Having worked with WordPress for a long while now, it’s second nature for me to update the security of both my own and my clients’ installations. This needs to be done on a regular basis in response to evolving threats that exist in cyberspace.
One of the simplest methods, which any WordPress site owner can DIY, concerns the login name and password. Changing the login username from Admin is the first step towards securing your installation, but how secure is your WordPress password?
Why do hackers want to gain access to WordPress?
A hacker is ‘someone’ who seeks to gain access to your website without your permission. Contrary to popular belief, hackers are most unlikely to be people with a grudge against you. Rather, they are likely to be automated bots that roam the web identifying installations that are not being maintained by their owners, where ‘weak spots’ create vulnerabilities they can exploit to gain entry.
4 issues caused by hackers
- Stealing data, such as login credentials.
- Placing links in your content or comments that take a visitor to a website which infects their machine with a virus.
- Defacing of your website/blog to damage your business reputation.
- Insertion of bad code/links into your database which could result in your website/blog being banned from Google Search results.
How you can keep your website safe from hackers
With all my clients, the first level of security I stress is the importance of having strong passwords, using a combination of upper and lower case letters, numbers and symbols.
Of all database-driven websites, WordPress is a particularly popular choice these days. However, many people are using a ‘one-click installation’ set-up method for WordPress.org without awareness of the ‘best practice’ set-up and ongoing security required to keep their installation safe from hackers.
In delivery of a WordPress course for the eBusiness club, delivering online training for businesses, I’m often surprised at the general lack of awareness about the need to ensure secure access is enabled for a WordPress.org installation, or really any self-hosted database-driven website/blog. This is one of the reasons I deliver training courses in WordPress.com, rather than WordPress.org.
Setting up and learning how to drive a WordPress installation over the course of one training day leaves all attendees pretty brain-weary at the end of 6 hours. Expecting them to take security aspects on board is too high an expectation, so WordPress.com provides the perfect solution. I know everyone will leave the course with a WordPress site up and running but with no nasty ‘security’ surprises lurking further down the line.
Differences between WordPress.org and WordPress.com
WordPress.com and WordPress.org share many common features, in terms of operation. The big plus to starting with WordPress.com for teaching purposes is that it doesn’t have ‘security issues’ because the website/blog is hosted on WordPress servers, so they take care of everything for you. This is in complete contrast to a WordPress.org installation which has to be hosted and maintained/updated by the website/blog owner.
The beauty of WordPress is that you can learn on WordPress.com, which is safe as houses, then later migrate your site content to WordPress.org if you want to develop functionality options that are unavailable using WordPress.com. The switch is quick, easy and fairly seamless. Read more about the differences between WordPress.org and WordPress.com to decide which might best suit your needs.
Tools to check the security strength of passwords
The links below are to tools I’ve tried, which you might like to try out too. The results they give may nudge you to change your passwords to provide better protection than at present.
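The same kind of check can be run offline, without typing a password into a website. The Python sketch below is an added example, not code from this post or from the tools it links to: it tests for the four character classes named above (upper case, lower case, numbers, symbols), rejects passwords built on the login username or an obvious word, and estimates strength from length and character pool. The function name, the word list and the 12-character and 60-bit thresholds are assumptions chosen for illustration.

```python
import math
import string

# Character classes named in the post: upper case, lower case, numbers, symbols.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed sample of obvious choices; a real check would use a far larger list.
COMMON = {"password", "admin", "letmein", "qwerty", "123456", "wordpress"}


def check_password(password, username="", min_length=12, min_bits=60):
    """Return (ok, problems, bits) for a candidate WordPress login password.

    min_length and min_bits are assumed thresholds, not values from the post.
    """
    problems = []
    used = {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}
    for name in CLASSES:
        if name not in used:
            problems.append(f"no {name} character")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    if any(word in lowered for word in COMMON):
        problems.append("contains a common password word")
    if username and username.lower() in lowered:
        problems.append("contains the login username")
    # Upper bound on guessing effort: length * log2(size of the character pool).
    pool = sum(len(CLASSES[name]) for name in used)
    bits = len(password) * math.log2(pool) if pool else 0.0
    if bits < min_bits:
        problems.append(f"estimated strength under {min_bits} bits")
    return (not problems, problems, round(bits, 1))


if __name__ == "__main__":
    # Constructed sample passwords, checked against the default 'admin' login.
    for pw in ("Admin123", "Password2024!", "t7#Lq!vR2m$Xe9"):
        print(pw, check_password(pw, username="admin"))
```

The bit estimate is an upper bound that assumes every character was chosen at random, which is why the word-list check matters: a password can mix all four character classes and still be built on a word that bots try first.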
How to keep in touch with future updates
In the coming months I’m going to be writing more blog posts about WordPress security, so why not consider subscribing to this blog to make sure you don’t miss out. Leaving your email address in the box in the right hand column will mean you’ll receive all new posts, nothing else, direct to your inbox.