What You Need to Know About Securing Your WordPress Site
By Elaine Griffin on April 12, 2013
Featured Member Post
Just like any online account you have, there are security issues associated with having a WordPress blog or website. Fortunately there are ways to help safeguard your site and your information. Although nothing will completely eliminate the threat of hackers, a little forethought and continued monitoring efforts should reduce your vulnerability.
Yahoo! Security by Yodel Anecdotal via Flickr
Usernames and Passwords
- When installing WordPress on your hosting account, change the default username, admin, to a unique username. Using a combination of letters and numbers is a good idea.
- Create a strong password, which contains letters, numbers, at least one capital letter, and a symbol.
- Change your password often, and NEVER let your computer store your login information.
- Never give your login information to anyone. Ever. Even your designer, if you have one. Always create a new administrative login for your designer. Create contributor or editorial accounts as necessary.
- I feel I should tell you to never write down usernames or passwords. I know it’s hard to remember all of our unique usernames and passwords, so you have to make a choice on this one.
WordPress Themes, Frameworks, and Plugins
- Only use premium themes or themes from WordPress.org. The core framework of these themes is maintained and most likely free of bugs. Use a trusted designer to customize your design using a child theme. (There are a couple of exceptions to this rule, one being Smashing Magazine, which offers some free, safe themes. Another good article about free WordPress themes was linked here.)
- Always delete any unused themes you may have installed. You can always re-download them if you want to.
- As I said before, any theme modifications should be done using a child theme. These theme mods should be done outside of the WordPress dashboard, with editing software, and uploaded via FTP.
- Limit the number of plugins you use, and always delete de-activated plugins.
- Always use the latest version of WordPress, any framework you might use, your theme, and your plugins. You should monitor this constantly.
- Disallow user registration. In the dashboard, go to “settings” and then “general” and uncheck the box that says “anyone can register.”
- Dashboard theme and plugin editing can be disallowed by adding a simple line of code to the functions.php file. You should do this, and you should probably seek help with it if you are not a coder.
- Secure your file permissions. In your FTP directory, you can set permissions on individual files and folders for the owner, the group, and other users. This is another advanced task that you should seek help with if you do not know anything about coding or FTP.
There are a ton of WordPress security plugins out there. Two of the top plugins are Better WP Security and Bulletproof Security. Another plugin, Limit Login Attempts, combats brute-force logins by limiting the number of login attempts one can make. Information about attempted logins, including the IP address, is logged and can be viewed in your dashboard.
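As an added illustration (not code from the original post), the following child-theme functions.php snippet shows the "simple line of code" that disables the dashboard editor, keeps user registration switched off, and adds a minimal version of the failed-login counting that Limit Login Attempts performs. The hook names are standard WordPress ones; the attempt limit and lockout window are assumed values.

```php
<?php
// Added example, not from the original post: hardening snippet for a child
// theme's functions.php. The threshold and window below are assumed values.

// 1. Disable the dashboard theme/plugin file editor. Guarded so it does not
//    clash with the same constant if it is also set in wp-config.php.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// 2. Keep "Anyone can register" off even if the setting is re-enabled later.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// 3. Minimal brute-force throttle: count failed logins per client IP in a
//    transient and refuse further attempts once the limit is reached.
const HARDEN_MAX_ATTEMPTS    = 5;       // assumed threshold
const HARDEN_LOCKOUT_SECONDS = 15 * 60; // assumed window

function harden_client_key() {
    // REMOTE_ADDR is only meaningful if the site is not behind a proxy/CDN.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'harden_fails_' . md5( $ip );
}

add_action( 'wp_login_failed', function ( $username ) {
    $key   = harden_client_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, HARDEN_LOCKOUT_SECONDS );
    // Record the attempt together with the client IP, as the plugin does.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'Failed WP login #%d for "%s" from %s', $fails, $username, $ip ) );
} );

// Runs after WordPress's own username/password check (priority 20), so a
// locked-out client is refused even when the credentials are correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( harden_client_key() ) >= HARDEN_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins; try again later.' );
    }
    return $user;
}, 30, 3 );

// Reset the counter for this client after a successful login.
add_action( 'wp_login', function () {
    delete_transient( harden_client_key() );
} );
```

The counter lives in a transient, so on a host with object caching it resets whenever the cache is flushed; the dedicated plugins mentioned above store their logs more durably.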
Outside of WordPress
- In addition to keeping up with your WordPress and plugin updates, you should make sure that your virus protection and firewalls are up to date, and your networks are secure. You should also make sure to update your browsers.
- You should also ensure that your host is keeping up to