Safe by Design: How to Boost Your WordPress Site’s Security
For anyone who designs, owns or runs a website, the threat of getting hacked is a constant reality, whether you're a mega-corporation serving millions of users or a one-person blog promoting products or services. And while a hack is rarely fatal (WordPress makes it easy to back up your data, so getting up and running again after an attack isn't too painful, provided you actually have a recent backup stored somewhere the attacker couldn't reach), it is a gigantic hassle that costs you time and, occasionally, money.
Thanks to the popularity of the WordPress platform, its community of developers and supporters is always coming up with new ways to beef up the security of the content management system for all users. From adding features, to plugging holes in plugins and themes, to giving valuable advice on what not to do when choosing new features, a group of dedicated WordPress enthusiasts has your back.
So what are some quick and easy things you can do to ensure your site’s security is up to snuff? Here are five ideas that you should definitely be thinking about and implementing as soon as possible.
- One of the great things about WordPress is the massive number of plugins (programs that add functionality to your site) available, most of them free. Unfortunately, with so many add-ons on offer, some are bound to have security issues. So only install plugins from trusted sources such as the official WordPress.org directory or the developer's own site, and research anything you are unsure about: read reviews, check when it was last updated and which WordPress version it was tested with, and see whether the author answers support questions (a sign that a responsible human being is behind the product). Delete plugins you no longer use rather than merely deactivating them: a deactivated plugin's files are still on the server, still need patching, and can still be requested directly by an attacker.
- WordPress pros preach this unceasingly: keep the core program and all plugins and themes updated! Vulnerabilities are found all the time by developers, researchers and users, and once one is disclosed someone is usually already working on a patch. But a patch only protects you if you install it; until you do, your site is exposed to attackers who are often scanning for exactly that hole, whether to steal data or just cause mayhem. Updating takes some time, and it is worth testing major updates on a staging copy first, but consider the alternative and the importance of staying current is obvious. WordPress applies minor core releases automatically by default and, since version 5.5, can auto-update individual plugins and themes from the Plugins and Themes screens; turn this on for anything you do not need to test by hand.
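One way to make the update discipline automatic, as an added example written for this article rather than code from WordPress or the original post: opt every plugin and theme into auto-updates, carve out an exception for anything you prefer to test by hand, and have WP-Cron mail you a daily summary of whatever is still waiting. It assumes a stock WordPress 5.5+ install with working WP-Cron and `wp_mail()`; the plugin slug in `$manual_only` and the `example_` hook and function names are placeholders of mine.

```php
<?php
/**
 * Added example (not from the article): automatic updates plus a daily digest of
 * pending ones. Put it in functions.php or a must-use plugin
 * (wp-content/mu-plugins/updates.php). Assumes stock WordPress 5.5+ with WP-Cron
 * and wp_mail() working. The slug in $manual_only is a hypothetical placeholder.
 */

// In wp-config.php (not here): let core apply minor releases automatically.
// 'minor' is already the default since 3.7; set it to true to auto-apply major
// releases as well.
// define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Auto-update every plugin and theme by default ...
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// ... except plugins you want to test by hand first (hypothetical plugin file).
add_filter(
	'auto_update_plugin',
	function ( $update, $item ) {
		$manual_only = array( 'example-payment-gateway/example-payment-gateway.php' );
		if ( isset( $item->plugin ) && in_array( $item->plugin, $manual_only, true ) ) {
			return false;
		}
		return $update;
	},
	20,
	2
);

/**
 * Count the updates WordPress already knows about, reading the update transients
 * directly. wp_get_update_data() is deliberately not used: it returns zero counts
 * when no user is logged in, which is always the case under WP-Cron.
 */
function example_pending_updates() {
	$pending = array( 'core' => 0, 'plugins' => 0, 'themes' => 0 );

	$core = get_site_transient( 'update_core' );
	if ( ! empty( $core->updates ) ) {
		foreach ( $core->updates as $offer ) {
			if ( 'upgrade' === $offer->response ) {
				$pending['core']++;
			}
		}
	}

	$plugins            = get_site_transient( 'update_plugins' );
	$pending['plugins'] = empty( $plugins->response ) ? 0 : count( $plugins->response );

	$themes            = get_site_transient( 'update_themes' );
	$pending['themes'] = empty( $themes->response ) ? 0 : count( $themes->response );

	return $pending;
}

// Schedule the daily check once (the hook name is our own).
add_action( 'init', function () {
	if ( ! wp_next_scheduled( 'example_update_digest' ) ) {
		wp_schedule_event( time(), 'daily', 'example_update_digest' );
	}
} );

// Mail the site admin only when something is actually outstanding.
add_action( 'example_update_digest', function () {
	$pending = example_pending_updates();
	if ( 0 === array_sum( $pending ) ) {
		return;
	}
	$body = sprintf(
		"Pending updates on %s\nCore: %d\nPlugins: %d\nThemes: %d\n",
		home_url(),
		$pending['core'],
		$pending['plugins'],
		$pending['themes']
	);
	wp_mail( get_option( 'admin_email' ), 'WordPress updates waiting', $body );
} );
```

Both `auto_update_plugin` filters run: the first turns everything on at the default priority, and the second, at priority 20, vetoes only the listed plugin. Because WP-Cron only fires on page views, a quiet site may check late; if that matters, disable `WP_CRON` in `wp-config.php` and trigger `wp-cron.php` from the system cron instead.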
- Don't let anyone browse the directories of your WordPress site. When a browser requests a directory that contains no index file, a web server with directory listing enabled responds with a page listing everything in that directory, so anyone can read off which plugins and themes you have installed (and therefore which known vulnerabilities to try). To check, create a new folder on your site containing a simple text file, then visit that folder's URL in your browser: if you see a listing with a link to the file you created, directory browsing is enabled. On Apache, disable it by adding the line `Options -Indexes` to your `.htaccess` file (note the syntax: `Options All -Indexes`, mixing a bare option with a prefixed one, is rejected by Apache). If your host does not allow `Options` in `.htaccess` (no `AllowOverride Options`), Apache will answer every request with a 500 error, so test immediately after the change and, if that happens, ask the host to turn listings off in the server configuration instead. On nginx, listings are controlled by the `autoindex` directive, which is off unless someone switched it on. As a second line of defence, make sure `wp-content/themes` and `wp-content/plugins` each contain an `index.php` that does nothing (WordPress ships one in both, containing only `<?php // Silence is golden.`), and add the same file to `wp-content/uploads`, which does not get one by default.
- Trackbacks and pingbacks are notifications that another web page has linked to your content, and most site owners ignore them. The pingback mechanism, however, is served through `xmlrpc.php`, and an attacker can abuse it by sending pingback requests that make your site fetch a URL of their choosing, which turns your server into one of many reflectors in a distributed denial-of-service (DDoS) attack against somebody else's site (the same endpoint's `system.multicall` method also lets attackers batch many login guesses into a single request). If you do not rely on pingbacks, disable them: go to Settings > Discussion and uncheck "Allow link notifications from other blogs (pingbacks and trackbacks) on new posts". Mind the words "on new posts": existing posts keep their own ping setting, so use the bulk edit action on the Posts screen to set Pings to "Do not allow" for them as well. Even then the XML-RPC endpoint itself still answers, so removing the `pingback.ping` method, or blocking `xmlrpc.php` at the web server if nothing you use (the mobile app, Jetpack, some publishing tools) needs XML-RPC, is the more thorough fix.
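The Discussion setting only closes pings per post. The following, an added example written for this article and not code from WordPress or the original post, closes pingbacks at every layer from `functions.php` or a must-use plugin: it forces pings closed on all posts (old ones included), removes the pingback methods from the XML-RPC server, and stops the site advertising the endpoint. It assumes a stock WordPress install; every hook used is a WordPress core hook.

```php
<?php
/**
 * Added example (not from the article): shut pingbacks at every layer rather
 * than only for new posts. Assumes a stock WordPress install.
 */

// 1. Treat pings as closed on every post regardless of its own setting. The
//    XML-RPC pingback handler checks pings_open() before it fetches the source
//    URL, so this alone stops the outbound request that attackers rely on.
add_filter( 'pings_open', '__return_false', 20, 2 );

// 2. Belt and braces: remove the pingback methods from the XML-RPC server, so a
//    pingback.ping call gets "method not found" instead of reaching the handler.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header ...
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );

// ... and blank the URL that themes print as <link rel="pingback" href="...">
//     via bloginfo( 'pingback_url' ).
add_filter( 'bloginfo_url', function ( $output, $show ) {
	return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// 4. Caveat: the well-known add_filter( 'xmlrpc_enabled', '__return_false' )
//    does NOT stop pingbacks. That filter is checked inside the XML-RPC login
//    routine, and pingback.ping never logs in, so it sails straight past it.
//    To switch off xmlrpc.php completely, deny the file at the web server.
```

Keep step 1 even if you apply step 2: a plugin that re-registers XML-RPC methods, or a future core change, cannot reopen pings behind your back while `pings_open` is filtered to false.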
- Keeping your login user names and passwords under control is, of course, a basic part of running a website. Yet by default the WordPress login form gives an attacker help: enter a wrong user name and it says the user is unknown; enter a valid user name with a wrong password and it says so, naming the user. Those "hints" let an attacker confirm which user names exist and then concentrate a password-guessing attack on them. Get rid of the distinction by adding a short script to your theme's `functions.php` file (or a must-use plugin, so it survives a theme change) that replaces both messages with a single generic one such as "Invalid username or password." Bear in mind that user names also leak through author archive URLs (`?author=1` redirects to `/author/name/`) and the REST API's users endpoint, so combine this with strong, unique passwords, a login rate limit and, ideally, two-factor authentication.
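The script the tip refers to, as an added example written for this article rather than code from WordPress or the original post. Instead of filtering the rendered `login_errors` string (which would also blank unrelated messages on the lost-password screen), it hooks the `authenticate` filter late and collapses the two revealing verdicts into one error, then closes the author-archive and REST API leaks mentioned above. It assumes a stock WordPress install; every hook used is a WordPress core hook, and the error code `invalid_login` is a name of my choosing.

```php
<?php
/**
 * Added example (not from the article): one generic login error, and the two
 * other common username leaks closed. Put it in functions.php or a must-use
 * plugin. Assumes a stock WordPress install.
 */

// 1. Run late on 'authenticate'. By priority 99 core has already decided whether
//    the username or the password was wrong; return the same error either way.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( ! is_wp_error( $user ) ) {
		return $user; // WP_User on success, or null if no handler ran.
	}
	$revealing = array( 'invalid_username', 'invalid_email', 'incorrect_password' );
	if ( array_intersect( $revealing, $user->get_error_codes() ) ) {
		return new WP_Error( 'invalid_login', 'Invalid username or password.' );
	}
	return $user; // e.g. empty_username / empty_password: nothing leaked, keep them.
}, 99, 3 );

// Keep the login box's "shake" animation for our own error code (cosmetic).
add_filter( 'shake_error_codes', function ( $codes ) {
	$codes[] = 'invalid_login';
	return $codes;
} );

// 2. Usernames also leak via /?author=N, which the canonical redirect turns into
//    /author/<username>/. Run before redirect_canonical (priority 10) and send
//    those probes to the home page instead. Author archives reached by their
//    normal permalink are left alone.
add_action( 'template_redirect', function () {
	if ( is_admin() || ! isset( $_GET['author'] ) ) {
		return;
	}
	wp_safe_redirect( home_url( '/' ), 301 );
	exit;
}, 1 );

// 3. ... and via the REST API: /wp-json/wp/v2/users lists every user who has
//    published a post, to anyone. Remove the users routes for visitors who are
//    not logged in (editors working in the block editor keep them).
add_filter( 'rest_endpoints', function ( $endpoints ) {
	if ( is_user_logged_in() ) {
		return $endpoints;
	}
	foreach ( array_keys( $endpoints ) as $route ) {
		if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
			unset( $endpoints[ $route ] );
		}
	}
	return $endpoints;
} );
```

After installing it, test with a real and a made-up user name: both wrong logins should now produce an identical page. Plugins that count failed logins by inspecting the original error codes (some rate-limiting plugins do) may need their own hook to run at a priority below 99 so they still see `invalid_username` and `incorrect_password` before this filter rewrites them.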