Thoughts

WordPress thoughts

WordPress is one of the most used website platforms out there, if not the most used. It’s also one of the most attacked by hackers worldwide, so today my post is all about keeping your WordPress site safe and secure. Note: This is not meant to be a comprehensive list, it is only what I do when setting up a new site.

Over the years I have had many WordPress websites, including this one. I’m happy to help when someone asks for advice on setting one up for themselves, but only to the point where I get it installed, updated, and buffed up with the plugins that I consider a must-have. After that, they’re on their own! That’s the beauty of WordPress though; literally, anyone can use it.

Here are 3 great plugins that I consider a must, regardless of the kind of site you’re going for:

    • Wordfence. This little gem is going to save your bacon when your site gets noticed by hack-bots. You’ll notice I said “when”, not “if”. Any website that has a domain name or gets mentioned/linked to is going to get found and scanned by a bot sooner or later. Simply put, Wordfence is a web application firewall and malware scanner for WordPress that you can tune to your preference. A word to the wise though: you will get a LOT of email from this plugin, as good bots crawl your site for search engines and bad bots probe it for vulnerabilities. More about that last bit in a minute. Set up filters on your email to deal with the notifications as you see fit, and don’t panic when they start to roll in. Do that now, before you do anything else! The subject line you will see most often is [Wordfence Alert] yourdomain Blocking IP xx.xxx.xxx.xx, and it means that a person or bot tripped one of Wordfence’s blocking rules and Wordfence blocked them. Don’t panic; it doesn’t mean you’ve been hacked, or even that a real attempt was made. Essentially it means your site was noticed and a scan was attempted. Back to the email filter thing: I just checked and there were 187 emails since last night [for 3 different WordPress sites I manage] with essentially the same message in the special folder I set up for it. Select all, mark as read. Keep them for a few days in case you notice anything amiss that you want to look back on, then delete them. Back in the early days, these emails would really make me paranoid and I’d go IP address by IP address banning each one. Don’t bother doing this: the bots rotate through thousands of addresses, so it won’t even slow them down. The best thing you can do is button down your website and make sure it’s as secure as you can make it. Then get on with living your best life.

 

    • Hide Login. This one, my friends, is a Game. Changer. Every WordPress site ships with the same login URL, wp-login.php, so that is where every password-guessing bot goes first. Changing it requires coding OR a good plugin. Use the plugin. It lets you move your login page to a path that only you know, so make sure you bookmark it once you create it. Obviously, you’re not going to use a person or pet’s name, or any other easily guessed word for this. Guess what happens when you make this one simple change? Your email notices from Wordfence drop off, because the bulk of the automated guessing is aimed at the default URL. One caveat: this is hiding, not locking. Anyone who learns the new path is looking at a normal login page again, and WordPress also accepts logins through xmlrpc.php unless you disable that, so keep the strong password (more on that below) and turn on two-factor authentication, which Wordfence includes in its free version.

 

    • Classic Editor. No, this is not a security feature, and not everyone is going to want or need this, but if you know your way around building a website, you’re not going to want to rely on the block-based WYSIWYG editor. Yuck. I really love the ability to go back to the original editor, and I appreciate that WordPress made that happen.

Now that I’ve shared the AddOns that will make your life easier, I want to also cover some “dos and don’ts” for using WordPress.

    • Never, ever EVER use “admin” for your username. Not admin, not administrator, not adm, not root, not user, and definitely NOT YOUR OWN NAME. Just don’t; those are the first guesses every password-guessing bot tries. You can set a separate author name (‘Nickname’) that is published on posts once you are logged in, so don’t make it easy. Use a couple of words together, maybe. In my screenshot I used “Securename”. Obviously that isn’t my login username, just an example. Put the name you want readers to see in the Nickname field, and it will appear in the dropdown menu where you choose what appears on posts. Easy and more secure. One thing to know: the nickname keeps your username off your posts, but by default your author archive URL (yoursite/author/yourusername/) and the WordPress REST API still reveal it, so treat the unusual username as a speed bump and the password as the actual lock.

 

    • Always make your password secure. Do I even need to tell you not to use “password” as your password? This is a good link for you to visit, and this is a great secure password generator that I use all the time. Better yet, let a password manager generate a long random password and remember it for you, so it never gets reused on another site. I could write a few pages on this topic, but it will stress me out and I’ll end up swearing, and no one needs me to go down that rabbit hole.

 

    • Make sure WordPress is set to auto-update. That one I know some will fight me on, because sometimes big updates break plugins and themes that have not kept up with the latest versions, but I’m going to stand firm on it because I know people often forget to even log in for months sometimes, and WordPress is one of those things that is constantly updating. It is not unheard of to have several updates over the period of a week as vulnerabilities are identified. This is a good thing, but it also means users must keep it updated. Out of the box, WordPress only applies minor and security releases on its own; major releases need the “Enable automatic updates for all new versions” switch on the Dashboard → Updates screen, and each plugin has its own “Enable auto-updates” link on the Plugins screen. So turn that on, and also consider doing the same for your installed plugins. That segues to my next topic nicely:
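If you would rather flip these switches from the command line (handy when you look after several sites), here is a small shell script. It is an example I am adding here, not code from the original post or from WordPress. It assumes the site lives at $WP_ROOT with a standard wp-config.php, and, for the plugin/theme part only, that WP-CLI (the wp command) is installed; the set_wp_constant helper is my own, not a WordPress or WP-CLI feature.

```shell
#!/bin/sh
# Added example: turn on WordPress core auto-updates (including major releases) by
# setting WP_AUTO_UPDATE_CORE in wp-config.php, and optionally enable plugin and theme
# auto-updates through WP-CLI. Assumptions: the site is at $WP_ROOT and wp-config.php
# has the usual "stop editing" marker line. set_wp_constant is my own helper.

WP_ROOT="${WP_ROOT:-/var/www/html}"

# set_wp_constant FILE NAME VALUE
# Replaces an existing define('NAME', ...) line, or inserts one above the "stop editing"
# marker so it takes effect before wp-settings.php loads. VALUE is written verbatim:
# pass true/false as-is, and strings with their quotes, e.g. "'minor'".
set_wp_constant() {
  file=$1; name=$2; value=$3
  line="define( '$name', $value );"
  awk -v q="'" -v name="$name" -v l="$line" '
    # an existing define() for this constant: replace it (first one only)
    !done && index($0, "define") && index($0, q name q) { print l; done = 1; next }
    # none yet: slot ours in just above the "stop editing" marker
    !done && /stop editing/ { print l; done = 1 }
    { print }
    END { if (!done) print l }   # no marker either: append at the end
  ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
  # (cat-ing over the original keeps its owner and permissions, unlike mv)
}

case "${1:-}" in
  apply)
    # true = minor AND major core releases; 'minor' = security/minor only; false = off.
    set_wp_constant "$WP_ROOT/wp-config.php" WP_AUTO_UPDATE_CORE true
    # Plugins and themes are per-item switches. WP-CLI (assumed installed) flips them all,
    # the same as clicking "Enable auto-updates" on each row of the Plugins screen.
    wp plugin auto-updates enable --all --path="$WP_ROOT"
    wp theme auto-updates enable --all --path="$WP_ROOT"
    ;;
  check)
    # Two other constants can silently switch updates off: DISALLOW_FILE_MODS (some hosts
    # set it) blocks all installs and updates, and AUTOMATIC_UPDATER_DISABLED stops the
    # background updater entirely. Show whatever is set right now.
    grep -n -e WP_AUTO_UPDATE_CORE -e DISALLOW_FILE_MODS -e AUTOMATIC_UPDATER_DISABLED \
      "$WP_ROOT/wp-config.php" \
      || echo "no update-related constants set: core defaults to minor/security updates only"
    ;;
esac
```

Run it as `sh updates.sh check` first to see what is already in wp-config.php, then `sh updates.sh apply`. If `check` turns up DISALLOW_FILE_MODS or AUTOMATIC_UPDATER_DISABLED set to true, that is usually your host managing updates for you; ask them before overriding it, because otherwise nothing will auto-update no matter what else you set.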

 

    • Back up your WordPress site every so often, and always before a major change. I also recommend backing up the whole database, but that might be out of your comfort zone so I won’t cover that. If you’re interested though, Google is your friend. (It does matter: your posts, pages, users and settings live in the database, not in the files, so a copy of the files alone will not bring a site back.) I recommend keeping the last 2 backups and discarding older ones, and keeping at least one copy somewhere other than the web server itself; a backup sitting on a hacked server is not a backup. Always better safe than sorry. I usually choose a backup day (and put it in my phone calendar to remind me) where I do my sites and my cell phone. You do back up your cell… right?
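For anyone who does want to go past the comfort zone, here is the kind of script I would run from cron every night: it dumps the database, bundles it with the site files into one archive, and keeps only the last 2. This is an example I am adding, not code from the original post. It assumes the site is at $WP_ROOT with a standard wp-config.php, that mysqldump is installed, and that $BACKUP_DIR is outside the web root; the function names are my own.

```shell
#!/bin/sh
# Added example: back up a WordPress site (files + database) and keep only the newest copies.
# Assumptions (not from the post): wp-config.php is at $WP_ROOT/wp-config.php, mysqldump is
# installed, and $BACKUP_DIR is outside the web root so a compromised site cannot read or
# overwrite the backups. The function names are my own.

WP_ROOT="${WP_ROOT:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"
KEEP="${KEEP:-2}"   # the post's advice: keep the last 2 backups

# wp_config_value NAME FILE: print the value of define( 'NAME', '...' ) from wp-config.php.
# Reading the file with sed avoids running PHP just to fetch a credential.
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*'$1'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$2" | head -n 1
}

# backup_wordpress: dump the database, then tar it together with the whole site directory.
backup_wordpress() {
  cfg="$WP_ROOT/wp-config.php"
  db_name=$(wp_config_value DB_NAME "$cfg")
  db_user=$(wp_config_value DB_USER "$cfg")
  db_pass=$(wp_config_value DB_PASSWORD "$cfg")
  db_host=$(wp_config_value DB_HOST "$cfg")
  stamp=$(date +%Y%m%d-%H%M%S)
  work=$(mktemp -d) || return 1
  mkdir -p "$BACKUP_DIR"

  # Credentials go into a mode-600 options file, never on the mysqldump command line,
  # where any local user could read them out of the process list.
  printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' "$db_user" "$db_pass" "$db_host" > "$work/my.cnf"
  chmod 600 "$work/my.cnf"
  # --single-transaction gives a consistent snapshot of InnoDB tables without locking the site.
  mysqldump --defaults-extra-file="$work/my.cnf" --single-transaction "$db_name" > "$work/db.sql" || {
    rm -rf "$work"; return 1
  }
  tar -czf "$BACKUP_DIR/wp-backup-$stamp.tar.gz" -C "$WP_ROOT" . -C "$work" db.sql
  rc=$?
  rm -rf "$work"
  return $rc
}

# prune_backups KEEP DIR: delete all but the KEEP newest wp-backup-*.tar.gz files in DIR.
prune_backups() {
  ls -1t "$2"/wp-backup-*.tar.gz 2>/dev/null | tail -n +"$(($1 + 1))" | while IFS= read -r old; do
    rm -f "$old"
  done
}

case "${1:-}" in
  run) backup_wordpress && prune_backups "$KEEP" "$BACKUP_DIR" ;;
esac
```

A crontab line such as `0 3 * * * sh /home/you/backup.sh run` takes care of the "every so often" part, and adding an rsync or rclone of $BACKUP_DIR to another machine or a cloud bucket takes care of the off-server copy. To restore, extract the archive into a fresh WordPress directory and load db.sql into an empty database with the mysql client.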

 

It may sound like a lot, but most of it is common sense and also learning from those who have been using the platform for a long time. I really like WordPress, personally. It’s super user-friendly, incredibly versatile, and a massive time-saver. (That I’m using 3 superlatives in one sentence is a good indication that I am a true fan).

No, I don’t work for WordPress, but I really should! Hey, Matt Mullenweg! Are you hiring?