A few weeks ago, a friend of mine tried accessing her WordPress blog via her smartphone only to find that it mysteriously redirected her to a Russian website. When she tried accessing the site through her desktop web browser, however, it came up just fine. She called me to help figure out what was going on, so I dug into the code for the template she was using and discovered someone had exploited a WordPress security vulnerability. They added code that redirected mobile visitors to the foreign site.
It was a reasonably quick and easy hack to fix, and I immediately changed the passwords used to access both the WordPress site, as well as the server credentials used to upload code, but it left me feeling uneasy about the security of that WordPress install for a while.
So, when I saw that Dre Armeda from online security firm, Sucuri, was delivering a talk about WordPress security at the recent New Media Expo, I made sure I was in the front row, notebook in hand.
It turns out that keeping your WordPress installation secure – whether your site is hosted on WordPress.com or installed locally through WordPress.org – is not difficult, but you need to stay on top of it. There’s nothing inherently insecure about WordPress – certainly no more than any other web application – but following these tips, culled both from Armeda’s talk, as well as my own experience managing WordPress sites and other online systems, can reduce the chances that you’ll be unpleasantly surprised by a hack.
- Change passwords frequently – Armeda likens passwords to toothbrushes – you should choose a good one, change it often and not share it with anyone. Changing your password monthly or quarterly is good practice for anything that requires a password. Select something that can’t be found in the dictionary and liberally pepper it with numbers and non-alphabetic symbols like #@$ or %. Armeda also recommends taking advantage of a password manger like LastPass, which can handle much of the heavy lifting of changing and maintaining multiple secure passwords for you.
- Keep both WordPress and its plugins updated – It seems that every time I log in to the admin console for WordPress, there’s another prompt to either update WordPress itself, or one of the plugins I’ve installed. It only takes a few minutes, but I’ve been tempted to put it off. Like me, you’ll need to fight this temptation. Try to log in as the admin user at least once a week to make sure everything is up-to-date. Often, these updates fix security vulnerabilities that could leave your site open to hackers. Since the code that runs WordPress and its plugins is open for the world to see, it often doesn’t take long for some nefarious coder to find and exploit a security hole. Keeping everything up-to-date helps keep your site safe.
- Delete unused plugins – I often install two or three plugins for a specific feature – such as SEO, social sharing or contact forms – before I settle on one I plan to use. Simply deactivating the plugins you’re not using isn’t enough – the code is still on your server and, if it has some weakness in it, can be exploited. Make sure you hit the “Delete” link on these plugins to remove them from your server completely.
- Never use the “admin” account to create content – WordPress and its plugins are only one point of possible infection. The computer and browser you use to access them can also be a weakness. Some pieces of malware sniff for passwords and then share them with other bad guys in the Internet. Since the “admin” account on WordPress has access to the entire install, having that password get out could be disastrous. To limit the risk, set up a separate user with the “Editor” or “Author” role in your WordPress installation and only use that account when you’re creating new blog posts or commenting. You should only use the “admin” account when you’re performing administrative functions.
- Keep your antivirus software up-to-date and scan your computer frequently – If you don’t currently have antivirus software installed on your computer (i.e., Norton, Avast, Trend Micros, etc.), stop what you’re doing (ok, finish reading this post then do it) and get it installed immediately. And when your antivirus needs an update, allow it. Do a thorough scan of your machine at least once a month to keep it clean of the kind of malware that can open you to a whole variety of security issues.
It’s important to understand that nothing can guarantee 100% WordPress security. But, staying on top of software updates, changing your passwords frequently and limiting your risk to exposure for a security breach can get you more than 98% of the way there.
© 2013 – 2018, Contributing Author. All rights reserved.