6 Dead Simple Security Rules Every WordPress User Needs to Know – Part 1

Written by Mark Forrester on March 20, 2014 WordPress tips & tricks.

Today’s guest post is from Brennen Byrne. He’s the CEO at Clef, a company which has developed mobile app that replaces usernames and passwords with your smartphone.

Security can be a hard and scary topic especially for new users. The details are technical, getting them right is tricky, and one mistake can lead to disaster.

WordPress has an amazing security team working hard to protect their nearly 75 million sites, but at the end of the day, you’re the one who is responsible for the security of your site. If you get hacked, you’re the one to pay for it.

So what can you do to protect yourself without getting into all of the messy stuff? Here are 3 simple Rules to keep your site safe

1. Be Careful on Public Wifi

When you’re working from a coffee shop or other public place, make sure to only log into sites that have SSL. You can tell if a site is using SSL because the web address will start with “https://” instead of “http://”. That extra ‘s’ stands for ‘secure’ and it’s the only thing between your password and everyone else at that coffee shop.

Most browsers will also put a little green lock in the address bar to let you know you're on a secure connection
Most browsers will also put a little green lock in the address bar to let you know you’re on a secure connection

If you’re logging into your WordPress site without SSL, anyone else on the network can look at your username and password as they’re sent to the server. You can get around this by using a VPN, installing SSL certs, or using a program like Cloak — but the easiest rule to follow is to only log in to sites with the green lock.

Also, password protect your home and work wifi so you don’t have to worry about this as much.

2. Stop Using Bad Temporary Passwords

The biggest threat to most WordPress sites is your login form. Attackers can guess hundreds of thousands of passwords per second, and many accounts fall in just a few minutes. These attacks can also come from armies of computers (known as botnets) that are infected with a virus, so IP blockers or traditional login rate limiters won’t be able to stop them (BruteProtect is the best tool to help here).

By now almost everyone has heard the advice to use good passwords, but everyone still uses “password” when they hand over the site to a client or set up a new user. Stop it!

The problem is that many of those passwords never get changed. The client can’t figure out how to reset it, the ‘temporary’ account never gets deleted, or life somehow gets in the way and you’re just banking that no one is going to try and log in. Unfortunately, there are robots crawling every site looking for exactly these accounts—they will take over your site and ruin all of your hard work.

Of course, even if you do fix it, you’re leaving your site completely open for however long the handoff takes. It’s not worth the risk, choose a better password.

3. Delete Plugins and Themes You Don’t Use

The WordPress Security Team is working hard to keep core very, very safe. When there’s a security vulnerability, it gets fixed quickly (which is why you should keep your site up to date with the latest version of WordPress). Unfortunately, they can’t do the same thing for every plugin and theme, and few plugins or themes have enough people looking at the code to catch security flaws in time.

This means that most vulnerabilities come in plugins and themes. Of course you shouldn’t download plugins or themes that you don’t trust, but this also means you should delete the ones you’re not using. All of them!

This is advice that isn’t given enough, almost every site still has inactive plugins and themes.

An inactive plugin or theme can still be a danger to your site, and there’s no reason to keep them around. If your host installed a default theme that you changed, delete the default one. If you stop using a plugin, but might try it again later, delete it in the meantime.

That’s It

The security protocols you need to follow change depending on how important security is to a given project (Are you working for on a high-clearance level government project? These rules are not good enough.). But, WordPress is a very secure platform, and most of the security issues we see come from user error. If you follow these three rules, you’ll be better protected from the most common WordPress hacks.

We’ll continue part 2 of this series next week.


6 Responses

  1. bentasm1
    March 21, 2014 at 5:07 am #

    1.) Common sense.
    2.) Common sense.
    3.) Common sense.

    Maybe discuss Brute Protect, or User Login Log, or things like that which help.

    • Henrik
      March 21, 2014 at 11:39 am #

      You know what the sad part is? These 3 things are not common sense at all. I have had the badly sought experience in receiving login credentials from a client I worked with. They had the worst kind of password.

      Only logging in when there is an extra “s” on the http? Not many knows this.

      Protecting your Wifi with a password? Not that many people do this. Unless it comes password protected from your provider. If I walk around here in the place where I live and find wi-fi networks? More often than not are they unprotected.

      So yeah. These are good tips. Might be common sense for you, but for the bigger mass? Nope, not by a longshot.

    • Mark Forrester
      March 21, 2014 at 12:28 pm #

      Common sense is not so common.

  2. Isaac
    March 24, 2014 at 1:53 pm #

    Common sense, easy to be ignored, but wait until your site gets hacked. I have been a phishing victim before and i know how basic security settings are important.

  3. Brad
    March 24, 2014 at 6:41 pm #

    What about making sure you’re continually updating WordPress as they roll out new versions?

  4. Lance
    March 25, 2014 at 4:33 am #

    I’m excited for the next set of security tips, Warren. I personally had an issue with an old plug in before that also got breached. I hope it does not happen to others – it’s important you always update your plug in whenever necessary and also delete the ones you are not using.


The most customizable eCommerce platform for building your online business.

  • 30-day money-back guarantee
  • Support teams across the world
  • Safe and secure online payment
%d bloggers like this: