WordPress vulnerabilities. How do I secure my WordPress blog?

WordPress, one of the most popular blogging platforms in use, powers 60 million websites worldwide. Quite naturally, that makes it a prime target for criminals: a single exploitable flaw can be used against millions of sites at once. This article explains some of the steps you can take to keep your WordPress blog, and the website it sits alongside, safe and secure.

Make sure your WordPress blog is always up to date.

It is critically important to keep your WordPress installation up to date at all times. When an update is released it usually contains security fixes as well as other bug fixes, and some releases close severe vulnerabilities that are already being exploited. Always move to the latest version as soon as you can. Since WordPress 3.7, minor (point) releases install themselves automatically by default, so check that automatic updates have not been switched off on your site, and apply major releases yourself promptly.

As a web hosting provider, we see time and again that the principal cause of site compromises is a known vulnerability in an outdated WordPress installation. Once in, criminals tend to inject code into every PHP file they can write to before moving on to the next website. Bear in mind too that you can be held responsible under data protection law if criminals obtain the e-mail addresses of anyone who has registered on your blog: e-mail addresses are personal information in law.

So, first and foremost, keep your blog updated.
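The update routine above can be scripted with WP-CLI. The script below is an added example for this article, not the hosting provider's own tooling and not anything shipped with WordPress: it updates core, plugins and themes, then checks the installed files against the checksums wordpress.org publishes, which is the quickest way to spot the injected-PHP pattern described above. It assumes WP-CLI (the `wp` command) is installed and that `WP_PATH` (a placeholder) points at the WordPress root; the version helper is written in plain awk so it does not depend on GNU `sort -V`.

```shell
#!/usr/bin/env bash
# wp-maintain.sh: bring WordPress core, plugins and themes up to date and check
# that core and plugin files still match what wordpress.org published.
# Added example for this article, not the hosting provider's own tooling.
# Assumes WP-CLI (the `wp` command) is installed and WP_PATH is the WordPress root.
set -euo pipefail

WP_PATH="${WP_PATH:-/var/www/blog}"   # assumed location; override in the environment

# version_lt A B: succeeds when dotted version A is older than B (6.4.2 < 6.4.3,
# 6.4.9 < 6.4.10). Plain awk, so it does not depend on GNU `sort -V`.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal versions are not "less than"
    }'
}

# newest_version: reads the output of `wp core check-update --field=version` on
# stdin and prints the newest version offered, or an empty line when there is
# none. Lines that are not a version (such as "Success: WordPress is at the
# latest version.") are ignored.
newest_version() {
    local best="" v
    while IFS= read -r v; do
        case "$v" in
            ""|*[!0-9.]*) continue ;;
        esac
        if [ -z "$best" ] || version_lt "$best" "$v"; then best="$v"; fi
    done
    printf '%s\n' "$best"
}

# update_core: update only when the installed version is older than the newest
# offered, then run any pending database migrations.
update_core() {
    local installed latest
    installed="$(wp --path="$WP_PATH" core version)"
    latest="$(wp --path="$WP_PATH" core check-update --field=version 2>/dev/null | newest_version || true)"
    if [ -n "$latest" ] && version_lt "$installed" "$latest"; then
        echo "core: updating $installed -> $latest"
        wp --path="$WP_PATH" core update
        wp --path="$WP_PATH" core update-db
    else
        echo "core: $installed is current"
    fi
}

# update_extensions: update every plugin and theme that has an update available.
update_extensions() {
    wp --path="$WP_PATH" plugin update --all
    wp --path="$WP_PATH" theme update --all
}

# verify_integrity: compare installed files against the checksums published by
# wordpress.org. Code injected into a core or plugin PHP file shows up as a
# mismatch. verify-checksums exits non-zero on any mismatch, so report it
# rather than letting `set -e` abort before the details are printed.
verify_integrity() {
    local ok=0
    wp --path="$WP_PATH" core verify-checksums || ok=1
    # only plugins hosted on wordpress.org have published checksums; others are skipped
    wp --path="$WP_PATH" plugin verify-checksums --all || ok=1
    if [ "$ok" -ne 0 ]; then
        echo "WARNING: files differ from published checksums; inspect before trusting this site" >&2
    fi
    return "$ok"
}

main() {
    update_core
    update_extensions
    verify_integrity
}

# Run the maintenance only when asked (./wp-maintain.sh --run), so the helpers
# can also be sourced and tested on a machine without WP-CLI.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from cron after a backup has completed, and treat a non-zero exit from the checksum step as an incident to investigate rather than noise: a legitimate edit to a core file is rare enough that a mismatch almost always means something else wrote to it.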

Host your blog on a separate hosting account to your website.

If you have reseller hosting, give your blog its own hosting account (on a separate subdomain, for instance) rather than a subdirectory of your website. Why? On shared hosting, every PHP script in an account runs as that account's single system user, so if a hacker manages to inject PHP code into your WordPress files, that code can traverse up the directory tree and write to any other PHP file in the account, including every file of your main website. If the blog lives in a separate account, a compromise of the blog leaves the website untouched.

If you only have shared hosting, consider purchasing a reseller hosting plan so that the blog and the website can live in separate accounts in case anything goes wrong.
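To see why a separate directory is not enough, here is an added check (example code for this article, not the provider's): under a single hosting account every PHP script runs as the same system user, so the test for isolation is whether that user can write into the other site's document root. The two paths are placeholders; the `demo` function builds a throwaway blog/site pair under the current account and shows the "blog" appending PHP to the "site's" index.php.

```shell
#!/usr/bin/env bash
# isolation-check.sh: does a compromised blog have a path to the main site's
# files? On shared hosting every PHP script in an account runs as that
# account's single system user, so the real boundary is "different user", not
# "different directory". Added example for this article; the two paths below
# are assumptions, not the provider's layout.
set -euo pipefail

BLOG_ROOT="${BLOG_ROOT:-/home/acct/public_html/blog}"   # assumed
SITE_ROOT="${SITE_ROOT:-/home/acct/public_html}"        # assumed

# isolation SITE_DIR: run this as the user the blog's PHP executes as. Prints
# "exposed" if that user can write into the site's document root (or owns it,
# since an owner can always chmod it writable again), "isolated" otherwise,
# and "missing" if the directory does not exist.
isolation() {
    local site="$1"
    if [ ! -d "$site" ]; then
        echo missing
    elif [ -w "$site" ] || [ -O "$site" ]; then
        echo exposed
    else
        echo isolated
    fi
}

# demo: build a "blog" and a "site" directory under the current account and
# show that code running in the blog directory can append PHP to the site's
# index.php, which is exactly what injected code does. Prints
# "<verdict> <line count of site/index.php>"; the count goes from 1 to 2.
demo() {
    local tmp blog site verdict lines
    tmp="$(mktemp -d)"
    blog="$tmp/blog"; site="$tmp/site"
    mkdir -p "$blog" "$site"
    printf '<?php echo "site home";\n' > "$site/index.php"
    # the "injected" code traverses one directory up, out of the blog, into the site
    ( cd "$blog" && printf '<?php /* appended from the blog directory */\n' >> ../site/index.php )
    verdict="$(isolation "$site")"
    lines=$(( $(wc -l < "$site/index.php") ))
    rm -rf "$tmp"
    echo "$verdict $lines"
}

case "${1:-}" in
    --demo)  demo ;;
    --check) echo "blog at $BLOG_ROOT is $(isolation "$SITE_ROOT") with respect to $SITE_ROOT" ;;
esac
```

Run `--check` with `sudo -u <blog-user>` (or from a PHP shell_exec on the blog if that is the only access you have) to get the verdict for the user that actually executes the blog's code; running it as root tells you nothing, because root can write everywhere. The only result that counts as separation is "isolated", and on a single shared account you will not get it.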

Make regular backups of your blog and database.

We take regular backups for our own internal disaster recovery procedures, and we will restore one of them if a customer asks us to and it is absolutely necessary, but we strongly advise every customer to keep their own backups. Restoring a clean copy of your WordPress files is far quicker and more reliable than hunting through every file that may have been infected and removing the injected code by hand.

The database is the more serious concern. Your posts are stored in a MySQL database, so you can restore or reinstall the WordPress files without losing any of them. But what if the database itself is compromised? A criminal could destroy every blog post you have ever written, and without a backup you have no way of getting them back.

So, quite simply, back up your files and your database regularly, keep the copies somewhere other than the server they came from, and check now and then that a backup actually restores. If you don't want to do this yourself, we offer cloud backup solutions that automate the process and store your backups securely in our cloud environment.
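As an added example (not the provider's cloud backup service), here is a cron-friendly script that reads the database credentials out of wp-config.php, dumps the database, archives wp-content and wp-config.php, checks that both files read back, and keeps only the newest copies. The paths, the retention count and the use of mysqldump and tar are assumptions about a typical Linux host.

```shell
#!/usr/bin/env bash
# wp-backup.sh: dump the database named in wp-config.php, archive the files
# that cannot be re-downloaded, and keep a fixed number of dated copies.
# Added example for this article, not the provider's backup service. Assumes
# mysqldump and tar are installed and that BACKUP_DIR is on a different disk
# or host from the site itself (a backup next to the site dies with it).
set -euo pipefail

WP_PATH="${WP_PATH:-/var/www/blog}"            # assumed WordPress root
BACKUP_DIR="${BACKUP_DIR:-/var/backups/blog}"  # assumed backup location
KEEP="${KEEP:-14}"                             # dated copies to retain

# wp_config_value FILE NAME: print the value of define('NAME', '...') from a
# wp-config.php, tolerating single or double quotes and extra spaces. Values
# that themselves contain a quote character are not handled.
wp_config_value() {
    sed -n -E "s/^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$1" | head -n1
}

# backup_name: date-stamped prefix shared by the dump and the file archive
backup_name() { printf 'blog-%s' "$(date +%Y%m%d-%H%M)"; }

# dump_database OUT: gzipped logical dump of the blog's database.
dump_database() {
    local cfg="$WP_PATH/wp-config.php" name user pass host
    name="$(wp_config_value "$cfg" DB_NAME)"
    user="$(wp_config_value "$cfg" DB_USER)"
    pass="$(wp_config_value "$cfg" DB_PASSWORD)"
    host="$(wp_config_value "$cfg" DB_HOST)"
    # The password goes in the environment, not on the command line where other
    # users of a shared host could read it from `ps`. A ":port" or ":socket"
    # suffix on DB_HOST is dropped here; add --port/--socket if you use one.
    MYSQL_PWD="$pass" mysqldump --single-transaction --host="${host%%:*}" \
        --user="$user" "$name" | gzip > "$1"
}

# archive_files OUT: wp-content holds uploads, themes and plugins; wp-config.php
# holds the salts and database credentials. Core itself can be re-downloaded.
archive_files() {
    tar -czf "$1" -C "$WP_PATH" wp-config.php wp-content
}

# prune_old PATTERN: delete all but the newest $KEEP files matching PATTERN in
# BACKUP_DIR (newest first by modification time; names contain no spaces).
prune_old() {
    local n=0 f
    for f in $(ls -t "$BACKUP_DIR"/$1 2>/dev/null || true); do
        n=$((n + 1))
        if [ "$n" -gt "$KEEP" ]; then rm -f "$f"; fi
    done
}

main() {
    local stamp
    mkdir -p "$BACKUP_DIR"
    stamp="$(backup_name)"
    dump_database "$BACKUP_DIR/$stamp.sql.gz"
    archive_files "$BACKUP_DIR/$stamp.tar.gz"
    # A backup you have not read back is a hope, not a backup.
    gzip -t "$BACKUP_DIR/$stamp.sql.gz"
    tar -tzf "$BACKUP_DIR/$stamp.tar.gz" > /dev/null
    prune_old 'blog-*.sql.gz'
    prune_old 'blog-*.tar.gz'
    echo "backup written: $BACKUP_DIR/$stamp.sql.gz and $stamp.tar.gz"
}

# ./wp-backup.sh --run from cron; without --run only the helpers are defined.
if [ "${1:-}" = "--run" ]; then main; fi
```

Schedule it with cron and copy `BACKUP_DIR` off the machine (rsync to another host or object storage); the read-back checks catch a truncated or corrupt archive, but only an occasional full restore into a scratch database proves the dump is complete.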

Only install trusted plugins that have good user reviews.

A plugin with a security vulnerability poses the same risk as a vulnerability in WordPress itself: it runs with the same permissions and can read and write the same files and the same database. Only install plugins from the official WordPress plugin repository that look well maintained, have been updated recently and have good user reviews, and keep every plugin you install up to date.

If you no longer use a plugin, uninstall it rather than merely deactivating it. A deactivated plugin's files stay on the server, and any of its files that can be requested directly by URL is still exposed. It is best never to keep plugins installed that you no longer use.

Making sure your blog is secure in general.

Some things no software can prevent: user error and carelessness.

  • Always make sure your passwords are secure: Too many people use the same password on several websites, or choose passwords that take little effort to crack. If you want a password that is secure but still memorable, build it from a sentence you can easily remember, one character per word: "I Must Have A Secure Password 065" becomes IMH@$p065, swapping some letters for symbols that look similar (A becomes @, S becomes $). Bear in mind that password-cracking tools know these substitutions, so a short mnemonic like this is only a modest improvement on a plain word, and it must still never be reused on another site. What we would recommend you consider instead is KeePass. KeePass generates and stores very strong, unique passwords in what is essentially an encrypted database, so you never need to remember any of them: you copy a password from KeePass, paste it into the login form, and KeePass clears your clipboard again after a short, configurable timeout. It is also free and open source, so a win all round.
  • Keep tabs on who has Author, Editor and Administrator privileges: Do others contribute articles to your blog? Give them only the role they need: Contributor or Author for people who write, Editor only for those who must publish or edit other people's work, and Administrator for as few accounts as possible. If someone who used to contribute still holds an Editor or Administrator account, set them back to Subscriber (or delete the account and reassign their posts) so that you always know exactly who has access and get no nasty surprises later on. It is better to be safe than sorry.
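An added example for the access review above (not code from the original post): with WP-CLI you can list every account that holds more than the Subscriber role and demote the ones that should no longer have it. It assumes WP-CLI is installed and that `WP_PATH` (a placeholder) is the WordPress root; the CSV parsing is kept in its own function so it can be checked against constructed input.

```shell
#!/usr/bin/env bash
# wp-role-audit.sh: list every account that can do more than comment, and
# demote accounts that no longer need their role. Added example for this
# article; it uses WP-CLI (`wp`) and assumes WP_PATH is the WordPress root.
set -euo pipefail

WP_PATH="${WP_PATH:-/var/www/blog}"   # assumed location

# privileged_from_csv: reads `wp user list --fields=user_login,roles --format=csv`
# on stdin and prints "login roles" for every account whose roles go beyond
# plain subscriber. A user with several roles gets them quoted and
# comma-separated in the CSV ("subscriber,author"), so split on the first
# comma only and strip the quotes.
privileged_from_csv() {
    local line login roles
    tail -n +2 | while IFS= read -r line; do   # +2 skips the header row
        login="${line%%,*}"
        roles="${line#*,}"
        roles="${roles//\"/}"
        case ",$roles," in
            ,subscriber,|,,) ;;                  # can only comment: fine
            *) printf '%s %s\n' "$login" "$roles" ;;
        esac
    done
}

# list_privileged: the accounts to review. Anyone you do not recognise, or who
# no longer writes for the blog, should not be on this list.
list_privileged() {
    wp --path="$WP_PATH" user list --fields=user_login,roles --format=csv | privileged_from_csv
}

# demote LOGIN...: set each named account back to subscriber. The account and
# its post authorship stay intact; only the capabilities go away.
demote() {
    local u
    for u in "$@"; do
        wp --path="$WP_PATH" user set-role "$u" subscriber
        echo "$u -> subscriber"
    done
}

case "${1:-}" in
    --list)   list_privileged ;;
    --demote) shift; demote "$@" ;;
esac
```

Run `./wp-role-audit.sh --list` on a schedule and diff the output against last time: a new Administrator you did not create is one of the clearest signs of a compromise, and `--demote <login>` takes the access away without losing the author's posts.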

