem by creating a new user. Getting rid of the meta data altogether gets into the code a little more, but can be done by a geek or theme customizer.
Security Plugins
There are several security plugins for WordPress that offer some protection, but not full protection. And, they come in different flavors.
Some attempt to protect the files that a properly configured .htaccess file protects. These include the files that contain your database passwords and login info. Unfortunately, not all hosts allow such plugins to do their thing. Better to have a geek modify the .htaccess file the right way.
Some plugins simply limit the number of login attempts that can be made on your site. They actually work very well, but that is only one entry point to your site for hackers to exploit. Such plugins can make a good addition to your total security setup, but there are other ways of doing it even more securely in the code, especially if you are the only admin for the site.
Firewall plugins protect your site from unauthorized uploads. Just try to get an image into your Media Library with that turned on. The ones I tried were more trouble than they were worth. But, plugins are always improving and that may have changed. I’ve just found better ways to protect the site without this type of plugin. And, the really good firewalls cost money and come from the host.
Theme scanner plugins may also cause more problems than they’re worth. For one, you have to already have the theme installed on your site for it to be scanned. Second, they could overwrite some of your code and/or lock you out of your site.
What Real Security Requires
Real site security requires a real geek to set up. Not a pseudo-geek, nor a site designer, nor even a WordPress trainer. Although BlogAid offers the service, you won’t find a step-by-step guide here because it requires getting into the code of the host files. You have to know code to do it properly, and every host has a slightly different procedure for setting permissions and modifying files. So, there is no one-size-fits-all guide anywhere online that applies to every host.
What You Can Do to Protect Your Site
Besides getting a geek to set up or check your WordPress installation, there are several measures you can take to protect your site.
- Use strong passwords for your login. Make it at least 8-10 characters, and include at least one number, one capital letter, and a special character or two (characters above the number keys). Always start with a letter. The goofier it looks the better. It has to be something you can remember, but not easy for hackers to guess.
- Back up your site regularly. If your site ever goes down for any reason, including being hacked, you’ll turn all shades of the rainbow sick if you don’t have a site backup. I use BackupBuddy, which is a premium plugin and well worth the cost. It backs up everything including the database, theme and plugins. The free plugin I most often recommend is WP-DB Backup. It’s easy to use and gets the whole database, which contains your content (pages, posts, comments).
- Keep WordPress updated. Some folks are wary of updating immediately if it’s a major release because the changes could break their theme. Yeah, I get that, and it’s true. But, don’t wait too long. The last major release that really caused havoc for a lot of folks was 3.0. The releases between 3.0 and 3.1, and the recent releases leading up to 3.2, have mostly been security updates. Those are the ones you want to jump on immediately. Hackers can easily see your WordPress version if that info is not properly hidden.
- Keep your theme updated. If you use a premium theme that has lifetime support, you’ll often get update notices for it. These are to keep the theme compliant with WordPress changes and to plug any security holes. Another thing to consider here is the value of child themes. WordPress updates would only affect the parent theme, or framework. The custom coding of the child theme would likely be undisturbed with a WordPress update.
- Keep your plugins updated. Again, these are to keep pace with WordPress and plug security holes.
- Vet your download source. Before you get that new free theme or plugin, be sure it’s provided by a trusted source. All of the themes and plugins listed on WordPress.org are vetted and safe. The reason some plugins are free but not listed there is that they contain some sneaky code that will allow hackers to use your site or host space for their own purposes. Many have no intention of harming your site, and you may never know they are there until you get a notice from Google that your site has been unflatteringly marked.
- Change your User or meta data. As mentioned previously, this is a simple fix.
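Two of the points above can be handled “in the code” rather than with a plugin: hiding the WordPress version string that hackers read from your pages, and limiting failed login attempts. The following must-use plugin is an added example written for this post, not code from BlogAid or from WordPress itself. It assumes you can place a file in wp-content/mu-plugins/ on your host, and the threshold of 5 attempts and the 15-minute lockout are assumed values you can change.

```php
<?php
/**
 * Plugin Name: Example login hardening (added example, not part of the original post)
 * Description: Hides the WordPress version string and limits failed logins per client IP.
 *
 * Assumed install location: wp-content/mu-plugins/login-hardening.php
 * (must-use plugins load automatically and cannot be deactivated from the Dashboard).
 */

defined('ABSPATH') || exit;

// 1. Hide the version. WordPress prints <meta name="generator" content="WordPress x.y">
//    in the page <head> and in RSS feeds; removing both denies the cheap fingerprint.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. Limit failed login attempts per client IP using transients, so no extra
//    database table is needed. Both numbers below are assumptions.
define('EXAMPLE_MAX_ATTEMPTS', 5);
define('EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

// Transient key for the connecting client. REMOTE_ADDR is the TCP peer address;
// headers such as X-Forwarded-For are deliberately ignored because a visitor can
// set them to anything and escape the limit.
function example_login_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_' . md5($ip);
}

// Count a failed attempt. Each failure also resets the expiry, so the lockout
// window keeps sliding while someone keeps trying.
function example_record_failed_login($username) {
    $key      = example_login_key();
    $attempts = (int) get_transient($key);
    set_transient($key, $attempts + 1, EXAMPLE_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'example_record_failed_login');

// Refuse the login once the threshold is reached, even if the password is right.
// Priority 30 runs after WordPress's own username/password check (priority 20),
// so the returned error replaces whatever that check produced.
function example_check_lockout($user, $username, $password) {
    if ((int) get_transient(example_login_key()) >= EXAMPLE_MAX_ATTEMPTS) {
        return new WP_Error(
            'example_locked_out',
            sprintf('Too many failed logins. Try again in %d minutes.', EXAMPLE_LOCKOUT_SECONDS / 60)
        );
    }
    return $user;
}
add_filter('authenticate', 'example_check_lockout', 30, 3);

// A successful login clears the counter for that client.
function example_clear_on_success($user_login, $user) {
    delete_transient(example_login_key());
}
add_action('wp_login', 'example_clear_on_success', 10, 2);
```

Because the lockout error itself fires wp_login_failed, a client that keeps hammering the login form keeps extending its own lockout, which is the intended behaviour. If your host puts WordPress behind a proxy or load balancer, REMOTE_ADDR will be the proxy's address and every visitor shares one counter; in that case the host, not this code, is the right place to do the limiting.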
Hack attacks are becoming so frequent that host providers are spending a lot of money to beef up their DIY security offerings so that new site owners will begin to take at least the first steps toward site security. For current site owners, if nothing else, call your host and ask what measures they can take for free to make your site more secure. For soon-to-be site owners, have a real geek set up your site right the first time, and then keep it updated.
And now the fine print. There is no such thing as a set it and forget it security installation. Hacker methods change and every upgrade of software has some new vulnerability. Security is an ongoing game you have to play, like it or not. But, the base installation is not something that has to be upgraded often. As long as you follow the suggestions in this post, you’ll be doing all that can be done to keep your site safe and secure.
Themes listed on WordPress.org are vetted for code quality and often the reviewers will pick up security issues (the theme review team are very good, but there are only so many of them and the automated tools can’t pick up security issues), but plugins in the repository have NO code review or quality review done on them at all – there are simply too many doing too many different things.
Not saying that plugins are in the repo that are security risks (they do generally get found out by the community pretty quick), BUT being in the repo is not a guarantee of safety & lack of evilness.
Sad to say, but many premium plugins and themes are chock full of security holes and other errors, so price isn’t a particularly good indicator of quality either.
Point well taken, Spanky, about the plugins. Appreciate knowing that they are not vetted by reviewers, just by the community as they are used. Agreed that some premium themes and plugins are just as loaded with bad stuff, which is why it’s good to follow folks like you and me to keep abreast of reviews from trusted sources.