A Quick Guide to Protecting Your WordPress Powered Website

As a designer, I am occasionally asked to peek “under the bonnet” of other WordPress sites, and I tend to go pale when I see a site that has no security safeguards in place.  It’s a bit like keeping your front door locked, but leaving the key under the mat.  Without some security precautions, breaking in is that easy.

There are plenty of lists and posts out there with excellent information on how to protect your WordPress site, but not everyone has the time or the technical inclination to see it through.  With that in mind, here is a list of a few critical steps you should take to protect your WordPress site.  These will take a minimum of five minutes, and no more than 15.  When I set up a new WordPress install, I do not do one click worth of work until I have run through these security safeguards. Make it your own habit to do the same.

• Create a new administrator user with a new login name.  Delete the default “admin” user.
• Use random gibberish passwords of at least 12 characters.  Here’s a helpful random gibberish password generator.
• Install and activate the Login Lockdown plugin.
• Install, activate, and run the Secure WordPress plugin.
• Install, activate, and run the WP Security Scan plugin.  Run its File Permissions check, and change your folder permissions accordingly.
• Install, activate, and run the Maintenance Mode plugin to create a landing page and “cloak” the work in progress.

This audit will provide your WordPress site with a healthy standard of essential security and protection.  The three security scanner plugins do have some overlap, but I doubt you will mind.  If you want to explore more advanced options for protecting your WordPress sites, here are some definitive lists:

• 12 Essential Security Tips and Hacks for WordPress (Six Revisions)
• 13 Vital Tips and Hacks to Protect Your WordPress Admin Area (WPBeginner)
• 9 tips to make WordPress hack-proof (guvnr)

It goes without saying that you should keep your WordPress installs updated to its most recent version at all times.  This summer’s attack wave preyed on sites which still had older installations running.  Newer versions of WordPress allow upgrades with one click; and if your server is like mine and does not like the automatic system, manual upgrades take less than five minutes.

Think this isn’t your problem?

Some might say that you should not engage in security procedures like this unless the client specifically instructs you to do them – and more to the point, pays you to do them.  That’s a dangerous game to play.  When you decided to use an open-source platform for your client’s site, you consented to the fact that you would have to take responsibility for the work going out under your own name.  Open source is not a cash cow which gives you a means to squeeze money out of your clients just to assure the basic running of the software.  If you feel you should be paid extra before doing upgrade work – either as a prerequisite for installation or as an added feature on top – think about what it will cost you in the long run to have your clients’ web sites defaced during a hacking wave because they were not adequately protected.  Being proactive about your existing clients’ ongoing needs – even if there is no pot of wealth in it for you – is what separates the real web designers from the shysters.  Choose where you want to be.