Often you hear the question, “What plugins should I use for WordPress Security?” It’s a valid question, but I don’t think it’s the best approach if it’s the only question you’re asking, or the only action you’re taking. If you’re leaving the security of your blog to a plugin from a 3rd party alone, you’re doing it wrong!
It’s Everyone’s Responsibility!
It starts with you. Follow these steps and you lower your risk floor significantly (without the use of a lot of plugins! :
1. Keep software updated
Has your site died on upgrade? Has your plugin author or developer told you not to upgrade because the site will break? These may be signs that a theme or a plugin enabled on the site may not have been developed with the WordPress Coding Standards in mind. It could be a theme/plugin that is deprecated and not compatible with the upgraded version of WordPress. Whatever the case may be, this is not ideal and it may be time to find a suitable replacement. Just ensure you research and review, and ensure the theme or plugin is being actively upgraded & supported by the author.
2. No Soup Kitchen Servers
Ever install a dummy WordPress instance for testing? Then you leave it there and it sits for a couple years? Ya, don’t do that. You end up putting every website on the server at risk of cross-contamination.
Attackers will find a weakness and continue to exploit it, they will then infect everything in your shared space. If you don’t clear the vulnerability, you can clean until your finger tips fall off, they will infect it again. This happens because often shared servers allow for the same root account owner to add multiple websites in their hosting area. You infect one, you infect all! If a site is not in use, remove it. At minimum refer back to step one above.
3. Reduce access
Give folks enough access to do their job, nothing more; remove it when they are done! This is the practice of least privilege, and you should be practicing this across any type of information system. This means WordPress, FTP, evens your databases, and any other logins. It comes down to proper management and use of roles and capabilities. If the user’s responsibility is to edit content, why would they need administrative rights? Use an administrator account only when performing administrative tasks like upgrading WordPress, or adding/removing a plugin, a theme or widgets.
Another access control risk website owners face is brute force attacks on their WordPress login page – /wp-admin or /wp-login.php. Check out the Google Authenticator Plugin if you haven’t already. It works great and if you’re already using Google Authenticator you know it works across a lot of your existing tools and devices.
4. Pass-phrases over Passwords
Did you know that “password” is still one of the most widely used and active passwords across the internet? If that’s public knowledge, don’t you think attackers know this? They do! Attackers looking to brute force your WordPress admin access, or even your SSH credentials will enumerate using known passwords like this. The most important thing I want you to take away from the password discussion is to be unique!!!
Instead of short passwords, use long pass-phrases like the lyrics to your favorite Notorious BIG song. Use different pass-phrases across your different logins. Another great approach is to not know your passwords at all and let a password management tool like Last Pass do the heavy lifting. It stores them securely, and even helps make them for you without you even knowing them.
5. Institute a Backup Schedule
If you don’t have an active backup schedule and solution in place, you’re not right! Countless are times we have been approached to clean a site and we quickly determine the attacker has wiped out crucial data components or a ton of their theme files. Come to find out when we ask for a backup of the data or files that they don’t have one, and their host doesn’t have one. It’s like it never existed.
The Quick Close
Sometimes less is more, and with a lot of the plugins out there today, there is a considerable amount of overlap. I do like taking a defense in-depth approach so overlap can be a good thing, just don’t go crazy installing everything under the sun. It’s valuable to understand that the more you add, the more you have to maintain, and more potential vulnerabilities can arise. Keep it simple, kill the noise, and think risk reduction!
Images Courtesy Shutterstock:
(Update, secure WordPress site, reduce access, login password, data backup)
About The Author: Kelly is a writer/blogger. She loves writing, reading and traveling. She contributes for Betaout.com
10 Best Free & Professional Premium WordPress Themes:
- Top 25+ Premium Responsive Free WordPress Themes 2013
- 25 Best & Latest Free & Premium WordPress E-Commerce Themes For Oct 2012
- 25 Free & Premium Responsive Magazine WordPress Themes For Bloggers | 2012 Edition
- 20 Best Free & Premium eCommerce WordPress Themes For Selling Footwear & T-Shirts
- 15 Best & Simple Premium Magazine WordPress Free Themes For 2012
- 20 Simple Yet Elegant Free & Premium WordPress Portfolio Themes For Designers & Photographers
- 15 Corporate Professional Business Premium WordPress Themes of 2012
- 20+ Best & Professional Free Corporate Business WordPress Themes of 2012
- 15 New Blog / Magazine Best WordPress Themes 2013
- 20 Best Free Responsive WordPress Themes 2013 With Premium Features