WordPress is our preferred content management system here at Sperling Interactive. There are so many ways to customize WordPress and make it your own. With thousands of plugins and the ability to create custom post types and templates, the possibilities are endless. With all of this freedom comes responsibility. The more a WordPress site is opened to the outside world, via plugins and third-party templates, the more security becomes an issue. Here are our top tips and methods for keeping all of our client sites safe and secure.
Don’t Let Updates Get You Down
Keeping your WordPress site and plugins up-to-date is crucial to maintaining a safe website. The trouble we most encounter when a client comes to us with an old website is that it hasn’t been updated in many months, or sometimes years! Updating these sites can become an issue, as sometimes the older plugins are no longer maintained by the original developer, and can have compatibility issues with newer versions of WordPress. We always make a backup of the database and cross our fingers! When updating your site, you should make a backup of the database, especially if it’s been a while since your last update. If you have access to your website hosting, you can log into phpMyAdmin and export the database file. If you’re not super technically savvy, you can use a plugin like WP-DB-Backup (https://wordpress.org/plugins/wp-db-backup/) to help you. If you break the site during an update, you will need to restore the backup. This tends to be a more technical task, so ask a web developer for help!
Keeping track of when plugins need to be updated can be a pain. The plugin Wordfence can be configured to send you emails if there is an update available for a plugin or WordPress core. This is a great security plugin that I will discuss later in this blog.
Use Plugins Responsibly
Oh WordPress plugins. A great example that you can have “too much of a good thing.” WordPress plugins are great, most are free, and they can help you add many features to your site that would otherwise require hiring a fancy web developer. Do you need an event calendar, photo slideshow, or a contact form? Plugins have got you covered. Most are easy to use and compatible with WordPress and other plugins.
As a developer, I approach plugins as I approach shopping. Is this something I need, or something I want? Is this a feature I could code myself? You should only use plugins you absolutely need for your site to run as it should. Because plugins are written by third party companies and developers, there can be security holes. A malicious hacker could get their hands on the code of a plugin and add something that could inject spam or break your website. If a plugin hasn’t been updated in a couple of years, this means that the developer has likely abandoned it, and you can’t guarantee that in that time a hacker hasn’t gotten his or her hands on the code. Here’s my checklist when choosing a plugin…
- Has the plugin been updated within the past two years?
- Does the plugin have good ratings?
- Do I have a similar plugin already installed on my site? (If you have two contact form plugins installed, their code might conflict and one or both forms could break)
- Does the plugin have good documentation or support? (If I run into an issue and need help, I want to make sure there’s someone there to help me)
Wordfence Security (https://wordpress.org/plugins/wordfence/) has proved to be an invaluable tool for keeping our clients’ sites secure and up to date. Here are some of our favorite features…
- Blocking repeated login attempts: Wordfence can detect when a hacker or bot is trying over and over again to log into your site. You can set up Wordfence to block their IP address for as little as 5 minutes or as long as 2 days. You can then log into your site and manually block that IP address permanently. When using this feature you will begin to notice that some hackers use a bunch of different IP addresses from all over the world when attacking a site. So if their IP address in Russia is blocked, they will try logging into your site using their IP address in Germany instead. Wordfence can keep blocking these attempts until the hacker gives up and moves on to wreak havoc on another website.
- Notifications of Available Updates: You can configure Wordfence to notify you when plugins or the WordPress core needs to be updated.
- Malicious Code Notifications: If your site does get hacked, Wordfence is there to help you clean up the mess. When malicious code is detected on your site, Wordfence will send you a notification. It will tell you which files on your site contain the malicious code, so you know exactly where to clean house.
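As an added illustration of what the login-attempt blocking described above does, here is a minimal must-use plugin written for this post (it is not Wordfence's code and not from the original article) that counts failed logins per IP address in a WordPress transient and refuses further attempts once a threshold is reached. The threshold and lockout window are constructed values, and it assumes PHP sees the real client address in REMOTE_ADDR.

```php
<?php
/**
 * Plugin Name: Simple Login Lockout (illustrative example, not Wordfence's code)
 * Copy into wp-content/mu-plugins/ to activate. Threshold and window are constructed values.
 */
const SLL_MAX_FAILURES    = 5;        // failed attempts allowed per IP
const SLL_LOCKOUT_SECONDS = 15 * 60;  // 15 minutes, inside the 5-minute to 2-day range above

// Assumes PHP sees the real client address. Behind a proxy or CDN this would be the
// proxy's address; use the proxy's trusted header there rather than X-Forwarded-For
// blindly, since any client can send that header.
function sll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names have a length limit, so store the counter under a hash of the IP.
function sll_key( $ip ) {
    return 'sll_fail_' . md5( $ip );
}

// Count a failed attempt. The transient expires on its own, so the window resets itself.
function sll_record_failure( $username ) {
    $ip    = sll_client_ip();
    $count = (int) get_transient( sll_key( $ip ) ) + 1;
    set_transient( sll_key( $ip ), $count, SLL_LOCKOUT_SECONDS );
    if ( $count >= SLL_MAX_FAILURES ) {
        error_log( sprintf( 'Login lockout for %s after %d failures (username tried: %s)',
            $ip, $count, sanitize_user( $username ) ) );
    }
}
add_action( 'wp_login_failed', 'sll_record_failure' );

// Priority 30 runs after core's password check (priority 20), so a locked-out IP is
// refused even if it finally guesses the right password. Each refused attempt also
// fires wp_login_failed again, which extends the lockout.
function sll_check_lockout( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // nothing was submitted, nothing to judge yet
    }
    if ( (int) get_transient( sll_key( sll_client_ip() ) ) >= SLL_MAX_FAILURES ) {
        return new WP_Error( 'sll_locked', 'Too many failed logins from your address. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'sll_check_lockout', 30, 3 );
// A successful login clears the counter for that address.
function sll_clear_on_success( $user_login, $user ) {
    delete_transient( sll_key( sll_client_ip() ) );
}
add_action( 'wp_login', 'sll_clear_on_success', 10, 2 );
```

A per-IP counter only slows down a single source; as the post notes, attackers rotate addresses, so treat this as a complement to a maintained security plugin rather than a replacement for one.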
Jetpack (https://wordpress.org/plugins/jetpack/) is a robust plugin that is created by the WordPress team, so you know you can trust the code. Not only does it have some security features, like protecting your site against brute force attacks and notifying you if your site goes down, but there are a ton of other features, like share buttons, contact forms, and cool photo galleries.
Overview and Some Quick Security Tips
- Delete any unused themes. An old theme still ships code that can be attacked even when it is not active, so a hacker could break into your site that way.
- Keep plugins and WordPress core updated.
- Do not use “admin” or “user” as your WordPress username. These are the first usernames that hackers and bots try when attempting to log into your site. It’s as bad as using “password” as your password.
- Only use the plugins you need. If you’re no longer using a plugin, delete it.
- Install Wordfence and check out some of the features. This is an amazing plugin for security and general website maintenance.
- WordPress comes with Akismet (http://akismet.com/). Use it. This plugin helps control spam comments on your blog, and also controls malicious code being entered as a comment.
If you do get hacked, call us, we can help! We also offer a monthly maintenance package, so if you don’t want to deal with pesky updates, we can take care of it for you.