5 WordPress Site Security Guidelines
As one of the most popular web development platforms, WordPress enjoys a wide and active user base, frequent new features, and thorough documentation. The company estimates that almost 15% of global websites harness WordPress software. With this immense popularity, however, a serious drawback surfaces. Hackers and harmful scripts target WordPress sites because they form such a large pool and share vulnerabilities.
By implementing the strategies outlined below, WordPress site owners can empower themselves and protect their sites beyond the default settings. Owners can successfully minimize their security risks and continue to enjoy the many benefits of the platform.
1. Select or Move to a Reliable Host
Setting up a well-protected site starts with choosing a high-quality host. Reliable hosts will constantly monitor their servers for attacks or issues, update their software on a regular basis, and assign your files the most secure permission settings possible. Ask your colleagues about their host experiences. (My host of choice is currently HostGator. I’ve also heard positive reviews of Bluehost, Media Temple, and Laughing Squid.)
Once you’ve compiled a list of recommended hosts, check for must-have features such as: 24-hour phone support (without long hold times), weekly offsite backups, site restoration service, and recent versions of Apache, PHP, and MySQL. Grill your possible hosts about their features, and choose the one you feel most comfortable with.
2. Ask for Theme Security Add-Ons
If buying a custom theme, request that the authoring company complete some extra security-minded steps. Beyond setting up your security keys, developers can: customize the admin username, remove the WordPress version number from public files, define a unique database prefix, and add restrictions to your .htaccess files.
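To confirm that two of these steps were actually done on a delivered site, the contents of wp-config.php can be checked for leftover sample security keys and the default database prefix. The script below is an added example, not code from this article or from any theme vendor; the function names and the 32-character minimum are assumptions, and it covers only the security keys and the database prefix.

```python
import re

# The eight secret constants WordPress reads from wp-config.php.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value in wp-config-sample.php
MIN_KEY_LEN = 32  # assumption: local policy threshold, not a WordPress rule

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)

# Constructed sample: placeholder key, commented-out define, default prefix.
SAMPLE = """<?php
define( 'AUTH_KEY', 'put your unique phrase here' );
// define('NONCE_KEY', 'commented out, must not count');
$table_prefix = 'wp_';
"""


def live_lines(php):
    """Drop lines that are comments (//, #, /*, *) so disabled defines are ignored."""
    keep = [l for l in php.splitlines()
            if not l.lstrip().startswith(("//", "#", "/*", "*"))]
    return "\n".join(keep)


def audit_wp_config(php):
    """Return findings for security keys and database prefix in wp-config.php text."""
    code = live_lines(php)
    defines = {name: value for name, _q, value in DEFINE_RE.findall(code)}
    findings = []
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name}: not defined")
        elif value == PLACEHOLDER:
            findings.append(f"{name}: still the sample placeholder")
        elif len(value) < MIN_KEY_LEN:
            findings.append(f"{name}: shorter than {MIN_KEY_LEN} characters")
    # Every key and salt should be a different random string.
    real = [defines[n] for n in KEY_NAMES if defines.get(n, PLACEHOLDER) != PLACEHOLDER]
    if len(real) != len(set(real)):
        findings.append("security keys: one value reused for several constants")
    prefix = PREFIX_RE.search(code)
    if prefix is None:
        findings.append("$table_prefix: not set")
    elif prefix.group(1) == "wp_":
        findings.append("$table_prefix: default 'wp_' in use")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_wp_config(SAMPLE)))
```

An empty result means all eight keys are set to distinct, non-placeholder values and the table prefix is not the default.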
When browsing for a free WordPress theme on the web, be careful in your selection. Ensure your theme is malware-free by choosing one from the WordPress Themes Directory.
3. Choose Safe Plugins
When searching for a plugin, select one from the WordPress Plugin Directory. The plugin detail page should thoroughly describe the functionality. In the sidebar, you’ll find WordPress version compatibility information, when the plugin was last updated (hopefully in the past year), a community star rating (ideally 4 or more), and recent support posts. This information should help you compare plugins and decide which is the most sound.
In his screencast “WordPress 3: Developing Secure Sites,” Web Designer and Developer Jeff Starr suggests installing several plugins for stronger WordPress site security. These include: Akismet, Login Lock, WordPress File Monitor, WordPress Firewall 2, Exploit Scanner, and WP Security Scan. By adding these plugins, you can increase your site security with little effort.
4. Update All Your WordPress Files
Every few weeks, you will notice an alert in the admin interface urging you to update your WordPress version. This alert is generated when WordPress.org releases a new version of its software. Keeping WordPress updated ensures your site takes advantage of the latest core security enhancements. Plugins similarly will alert you when new versions are available. You should regularly update your WordPress version, plugins, and theme.
If you’ve purchased a custom theme, check back with the development company every six months or so for security enhancements.
Before performing any updates, remember to back up your site. Also make sure your theme and plugins work with the new WordPress version. You may need to check with your development company to confirm theme compatibility. The plugin compatibility information is displayed when you click on Updates in the left nav under Dashboard.
5. Use Strong Passwords
Creating long, varied, and complex passwords may seem like a hassle, but they add an extra layer of protection to your admin interface. Passwords should be unique to users and programs, and they should be changed frequently. Strong passwords include a combination of numbers, characters, and uppercase and lowercase letters.
Once you’ve completed the steps outlined above, you’ll feel confident knowing you’ve armed your site against potential threats. You can return to creating valuable content for the people you truly care about – your target audience and legitimate site visitors.