WordPress is rapidly becoming one of the most popular CMSs (Content Management Systems) to use for a website. Because of this, more and more developers are creating new and amazing templates and plugins for it every day.
Unfortunately, there is a downside to popularity as well: it is also one of the most popular targets for malicious activity.
The bad news is WordPress is not very secure right out-of-the-box. Leaving everything at its default settings is a good way to have your page hacked.
The good news is hackers are generally looking for easy targets. So by putting in just a bit of time and effort, you can stop a large majority of attacks on your site.
Below is a simple guide to get you started on a safer and more secure website.
Change the Default Admin Account
This one is such a no-brainer. The default account name for WordPress is ‘admin’, and every hacker knows this. By not changing this you are basically telling hackers half of what they need to break in! Change the administrator account name to something else that isn’t easy to guess (don’t use your name, your company’s name, your son’s name, etc…).
Don’t use the Administrator Account for Posts or Pages
By default, when you create a new post on your site, WordPress will put in a byline. That byline shows the name of the account that wrote the post. By doing this, you are again just giving away half of what a hacker needs to break in. Make sure to create a secondary, non-admin account specifically for creating new posts.
Change your password regularly
(and don’t use the same password for everything!)
This one is huge. I know it’s a pain to remember new passwords all the time, but this is really one of the best ways to keep out unwanted people. I’m amazed at how many people will use the same password for their FTP, cPanel, website, etc… You are leaving yourself open to more than just a broken website by doing this: one leaked password then opens every one of those accounts.
Keep Plugins and Templates Updated
Regularly keep your templates and plugins updated. Developers are always trying to keep their products fully secure. If you notice one of your plugins has not been updated in a while, it might be abandoned by its developer and you should find a replacement.
Remove unused plugins and templates
Hackers are always looking for new ways to break in. This is why WordPress and plugin/template developers constantly update their products. Besides adding new features and fixing bugs, they are actively fixing potential security risks in their products. If you have any unused plugins and/or templates just sitting there, they are not getting updated, which makes them a very large security risk. Completely delete them from your FTP server.
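To make the two rules above (keep plugins updated, delete what you don’t use) something you can check rather than something you have to remember, here is an added Python audit script that is not part of the original post. It assumes WP-CLI is installed on the host and reads the JSON that `wp plugin list --format=json` prints; the sample output embedded below is constructed, not taken from a real site.

```python
import json
import subprocess

# Constructed sample of what `wp plugin list --format=json` prints
# (assumption: WP-CLI is installed and emits these field names).
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "akismet",     "status": "active",   "update": "none",      "version": "5.3"},
    {"name": "hello",       "status": "inactive", "update": "none",      "version": "1.7.2"},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "2.1"},
    {"name": "seo-tools",   "status": "active",   "update": "available", "version": "3.0.1"},
])


def plan_actions(wp_cli_json):
    """Map each plugin name to 'delete', 'update' or 'ok'.

    An inactive plugin is dead code that still ships its bugs, so it is
    flagged for deletion even when an update exists; an active plugin with
    a newer release is flagged for update.
    """
    actions = {}
    for plugin in json.loads(wp_cli_json):
        if plugin.get("status") == "inactive":
            actions[plugin["name"]] = "delete"
        elif plugin.get("update") == "available":
            actions[plugin["name"]] = "update"
        else:
            actions[plugin["name"]] = "ok"
    return actions


def wp_cli_commands(actions):
    """Render the plan as real WP-CLI commands, deletions first."""
    commands = []
    for name in sorted(n for n, a in actions.items() if a == "delete"):
        commands.append(f"wp plugin delete {name}")
    for name in sorted(n for n, a in actions.items() if a == "update"):
        commands.append(f"wp plugin update {name}")
    return commands


def audit_live_site(wp_path):
    """Run the audit against a real install (needs WP-CLI on this host)."""
    result = subprocess.run(
        ["wp", "plugin", "list", "--format=json", f"--path={wp_path}"],
        capture_output=True, text=True, check=True,
    )
    return wp_cli_commands(plan_actions(result.stdout))


if __name__ == "__main__":
    print("\n".join(wp_cli_commands(plan_actions(SAMPLE_WP_CLI_OUTPUT))))
```

Run it against the sample and it prints the two delete commands and one update command; point `audit_live_site` at your WordPress directory to get the same plan for a real install.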
Manage your Comments
By default, WordPress allows anyone to comment on your posts. While not necessarily a security threat, there are bots out there that will take advantage of this to post spam. Here are a few things you can do to help prevent this:
More Security Options
There are lots of great security plugins out there. They offer features such as two-factor authentication for administrators, IP blocking of brute-force login attempts, blacklisting countries and regions, etc… Some even offer scans that detect if your page has already been hacked, and if your plugins are too out of date.