
[Mistakes #10] Five Common WordPress Security Mistakes … and How to Fix Them - DailyBlogTips


[Mistakes #10] Five Common WordPress Security Mistakes … and How to Fix Them

Posted: 07 Feb 2014 09:00 AM PST

This is the tenth post in our Mistakes series, a guest piece from freelance writer and blogger Raspal Seni. (You'll find his bio at the bottom of the post.) 

You just created a new WordPress blog, and are excited to publish posts. Or, you’ve had a WordPress blog for a while, but don’t know how to secure it.

Below, I talk about 5 common security mistakes bloggers make when installing and using WordPress. Check to see whether you make any of these mistakes, and fix them if you do.

Mistake #1: Not Using Strong Passwords

Using a strong, unique password is the first step in securing any system, and WordPress is no exception. If you use an easily guessable password, or reuse one password everywhere (e-mail, forums, bank accounts, online registrations and your WordPress login), a single leak anywhere hands an attacker your blog as well: automated brute-force and credential-stuffing attacks against WordPress login pages are routine, and they try the obvious passwords and the leaked ones first.

Fix it: Starting with version 3.7, WordPress has a smarter password strength meter; use it to make sure every account on the site has a long password that it rates as strong. The meter only judges how guessable a password is, not whether you use it elsewhere, so the password must also be unique to this site. You can't remember many such passwords, so use a password manager like LastPass to remember them for you. It's free, and I've used it for many years.


Mistake #2: Not Updating WordPress, Themes and Plugins

Do you update your WordPress installation, themes and plugins regularly? If you run old versions, you risk getting hacked: updates are released to close security holes (as well as to add features and fix other bugs), and once a hole is public, attackers scan for sites that still have it. If you don't already update WordPress, your themes and your plugins, start doing so regularly, at least once a week, and promptly whenever a release is announced as a security fix.

Fix it: Log in to your WordPress Dashboard as an administrative user and update your WordPress installation if you see a message telling you to do so. The same Updates page also shows whether your theme and plugins have updates available; if they do, update them too. It takes just a few clicks. Take a backup first (see Mistake #5), so that an update which breaks the site can be rolled back.

You can also let WordPress update itself. Since version 3.7, minor (security) releases are applied automatically; to have major releases applied automatically as well, edit the WordPress installation details in Softaculous, or set the WP_AUTO_UPDATE_CORE constant to true in your wp-config.php.
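For readers who administer their own server, here is an unattended version of the same procedure as a WP-CLI script. This is an added example, not code from the original post; it assumes WP-CLI is installed, that the script runs as the web server's user, and that the site lives under the hypothetical path in SITE_ROOT. It adds one check a practitioner wants before blindly updating: if the installed core files no longer match the official checksums, the site may already be compromised, and an update would overwrite the evidence.

```bash
#!/bin/sh
# Unattended WordPress update run using WP-CLI (assumed installed). Added example;
# not from the original post. Intended for a weekly cron job run as the web user.
set -eu

SITE_ROOT=${SITE_ROOT:-/var/www/html}   # assumed path; adjust for your host

# Compare the installed core files with the checksums published by wordpress.org
# for the installed version. A mismatch means modified or injected files.
verify_core() {
  wp core verify-checksums --path="$SITE_ROOT"
}

# Update core, the database schema, and every plugin and theme, but only on a
# site whose core files are intact; updating over tampered files hides a compromise.
# Returns 2 when the pre-check fails so cron mail distinguishes it from an update error.
update_site() {
  if ! verify_core; then
    echo "core files differ from wordpress.org checksums; investigate before updating" >&2
    return 2
  fi
  wp core update --path="$SITE_ROOT"
  wp core update-db --path="$SITE_ROOT"
  wp plugin update --all --path="$SITE_ROOT"
  wp theme update --all --path="$SITE_ROOT"
  # Re-check after updating so a corrupted download does not go unnoticed.
  verify_core
}

# Opt in to automatic major core releases (minor/security releases are already
# automatic since 3.7) by writing the constant into wp-config.php.
enable_auto_updates() {
  wp config set WP_AUTO_UPDATE_CORE true --raw --path="$SITE_ROOT"
}

# Usage: wp-update.sh run | wp-update.sh enable-auto
case "${1:-}" in
  run)         update_site ;;
  enable-auto) enable_auto_updates ;;
esac
```

A crontab entry such as `0 4 * * 1 /usr/local/bin/wp-update.sh run` (hypothetical path) runs it every Monday at 04:00; cron mails you whatever it prints, so a failed checksum verification does not go unnoticed.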

Mistake #3: Having the ‘admin’ User and Publishing Posts by This User

Older WordPress versions created a user named admin by default, and some one-click installers still pre-fill the installation form with admin as the username and a trivial default password such as 'pass'. People who accept those defaults hand an attacker half of the login: the username is already known, and only the password remains to be guessed. Anyone who can log in as admin can do anything to your blog or website.

Create a username which people can't easily guess. If I use a username such as raspal, anyone can easily guess it after a quick look at my blog. Bear in mind, though, that WordPress itself reveals usernames: every published post links to its author's archive at /author/<username>/, and a request for ?author=1 redirects there too. An unusual administrator name is defence in depth, not a secret; it is the password that actually protects the account.

A bigger mistake is to tell the world that you have a user with administrative privileges named admin. How do you tell this? By publishing posts as this user, which puts the name in every byline and author link. Instead, create a separate user to publish posts on your blog, and log in with the administrative user only when needed (for example, to install updates).

Fix it: If you have the user named admin, login to your WordPress Dashboard with this user account. Then, create another administrative user, with a username which others can’t easily guess. Also provide a strong password for this new administrative user.

Next, logout from the Dashboard and log back in with this new administrative user. Now, create another user, but this time with editor privileges. This is the user you should use to publish posts.

Finally, remove the old administrative user named admin. When you delete this account, WordPress offers to attribute all posts published by it to another user. Attribute them to the user with editor privileges you just created, otherwise the posts are deleted along with the account.
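The same three steps can be carried out from the command line with WP-CLI, which is useful when you look after several sites. This is an added example and not code from the original post; it assumes WP-CLI is installed and run from the site root as the web server's user. The account names used in the usage line are placeholders, and the minimum username length is this example's own policy, not a WordPress rule. The ordering is the part that matters: the replacement administrator is created and confirmed to exist before the old one is deleted, so you cannot lock yourself out, and the old account's posts are reassigned to the editor rather than deleted.

```bash
#!/bin/sh
# Retire the default "admin" account using WP-CLI (assumed installed, run from
# the site root). Added example, not from the original post.
set -eu

OLD_ADMIN=${OLD_ADMIN:-admin}

# Reject usernames an attacker would try first. The 8-character minimum is this
# example's own rule, not something WordPress enforces.
check_admin_name() {
  case $1 in
    admin|administrator|root|test|user|wordpress) return 1 ;;
  esac
  [ "${#1}" -ge 8 ]
}

# Let WordPress generate a 24-character password with symbols.
new_password() {
  wp eval 'echo wp_generate_password(24, true, true);'
}

# replace_admin <new-admin> <admin-email> <editor> <editor-email>
replace_admin() {
  new_admin=$1; new_admin_email=$2; editor=$3; editor_email=$4

  check_admin_name "$new_admin" || { echo "refusing guessable admin name: $new_admin" >&2; return 1; }
  old_id=$(wp user get "$OLD_ADMIN" --field=ID) || { echo "no user named $OLD_ADMIN" >&2; return 1; }

  # 1. A second administrator with an unguessable name and a generated password.
  admin_pw=$(new_password)
  wp user create "$new_admin" "$new_admin_email" --role=administrator --user_pass="$admin_pw" >/dev/null

  # 2. A separate editor account for everyday publishing; its name appears in
  #    bylines and author URLs, the administrator's never does.
  editor_pw=$(new_password)
  editor_id=$(wp user create "$editor" "$editor_email" --role=editor --user_pass="$editor_pw" --porcelain)

  # 3. Delete the old admin only once the new administrator is really there, and
  #    hand its posts to the editor instead of letting WordPress delete them.
  wp user list --role=administrator --field=user_login | grep -qx "$new_admin" \
    || { echo "new administrator not found; leaving $OLD_ADMIN in place" >&2; return 1; }
  wp user delete "$old_id" --reassign="$editor_id" --yes

  # Put these straight into your password manager, then clear the terminal.
  printf 'administrator %s: %s\neditor %s: %s\n' "$new_admin" "$admin_pw" "$editor" "$editor_pw"
}

# Usage: replace-admin.sh run <new-admin> <admin-email> <editor> <editor-email>
if [ "${1:-}" = run ]; then
  shift
  replace_admin "$@"
fi
```

If you would rather confirm a browser login with the new administrator before anything is deleted, run the `wp user create` step on its own first; the deletion step is safe to run later because it re-checks that the new administrator exists.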

Mistake #4: Not Removing the Default META Widget From Your Blog’s Sidebar

By default, WordPress puts a few widgets into your blog's sidebar, and the META widget is one of them. It shows Log in / Log out links for your Dashboard, together with feed links and a "WordPress.org" link. Removing it does not hide anything from a determined attacker: every WordPress site has its login page at /wp-login.php (and /wp-admin/), and automated brute-force tools go straight there without needing a link. What the widget does is advertise the login, and the fact that you run WordPress, to every casual visitor, so removing it is a sensible tidy-up, not a substitute for a strong password (Mistake #1) and current software (Mistake #2).


Fix it: Log in to your WordPress Dashboard with an administrative account. Click Appearance -> Widgets and delete the META widget from the primary sidebar.

Mistake #5: Not (Regularly) Backing up WordPress and Database

When was the last time you backed up your WordPress files and database? Are you struggling to remember? You might think this has little to do with WordPress security ... but a recent, restorable backup is what lets you recover from a hack at all, and backing up regularly is listed as one of the four best security practices in WordPress Security 101 at iThemes (the company behind the Better WP Security and BackupBuddy plugins).

Automate the backup process as well. If you back up manually, you will eventually forget to do it.

Fix it: Use a tool that backs up both the files and the database on a schedule. Two good, free options are Softaculous (if your host provides it) and the BackWPup plugin. Whatever you use, keep the copies somewhere other than the web server itself, and never inside the public web directory: a backup stored there is lost together with the server when it fails, and it can be downloaded by anyone who guesses its file name, wp-config.php with your database password included. Test a restore now and then, so you know the backup is actually usable.
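For a self-managed server, here is the equivalent of those plugins as a small cron script: a database dump plus an archive of the files WordPress cannot re-download, with old archives pruned. This is an added example, not code from the original post or from either tool; it assumes mysqldump, tar, gzip and find are available, that DB_HOST in wp-config.php is a host name with an optional :port, and that the directory in BACKUP_DIR (a placeholder) is outside the web root and gets copied off the server afterwards. The database password is handed to mysqldump through a mode-600 temporary options file rather than on the command line, where any local user could read it from the process list.

```bash
#!/bin/sh
# Scheduled backup of a WordPress site: database dump plus wp-config.php and
# wp-content. Added example, not from the original post. Assumes mysqldump,
# tar, gzip and find; copy the result off the server (e.g. rsync) afterwards.
set -eu

# Read the value of define('KEY', 'value') from wp-config.php, tolerating
# either quote style and extra whitespace. Prints nothing if KEY is absent.
wp_config_get() {
  key=$1; config=$2
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config" | head -n 1
}

# Dump the database to a gzipped file. Credentials go into a 0600 temp file
# read via --defaults-extra-file, so the password never appears in `ps`.
dump_db() {
  config=$1; out=$2
  name=$(wp_config_get DB_NAME "$config")
  user=$(wp_config_get DB_USER "$config")
  pass=$(wp_config_get DB_PASSWORD "$config")
  host=$(wp_config_get DB_HOST "$config")
  cnf=$(mktemp)
  chmod 600 "$cnf"
  printf '[client]\nuser=%s\npassword=%s\n' "$user" "$pass" > "$cnf"
  case $host in
    *:*) printf 'host=%s\nport=%s\n' "${host%%:*}" "${host#*:}" >> "$cnf" ;;   # host:port form
    *)   printf 'host=%s\n' "$host" >> "$cnf" ;;
  esac
  mysqldump --defaults-extra-file="$cnf" --single-transaction "$name" | gzip > "$out"
  rm -f "$cnf"
}

# Build one timestamped archive: the dump, wp-config.php, and wp-content
# (uploads, themes, plugins). Core files are left out; they are re-downloadable.
backup_site() {
  site_root=$1; dest=$2
  stamp=$(date +%Y%m%d-%H%M%S)
  work=$(mktemp -d)
  dump_db "$site_root/wp-config.php" "$work/db.sql.gz"
  tar -czf "$dest/wp-backup-$stamp.tar.gz" -C "$work" db.sql.gz \
      -C "$site_root" wp-config.php wp-content
  rm -rf "$work"
  echo "$dest/wp-backup-$stamp.tar.gz"
}

# Delete archives older than keep_days so the disk does not fill up.
prune_backups() {
  dest=$1; keep_days=$2
  find "$dest" -maxdepth 1 -name 'wp-backup-*.tar.gz' -mtime +"$keep_days" -exec rm -f {} +
}

# Usage: wp-backup.sh run   (BACKUP_DIR must be outside the web root: an archive
# in a public directory is downloadable by anyone who guesses its name).
if [ "${1:-}" = run ]; then
  DEST=${BACKUP_DIR:-/var/backups/wordpress}     # placeholder path
  mkdir -p "$DEST"
  chmod 700 "$DEST"
  backup_site "${SITE_ROOT:-/var/www/html}" "$DEST"   # placeholder path
  prune_backups "$DEST" 30
fi
```

Run it nightly from cron as a user that can read wp-config.php but is not the web server user, and follow it with a step that copies the new archive to another machine; a backup that lives only on the server it protects disappears with it.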


Have you seen any other common WordPress security mistakes? Let us know in the comments…

Raspal is a Freelance Writer and Blogger at RaspalWrites, where he has just published a follow-up post to this, 5 Additional Comment-Related Mistakes to Avoid. He enjoys helping people, is interested in technical content writing and blogging and available for hire. You can follow Raspal's personal and business ramblings at @raspalwrites.



