Recently I attended WordCamp Chicago (basically summer camp for WordPress nerds like me), and one of the sessions I attended was titled “WordPress Security: The Nitty Gritty” by Tony Perez of Sucuri Security. Tony’s presentation lived up to the title and reinforced some web security basics that anyone with a WordPress website can implement in under an hour.
Back Up First!
As with any major change to a WordPress site, completely back up your files and database before proceeding with the following basic security tips:
- Limit how often you log in with administrative power: create a separate account with the built-in Editor role for day-to-day publishing and comment management. Most of the time you do not need full Administrator privileges, and an Editor can already edit and publish any post or page on the site and assign it to any author.
Tip: Sometimes the Author meta box isn’t visible in the post editor. Click “Screen Options” in the upper right corner of the screen and check the Author option to make it visible. Once the Author box appears near the bottom of the post editor, you can change or assign pages and posts to any author.
- Use strong passwords: at least 10 characters with a mix of uppercase and lowercase letters, numbers, and symbols. This should not need to be said, but time after time websites (not just WordPress ones) are compromised through weak passwords. Complex passwords are hard to remember, so use a password manager such as 1Password or LastPass, which can also generate them for you.
- By default WordPress allows unlimited login attempts, both through the login page and by sending authentication cookies, so an attacker can guess passwords (or forge auth cookies) by brute force with relative ease. To counter this, install the Limit Login Attempts plugin, which blocks an IP address from making further attempts once a configured number of failed retries is reached, making a brute-force attack slow or impractical. One caveat: if your site sits behind a reverse proxy or CDN, configure the plugin for that (it has a setting for sites behind a reverse proxy) so it sees the real client address; otherwise every visitor appears to come from the proxy, and a single attacker can lock out everyone, including you.
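The following Python is an added example, not code from the post, from Sucuri, or from the Limit Login Attempts plugin. It models the second and third tips in one small login gate: a check for the 10-character mixed-class password policy (plus a generator that satisfies it), and a per-IP lockout that refuses further attempts after a number of failures, even when the next guess is correct. It also shows the reverse-proxy pitfall: the X-Forwarded-For header is only trusted when the request really arrived through a known proxy. The retry count, lockout length, addresses, account and login events are all constructed assumptions.

```python
# Added example: not code from the post, from Sucuri, or from the Limit Login
# Attempts plugin. Models tip 2 (password policy) and tip 3 (per-IP lockout)
# in a small login gate, including the reverse-proxy pitfall. All addresses,
# users, events and the retry/lockout numbers are constructed assumptions.
import secrets
import string

MIN_LENGTH = 10                 # policy from the post: 10+ chars, mixed classes
SYMBOLS = string.punctuation


def password_meets_policy(pw: str) -> bool:
    """True if pw has >= MIN_LENGTH chars and upper, lower, digit and symbol."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))


def generate_password(length: int = 16) -> str:
    """Random password from the CSPRNG in `secrets`, resampled until it meets policy."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_meets_policy(pw):
            return pw


def client_ip(remote_addr: str, x_forwarded_for: str, trusted_proxies: frozenset) -> str:
    """Resolve the real client address. X-Forwarded-For is honoured only when the
    direct peer is one of our own proxies; otherwise an attacker could spoof the
    header to dodge the limit or to lock out someone else's address."""
    if remote_addr not in trusted_proxies or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):          # rightmost hop that we did not add ourselves
        if hop not in trusted_proxies:
            return hop
    return remote_addr


class LoginLimiter:
    """Per-IP lockout in the style of Limit Login Attempts: after max_retries
    failures the address is refused for lockout_seconds, even if the next guess
    is correct. The defaults here are assumed values, not the plugin's settings."""

    def __init__(self, max_retries=4, lockout_seconds=20 * 60, reset_seconds=12 * 3600):
        self.max_retries = max_retries
        self.lockout_seconds = lockout_seconds
        self.reset_seconds = reset_seconds   # failures older than this no longer count
        self._failures = {}                   # ip -> (count, time of last failure)
        self._locked_until = {}               # ip -> lock expiry time

    def is_locked(self, ip: str, now: float) -> bool:
        return self._locked_until.get(ip, 0) > now

    def attempt(self, ip: str, now: float, credentials_ok: bool) -> str:
        """Record one attempt; return 'ok', 'denied' or 'locked'."""
        if self.is_locked(ip, now):
            return "locked"                   # refused before the password is even checked
        if credentials_ok:
            self._failures.pop(ip, None)
            return "ok"
        count, last = self._failures.get(ip, (0, now))
        if now - last > self.reset_seconds:
            count = 0
        count += 1
        if count >= self.max_retries:
            self._failures.pop(ip, None)
            self._locked_until[ip] = now + self.lockout_seconds
            return "locked"
        self._failures[ip] = (count, now)
        return "denied"


# Constructed sample data: one Editor account, a reverse proxy at 10.0.0.1,
# an attacker at 203.0.113.5 and a legitimate user at 198.51.100.7.
USERS = {"editor": "Correct-Horse-9!"}    # a real site stores password hashes, not passwords
PROXY = "10.0.0.1"
TRUSTED = frozenset({PROXY})
SAMPLE_EVENTS = [  # (time in seconds, remote_addr, X-Forwarded-For, username, password)
    (0,    PROXY, "203.0.113.5",  "editor", "password"),
    (1,    PROXY, "203.0.113.5",  "editor", "123456"),
    (2,    PROXY, "203.0.113.5",  "editor", "editor"),
    (3,    PROXY, "203.0.113.5",  "editor", "letmein"),           # 4th failure: lockout
    (4,    PROXY, "203.0.113.5",  "editor", "Correct-Horse-9!"),  # right guess, still refused
    (5,    PROXY, "198.51.100.7", "editor", "Correct-Horse-9!"),  # real user is unaffected
    (1204, PROXY, "203.0.113.5",  "editor", "password"),          # lock expired, count restarts
]


def run_demo(events=SAMPLE_EVENTS, limiter=None):
    """Feed the events through the gate; returns [(client_ip, outcome), ...]."""
    limiter = limiter or LoginLimiter()
    results = []
    for t, remote, xff, user, pw in events:
        ip = client_ip(remote, xff, TRUSTED)
        results.append((ip, limiter.attempt(ip, t, USERS.get(user) == pw)))
    return results


if __name__ == "__main__":
    for ip, outcome in run_demo():
        print(f"{ip:<14} {outcome}")
```

Run it and the attacker's address is denied three times, locked on the fourth failure, and refused on the fifth attempt even though that guess is correct, while the legitimate user behind the same proxy logs in normally. The lockout is keyed on the address that `client_ip` resolves, which is why the proxy configuration matters: with `TRUSTED` empty, all seven events would be attributed to 10.0.0.1 and the real user would be locked out along with the attacker.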
These three tips are simple to implement and go a long way toward keeping your WordPress site secure.