On WordPress security

So you want to set up WordPress, but you’ve heard concerns about it not being secure. Here are some things you may want to consider:

  • Install WP by hand. Essentially, don’t use those 1-click installs your host provides. Trust me. Also, make sure you take the step of adding the authentication keys and salts (the SALT values in wp-config.php). The secondary benefit of doing it by hand is that you will feel more comfortable with the install and you’ll know what you named your database. If you’ve never done this before, it will only take you 5 minutes.
  • Make sure it’s always being updated. This includes WordPress core, plugins and themes. Tip: the plugin Wordfence Security e-mails me whenever there is an update.
  • Be selective about the plugins and themes you install. Pay attention to their popularity, the issues people report, how often they get updated, and when they were last updated. If you know how to code, peek at the source code.
  • Remove unused plugins and themes. I tend to keep one WordPress theme, like 2010 or 2011, in case I need to flip to it for troubleshooting. I’ve only had to do that once with a live site.
  • Back up your site. Make those backups daily if you can, and make sure you are backing up the file structure as well as your database.
  • Remove junk installations of WordPress and any other unused software from your server. Outdated software on the server makes the whole server vulnerable.
  • Move to a non-shared environment.
  • Make sure you use security plugins. These can obscure your site from looking like WordPress (to a bot), change the location of your admin login screen, warn you if something is fishy with your site, and much more.
  • Use good password practices.
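The "add the salts" step from the first bullet, as an added helper that is not part of the original post: it generates the eight key/salt define() lines WordPress expects in wp-config.php using the OS random generator, and checks an existing config for keys that are missing, still set to the sample-file placeholder, too short, or reused. The sample config text is constructed for the demonstration; the key names and placeholder text are the ones shipped in WordPress's wp-config-sample.php.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php to sign auth cookies and nonces.
WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
MIN_LEN = 32
# Printable ASCII minus the characters that would need escaping in a PHP single-quoted string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\"\\")
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def generate_salt(length=64):
    """Fresh random value from the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def render_defines():
    """Eight define() lines ready to paste into wp-config.php."""
    return "\n".join(f"define( '{key}', '{generate_salt()}' );" for key in WP_KEYS)


def weak_keys(config_text):
    """Names of keys that are missing, still the placeholder, too short, or reused."""
    found = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_text)
             if m.group(1) in WP_KEYS}
    values = list(found.values())
    weak = []
    for key in WP_KEYS:
        value = found.get(key)
        if (value is None or value == PLACEHOLDER or len(value) < MIN_LEN
                or values.count(value) > 1):
            weak.append(key)
    return weak


# Constructed sample: what a half-finished wp-config.php looks like (not a real site's file).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp_example' );
define( 'AUTH_KEY',        'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );
define( 'LOGGED_IN_KEY',   'abc' );
define( 'NONCE_KEY',       'x8Jn2!q#Lp9$wVc4&Zt7*Rb1^Ky6Mh3(Ud5)Gf0' );
"""

if __name__ == "__main__":
    print("weak or missing:", weak_keys(SAMPLE_CONFIG))
    print(render_defines())
```

Paste the printed define() lines over the placeholder block in wp-config.php; changing them logs out every user, which is also the quickest way to invalidate stolen cookies after an incident.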