kory.

mama, wife + life

October 14, 2014

wordpress security for bloggers

Hey friends! I’m currently on my way back home after visiting D, and I thought this would be a great time to have my gal Alison from Tiny Blue Orange hang out and chat with everyone about security, something I know we could all stand to learn more about! She’s a genius when it comes to these things, so I hope you take away at least one thing from her. Without further ado, here she is! 

WordPress Security | a guest post by Alison Monday

Coming up with content for your blog takes some time + energy. Which is why losing all of your existing blog posts + comments would really, really suck. But you don’t have to put your site content at risk every day. If you tackle these 3 areas, you’ll be protected from a truly crappy circumstance if your site {or server} is ever hacked.

LOGIN DETAILS

The most common way for someone to gain access to your site is through the login screen. And thanks to the ease of WordPress, there are a lot of sites using default information. The first major problem with most logins is “admin” as a username + the second is using the built-in login URL {yoursitename.com/wp-admin}. The problem with using those defaults is that you are doing the hacker’s job for them: they no longer need to figure out your login URL or username.

I’ll dig into changing the URL in the next step, but let’s start with making sure your username + password are super secure. If you are using admin, your first name or your business name to log in, head to the “Add User” section of your dashboard + set up a new account right away. Unfortunately, WordPress won’t let you change your username on an existing account, but in a couple of minutes, you’ll have a secure account to access your site with. When creating your new account, pick a secure password by using something like this password generator + make sure to store the information securely.

After creating your new login details, log out of the not-so-secure account, log back in using the new one you just made + then head to the user list to delete the one that isn’t doing you any favors in the security department. All you have to remember is to attribute all posts to the new username {don’t worry, WordPress will ask if this is what you want to do before you get too far.}

BRUTE FORCE ATTACKS

There are tons of terms + phrases used when talking about hackers. I think the most important one for small business owners + bloggers to understand is “brute force attack”. It boils down to someone repeatedly trying to log into your site by using a script or program to try hundreds or thousands of login details until they get access. The key thing to know is that hackers often don’t target a site because of who the site belongs to. They are usually looking for easy targets that allow them to do the most damage the fastest. Which means it’s not personal, but also that no one is immune from being a target.

Hands down, the easiest way to protect yourself from brute force attacks is to install a plugin that limits the number of login attempts a user can make in a given time period. For example, your site could allow 4 guesses before a user is locked out from trying any other passwords during the next hour. It may sound complicated, but thanks to a few plugin options, it’s an easy thing to do.

My two favorites are “Limit Login Attempts” + “iThemes Security.” The first one hasn’t been updated in a bit, but is a simple plugin that just enables protection to your login page. The second is a pretty robust plugin that also helps you change your login URL {from step 1} along with a dozen other security settings. Both plugins are 100% free, which is the best!

Note: iThemes Security will take a bit of time to fully set up + can feel a bit overwhelming. Don’t get discouraged though, iThemes has amazing tutorials + a guide that walks you through everything you need to do.
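To show what a login limiter is doing behind the scenes, here is a small Python sketch of the “4 guesses, then locked for an hour” rule from above. It is an added example, not code from either plugin; the class and function names are made up for illustration, and counting guesses per visitor IP address within a one-hour window is an assumption.

```python
from collections import defaultdict

MAX_ATTEMPTS = 4        # guesses allowed before lockout (the post's example)
LOCKOUT_SECONDS = 3600  # locked for the next hour (the post's example)
WINDOW_SECONDS = 3600   # assumption: older failures stop counting


class LoginLimiter:
    """Hypothetical limiter: counts failed logins per client address."""

    def __init__(self):
        self.failures = defaultdict(list)  # client -> times of recent failures
        self.locked_until = {}             # client -> time the lockout ends

    def attempt(self, client, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login try at time `now`."""
        if self.locked_until.get(client, 0) > now:
            return "locked"  # even the right password is refused while locked
        if password_ok:
            self.failures.pop(client, None)  # a good login clears the count
            return "ok"
        recent = [t for t in self.failures[client] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[client] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[client] = now + LOCKOUT_SECONDS
            self.failures.pop(client, None)
        return "failed"


def replay(events):
    """Run (time, client, password_ok) events through a fresh limiter."""
    limiter = LoginLimiter()
    return [limiter.attempt(client, ok, t) for t, client, ok in events]


# Constructed sample: (seconds, visitor address, was the password right?)
SAMPLE = [
    (0, "203.0.113.9", False), (2, "203.0.113.9", False),
    (4, "203.0.113.9", False),
    (6, "203.0.113.9", False),    # 4th wrong guess starts the lockout
    (8, "203.0.113.9", True),     # refused: still locked out
    (10, "198.51.100.7", True),   # a different visitor is unaffected
    (3700, "203.0.113.9", True),  # over an hour later, the lock has expired
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", result)
```

The fifth line of the sample is the important one: once the lockout starts, a script that finally lands on the right password still gets turned away until the hour is up.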

BACKUPS

So the worst news of all is that no matter what you do, you can never protect yourself completely from a hacker. The main reason is that the majority of all WordPress sites + blogs are on a shared server – whether it’s a standard shared server or a VPS, which still has other clients sharing space. That means the server is only as secure as the weakest site on it + you are putting the security of all your content into someone else’s hands.

Now for the good news, because I’d hate to end on a low note. There is something you can easily do to protect your site in this type of situation + that is to run frequent site backups. Because if something truly unfortunate happens + your site is hacked or goes down, you will have a backup copy to revert to. Let’s say you run weekly backups. At most you would lose 6 days of work on your site, which is 100 times better than starting from scratch.

The biggest thing to keep in mind with backups is that you want to back up everything {not just the database} + that storing those backups off your server is best. If the server blows up {a bit dramatic, but you get the idea}, backups aren’t going to do you any good if you can’t get to them.

I always recommend BackupBuddy for this sort of thing, but it isn’t a free option. It seems worth it to me since you can schedule backups to run without needing to remember them + can set it to automatically store them on your Amazon S3 or Dropbox account. Some hosting companies will take care of backups for you, but everything is kept in house. Either way, it is worth doing a little research to find a backup solution to protect your site + your hard work.

If you wanted to tackle all 3 steps, I’d recommend setting aside about an hour of your time to get everything set up {especially for setting up iThemes Security + BackupBuddy.} But 1 hour is worth it to do your best to avoid getting hacked + having a plan b in case your site does get broken into.


Want to do a little more to keep your WordPress site safe + sound? Curious about which of these three steps your site is in most need of? Take this free security assessment to analyze which spots are the weak points on your site + learn exactly what you can do to fix it.

Tiny Blue Orange

About Alison Monday

Alison is the WordPress security guard + developer behind tiny blue orange. When she’s not protecting websites with her two dogs, Pixel + Brutus, she’s traveling or working out. Ok, likely working out.


Posted In: blogging, guest post
