WordPress Security Tutorial

WordPress Security Basics

From web and database servers to plugins and themes, many things go into WordPress security best practice. In this WordPress security tutorial I go over the main areas you must make sure are covered to help keep your site safe.

No Such Thing as a Secure Site

WordPress security is ever changing and something you must stay on top of if you wish to protect your site from the thousands upon thousands of threats that are out there. Scared yet? A web site is only as secure as the known threats it is protected against. However, there are some basic areas you can focus on to help ensure your site is as protected as possible. This WordPress security tutorial goes over these high-level points.

What the Video Covers

  • Passwords
    Ensure that you use passwords for FTP, MySQL and the WordPress admin that are 12 to 15 characters in length and include a mix of character cases, special characters and numbers. Ensure that you do not use any words, names or geographic locations, as these are easily guessed by hacking systems.
  • WordPress core, theme and plugin updates
    Get your themes from a reputable source and ensure you keep them up to date. Also keep the WordPress core and plugins up to date to ensure you have all the latest security patches available.
  • NEVER use the name ‘admin’ or ‘Admin’ as your username

Following the best practices in this WordPress Security tutorial will give you a great head start when it comes to website security.

Video Transcript

Let’s talk about WordPress security. There’s no such thing as a secure website. There’s only a website that is as secure as the known threats that are out there. However, we can do our absolute best to keep up to date with everything and ensure that our site is as secure as possible. Let’s walk through all the different pieces that go into this.

In any hosting environment, you’re going to have a web server and a database server. Then, there’s a whole lot more that we have to deal with. Go ahead and remove web server and database server and the reason I say that is because, if you are working with a reputable host, they are going to ensure that the operating systems and the software systems that are running on those servers are kept up to date, and patched, and so on, and are as secure as possible.

However, there’s a lot that we have to do as web site administrators to help keep our sites secure that goes beyond web hosting. Let’s start with FTP. Now, when you set up your hosting account, or it’s set up for you, more than likely you’re going to be provided a username and password for FTP. This is the most common method to move files between your computer and the host computer.

You’re going to want to make sure that the username and password you choose there or that are set up for you are as secure as possible. You can’t use the word password for your password. 1-2-3-4 is not secure. You’re going to want to make sure that the password used is between 12 and 15 characters of variable case and use of special characters. That’s the best practice for setting up an FTP password.

Same goes for the MySQL database. When you set up your WordPress web site, you had to provide a username and password for the database. It’s the same thing here as the FTP. You’re going to want to make sure that that is a secure password. It’s not something that’s easily guessed. For both of these, you’re going to want to make sure that no words that can be found within any dictionary, no names, no names of cities, geographical locations, and so on, are used, because these are easily guessed by hacking systems.
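As an added example (not code from the tutorial), here is a PHP check that enforces the password rules just described: a 12-character minimum, both letter cases, a digit, a special character, and no dictionary words, names or place names. It does not cap the length, since a longer password only gets harder to guess. The `checkPasswordPolicy` and `generatePassword` functions and the short blocked-word list are my own constructions; a real deployment would load a full dictionary file in place of the sample list.

```php
<?php
// Added example: a password policy check for the FTP, MySQL and WordPress
// admin passwords the tutorial talks about. Not part of WordPress.

const MIN_PASSWORD_LENGTH = 12;

// Constructed sample of words, names and places that must not appear in a
// password. In practice, load a dictionary file (one word per line) here.
$blockedWords = ['password', 'admin', 'wordpress', 'london', 'michael', 'qwerty'];

/**
 * Returns a list of policy violations; an empty array means the password passes.
 */
function checkPasswordPolicy(string $password, array $blockedWords): array
{
    $problems = [];

    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        $problems[] = sprintf('must be at least %d characters', MIN_PASSWORD_LENGTH);
    }
    if (!preg_match('/[a-z]/', $password)) {
        $problems[] = 'needs a lowercase letter';
    }
    if (!preg_match('/[A-Z]/', $password)) {
        $problems[] = 'needs an uppercase letter';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $problems[] = 'needs a digit';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {
        $problems[] = 'needs a special character';
    }

    // Undo common letter substitutions (p@ssw0rd -> password) before the word
    // check, because guessing tools try those variants as a matter of course.
    $substitutions = ['@' => 'a', '0' => 'o', '1' => 'i', '3' => 'e', '$' => 's', '5' => 's'];
    $normalised = strtolower(strtr($password, $substitutions));
    foreach ($blockedWords as $word) {
        if (strlen($word) >= 4 && strpos($normalised, strtolower($word)) !== false) {
            $problems[] = "contains the dictionary word or name '$word'";
        }
    }

    return $problems;
}

/**
 * Generates a random password that satisfies the policy, using PHP's
 * cryptographically secure random_int().
 */
function generatePassword(int $length = 16): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{}';
    do {
        $password = '';
        for ($i = 0; $i < $length; $i++) {
            $password .= $alphabet[random_int(0, strlen($alphabet) - 1)];
        }
    } while (checkPasswordPolicy($password, []) !== []);
    return $password;
}

// Demonstration on constructed candidate passwords.
foreach (['password1234', 'P@ssw0rd!!London', 'Tr7#qL2$vWn9pX'] as $candidate) {
    $problems = checkPasswordPolicy($candidate, $blockedWords);
    printf("%-20s %s\n", $candidate, $problems ? implode('; ', $problems) : 'OK');
}
echo 'Generated: ' . generatePassword() . "\n";
```

Run it with `php policy.php`. The second candidate fails even though it has every character class, because after normalisation it still contains "password" and "London", which is exactly the kind of password a dictionary-based guessing tool tries early.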

Now, the WordPress core. The good folks over at WordPress do an incredible job of keeping things as up to date as possible. When a new version of WordPress is available, it’s usually noted within your WordPress admin area. Now, as soon as a threat is made known to WordPress, they’re going to release a security update.

However, your website is only as secure as the last update you made. So it is absolutely critical that you stay up to date with WordPress updates, so that you can take advantage of all the security protection that comes with each one of them.

So the WP admin, or the WordPress admin, basically, is how you’re logging in and administering your website. The same thing as with the FTP and MySQL passwords: you’re going to want to make sure that the password is strong. However, there is an important point to make here. If your username is admin, I want you to hit pause right now and go change it immediately. The reason why is that there is a very large known threat to WordPress websites out there that attacks sites where the username is admin. In fact, if you think about it, if your username is admin, I’ve already guessed 50 percent of your access information. So, go ahead and change that.
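WordPress does not let you change a username from the profile screen, so as an added example (not from the tutorial, and not part of WordPress) here is a must-use plugin that makes the rename the speaker is asking for. It also changes `user_nicename`, which WordPress derives from the login and uses in author URLs; without that step the old login would still be readable at `/author/admin/`. The function name `example_rename_user_login` and the dashboard notice are my own; the WordPress calls (`sanitize_user`, `username_exists`, `get_user_by`, `$wpdb->update`, `clean_user_cache`) are real APIs.

```php
<?php
/**
 * Plugin Name: Rename Admin Account (added example)
 *
 * Added example, not part of the tutorial. Save it as
 * wp-content/mu-plugins/rename-admin.php and WordPress loads it on every
 * request. It provides a function that renames an account directly in the
 * users table and a dashboard warning while a user called "admin" exists.
 */

if (!defined('ABSPATH')) {
    exit;
}

/**
 * Renames the account whose login is $oldLogin to $newLogin.
 * Returns true on success, or a WP_Error explaining why nothing changed.
 */
function example_rename_user_login(string $oldLogin, string $newLogin)
{
    global $wpdb;

    // Strict sanitising keeps the login to letters, digits and a few safe symbols.
    $newLogin = sanitize_user($newLogin, true);
    if ($newLogin === '' || strtolower($newLogin) === 'admin') {
        return new WP_Error('bad_login', 'Choose a new username that is not "admin".');
    }
    if (username_exists($newLogin)) {
        return new WP_Error('exists', "The username '$newLogin' is already taken.");
    }

    $user = get_user_by('login', $oldLogin);
    if (!$user) {
        return new WP_Error('not_found', "No user with login '$oldLogin'.");
    }

    // user_login cannot be changed through wp_update_user(), so write the row directly.
    // user_nicename is updated too, or the old name stays visible in author URLs.
    $updated = $wpdb->update(
        $wpdb->users,
        ['user_login' => $newLogin, 'user_nicename' => sanitize_title($newLogin)],
        ['ID' => $user->ID],
        ['%s', '%s'],
        ['%d']
    );
    if ($updated === false) {
        return new WP_Error('db_error', $wpdb->last_error);
    }

    clean_user_cache($user->ID);
    return true;
}

// Warn administrators on every dashboard page while an "admin" account exists.
add_action('admin_notices', function () {
    if (current_user_can('manage_options') && username_exists('admin')) {
        echo '<div class="notice notice-error"><p>A user named <strong>admin</strong> '
            . 'still exists. Rename it, as the tutorial explains.</p></div>';
    }
});
```

With WP-CLI installed, the rename is one command: `wp eval "var_dump(example_rename_user_login('admin', 'newname'));"`. The WordPress login cookie carries the username, so after the change you are logged out and must sign in again with the new name; your posts, settings and role are untouched because they are tied to the user ID, not the login.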

Themes. Themes come from many different sources. There are those free ones that you can download from WordPress. There’s a lot of websites out there that provide free themes. There’s premium themes that you have to pay for and then there’s custom themes that maybe you hire a developer and designer to build for you. Themes interact with the WordPress core and the database and so they must be made to be secure and they’re only as secure as the developer who built that theme.

A reputable developer will publish an update to their theme when a security threat is found. However, if you were to go out there and Google “WordPress themes security threat”, you’re going to find a lot of articles about how people provide themes, either free of cost, or even ones you have to pay for, that included security exploits purposefully. Now, I think if you’re downloading your themes from reputable sources, you don’t have a whole lot to worry about.

I’d just be careful where you get your themes from. The other thing is, make sure you stay up to date with the themes. Some themes notify you within the WordPress admin, but some theme authors post it on their web site and so on. It’s worth keeping track of which theme you’re using and checking for updates on a regular basis.

Next are plug-ins. Plug-ins: it seems like every time we log in to our WordPress web site there’s a plug-in update available. You’re going to want to stay on top of these. Plug-ins also interact with the core. They interact with the database.

There’s plenty of room for security exploits to be made here. In fact, there are some very reputable plug-ins out there that have a recent history of some major exploits found within them. It is absolutely critical that you stay up to date with all your plug-ins, because a lot of the updates include security patches.
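The core, theme and plugin update advice above can be made automatic instead of relying on someone noticing the dashboard notice. As an added example (not from the tutorial or from WordPress), here is a must-use plugin that turns on automatic updates for all three and emails the site administrator once a day with anything WordPress still reports as out of date. The hook name `example_update_watchdog` and the function `example_pending_update_report` are my own; the filters (`allow_major_auto_core_updates`, `auto_update_plugin`, `auto_update_theme`), the `update_core`, `update_plugins` and `update_themes` transients, and the WP-Cron calls are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Update Watchdog (added example)
 *
 * Added example, not part of the tutorial or of WordPress itself. Save it as
 * wp-content/mu-plugins/update-watchdog.php. It turns on automatic updates
 * for core, plugins and themes, and once a day emails the site administrator
 * a list of anything WordPress still reports as out of date (for instance a
 * plugin whose automatic update failed).
 */

if (!defined('ABSPATH')) {
    exit;
}

// Install every core release automatically, not only minor security releases,
// and let WordPress update plugins and themes as soon as new versions appear.
add_filter('allow_major_auto_core_updates', '__return_true');
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

/**
 * Builds a plain-text list of pending updates from the update transients.
 * The transients are read directly rather than through wp_get_update_data(),
 * because that helper checks the current user's capabilities and a cron job
 * runs with no user logged in. Returns an empty string when all is current.
 */
function example_pending_update_report(): string
{
    // Refresh the cached update information before reporting on it.
    wp_version_check();
    wp_update_plugins();
    wp_update_themes();

    $lines = [];

    $core = get_site_transient('update_core');
    foreach ((array) ($core->updates ?? []) as $offer) {
        if ($offer->response === 'upgrade') {
            $lines[] = 'WordPress core ' . $offer->current . ' is available';
            break;
        }
    }

    $plugins = get_site_transient('update_plugins');
    foreach ((array) ($plugins->response ?? []) as $file => $info) {
        $lines[] = sprintf('Plugin %s: %s available', $file, $info->new_version);
    }

    $themes = get_site_transient('update_themes');
    foreach ((array) ($themes->response ?? []) as $slug => $info) {
        $lines[] = sprintf('Theme %s: %s available', $slug, $info['new_version']);
    }

    return implode("\n", $lines);
}

// Schedule the daily check through WP-Cron (once; wp_next_scheduled avoids duplicates).
add_action('init', function () {
    if (!wp_next_scheduled('example_update_watchdog')) {
        wp_schedule_event(time(), 'daily', 'example_update_watchdog');
    }
});

// Email the administrator only when something is actually pending.
add_action('example_update_watchdog', function () {
    $report = example_pending_update_report();
    if ($report !== '') {
        wp_mail(get_option('admin_email'), 'Pending updates on ' . home_url(), $report);
    }
});
```

Two caveats. Automatic major updates of plugins and themes can break a site, so try this on a staging copy first and keep backups. And the report only covers updates WordPress knows about: a theme whose author announces new versions only on their own web site, as the speaker describes, will never show up here and still has to be checked by hand.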

So that’s basically the overview of how to keep your website as secure as possible from an administrative standpoint.

photo by zodman / cc