In the process of redesigning this site, a thought struck me. WordPress is quite easy to start with: load up a theme, install some plugins, write some posts. But what about WordPress security basics? Is there a set of rules for WordPress security?
Well, there are a number of things I do to ensure my blog is secure, and you can do them too.
If you don't have these three bases covered with the following plugins, then you're probably committing a WordPress security cardinal sin:
Lock out unwanted attackers with Login LockDown
The Login LockDown plugin protects your blog's login page from brute-force attacks: it records every failed login and, once an IP address has failed too many times in a short period, refuses further logins from that address for a while. You can also have it lock out attempts against usernames that don't exist, which is handy if you follow the tip right at the bottom of this post.
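To make the lockout rule concrete, here is an added example of the logic a login-lockout plugin applies. It is my own code, not Login LockDown's, and it is in Python rather than PHP so it can be run and checked stand-alone. The `LoginLockout` name, the thresholds, the in-memory store and the reading of the non-registered-user option as "failures on unknown usernames count toward the lockout" are all assumptions; a real plugin keeps this state in the database so it survives from one request to the next. The replayed attack in `demo()` is constructed.

```python
import time
from collections import defaultdict, deque


class LoginLockout:
    """Per-IP lockout after repeated failed logins (in-memory, single process).

    Assumed model of a Login LockDown style plugin, not the plugin's own code.
    """

    def __init__(self, known_users, max_failures=3, window_seconds=300,
                 lockout_seconds=3600, count_invalid_usernames=False,
                 clock=time.time):
        self.known_users = frozenset(known_users)
        self.max_failures = max_failures              # failures allowed...
        self.window_seconds = window_seconds          # ...within this many seconds
        self.lockout_seconds = lockout_seconds        # how long the IP stays locked
        self.count_invalid_usernames = count_invalid_usernames  # "non-registered" option (assumed semantics)
        self.clock = clock                            # injectable so tests can move time
        self._failures = defaultdict(deque)           # ip -> timestamps of recent failures
        self._locked_until = {}                       # ip -> unix time the lock expires

    def is_locked(self, ip):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:                     # lock has expired
            del self._locked_until[ip]
            return False
        return True

    def attempt(self, ip, username, password_ok):
        """Record one login attempt and return (allowed, reason).

        password_ok is the verdict of the normal credential check; the lockout
        is consulted before it is honoured, so a locked IP is refused even when
        it finally presents the right password.
        """
        now = self.clock()
        if self.is_locked(ip):
            return False, "locked"
        user_exists = username in self.known_users
        if user_exists and password_ok:
            self._failures.pop(ip, None)              # success clears the counter
            return True, "ok"
        if not user_exists and not self.count_invalid_usernames:
            return False, "bad_credentials"           # option off: unknown names are not counted
        window = self._failures[ip]
        window.append(now)
        while window and window[0] <= now - self.window_seconds:
            window.popleft()                          # drop failures outside the window
        if len(window) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_seconds
            del self._failures[ip]
            return False, "locked"
        return False, "bad_credentials"


def demo():
    """Replay a constructed attack from one IP against a fake clock."""
    now = [1_700_000_000]                             # constructed timestamp
    lockout = LoginLockout(known_users={"editor"}, max_failures=3,
                           window_seconds=300, lockout_seconds=3600,
                           count_invalid_usernames=True, clock=lambda: now[0])
    attacker = "203.0.113.7"                          # constructed address
    reasons = []
    for guess in ("admin", "admin", "administrator"): # none of these accounts exist
        reasons.append(lockout.attempt(attacker, guess, password_ok=False)[1])
        now[0] += 10
    # Even the right password for a real user is refused while the lock holds...
    reasons.append(lockout.attempt(attacker, "editor", password_ok=True)[1])
    now[0] += 3600                                    # ...until the lock expires
    reasons.append(lockout.attempt(attacker, "editor", password_ok=True)[1])
    return reasons


if __name__ == "__main__":
    print(demo())
```

Note what keying on the IP address costs you: every reader behind the same NAT or proxy shares one counter, so one bad actor (or one forgetful colleague) can lock out an office. That is why lockout durations are kept to minutes or an hour rather than days.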
Backup regularly and automatically with WordPress Database Backup
The last thing you want to find when you've been attacked and need to reinstall your blog is that you don't have a current database backup. The WP-DB-Backup plugin lets you schedule backups and email them to an address you choose. Two things to remember: a backup you have never restored is only a hope, so restore one into a test install now and again to prove it works; and a database dump contains every post, draft and password hash, so send it only to a mailbox you control.
You should also be backing up your site's files (wp-content, which holds your themes, plugins and uploads, plus wp-config.php) on a monthly basis at least. The database alone will not rebuild a site.
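As an added example of what the database and file backup looks like when done outside the plugin, the script below is my own code, not WP-DB-Backup's. It reads the database credentials out of wp-config.php, dumps the database with mysqldump and archives wp-content together with wp-config.php. It assumes mysqldump is installed and on the PATH; the function names, the destination layout and the sample wp-config.php are my own constructions. Importing the script only exercises the parsing and command construction; the backup itself runs when you execute it with the WordPress root and a destination directory.

```python
import os
import re
import subprocess
import sys
import tarfile
import time

DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")
# Matches define('DB_NAME', 'wordpress'); with either quote style. PHP escape
# sequences inside the value (a \' in a password, say) are not unescaped.
_DEFINE = re.compile(r"""define\(\s*(['"])(DB_\w+)\1\s*,\s*(['"])(.*?)\3\s*\)""")

SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_blog' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'c0rrect-h0rse' );
define( 'DB_HOST', 'localhost:3307' );
define( 'DB_CHARSET', 'utf8mb4' );
"""                                  # constructed sample, not a real config


def parse_wp_config(text):
    """Return the DB_* constants defined in wp-config.php text."""
    found = {m.group(2): m.group(4) for m in _DEFINE.finditer(text)}
    missing = [k for k in DB_KEYS if k not in found]
    if missing:
        raise ValueError("wp-config.php is missing " + ", ".join(missing))
    return {k: found[k] for k in DB_KEYS}


def mysqldump_cmd(cfg, out_path):
    """Build the mysqldump argv. The password is deliberately NOT in it: it is
    passed through the MYSQL_PWD environment variable so it never shows up in
    `ps` output or shell history."""
    host, _, rest = cfg["DB_HOST"].partition(":")
    cmd = ["mysqldump", "--single-transaction", "--user", cfg["DB_USER"],
           "--result-file", out_path]
    if rest.startswith("/"):         # DB_HOST like "localhost:/run/mysqld/mysqld.sock"
        cmd += ["--socket", rest]
    else:
        cmd += ["--host", host or "localhost"]
        if rest:                     # DB_HOST like "db.example.com:3307"
            cmd += ["--port", rest]
    cmd.append(cfg["DB_NAME"])
    return cmd


def backup_site(wp_root, dest_dir, clock=time.time):
    """Dump the database and archive wp-content + wp-config.php into dest_dir."""
    with open(os.path.join(wp_root, "wp-config.php"), encoding="utf-8") as fh:
        cfg = parse_wp_config(fh.read())
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(clock()))
    os.makedirs(dest_dir, exist_ok=True)
    sql_path = os.path.join(dest_dir, f"{cfg['DB_NAME']}-{stamp}.sql")
    env = dict(os.environ, MYSQL_PWD=cfg["DB_PASSWORD"])
    subprocess.run(mysqldump_cmd(cfg, sql_path), env=env, check=True)
    os.chmod(sql_path, 0o600)        # the dump holds password hashes
    tar_path = os.path.join(dest_dir, f"files-{stamp}.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tar:
        tar.add(os.path.join(wp_root, "wp-content"), arcname="wp-content")
        tar.add(os.path.join(wp_root, "wp-config.php"), arcname="wp-config.php")
    os.chmod(tar_path, 0o600)        # wp-config.php holds the DB password
    return sql_path, tar_path


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: wp_backup.py /path/to/wordpress /path/to/backups")
    print(*backup_site(sys.argv[1], sys.argv[2]), sep="\n")
```

Run it from cron with a destination outside the web root, otherwise the dump and the archive (both of which contain secrets) are one guessable URL away from anyone.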
Protect your site from spammers with Akismet, WP-SpamFree & Invisible Captcha
I consider Invisible Captcha one of the hidden essentials: a little-known plugin that deserves a much bigger audience. I find it invaluable. Don't worry, your users won't even know it's there; it works by stopping the bots.
Speaking Of Spam, They Can’t Spam What They Can’t See
Use the Bad Behaviour plugin and the WP-Ban plugin to lock out intruders for good. These bad boys can be dangerous if you're a bit of an amateur, because you can do silly things like banning yourself from your own blog.
Among a host of other uses, they're good for banning individual IP addresses and whole ranges of IP addresses. People can't spam you if they can't reach your website. Before you add a range, check that it doesn't contain your own address, and keep ranges narrow: a ban on a huge block of addresses stops far more legitimate readers than spammers.
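Since the risk the post warns about is banning yourself, here is an added example (my own code, not from Bad Behaviour or WP-Ban) that audits a ban list before it goes live. It validates every entry, warns when an entry covers one of your own addresses or spans an unreasonably large range, and renders the result as nginx `deny` lines so the block can be applied at the web server rather than inside WordPress. The sample list, the "own" addresses and the "too broad" thresholds (anything wider than a /16 for IPv4 or a /32 for IPv6) are constructed assumptions.

```python
import ipaddress

SAMPLE_BAN_LIST = [                 # constructed, as you might paste into WP-Ban
    "203.0.113.0/24",               # a spammy range
    "198.51.100.7",                 # a single host
    "# 10.0.0.0/8 would knock out the office",
    "10.0.0.0/8",                   # far too broad
    "2001:db8::/32",                # IPv6 works too
    "not-an-ip",                    # typo
]
MY_ADDRESSES = ["198.51.100.7", "192.0.2.1"]   # constructed: home and office addresses


def parse_ban_entry(entry):
    """Turn one line into an ip_network; comments and blank lines give None.
    A bare address becomes a /32 (or /128); host bits in a range are masked off."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    return ipaddress.ip_network(entry, strict=False)


def audit_ban_list(entries, own_ips, widest_v4_prefix=16, widest_v6_prefix=32):
    """Return (networks, problems). Nothing is written anywhere; the caller
    reads the problems and decides whether to proceed."""
    own = [ipaddress.ip_address(ip) for ip in own_ips]
    networks, problems = [], []
    for raw in entries:
        try:
            net = parse_ban_entry(raw)
        except ValueError:
            problems.append(f"{raw.strip()!r} is not a valid IP address or CIDR range")
            continue
        if net is None:
            continue
        for ip in own:                           # the self-lockout check
            if ip.version == net.version and ip in net:
                problems.append(f"{net} would ban your own address {ip}")
        widest = widest_v4_prefix if net.version == 4 else widest_v6_prefix
        if net.prefixlen < widest:               # the collateral-damage check
            problems.append(f"{net} covers {net.num_addresses} addresses; narrow it")
        networks.append(net)
    return networks, problems


def render_nginx_deny(networks):
    """Render deny rules for an nginx server block, one per line."""
    return "\n".join(f"deny {net};" for net in networks)


if __name__ == "__main__":
    nets, issues = audit_ban_list(SAMPLE_BAN_LIST, MY_ADDRESSES)
    for issue in issues:
        print("WARNING:", issue)
    print(render_nginx_deny(nets))
```

Run against the sample list it flags three things: the single-host entry that is your own address, the /8 that covers sixteen million addresses, and the typo. Blocking at the web server (or at the firewall) rather than in a plugin has the added benefit that a banned address never gets as far as executing PHP.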
A Sneaky Fourth Security Tip
Pick a name other than "admin" for your administrator account. The default WordPress installation creates a user called "admin", and it is the first username every attacker tries. Create a second administrator account, log in as that account and delete the original; when WordPress asks what to do with the old account's content, attribute it to the new user rather than deleting it. This tip, combined with Login LockDown's option to lock out attempts on usernames that don't exist, is what thwarts the script kiddies: anyone hammering "admin" locks themselves out without ever getting to guess a password.
Some Friendly Advice On Server Choice
Finally, choose an appropriate host and consider upgrading yourself from standard shared hosting. Get your own IP address and virtual machine if you can. Bluehost have a premium account for only $14.95 a month: sign up for the standard account, then order the premium upgrade through the console. You get SSL for conducting proper eCommerce, plus your own IP address and your own virtual machine.
Do you have any security tips to add? Have you written a handy plugin that you think should be on this list? Leave a comment below.