If you are running WordPress, Drupal or any other website software, we cannot emphasize enough how important it is to keep your core files and plugins up to date. Over the last couple of months we have seen several sites hacked because they were not updated regularly. If you are a website owner, you need to make sure you're updating regularly or that you have someone to do it for you. Cleaning up a hacked site takes time, and your site may be shut down during the process.
You should check with your designer and your host to find out if there is a maintenance service available or to ensure you're already covered. Do not assume anything.
WordPress is a great tool for website owners. It's easy to learn and easy to administer. However, WordPress is also so popular that it is constantly being probed and hacked. Because of that popularity, WordPress developers constantly have to put out updates to fix security issues, fix bugs and add features. Below I will list some basic things you as a WordPress administrator need to do to keep your site from being hacked. When I say administrator, that means anyone who has a website with WordPress installed.
- Most important on the list: keep WordPress and its plugins updated. There are WordPress and plugin updates pretty much weekly. Sometimes it seems they are coming out on a daily basis. These updates contain security fixes that help keep hackers at bay.
- Change the default admin username to something other than Admin. The easiest way to do this is to create a new user account in WordPress (give it admin access), then log in with that username and delete your old account.
- Remove the “Hello World!” post that is installed by default. This post leaves discussion open and generally gets spammed with comments by bots.
- Install one or all of the following security plugins:
  - All In One Security and Firewall – Go through this plugin, read everything and follow the recommended setup.
  - Project Force Field – Read the plugin description for details.
- Use a strong password. After installing All In One Security and Firewall, you can use it to determine the strength of your password by going to WP Security > User Accounts and clicking on the Password tab.
- Change the Nick Name in your user profile to something other than your login username.
- If your website is not a discussion-based blog, it is highly recommended that you turn off commenting. As there is no real way to turn this on or off, you simply go to Settings/Discussion and check “Users must be registered and logged in to comment”.
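The checklist above can also be checked from the command line. The script below is an added example, not part of the original post: it assumes WP-CLI (`wp`) is installed on the server, and the install path passed to it is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes WP-CLI (`wp`) is on PATH
# and that $1 is the WordPress install directory (placeholder path).

# Print one "FINDING:" line per checklist item that fails; print nothing if clean.
audit_wp() {
  w="--path=$1"

  # Pending core and plugin updates (--quiet hides the "latest version" notice).
  for v in $(wp "$w" core check-update --field=version --quiet); do
    echo "FINDING: core update available: $v"
  done
  for p in $(wp "$w" plugin list --update=available --field=name); do
    echo "FINDING: plugin update available: $p"
  done

  # Administrator accounts: default username, and nickname equal to the login.
  wp "$w" user list --role=administrator --field=user_login |
  while IFS= read -r login; do
    case "$login" in
      [Aa][Dd][Mm][Ii][Nn]) echo "FINDING: default admin username in use: $login" ;;
    esac
    nick=$(wp "$w" user meta get "$login" nickname </dev/null)
    if [ "$nick" = "$login" ]; then
      echo "FINDING: nickname matches login name: $login"
    fi
  done

  # Default "Hello World!" post still present (slug hello-world).
  for id in $(wp "$w" post list --post_type=post --name=hello-world --field=ID); do
    echo "FINDING: default Hello World post present: ID $id"
  done

  # Settings/Discussion: "Users must be registered and logged in to comment".
  reg=$(wp "$w" option get comment_registration || true)
  if [ "$reg" != "1" ]; then
    echo "FINDING: comments allowed without registration"
  fi
  return 0
}

# Run only when called as: sh audit.sh --run /path/to/wordpress  (placeholder)
if [ "${1:-}" = "--run" ]; then audit_wp "$2"; fi
```

Run it from cron and have the output mailed to you so a missed update or a leftover default account shows up without logging in to the dashboard.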
Keep in mind some general ideas while considering security for each aspect of your system:
- Limiting access
  - Making smart choices that reduce possible entry points available to a malicious person.
- Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised.
- Preparation and knowledge
  - Keeping backups and knowing the state of your WordPress installation at regular intervals. Having a plan to back up and recover your installation in the case of catastrophe can help you get back online faster in the case of a problem.
- Trusted Sources
  - Do not get plugins/themes from untrusted sources. Restrict yourself to the WordPress.org repository or well-known companies. Trying to get plugins/themes from the outside may lead to issues.
This helps tremendously with keeping your site secure. If you need help or would like us to handle this for you, let us know. The list above is just some basic steps; there are numerous additional advanced ways to secure your site.
If you need help with updating your site, let us know.