Any time security comes up with WordPress, the first thought is usually some external tool or service that will protect the website. In fact, hardening WordPress has to start with the installation itself and with the people who administer the site. Websites are no longer static sheets of paper; they are dynamic software, and software needs protection that begins with the most basic settings.
That is what this article is about. Most of these issues turn up when we, Element 502, take over the security, SEO and administration of an existing WordPress website.
Don’t use “Admin” as your username
On hosting platforms that are not “Managed WordPress Hosting,” a fresh WordPress install often comes with defaults meant to get you started, such as a default user named “admin.” Since WordPress 3.0 the installer asks you to choose your own username, but nothing stops a new user from typing “admin” or “administrator.” However strong the urge, don’t do this. An attacker trying to break into a site starts by guessing the obvious usernames and running password lists against them, so an account literally named “admin” hands over half of the credential before the guessing even begins.
Pick a strong password
Along with the user created during installation comes WordPress’ password generator. It is designed to avoid the typical passwords, like your dog’s name or your first crush. Gone are the days of passwords without numbers, symbols and letters. Passphrases are acceptable, but with a little digging into your Facebook profile or other public information, “I Love my dawg” (with spaces) does not hold up well either. The best solution is two-step authentication, or a password manager that stores the generator’s output, which is completely random on purpose.
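As an added example, not code from the original article, here is a small must-use plugin that turns both of the rules above into checks WordPress enforces: the core `illegal_user_logins` filter rejects the usernames “admin” and “administrator” wherever a user is created after install, and the `user_profile_update_errors` hook refuses a new password shorter than a minimum length. The `e502_` function names and the 16-character minimum are assumptions for this example; the hooks and the `pass1` form field are WordPress’ own.

```php
<?php
/**
 * Plugin Name: Account Hardening (example)
 * Description: Blocks the usernames "admin"/"administrator" and enforces a
 *              minimum password length on the profile and Add New User screens.
 *              Drop into wp-content/mu-plugins/ so it loads automatically and
 *              cannot be deactivated from the Plugins screen.
 */

// Assumption for this example: the shortest password you are willing to accept.
const E502_MIN_PASSWORD_LENGTH = 16;

/**
 * Usernames that may never be created. Core applies 'illegal_user_logins' in
 * wp_insert_user() and in the registration form, comparing case-insensitively,
 * so "Admin" and "ADMINISTRATOR" are rejected too. Note this cannot protect the
 * account created by the installer itself: mu-plugins do not exist yet then.
 */
function e502_illegal_user_logins( array $logins ): array {
    return array_unique( array_merge( $logins, array( 'admin', 'administrator' ) ) );
}
add_filter( 'illegal_user_logins', 'e502_illegal_user_logins' );

/**
 * Reject short passwords when someone sets or changes one in wp-admin.
 * Core fires 'user_profile_update_errors' with its WP_Error collector before
 * saving; adding an error aborts the save and shows the message.
 */
function e502_enforce_password_length( WP_Error $errors, bool $update, $user ) {
    // 'pass1' is the new-password field on both the profile and Add New User screens.
    if ( empty( $_POST['pass1'] ) ) {
        return; // No password change was submitted.
    }
    $password = wp_unslash( $_POST['pass1'] );
    if ( strlen( $password ) < E502_MIN_PASSWORD_LENGTH ) {
        $errors->add(
            'password_too_short',
            sprintf(
                'Passwords must be at least %d characters. Use the generator or a password manager.',
                E502_MIN_PASSWORD_LENGTH
            )
        );
    }
}
add_action( 'user_profile_update_errors', 'e502_enforce_password_length', 10, 3 );

/**
 * Report accounts that already exist with a blocked login, e.g. from WP-CLI:
 *   wp eval 'print_r( e502_find_illegal_logins() );'
 */
function e502_find_illegal_logins(): array {
    $blocked = array_map( 'strtolower', (array) apply_filters( 'illegal_user_logins', array() ) );
    $hits    = array();
    foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $u ) {
        if ( in_array( strtolower( $u->user_login ), $blocked, true ) ) {
            $hits[ (int) $u->ID ] = $u->user_login;
        }
    }
    return $hits;
}
```

WordPress does not let you rename a login from the admin screens, so for an existing “admin” account the fix is to create a fresh administrator with a non-obvious name, reassign the old account’s content, and delete it, for example `wp user create <name> <email> --role=administrator` followed by `wp user delete admin --reassign=<new-user-id>`. The filter above then stops the name from coming back.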
Leave the default role for new users set to “Subscriber”
I debated whether to include this one, until we started migrating a few sites this year and found several with the new-user default role set to “Administrator” rather than “Subscriber.” A single-site WordPress install ships with five roles. Here they are in order of authority, with what each can do:
Administrator: Nothing is off limits. Administrators can install and edit plugins and themes, manage users, change every setting, and reach every sensitive part of a WordPress website.
Editor: Create, edit, publish, and delete any post or page, as well as moderate comments and manage categories, tags, and links.
Author: Can create, edit, publish, and delete only their own posts, as well as upload files and images. Authors cannot modify or create pages and can edit comments made on their posts.
Contributor: A Contributor can create and edit only their own posts, but cannot publish them.
Subscriber: No editing ability at all. Subscribers can read, manage their own profile, and receive updates each time you publish a new post.
So the default should always be “Subscriber,” and if you manage a team at your business, don’t make everyone an Administrator. Give each person the lowest role that still lets them do their job.
You can read more about user roles here.
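The default role is a single option in the database, so it is easy to audit and easy to pin. The following is an added example, not the article’s own code: it reads the option, pins it to Subscriber in code so a change made in Settings (by mistake or by an attacker with admin access) has no effect, and lists how many accounts hold each role, with the administrators named so you can confirm each one still needs that access. The `e502_` names are assumptions; `default_role`, `count_users()` and the `pre_option_` filter are WordPress’ own.

```php
<?php
/**
 * Plugin Name: Role Audit (example)
 * Description: Pins the new-user default role to Subscriber and reports the
 *              accounts holding each role. Load from wp-content/mu-plugins/.
 */

/**
 * Settings > General > "New User Default Role" is stored in the 'default_role'
 * option. Returning a value from pre_option_default_role short-circuits
 * get_option(), so this wins over whatever the database says.
 */
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

/** The raw stored value, bypassing the pin above, so drift is still visible. */
function e502_stored_default_role(): string {
    global $wpdb;
    $value = $wpdb->get_var(
        $wpdb->prepare( "SELECT option_value FROM {$wpdb->options} WHERE option_name = %s", 'default_role' )
    );
    return (string) $value;
}

/** Put the stored option back to 'subscriber'. Returns true if it was changed. */
function e502_fix_default_role(): bool {
    if ( 'subscriber' === e502_stored_default_role() ) {
        return false;
    }
    return update_option( 'default_role', 'subscriber' );
}

/**
 * Accounts per role. count_users() returns
 * ['total_users' => N, 'avail_roles' => ['administrator' => n, 'subscriber' => m, ...]].
 */
function e502_role_counts(): array {
    $counts = count_users();
    return $counts['avail_roles'];
}

/** Every administrator, keyed by user ID, for a human to review. */
function e502_list_administrators(): array {
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_email' ),
    ) );
    $out = array();
    foreach ( $admins as $a ) {
        $out[ (int) $a->ID ] = $a->user_login . ' <' . $a->user_email . '>';
    }
    return $out;
}

/** One-shot report, e.g.:  wp eval 'echo e502_role_report();' */
function e502_role_report(): string {
    $lines   = array();
    $lines[] = 'Stored default role:   ' . e502_stored_default_role();
    $lines[] = 'Effective default role: ' . get_option( 'default_role' );
    foreach ( e502_role_counts() as $role => $n ) {
        $lines[] = sprintf( '  %-14s %d', $role, $n );
    }
    $lines[] = 'Administrators: ' . implode( ', ', e502_list_administrators() );
    return implode( "\n", $lines ) . "\n";
}
```

If the report shows more administrators than people who actually administer the site, demote the rest from the Users screen (or `wp user set-role <login> editor`) rather than deleting them, so their content stays attributed.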
Keep your plugins and WordPress version updated
Perhaps the largest security offense committed by website owners is neglecting to keep WordPress, its plugins and its themes updated. One cannot stress this enough: updates are how security fixes reach your site, and they matter as much to its security as to its stability and reliability.
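WordPress can do most of this for you. As an added example, not code from the article, the must-use plugin below opts every plugin and theme into automatic updates through the core `auto_update_plugin` and `auto_update_theme` filters, documents the `WP_AUTO_UPDATE_CORE` constant that controls core, and reports anything still waiting to be updated by reading the update transients directly (the built-in `wp_get_update_data()` hides counts from users without update capabilities, which is every user under WP-CLI). The `e502_` name is an assumption; the filters, constant and transients are WordPress’ own.

```php
<?php
/**
 * Plugin Name: Auto-Update Policy (example)
 * Description: Turns on automatic updates for plugins and themes and reports
 *              anything still pending. Place in wp-content/mu-plugins/.
 *
 * Core updates are controlled from wp-config.php, not from here:
 *   define( 'WP_AUTO_UPDATE_CORE', 'minor' ); // the default: security and maintenance releases
 *   define( 'WP_AUTO_UPDATE_CORE', true );    // also install major releases
 */

// WP_Automatic_Updater asks these filters about each available update;
// returning true means "install it". Replace __return_true with a closure
// that inspects $item->slug if one plugin must be held back.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

/**
 * Pending updates regardless of the current user's capabilities.
 * Returns ['core' => version|null, 'plugins' => [file => version], 'themes' => [slug => version]].
 * Usage:  wp eval 'print_r( e502_pending_updates() );'
 */
function e502_pending_updates(): array {
    // Refresh the transients first; cron normally does this twice a day.
    wp_version_check();
    wp_update_plugins();
    wp_update_themes();

    $core    = get_site_transient( 'update_core' );
    $plugins = get_site_transient( 'update_plugins' );
    $themes  = get_site_transient( 'update_themes' );

    $pending = array( 'core' => null, 'plugins' => array(), 'themes' => array() );

    // update_core->updates[0] is the preferred offer; response 'upgrade'
    // means it is newer than the running version ('latest' means up to date).
    if ( ! empty( $core->updates ) && 'upgrade' === $core->updates[0]->response ) {
        $pending['core'] = $core->updates[0]->version;
    }
    // update_plugins->response is keyed by plugin file (dir/plugin.php); entries are objects.
    if ( ! empty( $plugins->response ) ) {
        foreach ( $plugins->response as $file => $info ) {
            $pending['plugins'][ $file ] = $info->new_version;
        }
    }
    // update_themes->response is keyed by stylesheet slug; entries are arrays.
    if ( ! empty( $themes->response ) ) {
        foreach ( $themes->response as $slug => $info ) {
            $pending['themes'][ $slug ] = $info['new_version'];
        }
    }
    return $pending;
}
```

Automatic updates only run if WP-Cron fires, so a site with almost no traffic (or with `DISABLE_WP_CRON` set and no system cron calling `wp cron event run --due-now`) can silently fall behind; the report above is how you notice.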
Delete any plugins and themes you are not using
When talking to people about WordPress and using it for their websites, what usually comes up is maintenance and plugins. I’m amazed and thrilled to see users ask about this, because it gives me an opportunity to clear up misunderstandings and myths about WordPress and plugins.
Plugins extend the functionality of WordPress; I have written about them in more depth in another article. This section focuses on why you shouldn’t install just any plugin or theme.
With approximately 49,242 plugins and 1,594,416,640 total downloads at the time of writing, it can be daunting to find a good plugin. WordPress helps by showing, on each plugin’s detail page, the download count, star rating, user reviews and the author. Weigh these the way you would weigh reviews on Amazon before buying.
But if you install a plugin (or theme) and find you don’t need it, delete it, don’t just deactivate it. An inactive plugin’s PHP files still sit on disk under wp-content/plugins on a public web server and are typically reachable by URL, so if it is not being updated, a known vulnerability in it can still be exploited. Unused plugins also clutter the admin screen and make it harder to troubleshoot conflicts.
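Finding what to delete is quicker from code than from scrolling the Plugins screen. Below is an added example, not code from the article, that lists every installed plugin that is neither active nor network-activated and every theme other than the active one (and its parent, if the active theme is a child theme, since deleting the parent breaks the child), then prints the WP-CLI commands that would remove them. It deletes nothing itself; you review the list and run the commands you agree with. The `e502_` names are assumptions; `get_plugins()`, `wp_get_themes()` and the WP-CLI commands are real.

```php
<?php
/**
 * Example audit: list unused plugins and themes and print the commands to
 * remove them. Run with:  wp eval-file unused-audit.php
 */

// get_plugins()/is_plugin_active() live in an admin include that is not loaded
// under WP-CLI or on the front end.
if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

/** Installed plugins that are neither active on this site nor network-activated. */
function e502_inactive_plugins(): array {
    $out = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( is_plugin_active( $file ) || is_plugin_active_for_network( $file ) ) {
            continue;
        }
        $out[ $file ] = $data['Name'] . ' ' . $data['Version'];
    }
    return $out;
}

/** Installed themes other than the active theme and, for a child theme, its parent. */
function e502_unused_themes(): array {
    $active = wp_get_theme();
    $keep   = array( $active->get_stylesheet(), $active->get_template() );
    $out    = array();
    foreach ( wp_get_themes() as $slug => $theme ) {
        if ( ! in_array( $slug, $keep, true ) ) {
            $out[ $slug ] = $theme->get( 'Name' ) . ' ' . $theme->get( 'Version' );
        }
    }
    return $out;
}

/** WP-CLI slug for a plugin file: its directory, or the basename for single-file plugins. */
function e502_plugin_slug( string $file ): string {
    return false === strpos( $file, '/' ) ? basename( $file, '.php' ) : dirname( $file );
}

/** Delete commands for review; nothing is removed by this script. */
function e502_cleanup_commands(): array {
    $cmds = array();
    foreach ( array_keys( e502_inactive_plugins() ) as $file ) {
        $cmds[] = 'wp plugin delete ' . escapeshellarg( e502_plugin_slug( $file ) );
    }
    foreach ( array_keys( e502_unused_themes() ) as $slug ) {
        $cmds[] = 'wp theme delete ' . escapeshellarg( $slug );
    }
    return $cmds;
}

foreach ( e502_inactive_plugins() as $file => $label ) {
    echo "inactive plugin: $label ($file)\n";
}
foreach ( e502_unused_themes() as $slug => $label ) {
    echo "unused theme:    $label ($slug)\n";
}
echo implode( "\n", e502_cleanup_commands() ), "\n";
```

Keep one default theme installed if you rely on it as a fallback, and take a backup before running the delete commands; once a plugin directory is gone, its settings may linger in the options table but its code cannot be restored except from that backup or a fresh download.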