WordPress Tips – Security Basics

Welcome to my new series of WordPress tips!  Let’s start this topic off with a bang and talk security…

If you run a WordPress site, it needs ongoing protection or sooner or later you’ll run into difficulty. As hackers, spammers and bots get more sophisticated, there are always new ways they may attack. Since WordPress is open source, WP sites are a common target for all of the above. Ack! Depending on your host, you may have a good security solution in place already, so choosing the best possible hosting package for your site is important! However, be aware that even a good host is not 100% responsible for securing a WordPress site. Another layer of security around WordPress itself is necessary. Managed WordPress hosting plans take care of this for you, but are quite expensive. This article will help you become more familiar with some of the basic security issues and terminology specific to WP. Above all, never fear: there are tried and true solutions to control this beast ;0) So, starting with the basics, let’s dig in to the details…


How Can a WordPress Site Get Attacked?

Spammers or hackers commonly come through in the following ways, and all of these areas need to be protected:

WP-Login Form > spammers/hackers often break in here

Comments on Posts, Pages and Media Attachments > obnoxious messages and links

Trackbacks and Pings on Posts > links to junky, insecure sites

Email Sign Up or Registration Forms > spam email signups, often with numbers in the name field (which usually indicates a spam-bot) and fake email addresses.

Contact Page Form > spam messages and email addresses with links

WP Database > hackers injecting spam links, crashing your site by replacing your content, and creating new usernames

Cheap Shared Hosting plan at a large host > if this describes your hosting situation, your WP site is at risk



<<TIP: If your site is under attack right now, the first step is to temporarily disable the part of your site that is receiving spam. Deactivate the form(s). Disable comments. If a hacker has compromised your site, disable all user logins or call a web professional to do this, i.e. your host or a web developer. >>

Even if your site hasn’t been hacked or spammed, the following tactics are important to fend off attacks in the future. Yes, the steps here can feel a bit tedious, but it is worth it!


Simple Security Checklist 

☑  Update your WP theme and plugins often. If a plugin developer doesn’t release an update for over a year, find a replacement plugin that is more current. Updates often have important security fixes.

☑  Install a highly rated spam plugin. Make sure the plugin supports your specific contact forms and email sign up forms. Avoid adding a URL field to your contact form unless absolutely necessary.

☑  Install a security plugin with a firewall (if your hosting package already includes strong security you may be ok, but it is highly recommended otherwise).

☑  Disable comments on pages, media attachments and optionally on posts (manually or with a plugin). Review your Discussion menu settings.

☑  Create a secure username and password for your login: an unrecognizable combination of letters and numbers that is at least 10-12 characters long. Type in a nicename/nickname that will show in place of your username on posts.

☑  Consult your web host or a web developer for further security methods for your site (SSL, a more secure hosting plan, …). Google now labels sites as ‘insecure’ and lowers the ranking for sites that do not have an SSL certificate. Also, verify the SSL certificate is installed correctly. A padlock will appear on all pages of the site if it is.
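To make the “disable comments” item concrete, here is an added example (not code from the original post) of a small must-use plugin that closes comments and trackbacks/pings on pages and media attachments with WordPress’s comments_open and pings_open filters; it assumes the file is saved under wp-content/mu-plugins/, and the wpsb_ function names are my own.

```php
<?php
/**
 * Plugin Name: Close Comments on Pages and Attachments
 * Description: Added example for the checklist above. Closes comments and
 *              trackbacks/pings on pages and media attachments, regardless of
 *              the per-post setting. Assumption: saved in wp-content/mu-plugins/.
 */

// Exit if this file is loaded outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Post types that should never accept comments or pings.
// Add 'post' to this list to close comments on posts as well (optional).
function wpsb_closed_post_types() {
    return array( 'page', 'attachment' );
}

// Force comments closed for the listed post types, whatever the post itself says.
function wpsb_close_comments( $open, $post_id ) {
    if ( in_array( get_post_type( $post_id ), wpsb_closed_post_types(), true ) ) {
        return false;
    }
    return $open;
}
add_filter( 'comments_open', 'wpsb_close_comments', 10, 2 );

// Trackbacks and pings are a separate switch: close them the same way.
add_filter( 'pings_open', 'wpsb_close_comments', 10, 2 );

// Also remove the comment and trackback boxes from the editor for these
// post types, so nobody reopens discussion by hand on a single page.
function wpsb_remove_comment_support() {
    foreach ( wpsb_closed_post_types() as $type ) {
        remove_post_type_support( $type, 'comments' );
        remove_post_type_support( $type, 'trackbacks' );
    }
}
add_action( 'init', 'wpsb_remove_comment_support', 20 );
```

After adding the file, open a page or media attachment on the front end and confirm the comment form no longer appears; existing comments are kept, only new ones are blocked.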


Final Tips

• Download a backup of your site as often as you feel is necessary. This will be your lifeline if your site is hacked or the host has technical difficulties. Sometimes sites break after updates that don’t install correctly; your backup will come to the rescue. If you don’t know how to do this correctly, install a backup plugin and set it to email you a backup.

• Resources: when searching for free tips/articles, rely most on recent posts from the last year or so. Keep in mind that web development info becomes outdated fast.

• Recommended products: as an independent designer, I don’t usually endorse a list of brands/companies on my blog. In my experience, things can change rapidly and it’s best to see first hand what works well! When searching for hosts and plugins, research actual users’ recommendations. There are a lot of paid marketing articles on the internet.


If the above sounds overwhelming or you would like professional advice about your site, I welcome you to contact me for a free 15 minute consultation. 

+ Follow this link to learn more about my Graphic/Web Design Services


NOTE: If you are one of my existing or previous clients, these basic security tactics have already been set up on your site! If it has been a while since we launched your site, contact me for a maintenance update. Also, if SSL is not yet configured for your site, I will be in touch soon. 🙂