August 24th, 2012 by Jack Waknitz
Website security is of primary importance to your internet marketing efforts and its demands are both broad and deep. Fortunately, WordPress websites are relatively easy to keep secure if you follow a few basics:
Make Sure Everything in Your WordPress Website Is Up-to-Date
Ensure plugins, non-custom themes, and WordPress itself are up-to-date. If you want to see whether your site is up-to-date, go to http://yourdomain.com/wp-admin/update-core.php. Read over any changelogs for your plugins and themes before updating to make sure there are no known compatibility issues. Once compatibility is confirmed, you can easily update most items with a single button press. If you have questions about updates or compatibility concerns, give us a shout!
Manage WordPress User Access
Keep your “Administrator” user accounts audited. Try to keep the number of administrator accounts you have to a minimum. There are several other user account levels that might work better than simply making every user an “Administrator.” The “Editor” level allows a user to edit content across the site, publish posts, and manage some other important features, but restricts access to some of the more critical features. The “Author” level allows a user to make new posts and edit only their own content, and further restricts access to critical features. The “Contributor” level allows a user to write content but not to actually publish it, leaving their work for review and publication by an Editor or Administrator. The “Subscriber” level is simply a registered user who reads your blog.
Review Each & Every WordPress Plugin Prior to Installing
We have a very extensive audit process for any new plugin we install on WordPress sites. Just because you downloaded the plugin from the wordpress.org website does not mean it is safe and hack-free. Plugins have been compromised in the wordpress.org repository in the past, and the repository admins have required them to be taken down or updated. Those plugins were hacked to send user information to the person who had hacked them; very scary stuff. If you have a question about a plugin, feel free to ask us before installing it, or go do some research about the plugin and its author.
Remove Unused WordPress Themes & Plugins
Audit your WordPress website regularly and try to keep your site clear of unused items. If you’re not going to use a plugin, uninstall it. The same goes for themes. An inactive plugin or theme, if infected, can still be used to gain unauthorized access to your website.
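The three audits above (pending updates, the number of administrator accounts, and inactive plugins that should be uninstalled) can be scripted rather than checked by hand in wp-admin. The script below is an added example and is not code from this post or from InsideOut Solutions. It assumes WP-CLI is available on the server and parses the CSV that `wp plugin list --format=csv --fields=name,status,update,version` and `wp user list --format=csv --fields=user_login,roles` produce; the records embedded here are constructed so the script runs offline, and on a real site you would feed the live command output into the same functions (the plugin checks work unchanged on `wp theme list` output too).

```shell
#!/bin/sh
# Added example (not from the original post): WordPress maintenance audit built on
# WP-CLI output. Assumes WP-CLI is installed; sample records below are constructed.
set -eu

# Constructed sample of: wp plugin list --format=csv --fields=name,status,update,version
SAMPLE_PLUGINS='name,status,update,version
akismet,active,available,2.5.6
hello,inactive,none,1.6
example-gallery,inactive,available,1.0
example-seo,active,none,3.2'

# Constructed sample of: wp user list --format=csv --fields=user_login,roles
SAMPLE_USERS='user_login,roles
alice,administrator
bob,administrator
carol,editor
dave,administrator'

# Plugins that are installed but inactive: candidates for uninstalling.
# Takes the CSV text as its single argument; skips the header row.
inactive_plugins() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Plugins (active or not) with an update available. An inactive plugin that is
# out of date is the worst case: it is still on disk but nobody is patching it.
plugins_needing_update() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Number of accounts holding the administrator role (a regex match so that a
# quoted multi-role field such as "administrator,editor" is still counted).
admin_count() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 ~ /administrator/ { n++ } END { print n + 0 }'
}

# Stand-alone report over the constructed data. On a live site replace the
# SAMPLE_* variables with: PLUGINS=$(wp plugin list --format=csv --fields=name,status,update,version)
echo "Inactive plugins (uninstall if unused):"
inactive_plugins "$SAMPLE_PLUGINS"
echo "Plugins with updates pending:"
plugins_needing_update "$SAMPLE_PLUGINS"
echo "Administrator accounts: $(admin_count "$SAMPLE_USERS")"
```

Run on a schedule (cron) and mail yourself the output; a non-empty "inactive" list or an administrator count above what you expect is the signal to go clean house.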
Change Your WordPress Passwords (along with All Others) Regularly
As a general rule, you should be changing all of your passwords at least every 3 months. Use strong passwords with lots of characters and numbers. There are several online sites that can help generate strong passwords, for example Secure Password Generator or Random.org. You should also avoid using passwords you’ve used elsewhere. If an old account, even on another service, has been compromised, someone out there may have an email-password combination that can be used on a number of other websites and services. To keep track of these complex and varied passwords, a good idea is to use a password app/program such as 1Password or LastPass to store your passwords and generate new ones for you.
Maintain the Security of Your Computer(s) as Well
Your WordPress website can be as safe and secure as can be, but if you’re not keeping your computers and other devices free of viruses, it won’t matter. Gaining access to your computer means gaining access to your stored passwords. Keep your antivirus software, browsers, operating system… pretty much all software up-to-date. This makes certain you are as safe as possible.
Rest assured, InsideOut Solutions performs security audits on websites we host. Contact InsideOut Solutions with your questions about WordPress security.