by Laura Hartwig
Last night I attended a wonderful lecture by D.K. Smith of WPSecurity.com. He did a wonderful job and gave me lots of great tips to help keep my sites and my clients’ sites more secure. Usually I don’t discuss security because it’s not my specialty, but I can’t emphasize enough how important it is. The simple tips I’m going to list below are things anyone can do and everyone should.
1) Passwords should be at least 14 characters and should include symbols, not just letters and numbers. Use upper and lower case and change your password often. D.K. didn’t recommend it, but for the average person, LastPass can be a very good solution to help you remember all those crazy passwords, use a different one for every site, and not worry about changing them.
Also, don’t use “admin” as your WordPress username. Login-guessing bots try “admin” first because it was the default for years, and a login is a username plus a password: if the username is already known, you have handed the hackers half of it. Pick something that isn’t shown on the front of your site (your display name can be different from your login name).
2) Don’t email passwords. Use something like PassPack.com or Basecamp to give your customers their passwords securely, or better yet, call them. Email is sent and stored in plain text on most systems, so it can be read by anyone who gets into either mailbox or any server in between.
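As an added example (my own code for this post, not something from the talk or from WordPress itself), here is a small Python script that checks a password against the rule above, flags the login names bots guess first, and generates passwords that meet the rule using the operating system’s random number generator. The 14-character minimum, the symbol set and the list of weak usernames are this example’s own assumptions:

```python
import secrets
import string

# Policy from the post: at least 14 characters, upper and lower case,
# digits and symbols. The exact minimum and the symbol set used here are
# this example's assumptions, not a WordPress setting.
MIN_LENGTH = 14
SYMBOLS = string.punctuation

# Login names that password-guessing bots try first. "admin" is the one the
# post warns about; the others are assumed additions for illustration.
WEAK_USERNAMES = {"admin", "administrator", "root", "user", "test", "wordpress"}


def password_problems(password):
    """Return the list of rules the password breaks (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    return problems


def username_is_weak(username):
    """True if the login name is one an attacker would guess without trying."""
    return username.strip().lower() in WEAK_USERNAMES


def generate_password(length=20):
    """Generate a random password that satisfies password_problems().

    Uses the secrets module (operating-system randomness), never random.
    One character from each required class is forced in, the rest are drawn
    from the full alphabet, and the result is shuffled so the forced
    characters do not always sit at the front.
    """
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    chars = [
        secrets.choice(string.ascii_lowercase),
        secrets.choice(string.ascii_uppercase),
        secrets.choice(string.digits),
        secrets.choice(SYMBOLS),
    ]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ("Passw0rd!", "correct horse battery staple", generate_password()):
        problems = password_problems(candidate)
        print("%-30s %s" % (candidate, "OK" if not problems else ", ".join(problems)))
    for name in ("admin", "lhartwig"):
        print("username %-10s %s" % (name, "weak" if username_is_weak(name) else "fine"))
```

The checker is deliberately a list of rules rather than a single score, so a user is told exactly which requirement their choice misses; the generator reuses the same rules, so anything it produces passes the check by construction.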
3) Use a reputable host. If your hosting service isn’t secure, it doesn’t matter how secure your site is. D.K. recommended HostGator.com. They have quality hosting at a good price and their support staff is there when you need them, 24/7. He also recommended NameCheap.com for domain names rather than GoDaddy. My personal recommendation for hosting is SiteGround.
4) When using FTP, be sure to use SFTP if possible. Plain FTP sends your username, password and every file in clear text, so anyone on the same network (a coffee-shop wireless connection, for example) can read them. SFTP runs over SSH and encrypts the whole session. Good hosts like HostGator.com offer SFTP; in most FTP programs it is just a different protocol choice in the connection settings.
5) Buy an SSL certificate. They are very cheap now (Let’s Encrypt even issues them free of charge), and with one installed your site can be served over HTTPS, which encrypts logins, admin sessions and everything else between the browser and the server. Once it is in place, change both addresses under Settings to the https:// version and tell WordPress to require HTTPS for the login page and dashboard so nobody can reach them over plain http. You should also use an HTTPS plugin for your browser, such as the EFF’s HTTPS Everywhere, that will force https when available. Google is now also giving ranking preference to sites that use HTTPS.
6) Delete all plugins and themes you are not using. Every installed plugin or theme is code sitting on your server that can be attacked even while it is deactivated, and it slows down your site. The only possible exception is keeping the Twenty Ten theme as a tester, but it can be easily downloaded if needed. Keep whatever remains up to date: a large share of WordPress break-ins go through a known hole in an outdated plugin or theme. Also, don’t use plugins that are not in the WordPress repository. They have not been reviewed by WordPress.org and won’t tell you when an update is available. Also, be very cautious of free themes from anywhere other than WordPress.org; they frequently come with hidden links or obfuscated code baked in.
7) Use screen captures to take a picture of your plugin list, your settings, the way your site looks, etc. That way, if something happens, you’ll at least have a starting point for putting it back the way it was. They don’t take up much room on disk and can be a life saver. I recommend the Aviary add-on for both Firefox and Chrome.
8) Make sure your computer is secure. A keylogger on your own PC steals your WordPress password no matter how strong it is. Protect your system with AVG Antivirus. D.K. also recommended Malwarebytes, HijackThis, Comodo Firewall, and ZoneAlarm. Make sure your computer is updated with the latest software and that your browser is updated to the latest version. If you are using a wireless router, use WPA2, not WEP: WEP is broken and can be cracked in minutes, and the original WPA is only a little better.
9) Back up. Back up both the files and the database, store the copies somewhere other than your site’s hosting, and keep several generations, because the most recent backup may already contain the infection. Before using a backup to restore, make sure it is not infected as well. Once you restore your site, close as many vulnerabilities as possible so the hacker does not get back in: update WordPress, themes and plugins, change every password (WordPress users, FTP/SFTP, database, hosting control panel), and look for user accounts you didn’t create.
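As an added example of the “make sure your backup is not infected” check in 9) (my own code written for this post, not anything from the talk), here is a Python script that scans a backup directory for the code patterns injected WordPress sites usually carry, flags PHP files sitting in the uploads folder, and builds a SHA-256 manifest so the copy kept off the server can later be compared file by file against the live site. The indicator patterns are an illustrative, assumed list rather than a real signature set, and the tiny sample backup it writes into a temporary directory is constructed for the demonstration:

```python
import hashlib
import os
import re
import tempfile

# Patterns that injected PHP frequently contains. This is an assumed,
# illustrative list, not a maintained signature set: a hit is a lead to
# inspect by hand, and a clean file can occasionally match.
SUSPICIOUS = [
    ("eval of decoded payload",
     re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("shell command built from request input",
     re.compile(rb"(system|exec|shell_exec|passthru)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)")),
    ("long base64 blob",
     re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")),
]
CODE_EXTENSIONS = (".php", ".phtml", ".php5", ".htaccess")


def scan_file(path, rel):
    """Return the list of findings for one file (empty means nothing flagged)."""
    findings = []
    if rel.endswith(".php") and "/uploads/" in "/" + rel:
        # Uploads hold images and documents; executable PHP in there is
        # almost always a dropped web shell.
        findings.append("PHP file inside uploads directory")
    with open(path, "rb") as f:
        data = f.read()
    for label, pattern in SUSPICIOUS:
        if pattern.search(data):
            findings.append(label)
    return findings


def scan_backup(root):
    """Walk a backup tree; map relative path -> findings for flagged files only."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(CODE_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            findings = scan_file(path, rel)
            if findings:
                report[rel] = findings
    return report


def manifest(root):
    """Map every file's relative path to its SHA-256, for later comparison."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def changed_files(known_good, current):
    """Files added, removed or modified relative to the known-good manifest."""
    paths = set(known_good) | set(current)
    return sorted(p for p in paths if known_good.get(p) != current.get(p))


# A constructed sample backup: two ordinary files and one dropped shell.
SAMPLE_FILES = {
    "wp-content/themes/twentyten/functions.php":
        b"<?php\nfunction twentyten_setup() {\n    add_theme_support('post-thumbnails');\n}\n",
    "wp-content/plugins/hello.php":
        b"<?php\n/* Plugin Name: Hello Dolly */\nfunction hello_dolly() { echo 'Hello, Dolly'; }\n",
    "wp-content/uploads/2014/03/image.php":
        b"<?php @eval(base64_decode($_POST['c'])); ?>\n",
}


def build_sample_backup():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="wp-backup-")
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    backup = build_sample_backup()
    for rel, findings in sorted(scan_backup(backup).items()):
        print("FLAGGED %s: %s" % (rel, "; ".join(findings)))
    known_good = manifest(backup)
    print("%d files hashed; keep this manifest with the off-site copy" % len(known_good))
```

Run the scan against each backup generation, oldest first, and restore from the newest one that comes back clean; after the restore, a manifest taken from that clean copy is what you compare the live site against when you suspect the hacker has returned.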
10) Plugins. There are some great plugins out there to make it simple to secure your site. Here are just a few of them.
a) WordPress Firewall 2
b) WP Security Scan (Download, run, then delete)
c) Many recommend iThemes Security. D.K. suggested that it was too bulky a plugin, but still good for novices.
Overall, there’s no way to protect your site 100%. If a hacker wants in badly enough, they can get in. The idea is not to make it an easy target. Be sure to follow these suggestions, at a minimum.