Those of you that have been reading here for awhile know that I’m a believer in building your business website on the WordPress framework (and strongly recommend the Headway theme). But articles like this one that I read this morning always prompt people to ask, “Is WordPress Safe…is it Secure?”
My answer ? Yes, absolutely. So how do I explain 30,000 websites being hijacked as the above mentioned article described? A combination of sloppiness and lack of knowledge.
Because WordPress makes it super easy to create a website, tons of people are doing just that, but unlike self proclaimed geeks like me, they aren’t aware of some of the simple things that you must do to secure your site. It’s not a weakness in WordPress, but rather sensible ‘housekeeping’ type tasks that should be done on every installation.
1. Create a unique username. Don’t use the standard ‘admin’ user name. If it was created automatically, create a new user with administrative privileges with a more unique username and delete the admin account once you’ve logged in with the new one. For even more security in your username use upper and lower case letters and a symbol or two thrown in for good measure.
2. Create a tough password. It should be at least 8 characters in length and a combination of upper and lower case letters, numbers and a symbol or two thrown in there for good measure. Refrain from using family names, names of pets or birthdates as this information can usually be discovered pretty easily.
3. Change the Database Tables Prefix. With most WordPress installers, the SQL database name has the default prefix of wp_xxxxxx. Hackers know that and that’s why many of the security attacks that take place exploit this default. Changing the prefix protects you from this type of infiltration. An easy way to do this is to install Website Defender WordPress Security Scan and Secure WordPress. Not only will they help you change your prefix, it also allows you to address a host of other small items that can help make your site even more secure.
4. Check your file permissions. Different files and directories have permissions that specify who and what can read, write, modify and access them. WordPress needs access to some files to work correctly but you don’t want to leave them open to some unscrupulous hacker. Make sure none of your files are set to 777 which basically gives the world permission to access and change files.
5. Be sure the theme you are using isn’t opening security holes. If you’re like me, when I first saw all the choices I had for themes I was like a kid in a candy store, but be careful. Many of the themes that show up in searches for free WordPress themes hold hidden security dangers. One of the reasons I prefer using a premium theme is the attention the developers take with the security aspects, including updates when they become aware of new vunerabilities.
6. Keep WordPress, your theme and plugins up to date. The reason for the updates are often because a new security vulnerability has been found and fixed in the new update. This is why it’s important to do regular maintenance on your WordPress website.
By taking these six relatively simple precautions you close the door to security breaches and can breathe easy building your website on WordPress. But what if you’re not the one building your site? I’m sure there are plenty of people that have paid good money to have someone design a WordPress site for them only to have a security vulnerability take down their site months or even years later.
Make sure you ask whomever is building your site on WordPress what kind of security precautions they take in the building of your site. They should quickly be able to explain how they address the first five items on the list above. If not, you may be dealing with someone who’s building sites on WordPress without understanding how to insure your website security. Building any type of website without taking security precautions is just sloppy. If you don’t want to have to deal with updates, you may want to find someone who offers maintenance for WordPress sites like I do.
Regardless of those 30,000 hijacked WordPress sites, you can be assured with a few small precautions it is a safe and secure choice for your site.