Security can be a hard and scary topic, especially for new users. The details are technical, getting them right is tricky, and one mistake can lead to disaster.
WordPress has an amazing security team working hard to protect their nearly 75 million sites, but at the end of the day, you’re the one who is responsible for the security of your site. If you get hacked, you’re the one to pay for it.
So what can you do to protect yourself without getting into all of the messy stuff? Here are 3 simple rules to keep your site safe.
1. Be Careful on Public Wifi
When you’re working from a coffee shop or other public place, make sure to only log into sites that have SSL. You can tell if a site is using SSL because the web address will start with "https://" instead of "http://". That extra ‘s’ stands for ‘secure’ and it’s the only thing between your password and everyone else at that coffee shop.
If you’re logging into your WordPress site without SSL, anyone else on the network can read your username and password as they’re sent to the server. You can get around this by using a VPN, installing an SSL certificate on your site, or using a program like Cloak — but the easiest rule to follow is to only log in to sites that show the green lock.
Also, password protect your home and work wifi so you don’t have to worry about this as much.
2. Stop Using Bad Temporary Passwords
The biggest threat to most WordPress sites is your login form. Attackers can guess hundreds of thousands of passwords per second, and many accounts fall in just a few minutes. These attacks can also come from armies of computers (known as botnets) that are infected with a virus, so IP blockers or traditional login rate limiters won’t be able to stop them (BruteProtect is the best tool to help here).
By now almost everyone has heard the advice to use good passwords, but everyone still uses "password" when they hand over the site to a client or set up a new user. Stop it!
The problem is that many of those passwords never get changed. The client can’t figure out how to reset it, the ‘temporary’ account never gets deleted, or life somehow gets in the way and you’re just banking that no one is going to try and log in. Unfortunately, there are robots crawling every site looking for exactly these accounts—they will take over your site and ruin all of your hard work.
Of course, even if you do fix it later, you’re leaving your site completely open for however long the handoff takes. It’s not worth the risk; choose a better password from the start.
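As an added example (not code from the original post), here is a small must-use plugin that rejects the throwaway passwords described above whenever a user is created or edited from the WordPress admin screens. The blocklist, the minimum length and all function names are assumptions chosen for illustration:

```php
<?php
/**
 * Plugin Name: Reject Temporary Passwords (added example, not from the post)
 * Drop this file into wp-content/mu-plugins/ so WordPress loads it on every request.
 * It blocks the "password"-style handoff passwords when an account is created or
 * edited through the admin Add New / Edit User forms.
 */

// Constructed blocklist for illustration; extend it with whatever your team
// habitually types during a handoff. Values are compared lower-cased.
const RTP_BLOCKED_PASSWORDS = array( 'password', 'password1', 'temp', 'temp123', 'changeme', 'admin', 'letmein', '123456' );
const RTP_MIN_LENGTH        = 12; // assumed policy value

/**
 * Return an error message for an unacceptable password, or '' if it is acceptable.
 * Kept separate from the hook so the policy can be tested on its own.
 */
function rtp_password_problem( $password, $username = '' ) {
    $normalized = strtolower( trim( $password ) );
    if ( in_array( $normalized, RTP_BLOCKED_PASSWORDS, true ) ) {
        return 'That password is on the temporary-password blocklist. Pick a real one.';
    }
    if ( strlen( $password ) < RTP_MIN_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters.', RTP_MIN_LENGTH );
    }
    // Guessing tools try the username (and variations of it) before anything else.
    if ( $username !== '' && stripos( $password, $username ) !== false ) {
        return 'The password must not contain the username.';
    }
    return '';
}

/**
 * Runs inside edit_user() before the account is saved. $user->user_pass is only
 * set when the form supplied a new password, so profile edits that leave the
 * password alone pass through untouched.
 */
function rtp_validate_user_password( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $username = isset( $user->user_login ) ? $user->user_login : '';
    $problem  = rtp_password_problem( $user->user_pass, $username );
    if ( $problem !== '' ) {
        $errors->add( 'rtp_weak_password', '<strong>Error:</strong> ' . esc_html( $problem ) );
    }
}
add_action( 'user_profile_update_errors', 'rtp_validate_user_password', 10, 3 );
```

This hook only covers the admin user forms; accounts created through WP-CLI or the REST API do not pass through edit_user(), so treat it as a guard rail for the handoff habit rather than a complete password policy.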
3. Delete Plugins and Themes You Don’t Use
The WordPress Security Team is working hard to keep core very, very safe. When there’s a security vulnerability, it gets fixed quickly (which is why you should keep your site up to date with the latest version of WordPress). Unfortunately, they can’t do the same thing for every plugin and theme, and few plugins or themes have enough people looking at the code to catch security flaws in time.
This means that most vulnerabilities come in through plugins and themes. Of course you shouldn’t download plugins or themes that you don’t trust, but this also means you should delete the ones you’re not using. All of them!
This advice isn’t given often enough: almost every site still has inactive plugins and themes.
An inactive plugin or theme can still be a danger to your site, and there’s no reason to keep them around. If your host installed a default theme that you changed, delete the default one. If you stop using a plugin, but might try it again later, delete it in the meantime.
The security protocols you need to follow change depending on how important security is to a given project (Are you working on a high-clearance government project? These rules are not good enough.). But WordPress is a very secure platform, and most of the security issues we see come from user error. If you follow these three rules, you’ll be better protected from the most common WordPress hacks.
We’ll continue part 2 of this series next week.