Basic Security Tips For WordPress Blogs

Posted: October 25, 2013 in Articles

WordPress has become the most popular content management system on the internet through a combination of ease-of-use and flexibility. Unfortunately, the proliferation of WordPress has also led unethical hackers to target WordPress sites.

Basic security practices for WordPress blogs can mean the difference between having an operational website and having your website infected with malware. Taking the following steps takes very little time, but makes a significant difference in the security of your site. By spending a few moments on basic security upfront, you can save yourself hours of headache from a compromised WordPress site in the future.

Delete the Default “Admin”

Every WordPress installation includes a default Administrator account named “Admin”. Since the standard installation automatically installs “Admin”, an unfortunate number of WordPress blogs rely on the same username.

Worse yet, the “Admin” account has Administrator privileges. With the highest level of privilege, “Admin” can delete blog contents, insert malicious code into raw HTML, and otherwise perform irreparable damage to a website.

The standard model of WordPress login security relies on a username and a password to prevent unauthorized access. If your blog still has “Admin” installed as an Administrator, then half of the security protocol has already been breached.

Hackers know that the majority of WordPress users do not change the default Administrator username. As a result, freely circulated attack scripts routinely probe thousands of WordPress sites for the user “Admin” and hit the login page with repeated password guesses.

Deleting the default “Admin” user is the single most important factor in making your WordPress installation more secure.
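From the defender's side, the repeated password guesses described above show up in the web server's access log as bursts of POST requests to wp-login.php. The following Python script is an added example, not part of the original article: it reads access-log lines, uses the standard WordPress behaviour of re-rendering the form with HTTP 200 on a failed login and redirecting (302) on success, and flags addresses that exceed a failure threshold inside a time window. The log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined access-log format (no real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Oct/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/1.2"
203.0.113.7 - - [25/Oct/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/1.2"
203.0.113.7 - - [25/Oct/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/1.2"
203.0.113.7 - - [25/Oct/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "python-requests/1.2"
203.0.113.7 - - [25/Oct/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/1.2"
198.51.100.4 - - [25/Oct/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.4 - - [25/Oct/2013:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def wp_login_events(log_text):
    """Yield (ip, timestamp, failed) for every POST to wp-login.php.
    WordPress re-renders the login form with HTTP 200 when a login fails
    and answers a successful login with a 302 redirect to the dashboard."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield ip, when, status == "200"

def find_bruteforce(log_text, threshold=4, window_seconds=60):
    """Flag IPs with >= threshold failed logins inside any window_seconds
    span, and record whether a successful login followed the failures."""
    failures, succeeded_after = defaultdict(list), set()
    for ip, when, failed in wp_login_events(log_text):
        if failed:
            failures[ip].append(when)
        elif failures[ip]:  # success right after failures: review that account
            succeeded_after.add(ip)
    window, flagged = timedelta(seconds=window_seconds), {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(times), "succeeded_after": ip in succeeded_after}
                break
    return flagged
```

A flagged address whose failures were followed by a 302 is the case to act on first: the guessing may have succeeded, so the targeted account's password should be reset and its recent activity reviewed.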

Update WordPress Plugins and Themes Consistently

One of the largest benefits of WordPress is the plethora of plugins and themes available across the internet. Many of these plugins and themes are offered free of charge and site administrators can add functionality or change design at the click-of-a-button. Unfortunately this also poses a risk to the WordPress community.

Frequent updates to the core WordPress source code also necessitate updates to plugins and themes. In addition, the wide variety of coding styles and programming methods makes it difficult for every plugin and theme to work well together.

As hackers discover new vulnerabilities in online sites, the team behind the WordPress software patches security flaws in the back-end software. Unfortunately, these updates must be installed manually across every WordPress site to maintain a basic level of security.

WordPress has a built-in function to update plugins and themes, but site administrators must manually start each update process. Plugins and themes can be updated one-at-a-time or all at once through the administrative dashboard. However, without a user manually beginning an update, none of the plugins or themes are ever updated.

The security of a blog is severely compromised by out-of-date plugins and themes. Even a single old version can provide a gaping hole for hackers to exploit your site.

Frequent updates do not ensure a secure WordPress site since so-called zero day vulnerabilities always pose a threat. But updating plugins and themes on a regular basis is a bare minimum requirement for having proper site security.

Implement Secure Passwords For WordPress Accounts

Every WordPress installation relies on two unique items for login security. Each user has a unique username and each username should have a unique password. Unfortunately having a unique username and password is not enough to ensure security.

Passwords vary tremendously in length and security. The worst passwords are common words that many people (unfortunately) use for multiple websites. “Password”, “123”, “qwerty”, and “mypassword” are some of the terrible choices common across the internet. With these weak passwords, even the least experienced hacker can break into your WordPress account.

For site administrators, a single user with a weak password can pose a dangerous threat to the entire site. More sophisticated hackers often use access to a lower-level WordPress account to get information on the site. Then, posing as the compromised user, these hackers can gain access to higher and higher levels of authorization.

Through this combination of bad passwords and bad user security, hackers can quickly move from a compromised Subscriber account to a compromised Administrator account. Once the internal accounts have been compromised, the entire site architecture is at risk.

A simple solution for site administrators is to require every user to have a long, complex password. The more characters in a password, and the more distinct characters it contains, the more likely it is to stand up to repeated guessing attempts. By requiring every single user to employ a secure password, WordPress administrators can make the entire site a little more secure.

Ensure Your Online Partners Know WordPress

Unfortunately, having an internal team that practices proper security protocols is not sufficient. The marketing and consulting firms that provide services to your website administrators are also a critical piece of the security puzzle. Since every website is different, the firms you choose to work with should be experienced with your specific site architecture in order to ensure the highest level of security.

Often, design firms not familiar with WordPress architecture leave glaring security holes when re-designing a theme. A terrific graphic artist who is not used to working in WordPress might not realize the importance of specific PHP scripts within a given theme.

More common is a marketing firm that installs multiple plugins of varying utility. Some of these plugins, whether because they are outdated or because they are simply insecure, pose a risk to the website.

Professional marketing and consulting firms like Argon Marketing that are experienced with WordPress sites employ designers and programmers who are knowledgeable about basic site architecture. Even when performing a full site re-design, a good firm will know how to secure current themes and avoid insecure plugins.

Any outside company working on your website should also practice basic security practices. Long, complex passwords, unique user accounts for each staff member, and a formal process of dealing with site security are a must for any firm working on your website.

This article was written by Nolan Kido. Nolan works in the technology industry in Honolulu, Hawaii.
