Securing your WordPress website
I thought this article was going to be a little further down the line, but something happened yesterday that pushed the timeline up a month or 2. I was working vigorously on getting BarbApple studios up to speed, you know the drill: website with matching Fackbook, and Twitter page, when the unthinkable happened. My servers went down, and the explanation I got was “Our server thought there was too much activity on my site, logging in and out, branded it as malicious activity and we shut you down.” This might not have been an issue, but I tried to log in like 7 times, and they couldn’t figure out what the issue was.
WordPress was allowing me to change the admin password, but not allowing me to log in. After a day of this nonsense, and back and forth with tech support, it hit us both at the same time. I had a plug installed by BWS plugins called ‘Limit Attempts,’ and that’s what kept me logged out. So when the servers came back online, I was blacklisted from my work computer, and the tech that was helping me also got blacklisted. We went about it 2 different ways, and got the same result, we were able to log back in again.
I had the idea of going to phpmyadmin and deleting the records in the plugin table, but thought that was a bit rash, so instead I FTP’d to my site and just deleted the plugins folder. That might be considered rash anyway, although at the same time my tech deleted the records from the database using phpmyadmin. I don’t know which had the desired effect or both, had the desired effect, but I am back. I think his method might have worked fine, but I’d like to think I would have gotten a plugin missing error, and would be allowed in anyway, as this has happened before. So there you are, the beginning of a post on how to secure your WordPress website. This will be part 1) of 2) I think, because I want to do this properly. I am going to discuss the types of things you need to stop, how to stop them, and the reputable plugins that will help. So stay tuned.
WordPress will not crash your website, but plugins and themes will. WordPress, as I have said before, is one of the most stable web environments out there at the moment. When people complain about WordPress crashing, what they usually mean is that it had crashed due to a plugin being bad or in need of updating, or a theme that stopped working. WordPress itself is as stable as it gets on the world wide web.
BACK UP YOUR SITE!
This is the most important thing I can tell you to do. Do not assume that the place you are hosting has it covered. Whilst they may do, they could charge you extra money for a restore, and they may not get the restore exactly as you want it. Do it yourself, because WordPress has made it so simple. There are many plugins that will do the job adequately, but the one that I use for all my sites is the plugin BackWPup by Pento. It has been around forever and just does what it says it is going to do. So check that out in the plugins section of my blog, as it is one of my favorites.
Administrator Log in
Do not use admin, user, test, or administrator as the main log in user name. When you think about it, they aren’t really user names. These are the first names a hacker will attack, and it means that all they have to get now is the password.
Longer passwords are better: You don’t have to produce intricate passwords, but long ones – like sentences. People think they have to have longer cryptic passwords, but they forget them. Longer is better in this case, and the chances that you remember it will be better.
If you are the administrator of your WordPress site, create another user account with editor privileges to post to your own blog, so that you are not always logging in as an administrator. This way there is less of a chance of being key-logged when you are using your website. The admin account you set up should be used for admin purposes only, and this is a good thing to teach your clients also because there is more of a chance of them just posting to their sites than administering to it. This is a tricky one for me because I admin so many sites, that I am admining more than actually posting but your average client will not.
Update your WordPress
Always update your WordPress core, plugins, and your themes whenever they are due. Don’t wait a few weeks or even days to do this. The need updated for a reason, so go ahead and do it. You will only make things worse if you don’t. Sometimes after I update the WordPress core, I log out and relog back in again to see if anything else has changed in the update department, such as plugins or themes. This may not be necessary, but it is a habit I have gotten into over the years. I just know that I have left updates for a while and crashed my website a few times. There was one time I remember I had to do a full re-install because I didn’t update.