There are volumes that can be written about WordPress security. In this brief blog post, I’ll attempt to cover a few of the basics.
WordPress itself, is a very secure software package – however nothing is 100% foolproof. And the more popular it is, the more hackers try to figure out how to hack it – because uncovering a vulnerability in WordPress would allow them to hack a large number of sites.
The most important tip to keep your website safe, is to keep your WordPress site updated. WordPress is developed regularly, and as vulnerabilities and security issues are discovered, they are quick to modify their code and release a new version. Keeping your code up to date is the easiest way to keep your site safe. WordPress updates are easy, just a simple click from the admin panel. Likewise, keep your plugins updated.
Since nothing is 100% foolproof, the surest way to recover if your site is hacked, is to have a complete site backup. Download this backup to your computer, or use an offsite backup service, so that your backup doesn’t also get hacked. And keep multiple copies! If you backup your site weekly on Saturday, and your site is hacked on Friday, you might not notice it until it’s already been backed up… then at that point, you might as well not have a backup at all.
Basic security principles apply to your WordPress site, just as in other areas of your web world. Don’t use an overly simple password. Make your passwords complex to include upper-case and lower-case letters, numbers and special characters.
By default, the main admin user on WordPress sites is “Admin”. Every hacker in the universe knows that, so they don’t need to try to guess your username, they just need to try to guess your password. So change this username to something unique.
When you install your site, the default MySQL database prefix is wp_. Again, every hacker knows this, and if they are able to gain any kind of access to your account, they can run a script to inject data to your database. If you use a custom database prefix when installing WordPress, some of these hacker tactics won’t work if the hacker is expecting your database table to be prefixed with wp_ and instead yours are prefixed with acme_.
Lastly, delete an uninstall any plugins or themes you are not using. Every bit of code is a potential open door, so if it’s not being used, get rid of it to reduce the number of doors a hacker can use to mess up your site.
>> Joshua Pettit is Lead Developer and Project Manager at Sunrise Marketing. http://www.sunrise-marketing.com/