WordPress is the most popular blogging platform in the world, by far. It has become so pervasive on the Internet that you probably might not recognize that you’re actually on a site that uses WordPress. We’ve already covered the installation and several other aspects of handling WordPress and its seemingly endless array of plugins and features. Here are ten steps you should take to lock down your WordPress site.
Popularity breeds contempt, as they say, and WordPress is certainly popular. Hackers and spammers all over the world make it a point to attack sites that use WordPress, hoping to take advantage of new webmasters. Once these folks find a hole, they will exploit it as much as they can, often taking over the site while the owner is not even aware of it.
Step One: Get rid of the user name ‘admin’.
Every WordPress site defaults to the main user being named admin. Even with a secure password, leaving that username in place means that a hacker already has 50% of what he needs to access your site. Add another user, keeping in mind Step Two coming up, and make that user admin. At that point you can delete the original username ‘admin’. Hint: You need to assign the admin role to another user before you can delete the user named admin.
Step Two: Name the user with admin rights something other than any user who can post.
If you post under the name Jane Doe, don’t assign admin right to that user (usually you). When someone reads your posts, they could assume that Jane Doe is the admin. As in step one, if Jane Doe has admin rights, they already have half of what they need to gain access to your site. Change the admin user name to something completely different, something that can’t been found on your site.
Step Three: Keep your WordPress installation up to date.
This goes without saying but we’re saying it anyway. WordPress is constantly being updated, with security loopholes constantly repaired and additional features added. Make sure you keep your installation fresh by updating it whenever WordPress prompts you to do it. We use the automatic update and the whole process takes about a minute. Make sure you do the same.
Step Four: Keep your plugins up to date.
Update notifications are right in front of you as soon as you log in to your site. These include updates for WordPress as well as the various plugins you use. Make sure you keep everything up to date, including those plugins. Once an exploit has been uncovered, plugin creators change the bits and pieces that make up the software and then release an update. WordPress tells you instantly when an update is available so there’s no reason not to take a moment and update everything.
Step Five: Use Akismet to filter spam.
Akismet is free and using it is a no-brainer. We get thousands of spam comments every day here on Computers Made Simple. If it wasn’t for Akismet our site would be a mess of ridiculous comments that would steer users away from our site. We’ve covered installation of Akismet before in our WordPress installation series.
Step Six: Make sure all comments must be approved by your admin user.
As with the use of Akismet, this goes without saying. If a spammer’s comment is missed by Akismet, and that happens frequently, you must make sure that you can report it as spam before that comment shows up below a post. We all know that some sites, actually some big name sites, don’t filter out these comments but make sure that you do. Any savvy reader will be able to spot a spammer’s comment and will naturally think less of your efforts. To them, it might seem that you want these spam comments visible, as if your site was more popular than it actually is. Don’t fall into that trap. Change your discussion settings and moderate all comments.
Step Seven: Don’t inhibit comments.
We had a spammer attack our site a few weeks back. Every day we’d get twenty or thirty comments that Akismet was missing for some reason. To us, the comments were obviously spam but to Akismet, they seemed legitimate. What to do in this situation? We thought that adding a captcha (Completely Automated Public Tuning test to tell Computers and Humans Apart, believe it or not) device to our site. You’ve all seen them, the little photos of pictures and/or numbers that you have to type in to prove you’re human. Well, we tried but the results didn’t work out well at all. For the duration of the ‘attack’, we simply marked those comments as spam and, over time, Akismet either recognized them as such or the company which was commenting gave up the battle.
Please Note: If you want to comment on our site, all you have to do is give us an email, a name and a comment. The email is never published, it doesn’t even have to be a real one. The only reason we ask for it is to make sure you get our reply to your comment, not to spam you. We don’t even really see your email, except when we reply. At that point a WordPress plugin sends our reply to you automatically.
Step Eight: Use one admin, no more.
Even if you assign user accounts to other writers/posters, don’t assign anyone else the admin position. Anyone with the admin designation can change any setting in WordPress, even to the point of locking you out of your own site. Don’t do it. Keep the admin rights and keep your site safe.
Step Nine: Don’t let anyone access your site for whatever reason.
Again, this is from personal experience. We purchased a theme and, after installation, found that there was one setting that was causing us problems. After a few emails back and forth with the theme creator, he suggested that we give him our password and let him see if he could fix it. Our warning beacons went off immediately. Yours should too. Let’s say we did allow this person to access the site then changed the password immediately afterwards. In case you didn’t already know this, all WordPress installations are made up of a vast array of php scripts that work behind the scenes, controlling every part of your website. Unless you are a very smart programmer, you would never know what this person might have changed deep inside your WordPress installation. No matter how innocent a request for access is, don’t do it. If something needs to be fixed, there are hundreds of very helpful people and sites out there to assist you.
Step Ten: Take control of your own site and your own destiny.
WordPress is complicated, we all know that, but it’s not rocket science. If you’re in the blogging game, you have to expect some confusion and you have to allow some time for learning about things other than what you’re blogging about. We are assuming, of course, that you own your own domain name and are using a hosting site for your WordPress installation. None of the steps above apply to bloggers using a community blogging site, but if you’re reading this, you probably already know that. Take the plunge, buy a domain and get a cheap hosting account. There are vast amounts of WordPress resources out there to help you along the way. Good luck!
Finally, we’re not WordPress experts in any sense of the word. We get things done and we have always learned to do things by actually doing them, after reading up on the topic, of course. The worst thing that could happen is that your site might be down for a bit. Hopefully, your frequent readers will realize that glitches happen and will come back another time.
Thanks for reading! Comments and questions are welcome. Like us on Facebook and you’ll get a direct path to us for relatively instant updates and solutions: Computers Made Simple on Facebook