Is your WordPress site secure?

Ensuring your site is safe and secure is a challenging, ongoing necessity.  There are steps you can take to keep it safe and secure and reduce the possibility that your site will be hacked.

How you log in to your WordPress site

Many developers and companies will create a generic administrative login for their sites.  The user name is, typically, some derivative of "administrator".  Having this type of generic login may make your life easier, but it also makes life easier for hackers!  The first step to security is ensuring that each person who accesses your administrative area has their own login, that there are no generic logins, and that there is certainly no username that is any derivative of "administrator" or "admin".

Ensuring your site is up to date

One of the things that has long set WordPress apart from other open source content management systems is that it offers an easy update to the core files (the actual WordPress installation), as well as to all of the plugins and themes that either come with the WordPress software or have been purchased.

Maintaining your website's software is a critical piece of maintaining the security of your site. Most software hacks occur because of old plugins with vulnerabilities.  If your web developer has programmed your WordPress site properly, one-click upgrading keeps your site up to date and blocks the newly discovered vulnerabilities from being exploited.

Checklist for doing an in-place upgrade

Here is a short checklist for ensuring that your upgrade goes smoothly and that you have a recovery plan in case you discover a problem. Before we get to that, here is an example of why this is so important.  One client utilized one of the default themes that came with their WordPress installation.  Instead of creating a child theme as the software and WordPress Codex instruct, they modified the theme directly.  The client's WordPress installation was maintained: any time they received an update notice (more on that later), or noted while creating new content that there was a need to update, they performed the update and went on about their work.  One day, they updated the theme they were using.  They lost all of the customization that had been made to their site.  Fortunately, they were able to retrieve a backup and restore the theme files without too much problem.  However, their site was still a mess for the 3 days it took to straighten everything out.
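The loss described above can be spotted before the update runs. The shell functions below are an added example, not part of the original article: they report whether an installed theme is a child theme (recognised by the "Template:" header in its style.css) or differs from a pristine copy of the same release. The function names, the sample directories, and the assumption that you have an unmodified copy of the theme to compare against are all illustrative.

```shell
#!/bin/sh
# Added example, not from the original article. Paths and theme names are constructed.

# A child theme names its parent in a "Template:" header inside style.css.
is_child_theme() {
    grep -Eiq '^[[:space:]*]*Template:[[:space:]]*[^[:space:]]+' "$1/style.css" 2>/dev/null
}

# Print one line per file that differs between the pristine release ($1)
# and the installed theme ($2). No output means an update would lose nothing.
customized_files() {
    LC_ALL=C diff -rq "$1" "$2" || [ $? -eq 1 ]
}

# Summarise whether updating the installed theme would overwrite local edits.
theme_update_verdict() {
    pristine=$1; installed=$2
    if is_child_theme "$installed"; then
        echo "child-theme"; return 0
    fi
    count=$(customized_files "$pristine" "$installed" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then echo "unmodified"; else echo "customized:$count"; fi
}

# Constructed sample: a pristine theme, a directly edited copy, and a child theme.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/pristine" "$d/edited" "$d/child"
    printf '/*\nTheme Name: Sample Parent\n*/\nbody{color:#000}\n' > "$d/pristine/style.css"
    printf '<?php // header\n' > "$d/pristine/header.php"
    cp "$d/pristine/"* "$d/edited/"
    printf 'body{color:#c00}\n' >> "$d/edited/style.css"   # direct edit
    printf '<?php // custom\n' > "$d/edited/promo.php"     # added file
    printf '/*\nTheme Name: Sample Child\nTemplate: sample-parent\n*/\n' > "$d/child/style.css"
    echo "$d"
}

demo=$(make_demo)
theme_update_verdict "$demo/pristine" "$demo/edited"     # customized:2
theme_update_verdict "$demo/pristine" "$demo/pristine"   # unmodified
theme_update_verdict "$demo/pristine" "$demo/child"      # child-theme
rm -rf "$demo"
```

A "customized" verdict means those files should be moved into a child theme before the parent theme is updated.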

Checklist to be performed when upgrading

  1. Make a temporary backup of your site files and database.  
    1. Generally, this is relatively easy and can be done through your hosting control panel.  Unless you are running a hosted solution, you should have access to your control panel.  If you do not, there are a number of free backup plugins you can install on your site administrative panel to accomplish this. 
  2. Log in to your administrative panel and review the needed updates.
    1. When you log into the WordPress admin panel, in the first panel you will see if your WordPress core needs to be updated, and at the top in the left menu, you will see what other updates are also suggested.
      [Screenshot: WordPress admin panel]
    2. When you see that you need to perform updates, clicking on the "Updates" link in the left menu will take you to the update screen.  Before you update the WordPress core, look at the Plugin Updates.  You will note in the screenshot that the Plugin updates show the compatibility information.
      [Screenshot: WordPress update screen]
      Given that there are 4 unknown Compatibility flags for WordPress 3.5.2 with the plugins, there are 2 things that can be done:
      1. Click on the "View Version X.x.x details".  Once you do that, click on the "WordPress Plugin page" to see the compatibility rating that others have experienced.
        [Screenshots: version details and WordPress Plugin page compatibility rating]
      2. You will need to make a decision at this point whether to upgrade your core, or wait until the next round of plugin updates to ensure full compatibility between WordPress and the plugins you use. 
  3. When you confirm that the upgrades will run with your version of WordPress, run your updates.  If this is the first time, I strongly recommend that you do the upgrades one at a time and test so that you know if something is going to cause problems for your site.
  4. Check your work!  If there is a problem, you can temporarily roll your site back (using the database and site files backup you created in step 1).  Generally all you will need to do is to upload and extract the backup you have created and load the database file to your database. 
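Steps 1 and 4 of the checklist can also be done from a shell on the host. The script below is an added example, not part of the original article: it archives the site files, verifies that the archive reads back, refuses to write the backup inside the web root, and rolls the files back. The function names and sample paths are constructed, and backup_db assumes WP-CLI (the "wp" command) is installed.

```shell
#!/bin/sh
# Added example, not from the original article. All paths are constructed.

# Step 1: archive the site files and print the archive path.
backup_site() {
    site=$1; dest=$2
    [ -f "$site/wp-config.php" ] || { echo "not a WordPress root: $site" >&2; return 1; }
    [ -d "$dest" ] || { echo "backup directory missing: $dest" >&2; return 1; }
    site_abs=$(cd "$site" && pwd -P); dest_abs=$(cd "$dest" && pwd -P)
    # The archive holds wp-config.php (database credentials); a copy under the
    # web root could be downloaded by anyone, so refuse to write it there.
    case "$dest_abs/" in
        "$site_abs"/*) echo "refusing to back up inside the web root" >&2; return 1 ;;
    esac
    archive="$dest_abs/site-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$site_abs" . || return 1
    chmod 600 "$archive"
    # Verify the archive reads back before trusting it as a recovery point.
    tar -tzf "$archive" | grep -q 'wp-config\.php$' || return 1
    echo "$archive"
}

# Step 1, database half. Assumes WP-CLI ("wp") is installed on the host.
backup_db() {
    wp db export "$2" --path="$1" && chmod 600 "$2"
}

# Step 4: roll the files back from the archive made in step 1.
restore_site() {
    tar -tzf "$1" >/dev/null || return 1
    tar -xzf "$1" -C "$2"
}

# Constructed sample site with one theme file.
make_demo_site() {
    d=$(mktemp -d); mkdir -p "$d/public/wp-content/themes/x" "$d/backups"
    echo "<?php // constructed config" > "$d/public/wp-config.php"
    echo "v1" > "$d/public/wp-content/themes/x/style.css"
    echo "$d"
}

d=$(make_demo_site)
a=$(backup_site "$d/public" "$d/backups")
echo "broken by update" > "$d/public/wp-content/themes/x/style.css"
restore_site "$a" "$d/public"
cat "$d/public/wp-content/themes/x/style.css"          # v1
backup_site "$d/public" "$d/public/wp-content" || echo "refused"
rm -rf "$d"
```

Restoring from the archive puts back overwritten files but does not delete files an update added, and the database dump is loaded back separately.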

Maintaining the code that runs your WordPress installation is probably the single most important step you can take. 

Security Software

While security software is not a complete answer to prevent your site from being hacked, it does help.  I have used many systems over the years, but the one that I like best is called Wordfence.  This software sets up a firewall and will scan your site files for changes and additions.  It is a great product.  They offer both a free and a paid version.

Moving your site to a sub-directory

Finally, there is the option to move your site, or set it up, so that it operates in a sub-directory.  You can then use the .htaccess file and a small modification to your index.php file to make your URL display correctly, while keeping your site files effectively hidden.  The full instructions for moving WordPress to its own directory can be reviewed here.

Here is the Cliff Notes version:

  1. Create the new location.
  2. Go to the General panel
  3. In the WordPress address URL, change the address to the new location
  4. Make sure that the Site Address box gives the URL you would like people to see.
  5. Save Changes
  6. Move your WordPress core files to the new location.
  7. COPY (do not move) the index.php and .htaccess files from the WordPress directory to the root directory of your site.
  8. Open your root directory's index.php file.
  9. Update the line that says require('./wp-blog-header.php'); to read require('./[directory where you put your WordPress core]/wp-blog-header.php');
  10. If you have Permalinks set up, go to the Permalinks panel and update your Permalink structure.
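A quick way to confirm steps 7 through 9 were carried out correctly, as an added example that is not part of the original article: the check below reads the require line in the root index.php and confirms it points at a wp-blog-header.php that exists in a sub-directory, and that .htaccess was copied to the root. The function names and the "wordpress" directory name are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Directory names are constructed.

# Print the path the root index.php loads wp-blog-header.php from.
header_path() {
    sed -n "s/.*require[^'\"]*['\"]\([^'\"]*wp-blog-header\.php\)['\"].*/\1/p" "$1/index.php" | head -n 1
}

# Check steps 7-9 for web root $1; print "ok:<subdir>" or the first problem found.
check_subdir_move() {
    root=$1
    [ -f "$root/index.php" ] || { echo "missing: index.php in root"; return 1; }
    [ -f "$root/.htaccess" ] || { echo "missing: .htaccess in root"; return 1; }
    hdr=$(header_path "$root")
    [ -n "$hdr" ] || { echo "no wp-blog-header.php require found"; return 1; }
    rel=${hdr#./}; rel=${rel#/}
    sub=$(dirname "$rel")
    [ "$sub" != "." ] || { echo "index.php still loads from the root"; return 1; }
    [ -f "$root/$rel" ] || { echo "not found: $rel"; return 1; }
    echo "ok:$sub"
}

# Constructed layout of a web root after the move.
make_demo_root() {
    r=$(mktemp -d); mkdir -p "$r/wordpress"
    : > "$r/.htaccess"; : > "$r/wordpress/wp-blog-header.php"
    printf "<?php\nrequire('./wordpress/wp-blog-header.php');\n" > "$r/index.php"
    echo "$r"
}

r=$(make_demo_root)
check_subdir_move "$r"                       # ok:wordpress
printf "<?php\nrequire('./wp-blog-header.php');\n" > "$r/index.php"
check_subdir_move "$r" || true               # index.php still loads from the root
rm -rf "$r"
```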

Conclusion

WordPress is a popular CMS and blogging system.  As such, it will come under scrutiny and attack often.  Maintaining your site is a must to keep it safe, secure and to provide your users with an optimum experience when viewing your site.  

One Web Company offers maintenance services to keep your site up to date.  If you have any concerns about how your site was programmed, it is very important to have the site checked out before you update anything. 
