Harold Mansfield
05-08-2017, 12:36 PM
I hear all the time from people who don't use WordPress, that WordPress isn't secure.
This is a little unfair since nothing that is on or connected to the web is completely secure. Just ask Target, Sony, Yahoo, and the (est) 4k businesses a day who are hacked.
Core WordPress is secure, and updated regularly to keep up with new threats. It's probably updated more than any other software I use including Windows and Android.
However, it runs on a plugin and theme architecture. Whereas other software keeps you out of its core architecture to protect you from yourself, WordPress has NO RESTRICTIONS in how you can customize it, configure it, or what a user can install. You are in complete control. If you don't know what you're doing with any software or device that gives you that much control, it becomes you who isn't secure. Not the software.
So I thought I'd share a few tips on how to better secure a WordPress website, and keep the thread going to help answer any concerns.
Keep it updated. Always run the latest version of whatever software you're using. AND read the darn updates to see what they fixed.
Keep the number of admins on your site to a minimum.
Delete the first admin account that you created. It's likely user ID 1, and that's the first place hackers and malicious bots look.
Don't use "Admin" as your user name. If you're using "Admin", create a new account. (You'll need a second email address to do this. You can change it later).
Don't use the same username/nickname that you use with other online accounts. You're just making it too easy.
Use strong, unrecognizable passwords (ask for elaboration on this if interested).
Use or create your business email address for your WordPress administrator account. Business site. Business email. Stop using free email accounts for business and don't use the same email address that you use for everything else. (This is a whole security rant in itself, but for another time).
Knowing a little HTML and CSS will save you from installing 30 plugins to do what a little code could have done.
Stop installing 30 crap plugins, and leaving them there even when you're not using them. Delete things you aren't using.
Make sure your theme doesn't create a comments area on every image upload.
Delete spam comments completely from your dashboard. Use a spam blocker like Akismet. If you need the pro version, pay for the pro version.
Don't click on suspect comment links out of curiosity.
Vet your themes and plugins. Read the reviews. Check to see if others report issues. Look at how the developer handles support. Stop installing whatever just because it promises to do that one thing that you think you need right this second.
Keep plugins updated. If you're using old plugins or themes that haven't had an update in years, the developer has probably abandoned it, and any hope of keeping it secure. Check with them. If there is no response, find a new solution and get it off of your site.
Stop using your root for storage. If you need storage, buy storage. Where your website is hosted is not storage.
Delete the "read me" file from your installation.
Use the iThemes Security plugin (https://wordpress.org/plugins/better-wp-security/). It may take a while to read and understand all of the settings, but at minimum you want to use the setting that hides /wp-admin and changes its URL to a custom one that you set. Everyone knows where /wp-admin is.
Set up backups. Best case is doing it through your hosting dashboard and letting your host take and store your files and database backups. If your account doesn't come with backups, change it.
Stop using the cheapest hosting available for your business website.
Cheap hosting is shared hosting. Shared hosting is used by amateurs who themselves are a security risk, which makes your site and any site anywhere near them at risk.
It also means a shared email server which is also crap. Ever had an IP address blacklisted? Use shared email servers, and you will.
I could talk about this one for days, but bottom line is good, secure hosting costs money. It's supposed to cost money. You don't need WordPress-specific hosting that comes with a crapload of bloatware and monitoring software. Much of it is overpriced junk which limits your access and control of your website. Just make sure it's Linux hosting, and not Windows hosting, and take the time to learn something about running your own website.
Get an SSL/TLS certificate. Some hosts offer free SSL certificates for WordPress sites now via Let's Encrypt (https://letsencrypt.org/) and other open-source SSL/TLS options. Give yours a call to see if they do. If not, pay the money and get one. This isn't optional anymore.
Most hacks are not personal. They are crimes of opportunity. If you walk around thinking you have nothing a hacker would want, you're an opportunity. If a hacker sees a weakness in how you secure your website, it's a good indication that they can probably access your other accounts just as easily.
Does anyone else have any tips that they can share, or have questions about anything I've posted above?
Feel free to ask, that's why we're here.
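Several of the tips above (delete readme.html, get rid of user ID 1, don't use a guessable username, move the login off /wp-admin, force TLS) can be verified from the outside with a handful of unauthenticated requests. The script below is an added example, not code from the post or from WordPress; it checks those exposures against a base URL and is written so that the same checks run against a live site (via the urllib fetcher) or against the constructed example.com responses embedded at the bottom, which are made up for the demonstration. The check names and the two sample sites are assumptions for illustration; the URLs probed (readme.html, ?author=1, wp-json/wp/v2/users, wp-login.php) are WordPress defaults.

```python
# Added example, not code from the post: an offline-testable audit of the WordPress
# exposures listed above, standard library only. example.com responses are constructed.
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin

@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""
    def header(self, name: str) -> str:  # case-insensitive header lookup
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")

Fetcher = Callable[[str], Response]  # fetch(url) -> Response; must report, not follow, redirects

@dataclass
class Finding:
    check: str
    detail: str

def check_readme(base: str, fetch: Fetcher) -> Optional[Finding]:  # readme.html names the version
    r = fetch(urljoin(base, "readme.html"))
    if r.status == 200 and "wordpress" in r.body.lower():
        m = re.search(r"Version\s+(\d+(?:\.\d+)+)", r.body)
        return Finding("readme.html", f"exposed; advertises WordPress version {m.group(1) if m else 'unknown'}")
    return None

def check_author_id_1(base: str, fetch: Fetcher) -> Optional[Finding]:  # ?author=1 -> /author/<login>/
    r = fetch(urljoin(base, "?author=1"))
    m = re.search(r"/author/([^/?#]+)", r.header("Location"))
    if r.status in (301, 302) and m:
        return Finding("author-id-1", f"user ID 1 exists; login name leaks as '{m.group(1)}'")
    return None

def check_rest_users(base: str, fetch: Fetcher) -> Optional[Finding]:  # anonymous user listing
    r = fetch(urljoin(base, "wp-json/wp/v2/users"))
    try:
        users = json.loads(r.body) if r.status == 200 else []
    except ValueError:
        return None
    slugs = [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]
    return Finding("rest-users", "REST API lists usernames: " + ", ".join(slugs)) if slugs else None

def check_login_url(base: str, fetch: Fetcher) -> Optional[Finding]:  # default login URL still answers
    r = fetch(urljoin(base, "wp-login.php"))
    if r.status == 200 and 'name="log"' in r.body:
        return Finding("wp-login", "login form reachable at the default /wp-login.php")
    return None

def check_https_redirect(base: str, fetch: Fetcher) -> Optional[Finding]:  # http:// root -> https://
    if not base.startswith("http://"):
        return None
    r = fetch(base)
    if r.status in (301, 302, 307, 308) and r.header("Location").startswith("https://"):
        return None
    return Finding("tls", "plain HTTP is served without redirecting to HTTPS")

CHECKS = [check_readme, check_author_id_1, check_rest_users, check_login_url, check_https_redirect]

def audit(base: str, fetch: Fetcher) -> List[Finding]:
    base = base.rstrip("/") + "/"
    return [f for f in (check(base, fetch) for check in CHECKS) if f is not None]

def urllib_fetch(url: str, timeout: float = 10.0) -> Response:
    """Live fetcher for a real site: one request per URL, redirects reported rather than followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # a 3xx then surfaces as HTTPError below instead of being followed
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as resp:
            return Response(resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))

def make_fetch(table: Dict[str, Response]) -> Fetcher:
    return lambda url: table.get(url, Response(404))  # offline fetcher; unknown URL -> 404

# Constructed responses (not a real site) for an install with every problem the post lists.
WEAK_SITE = {
    "http://example.com/": Response(200, {}, "<html>front page</html>"),
    "http://example.com/readme.html": Response(200, {}, '<img alt="WordPress" /><br /> Version 4.7.4'),
    "http://example.com/?author=1": Response(301, {"Location": "http://example.com/author/harold/"}),
    "http://example.com/wp-json/wp/v2/users": Response(200, {}, '[{"id": 1, "name": "Harold", "slug": "harold"}]'),
    "http://example.com/wp-login.php": Response(200, {}, '<form><input type="text" name="log" /></form>'),
}

# Same install after the fixes: readme deleted, user ID 1 gone, listing denied, login URL moved, HTTPS forced.
HARDENED_SITE = {
    "http://example.com/": Response(301, {"Location": "https://example.com/"}),
    "http://example.com/?author=1": Response(404),
    "http://example.com/wp-json/wp/v2/users": Response(401, {}, '{"code": "rest_user_cannot_view"}'),
}
```

Against a live site you would call `audit("http://yoursite.example", urllib_fetch)` from a host you control; the fetcher deliberately refuses to follow redirects because the ?author=1 and HTTP-to-HTTPS checks depend on seeing the Location header rather than the page it points to. The REST user listing is the one the post does not mention but that gives the same username leak as user ID 1 without any redirect, so it is worth checking alongside it.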