How do I secure my WordPress site? I see this question asked quite often, so I thought I would take some time to cover at least some of the basic steps to take in order to secure your WordPress blog. Most of these steps are quite easy to take care of on your own, and if you’re not sure how to do it yourself, it should be fairly easy to find somebody who will help you out for a couple of bucks.
Not only will this help you out and possibly save you some headaches in the future, but it could make all the difference for your users as well. If something happens to your site, you will have to spend hours cleaning it up and getting it back to the way it is supposed to be (headaches). However, you’re not the only one affected here. Your visitors are affected too: when they visit your site they are exposing their computers to harmful content, and this could come back to affect you in the long run, as you may lose visitors because your site wasn’t secure.
Let’s dig in
The first and easiest step is making sure that your WordPress core is up to date with the latest version. The team working on the WordPress core goes to a lot of trouble to keep everything updated and to quickly clear up any security issues that have been found or uncovered. They have also tried to make updating as easy as possible: you should still back everything up before attempting an update, but nonetheless a core update is a one-click process.
I’ll admit that I am and have been guilty of avoiding core updates because a plugin that I use wasn’t compatible with the latest version. Sometimes you may be able to get away with doing this, but it’s a risk that shouldn’t be taken. Even if you can’t write code, it might be possible to make a donation to the plugin’s author in order to get the plugin updated more quickly.
Next up, themes and plugins. These also require updates from time to time. Plugins, for the most part, shouldn’t be any big deal to update. However, some of them can be found to have security issues; in this case they are pulled from the directory right away until they are fixed. If you find that this is the case for a plugin you have installed, it would be best for you and your site to disable and remove the plugin as well, to avoid exposing yourself to any potential security threats.
With themes, on the other hand, you may find yourself avoiding an update because you made some modifications to the theme on your installation. I have been guilty of this myself. The good news is that there is an easy way around this with child themes: if you want to make any changes to a particular theme, create a child theme and make your changes in there. If you go about things in this manner, you can easily apply any updates to the parent theme without having to worry about the look or function of your site being affected.
Lastly on the themes and plugins note, if you have a bunch of disabled themes or plugins still installed and just sitting there, it would be best to go ahead and fully remove them. Fully removing them is the only way to make sure that they can’t still be exploited. If it comes out that there is a vulnerability in a certain theme or plugin, every “hacker” and “script kiddie” out there is going to be hunting down WordPress sites and checking to see if they have the vulnerable theme or plugin on the server.
Next up is doing your part to make sure that everything is as secure as it can be. What does this mean? It means that you should do your best to pick a password that would be hard to crack and then store it someplace safe. To make sure that your password is even more secure, you should consider changing it often.
Lastly, if you’re able to do so, it would be best to change the default admin login name. Everybody is sure to know right away that the login username is admin by default. Changing it gives an attacker one more hurdle to overcome before getting into your blog (some themes give this away with links to the author page).
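The checks above (pending updates, disabled themes and plugins left installed, the default admin login name) can be run as one quick audit. This is an added example, not part of the original post: it assumes WP-CLI is installed and that the JSON from `wp plugin list --format=json`, `wp theme list --format=json` and `wp user list --format=json` is fed in; the records below are constructed sample data with made-up names.

```python
import json

# Constructed sample data in the shape WP-CLI prints for
# `wp plugin list --format=json`, `wp theme list --format=json`
# and `wp user list --format=json` (all names are made up).
PLUGINS = json.loads("""[
 {"name": "contact-form-example", "status": "active", "update": "available", "version": "1.2"},
 {"name": "old-gallery-example", "status": "inactive", "update": "none", "version": "0.9"},
 {"name": "seo-example", "status": "active", "update": "none", "version": "3.1"}
]""")
THEMES = json.loads("""[
 {"name": "mytheme-child", "status": "active", "update": "none", "version": "1.0"},
 {"name": "mytheme", "status": "parent", "update": "available", "version": "2.0"},
 {"name": "unused-example", "status": "inactive", "update": "none", "version": "1.5"}
]""")
USERS = json.loads("""[
 {"ID": 1, "user_login": "admin", "roles": "administrator"},
 {"ID": 2, "user_login": "jane", "roles": "editor"}
]""")


def audit(plugins, themes, users):
    """Return (kind, name, finding) tuples for the steps covered in this post."""
    findings = []
    for kind, items in (("plugin", plugins), ("theme", themes)):
        for item in items:
            if item.get("update") == "available":
                findings.append((kind, item["name"], "update available"))
            # A theme with status "parent" is required by the active child
            # theme, so only fully inactive items are flagged for removal.
            if item.get("status") == "inactive":
                findings.append((kind, item["name"], "inactive: remove it"))
    for user in users:
        # The default login name is the first one anybody will try.
        if user.get("user_login", "").lower() == "admin":
            findings.append(("user", user["user_login"], "default admin login name"))
    return findings


if __name__ == "__main__":
    for kind, name, finding in audit(PLUGINS, THEMES, USERS):
        print(f"{kind:7} {name:22} {finding}")
```

Note that the parent theme shows up as needing an update but not as removable, which is exactly the situation the child theme approach is meant to make safe.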
If you follow these simple steps, you can make sure that your WordPress blog is as secure as it possibly can be. These steps shouldn’t be too hard to follow or execute; however, some of them do require a little bit of technical knowledge, so if you find that you aren’t able to figure out one of the steps, go ahead and find somebody trustworthy who can help you with it.