WordPress – Security and Safety

The online world has become a hostile place, not only for people but for websites and online resources.  Blogs such as mine, and yours if you have one, are subject to constant attempts from all over the world to access the system and steal information, or just to disable a blog for the sake of doing so.  While WordPress is, on the whole, a fairly secure system, I have learned that there are still many ways that people can disable a site quite easily, and wanted to share a few thoughts with you on how to ensure that your WordPress blog is safer from such attempts.  I can tell you, thanks to one of the tools that I’ll list below, that my little site has drawn enough attention to have been attacked at least 100 times in the month of July alone.  Thankfully…  none have been successful – yet!

One of the easiest ways to secure your site is to avoid the use of the default ‘admin’ username for your primary administrator account.  Most of the attempts to access my site have been based on the username ‘admin’.  Of course, there is no such user on my system, so such efforts will fail no matter how many attempts are made to log in with that username.  It’s a simple process to create an alternate user for your administrator access, even if you’re already using ‘admin’.  Follow these steps…

  1. Log in to your admin account
  2. Go to the Users tab on the WordPress dashboard
  3. Create a new user – with a name that is almost as complex as your passwords, including numbers, letters, capitals and lower case, and perhaps even some punctuation marks
  4. Grant this user Administrator level access and create a very strong password for this account.  On passwords, keep in mind that phrases of words can be easily remembered and typed (without spaces usually) and will provide a long, secure password for your system.  For example – Thereare7wordsinthisphrase.  It’s easy to remember, easy to type, and will make your site FAR more secure than a one word password.  And no…  my passwords don’t look anything like this, so don’t try!
  5. Log out of the site, and log in to the newly created administrator account.  Confirm that you have full access and are in fact set up as an administrator.
  6. Return to the Users tab and delete the admin username.  If you have created posts on this account, you will be offered the option to re-assign those posts to another username.  So all of your posts will work as they should.
  7. Congratulations…  you’ve taken a big step to a more secure blog!
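The same seven steps can be scripted so that the check in step 5 is enforced before anything is deleted.  The following is an added example, not code from the post or from WordPress itself; it runs inside a WordPress install through WP-CLI (`wp eval-file replace-admin.php`), and the new login name and email address are placeholders you would replace with your own.

```php
<?php
// Added example: replace the default "admin" account with a new administrator.
// Run from the site root with WP-CLI:  wp eval-file replace-admin.php
// The login and email below are placeholders (assumptions), not values from the post.
$new_login = 'Ed1tor-9k3';        // pick a name almost as unguessable as a password
$new_email = 'owner@example.com';
$old_login = 'admin';

require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

// Step 2: find the account we intend to retire.
$old = get_user_by('login', $old_login);
if (!$old) {
    WP_CLI::log("No user named '{$old_login}' exists; nothing to do.");
    return;
}
if (username_exists($new_login)) {
    WP_CLI::error("'{$new_login}' already exists; choose another login.");
}

// Steps 3 and 4: create the replacement administrator with a generated strong password.
$password = wp_generate_password(32, true, true);
$new_id = wp_insert_user([
    'user_login' => $new_login,
    'user_email' => $new_email,
    'user_pass'  => $password,
    'role'       => 'administrator',
]);
if (is_wp_error($new_id)) {
    WP_CLI::error('Could not create user: ' . $new_id->get_error_message());
}

// Step 5: confirm the new account really is an administrator before touching the old one.
$new = get_user_by('id', $new_id);
if (!$new || !in_array('administrator', (array) $new->roles, true)) {
    WP_CLI::error('New account is not an administrator; aborting before deleting anything.');
}

// Step 6: delete the old account and reassign its posts to the new one.
if (!wp_delete_user($old->ID, $new_id)) {
    WP_CLI::error("Failed to delete '{$old_login}'.");
}
WP_CLI::success("Replaced '{$old_login}' with '{$new_login}' (ID {$new_id}). Password: {$password}");
```

The generated password is printed once so you can store it in a password manager; if you prefer a memorable phrase as the post suggests, set `user_pass` to that instead.  On a multisite network `wp_delete_user()` only removes the user from the current site, so check the account on the other sites as well.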

The next step to ensure your safety online is to include a security plugin inside of your WordPress blog site.  There are many of them out there, and I’ve tried a few of them, but since finding Wordfence, I’ve stopped searching.  There are several ways that Wordfence helps to secure your site, but I’ll focus only on two of those that provide the greatest level of protection.

First up, Wordfence monitors ALL login attempts, and uses your settings to lock out failed attempts.  It supports a wide range of actions based on login security.  If an attempt is made to log in with an invalid account name (like the admin user you just deleted), the source IP can be locked out immediately.  After X failed attempts to log in with a valid username, the source IP can be locked out for a specified period of time.  Be careful with this one, as it is possible to lock yourself out!  You can request an unlock email which will unlock your IP upon confirmation, but it’s still annoying to get locked out of your own blog.
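To show what the two lockout rules above actually do under the hood, here is a small must-use plugin written for this post as an added example.  It is not Wordfence’s code; the thresholds (5 failures, a 15-minute lockout, a one-hour counting window) and the `ex_` function names are assumptions chosen for the illustration, and it relies only on WordPress core hooks (`authenticate`, `wp_login_failed`, `wp_login`) and transients.

```php
<?php
/*
Plugin Name: Example Login Lockout (added example, not Wordfence)
Description: Drop into wp-content/mu-plugins/ to lock out IPs after failed logins.
*/

// Assumed thresholds; Wordfence exposes equivalent knobs in its settings screen.
const EX_MAX_FAILURES = 5;     // failed attempts with a VALID username before lockout
const EX_LOCKOUT_SECS = 900;   // lockout lasts 15 minutes
const EX_WINDOW_SECS  = 3600;  // failures are counted over the last hour

function ex_client_ip() {
    // REMOTE_ADDR is the only address you can trust unless a proxy you control
    // sets X-Forwarded-For; that header is otherwise attacker-controlled.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ex_lock_key($ip) { return 'ex_lock_' . md5($ip); }
function ex_fail_key($ip) { return 'ex_fail_' . md5($ip); }

function ex_is_locked($ip) {
    return get_transient(ex_lock_key($ip)) !== false;
}

function ex_lock_ip($ip, $reason) {
    set_transient(ex_lock_key($ip), $reason, EX_LOCKOUT_SECS);
    delete_transient(ex_fail_key($ip));
    error_log(sprintf('[login-lockout] locked %s: %s', $ip, $reason));
}

// 1. Refuse any login while the IP is locked. Priority 30 runs after WordPress'
//    own username/password check (priority 20), so the error message is uniform.
add_filter('authenticate', function ($user, $username, $password) {
    if (ex_is_locked(ex_client_ip())) {
        return new WP_Error('ex_locked_out',
            'Too many failed login attempts from your address. Try again later.');
    }
    return $user;
}, 30, 3);

// 2. Count failures. A username that does not exist (for instance "admin" after
//    you deleted it) is locked out immediately; a valid username gets X tries.
add_action('wp_login_failed', function ($username) {
    $ip = ex_client_ip();
    if (ex_is_locked($ip)) {
        return; // already locked; do not extend the lockout on every retry
    }
    if (!username_exists($username)) {
        ex_lock_ip($ip, 'attempt with nonexistent user ' . $username);
        return;
    }
    $failures = (int) get_transient(ex_fail_key($ip)) + 1;
    set_transient(ex_fail_key($ip), $failures, EX_WINDOW_SECS);
    if ($failures >= EX_MAX_FAILURES) {
        ex_lock_ip($ip, $failures . ' failed attempts for ' . $username);
    }
});

// 3. A successful login clears the counter so your own typos do not accumulate.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(ex_fail_key(ex_client_ip()));
}, 10, 2);
```

The self-lockout hazard the post warns about applies here too: a mistyped username locks your own address for the full 15 minutes.  Because transients can be backed by an object cache, clearing that cache (or the `ex_lock_*` option) is the equivalent of Wordfence’s unlock email.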

Wordfence also scans your complete WordPress installation, looking for changes to code for plugins and themes, and can be set up to alert you by email when there are updates or other issues with your site.  I find that once a week this scan will report any issues and I can act on them quickly as they are reported.  A larger site may require more frequent scans.

Wordfence also has other features, like automated backup, and much more…  check it out at https://www.wordfence.com/ and install it on your blog today!  It’s free to use with basic services, while also available as an annual subscription to include more frequent scans and other features that may be of use, depending on your needs.

The final tip today is not just about security, but also about flexibility.  You can host your blog on WordPress.com for free, and will have a wordpress.com address.  You have some degree of control over the operation of your blog, but there are also some limits as to what you can do.  I have never hosted my blog there, for a variety of reasons, but for basic blogging it’s fine to use the services that they offer for free.

If you want FULL control of your site, your own domain name, and other features that you just can’t get from WordPress.com or other free services, I’d like to recommend the service that I use over at hostpapa.ca.  You can see a link in the sidebar that will take you there, and you’ll see that you can get your own domain, full hosting services, and unlimited access and storage for your own site, all at very reasonable prices.  The current offering is for hosting and domain name registration for as little as $3.95 per year (depending on term)!  Even if you only sign up one year at a time, it’s incredibly affordable, and as a customer for more than 7 years, I can attest to their performance and support being among the best offered.

If you need a place to host your own site, hit the link and set up your account today!

Be safe, secure and have fun blogging worry-free with these tips and tools.