I’ve been hearing a lot lately about website security, with paid plugins and features rising to the surface, along with some common sense measures we can take for free. I’m going to share my research with you here, starting with some basic things you can do, and then get to more robust measures in my next post on this subject.
Security vs. Spam Filtering
But first, what is site security for and how is it different from filtering spam? WordPress provides a pretty good spam filter they call Akismet, which filters out junky proposals that can end up in your post comments or as results in your contact forms (but these don’t mess with your site unless you interact with some of them—most are just annoying ads). You can get Akismet for free, or whatever subscription level you feel comfortable with. They do kind of hint that if you make money from the business your site highlights, it would be a good idea to pay for a subscription. I really have not had a ton of spam since I activated Akismet (you need a numerical “key” to activate it, but Akismet will let you know where to go).
Security for your site is designed to keep people from hacking into it (usually by forcing a login as a user) and messing with the coding behind your site (to, say, have your web address go to a porn site instead, or even take over your site and change it). So, this is what you need security measures to prevent.
Simple Stuff You Can Do
- Keep your site updated. Minor WordPress updates are now automatic, but your plugins and themes need to stay updated as well, so it pays to go and check on your site at least once a week.
- Put some effort into your password. You can go so far as to use generated random strings of numbers, letters, and symbols, but they can be hard to keep track of. I use short phrases (abbreviated, usually) with mixed case letters, numbers and a special character. More importantly, I change them every six months, and I don’t use the same one for everything. My bank passwords are different from the ones I use on other sites, for example.
- For WordPress users, it’s a good idea to change the default login user name of “admin” to something else. I use various short identifiers (e.g., jsmaster) to get away from the generic “admin” thing. You can’t do this in your user profile inside your WordPress website. You will need to go to the WordPress Installer at your web host (your web host will be something like SiteGround, Bluehost, WP Engine, Hostgator, etc.). If you need help to find this, consult your website designer/developer, or you can contact me.
- The other generic element you can change is the URL (web address) for the page that has the login on it. All WordPress sites start with something like http://your domain name/wp-login.php. There seems to be some debate among WP thought leaders on the security value of making this change. CodeinWP advocates a plugin I have not tried for this customization. Meanwhile, Syed, over at WP Beginner, doesn’t put much value in making this change for security reasons. I’m leaning in Syed’s direction on this one. A savvy hacker can probably find a way to get to your login page, especially if you have more than one user to start with. Once a page has been visited, its address is probably discoverable one way or another.
- As Syed points out, site backup is a real must for security as well as general good practice for preserving your content from technical errors. There are a number of plugins that do site backup (free and paid). Your web host may already provide a backup on their own server, but for additional safety, you can use a backup plugin like BackWPup.
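If you would rather see what a backup actually has to capture than rely on a plugin, here is a small shell script I am adding as an illustration of the backup point above; it is not code from the original post, from BackWPup, or from any web host. It assumes the site lives in the directory you pass as the first argument, that wp-config.php sits in the usual place at the top of that directory, and that mysqldump is on the PATH for the database part (if it is not, or the dump fails, you still get the files and a warning). The archive contains wp-config.php, which holds your database password, so the script locks the archive down to the owner only and writes a checksum beside it so you can tell later whether the file was altered.

```shell
#!/bin/sh
# Added example (not from the original post): offline backup of a WordPress
# install, to illustrate the "site backup" advice. Assumptions (mine): the
# site directory is $1, wp-config.php is at its top level, and mysqldump is
# available for the database dump; without it you get the files only.

# wp_config_value FILE KEY: print the value of define('KEY', 'value') from
# wp-config.php. Only the first matching line is used.
wp_config_value() {
    file=$1
    key=$2
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]${key}['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$file" | head -n 1
}

# wp_backup SITE_DIR OUT_DIR: dump the database (if possible), bundle it with
# wp-config.php and wp-content into a timestamped tarball, restrict the
# tarball's permissions, write a SHA-256 checksum file, and print the path.
wp_backup() {
    site=$1
    out=$2
    config="$site/wp-config.php"
    [ -f "$config" ] || { echo "no wp-config.php in $site" >&2; return 1; }
    mkdir -p "$out"
    work=$(mktemp -d)
    stamp=$(date +%Y%m%d-%H%M%S)

    db=$(wp_config_value "$config" DB_NAME)
    user=$(wp_config_value "$config" DB_USER)
    pass=$(wp_config_value "$config" DB_PASSWORD)
    host=$(wp_config_value "$config" DB_HOST)

    if command -v mysqldump >/dev/null 2>&1; then
        # Pass the password through the environment rather than -p so it
        # does not show up in the process list while the dump runs.
        if ! MYSQL_PWD="$pass" mysqldump --single-transaction -h "$host" -u "$user" "$db" \
                > "$work/$db.sql" 2>/dev/null; then
            echo "warning: database dump failed; archive contains files only" >&2
            rm -f "$work/$db.sql"
        fi
    else
        echo "warning: mysqldump not found; archive contains files only" >&2
    fi

    archive="$out/wpbackup-$stamp.tar.gz"
    # wp-content holds themes, plugins and uploads; the dump (if any) sits in
    # the temporary work directory and is added from there.
    tar -czf "$archive" -C "$site" wp-config.php wp-content -C "$work" .
    # The archive contains database credentials: owner read/write only.
    chmod 600 "$archive"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$archive" > "$archive.sha256"
    else
        shasum -a 256 "$archive" > "$archive.sha256"
    fi
    rm -rf "$work"
    echo "$archive"
}
```

Run it as `sh backup.sh` with the two functions sourced, or call `wp_backup /var/www/html /path/to/backups` from a weekly cron job; keep the backups somewhere other than the web server itself, since a compromised server can take its own backups with it.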
That’s a big enough security bite for today. I’ll be back next week with my take on more advanced security measures. If you have more specific questions in the meantime, I’d love to hear them. Please do ask them in the comments since others may very well have the same questions, although you can also contact me directly.