WordPress’ popularity as a tool to manage websites and blogs has a dark side. With so many installations across the internet, attackers target it in the same way that, for years, they targeted the Windows operating system. It’s simply a better return on investment for their time.
There has been a lot of news this week about WordPress security, with WordPress.org having to reset a large number of usernames and passwords because of an incident in which plugins were compromised.
If nothing else, it serves as a reminder to ensure that your website is well placed to withstand attempts to compromise it. We’ve posted before on security, but it’s something that has to be regularly revisited.
OK, you may not be a web developer; chances are you’re a WordPress end user who doesn’t want to become an expert in web servers, PHP and everything else that goes with securing a website. So what can you do?
1) Keep WordPress up to date
When you log in, it’s very simple to see whether your website is running the latest version; if it’s not, you will see a message like this one here.
It shows that there is a newer version available and a link to do the update.
Depending on your setup, just going ahead and updating probably isn’t the best idea. It’s best practice to ensure your site is backed up first, then proceed with the update. Backups are a bigger topic that I’m not going to cover here, but yes, you should be backing up your site, all the time.
Keeping WordPress up to date means that you get the benefit of all the hard work done by the core development team. As well as working on new functionality, they are always looking at the security of the system, so run the latest version, always.
2) Keep your plugins up to date
I could almost copy and paste the above couple of paragraphs here and they would still make sense. Plugins are published by a large number of providers, and they regularly release updates.
The trick to knowing you’ve got updates is shown opposite. Like the core system, the plugins let you know when updates are available; in this case 6 updates are waiting.
You also get a similar message in the plugin section of the admin menu; see this screenshot.
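As an added example (not code from the original post), here is the back-up-then-update routine from steps 1 and 2 as a WP-CLI script. It assumes WP-CLI (`wp`) is installed on the server, that the script is run from the WordPress root, and that the backup path and freshness window are placeholders to adjust for your own site.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: back up a WordPress site with
# WP-CLI and only then update core and plugins. Assumed: WP-CLI ("wp") is
# installed, the script runs from the site root, and the paths/retention
# window below are placeholders to adjust for your own site.
set -eu
SITE_ROOT="${SITE_ROOT:-$PWD}"                 # assumed: the WordPress root
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"   # assumed backup location
MAX_BACKUP_AGE_MIN="${MAX_BACKUP_AGE_MIN:-60}" # reuse a backup newer than this

# Name of a backup set for a timestamp, e.g. site-20240101-120000.
backup_name() {
  printf 'site-%s' "$1"
}

# Succeeds (exit 0) if directory $1 holds a *.sql.gz dump newer than $2 minutes.
backup_is_recent() {
  local dir="$1" max_min="$2"
  [ -d "$dir" ] || return 1
  [ -n "$(find "$dir" -maxdepth 1 -name '*.sql.gz' -mmin "-$max_min" -print -quit)" ]
}

# Count data rows (header excluded) in CSV read from stdin, e.g. the output of
# "wp plugin list --update=available --format=csv": how many updates are waiting.
count_pending() {
  awk 'NR > 1 && NF' | wc -l | tr -d ' '
}

# Database dump plus wp-content (themes, plugins, uploads) under one name.
take_backup() {
  local name
  name="$(backup_name "$(date +%Y%m%d-%H%M%S)")"
  mkdir -p "$BACKUP_DIR"
  wp db export "$BACKUP_DIR/$name.sql" && gzip "$BACKUP_DIR/$name.sql"
  tar -czf "$BACKUP_DIR/$name-wp-content.tgz" -C "$SITE_ROOT" wp-content
  echo "backup written to $BACKUP_DIR/$name.*"
}

# The post's rule in code: no update without a fresh backup.
update_site() {
  backup_is_recent "$BACKUP_DIR" "$MAX_BACKUP_AGE_MIN" || take_backup
  echo "$(wp plugin list --update=available --format=csv | count_pending) plugin update(s) pending"
  wp core update && wp core update-db   # core files, then any database schema changes
  wp plugin update --all
  wp core verify-checksums              # confirm core files match the official release
}

# Run the update only when invoked as "./wp-update.sh run"; sourcing just defines functions.
if [ "${1:-}" = "run" ]; then update_site; fi
```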
3) Don’t get too plugin happy
Install only what you need. It’s a common trait for users to install loads of plugins, because they can. It’s better to stick to a small group of plugins, ideally ones that you know something about. Recommendations from other users go a long way here. Use plugins from reputable publishers that actively maintain and update the software.
4) Don’t use standard, out-of-date install methods
Often web hosting companies let you install WordPress very easily from their control panel. While this is great from an instant-gratification perspective, it can be problematic longer term. Firstly, software installers like this aren’t always up to date; installing something that is six months old is not much good. Secondly, there is no hardening or securing of the installation.
For every install we conduct, we follow a list of processes to give the site the best chance of being, and staying, secure. Refer to the post mentioned above for some of these ideas; it’s a bit techie, though.
5) Access to a WordPress expert
Just as you have a mechanic for your car, having an expert in this field is obviously going to make your web publishing efforts easier. Naturally a company like ours can tick this off your list, but you can also find forums online, or perhaps your web designer or web hosting company has these skills?
Either way, try to get hooked up with someone who can help.
Got questions? Post a comment here; we’re happy to hear your thoughts and perhaps answer a quick question.
Now I’ve got to go and upgrade WordPress: all of the screenshots in this post are from an install that needs my attention!