Chances are, the basic actions you took based on my last security post will serve you well at first, but once you get into the tens to hundreds of commenters and/or start using guest posters on your blog, you’ll be big enough to capture a hacker’s attention, if only to inject a hidden redirect to some spam or porn site.
And if you want to add courses and have members who log in with their own email addresses and passwords, your site will definitely be more exposed: every account is one more password that can be guessed, reused from a breached site, or phished, and every one of them is a door into your dashboard.
You may want to add some more armor to your login page or comments feature, and possibly add an all-inclusive anti-malware/firewall system to your site. Here’s what I learned.
I’m Not a Robot
Google’s reCAPTCHA (and CAPTCHA challenges in general) is NOT a comprehensive security system for your site. It is specifically designed to keep bots (little bits of automatic software) from submitting your forms: registering as subscribers, posting comments, or hammering your login page. That is the usual entrée for automated spam. Akismet works differently: it lets the comment be submitted and then filters it out, so the two tools overlap but are not the same thing. If you let Akismet filter your spam, you shouldn’t really need the reCAPTCHA feature (which can get a bit over-zealous for visitors from certain countries, like Russia and China), but it is one more anti-spam tool you can use, especially if you have a lot of blog followers.
If there’s only one user (you), that’s cool. But if you have regular guest bloggers who post for you, or membership functionality to access premium content or courses, or you are managing a site for an organization, you will need to protect your site from any intentional or accidental issues that might be caused by multiple users (somebody has a weak password, etc.).
In Settings/General, you will see a Membership check box option called “Anyone Can Register.” If you are the only user of your blog, and you are getting subscribers to your posts through an email service (Mailchimp, Constant Contact, etc.), then leave this box unchecked. With it unchecked, bots can no longer create accounts for themselves, which closes off the most common way spam accounts show up. (Note that this does not stop attempts to log in to wp-login.php with guessed passwords; it only stops new accounts from being created.) You can still add folks as users yourself if you are working with a small team and not open up registration for everyone.
But, if you do want to track subscribers through WordPress or have a decent number of regular contributors, then you will likely want to check that box. Just make sure you have your New User Default Role option set at Subscriber. Each of the roles in the drop-down list (Subscriber, Contributor, Author, Editor, Administrator) has a fixed set of permissions: a Subscriber can only read and edit their own profile, a Contributor can write but not publish posts, an Author can publish their own posts, an Editor can manage everyone’s posts and comments, and only the all-powerful Administrator can change settings, install plugins and themes, or manage other users. Anything above Subscriber as the default role means every stranger who signs up gets that power, so check this setting every time you review your site. For a detailed comparison of what each role can do, check out this infographic on user roles at WPBeginner.
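If you would rather not rely on remembering to check those two boxes, you can pin them in code. Here is an added example I wrote for this post (it is not code from WordPress, WPBeginner, or any plugin mentioned here) of a small must-use plugin that forces “Anyone Can Register” off, forces the default role to Subscriber, and shows administrators a count of accounts holding elevated roles. The EXAMPLE_ALLOW_SELF_REGISTRATION constant and the file name are my own assumptions; flip the constant to true if you do need self-registration, and the code then only enforces the Subscriber default.

```php
<?php
/**
 * Plugin Name: Registration hardening (added example)
 * Description: Added example for this post, not code from WordPress or any plugin
 *              named in it. Save as wp-content/mu-plugins/registration-hardening.php;
 *              must-use plugins load automatically and cannot be switched off from
 *              the dashboard, so a compromised Editor account cannot disable them.
 */

// Assumption: this site does NOT need self-registration. Set to true only if you
// track subscribers in WordPress or have contributors who sign themselves up.
const EXAMPLE_ALLOW_SELF_REGISTRATION = false;

// 1. Pin "Anyone can register" off. pre_option_* short-circuits get_option(), so the
//    stored setting is ignored even if someone ticks the checkbox later. Returning
//    the incoming value (false) tells WordPress to use the stored option instead.
//    WordPress itself stores the string '0' for "unchecked", so return that.
add_filter( 'pre_option_users_can_register', function ( $pre ) {
    return EXAMPLE_ALLOW_SELF_REGISTRATION ? $pre : '0';
} );

// 2. Pin the default role for new accounts to Subscriber, the lowest-privilege role.
//    This is what register_new_user() reads when it creates the account.
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// 3. Show administrators a one-line audit on every dashboard visit, so an
//    Administrator or Editor account you did not create stands out.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $counts   = count_users(); // ['total_users' => n, 'avail_roles' => [role => n, ...]]
    $elevated = array();
    foreach ( array( 'administrator', 'editor', 'author', 'contributor' ) as $role ) {
        $n = isset( $counts['avail_roles'][ $role ] ) ? (int) $counts['avail_roles'][ $role ] : 0;
        if ( $n > 0 ) {
            $elevated[] = sprintf( '%s: %d', $role, $n );
        }
    }
    printf(
        '<div class="notice notice-info"><p>Registration is %s; default role is %s; accounts above Subscriber: %s.</p></div>',
        get_option( 'users_can_register' ) ? 'OPEN' : 'closed',
        esc_html( get_option( 'default_role' ) ),
        esc_html( $elevated ? implode( ', ', $elevated ) : 'none' )
    );
} );
```

One caveat: the filters only change what WordPress sees, not what is stored in the database, so the Settings page will still appear to save a change. That is by design here: the hardened value wins regardless, and the admin notice tells you what is actually in effect.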
Finally, if you want a security system for your WordPress site that includes the kinds of things you are used to having in your computer’s main security software (anti-malware, firewall, etc.), then you can opt for a WordPress security plugin. These plugins range from the free and basic to the comprehensive and expensive. Keep in mind that what you need for WP site security will depend a lot on what you want to do with your site (ecommerce, for example) and how much attention it gets.
But before you shell out money for a premium WordPress security plugin, do check with your web host (the place you pay to have your website’s functionality and files located, like Hostgator, SiteGround, Bluehost, GoDaddy, etc.). Most have some kind of built-in features to foil brute force login attempts or denial of service attacks. You can always ask in their help system if you are not sure what’s covered, although most hosts advertise that they have these capabilities and may have settings on your site dashboard for them.
Also, Jetpack, Automattic’s bundle of add-on features for WordPress, has some security enhancements that require you to pay. From what I can tell, the free tier’s security feature is limited to blocking brute force login attempts.
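To make “brute force login protection” concrete, here is an added example I wrote for this post (it is not Jetpack’s code, nor any host’s or plugin’s) of the simplest form of it: a must-use plugin that counts failed logins per client address and refuses further attempts for a while once a limit is hit. The limit, the lockout window, and the file name are my own assumptions. It is meant to show what the feature does, not to replace your host’s protection, which sits in front of your site and sees traffic before PHP ever runs.

```php
<?php
/**
 * Plugin Name: Simple login throttle (added example)
 * Description: Added example for this post, not Jetpack's or any host's code. Counts
 *              failed logins per client address and locks that address out once a
 *              limit is reached. Save as wp-content/mu-plugins/login-throttle.php.
 */

// Assumptions: these numbers are illustrative; tune them for your own site.
const EXAMPLE_MAX_FAILURES = 5;       // failed attempts allowed in the window...
const EXAMPLE_LOCKOUT_SECS = 15 * 60; // ...before the address is refused for this long

// The counter is keyed on the client address. This trusts REMOTE_ADDR only, because a
// client can forge X-Forwarded-For. If your host proxies traffic (CDN, load balancer),
// REMOTE_ADDR may be the proxy, so ask your host which header carries the real address
// before relying on this; otherwise one attacker can lock out every visitor at once.
function example_login_throttle_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Every failed login bumps the counter. The transient expires on its own after the
// lockout window, so there is nothing to clean up.
add_action( 'wp_login_failed', function () {
    $key   = example_login_throttle_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LOCKOUT_SECS );
} );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_login_throttle_key() );
} );

// Refuse the attempt once the limit is hit. Priority 30 runs after WordPress's own
// username/password check (priority 20), so the lockout overrides even a correct
// password during the window; at a lower priority WordPress would overwrite our error.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( example_login_throttle_key() );
    if ( $count >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error(
            'example_too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', EXAMPLE_LOCKOUT_SECS / 60 )
        );
    }
    return $user;
}, 30, 3 );
```

The authenticate filter is also what XML-RPC and the REST API go through, so this covers those login paths too, not just the form at wp-login.php. The obvious weakness is that an attacker with many addresses (a botnet) never trips a per-address counter; that is exactly why host- or CDN-level protection, which can see the whole flood, is worth asking about before you pay for a plugin.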
If you want to explore a good comparison of both free and paid security plugins, head over to WPDean. You can also get a great basic security rundown and recommendations for paid plugins at WPBeginner, but they definitely have a paid favorite that they promote (Sucuri).
I am currently testing the Wordfence and All In One WP Security plugins on a couple of my sites and will report back on them in the next security post.
In the meantime, check and update your site(s) regularly and stay safe out there!