Since I listened to Kieran O’Shea’s talk at WordCampUK, I’ve been taking security much more seriously. Kieran had some pretty scary statistics regarding hacking. For example, 90% of all businesses have been hacking victims in the last 12 months, and there is an average of 156 days before victims realise that hacking has taken place.
Having your site hacked is bad news. There are many ways in which a site can be hacked, and many outcomes, but be assured that none of them are pleasant.
Luckily there are things that you, as a WordPress site owner, can do about it.
User names and passwords
This is my absolute number one tip: use strong username and password combinations.
I recently had my PayPal account hacked because I used the same username and password everywhere. Eventually, I either signed up to a fake site, or a site I registered with was hacked. Either way, once the hackers had my details they could access everything of mine online.
Here are some rules to follow:
- Don’t use ‘admin’ as a username.
- Use a strong password.
- Use a unique password.
If you have a user called ‘admin’, set up a new user with administration privileges and then go and delete the ‘admin’ user. Do it now!
WordPress will tell you if your password is strong or not. If it isn’t, think of another one.
Since my PayPal incident I’ve started to use unique passwords for nearly every site that I use. I know that it sounds daunting, but there are ways to manage passwords (check out 1Password).
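The three rules above can be checked mechanically. The following is an added example written for this post, not WordPress’s own password strength meter: it flags default usernames such as ‘admin’ and rates a password on length and character variety. The thresholds, the blocked usernames beyond ‘admin’, and the small sample of common passwords are assumptions chosen for illustration; the third rule (a unique password per site) is what a password manager gives you and is not modelled here.

```python
"""Username and password checks following the three rules above.

Added example for this post; it is not WordPress's own strength meter.
The thresholds, the blocked usernames beyond 'admin' and the
common-password sample are assumptions chosen for illustration.
"""
import math
import string

# 'admin' comes from the post; the other default names are assumptions.
BLOCKED_USERNAMES = {"admin", "administrator", "root", "test", "user"}
# Constructed sample of passwords seen in every leaked list (assumption, not a real list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "wordpress", "admin123"}

TOO_SHORT = "shorter than 12 characters"
COMMON = "appears in the common-password sample"
HAS_USERNAME = "contains the username"
LOW_VARIETY = "too little character variety for its length"


def username_problems(username: str) -> list:
    """Rule 1: don't use 'admin' (or another default account name) as a username."""
    problems = []
    name = username.strip().lower()
    if name in BLOCKED_USERNAMES:
        problems.append("default account name that attackers guess first")
    if len(name) < 3:
        problems.append("shorter than 3 characters")
    return problems


def estimate_bits(password: str) -> float:
    """Rough guessing resistance: log2(alphabet size) * length, where the alphabet
    is built from the character classes actually used (a deliberately simple model)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() or not c.isascii() for c in password):
        pool += 33  # assumption: modest extra credit for spaces and non-ASCII
    return math.log2(pool) * len(password) if pool else 0.0


def password_problems(password: str, username: str = "") -> list:
    """Rule 2: a strong password. Returns the reasons it falls short (empty list = fine)."""
    problems = []
    lowered = password.lower()
    if len(password) < 12:
        problems.append(TOO_SHORT)
    if lowered in COMMON_PASSWORDS:
        problems.append(COMMON)
    if len(username) >= 3 and username.lower() in lowered:
        problems.append(HAS_USERNAME)
    if estimate_bits(password) < 60:
        problems.append(LOW_VARIETY)
    return problems


def rate_password(password: str, username: str = "") -> str:
    """'weak' for a disqualifying flaw, 'medium' when only length or variety is
    marginal, 'strong' when nothing is flagged."""
    problems = password_problems(password, username)
    if not problems:
        return "strong"
    if COMMON in problems or HAS_USERNAME in problems or len(password) < 8:
        return "weak"
    return "medium"


if __name__ == "__main__":
    for user, pw in [("admin", "password"), ("sarah_editor", "Tr0ub4dor&3"),
                     ("sarah_editor", "xK9#mQ2vLp!7wZ")]:
        print(user, username_problems(user), rate_password(pw, user), password_problems(pw, user))
```

Run it as a script to see each sample rated; a password that merely clears the "strong" bar here is still only as safe as its uniqueness, which is why the next paragraph's password-manager advice matters.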
Keeping up to date with the latest version of WordPress, and especially with the security patches, is my next biggest tip.
As of writing, WordPress is at version 3.4.1. They are constantly releasing security patches and other major upgrades. Keep ahead of the hackers by having the latest version installed.
Warning: back up your site fully before installing updates, especially point releases, i.e. moving from 3.4.1 to 3.5.
Sometimes upgrades will break your themes or plugins. This is just the way it is. Nobody can predict the future, but the best themes and plugins should be more future-proof.
If you run into problems with upgrades, revert to your backed up version and contact your WordPress professional. Ideally, have your pro do the upgrade, testing and bug fixing for you.
I will be offering my clients upgrade services. Please contact me to discuss upgrading your site.
There are some really helpful security plugins on the market:
- WordPress File Monitor Plus – Scott Cariss
- Limit Login Attempts – Johan Eenfeldt
- Better WP Security
- WP Security Scan
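The first plugin in the list watches for files that change when they shouldn’t, which is one of the few ways to shorten the 156 days mentioned at the top. The following is an added example for this post showing the idea behind such a monitor; it is not the code of WordPress File Monitor Plus. It records a SHA-256 baseline of every file under a directory, then reports added, modified and removed files on the next run. The excluded paths and the small site layout built in `demo()` are constructed for illustration.

```python
"""File-integrity baseline: the idea behind a file-monitor plugin.

Added example written for this post; it is not the code of WordPress File
Monitor Plus. The directory layout scanned in demo() is constructed.
"""
import hashlib
import os
import tempfile

# Paths that change legitimately all the time; excluding them keeps the report
# readable. The names are an assumption modelled on a typical WordPress install.
EXCLUDED_PREFIXES = ("wp-content/uploads/", "wp-content/cache/")


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(EXCLUDED_PREFIXES):
                continue
            baseline[rel] = sha256_file(full)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Report what an unexpected edit shows up as: new, changed or missing files."""
    return {
        "added": sorted(p for p in new if p not in old),
        "modified": sorted(p for p in new if p in old and new[p] != old[p]),
        "removed": sorted(p for p in old if p not in new),
    }


def _write(root: str, rel: str, data: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate an edited theme file,
    an unexpected new file and a deleted plugin file, and report the difference."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'example');\n")
        _write(root, "wp-content/themes/mytheme/functions.php", "<?php // theme functions\n")
        _write(root, "wp-content/plugins/hello.php", "<?php // hello dolly\n")
        _write(root, "wp-content/uploads/2012/07/photo.jpg", "not really a jpeg")
        before = build_baseline(root)

        _write(root, "wp-content/themes/mytheme/functions.php",
               "<?php // theme functions\n// unexpected extra code appended\n")
        _write(root, "wp-content/uploads/2012/07/photo.jpg", "a re-uploaded photo")  # excluded path
        _write(root, "wp-includes/.cache.php", "<?php // file that should not exist\n")
        os.remove(os.path.join(root, "wp-content/plugins/hello.php"))
        after = build_baseline(root)

    return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real site you would save the baseline (for example as JSON) right after a clean install or a verified upgrade, re-run the scan on a schedule, and treat any report that is not explained by an update you made yourself as something to investigate, restoring from your backup if needed.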
If you need help or advice regarding security please get in touch.