Mike Macartney's Blog - Posts Tagged "security"
Website Security
Goodreads is a book social site, but many here have their own websites, and many of those sites are Wordpress web sites.
Here are some ways to protect your Wordpress site from hacking, things I have learned the hard way. Wordpress is hacked constantly and there are holes in it that hackers exploit.
These are easy things to do and habits you can also carry to your other activities online as well.
+++
If you run your small business on a Wordpress site here are a few things you should do to secure it. Mine was hacked recently so I rebuilt it with security in mind.
First step - harden your password. Use 10+ characters with capital letters, numbers and symbols in it, like (MdefoS567!( -- you can remember it easily as "Open"-My-dog-eats-fleas-on-Saturday-567"bang""Open". (Write down your passwords and login info in an application like "DataVault Password Manager" or something similar stored on your computer. If you use a spreadsheet and somebody gets a virus onto your machine, they can find the file and know all your passwords. Apps like DataVault are encrypted and you only need to know one password to get into them - make it a hardened one!)
Get rid of plugins. Plugins are insecure so only use a few. Pick ones that have a good history and rating. Don't just add a plugin because it looks like fun. Plugin "toys" can cost you your website.
Security plugins to use are "Hide Login", "Secure Wordpress", "User Security Tools", "Wordpress Firewall2" and "AskApache Password Protect". (There are others, but these are top rated and recommended by security sites.)
If you do not use something like a login redirect, anybody can get to your login page and brute force their way into your site in a few minutes. Just write down your new login address before you enable it, or you will not be able to get into your own site.
Make sure you back up your own site and database to your own backup drive, one you can touch with your hand. If your database is hacked your site is gone and cannot be restored by your host company. It will have to be re-installed from scratch.
Note. You should have two backup drives for your computer with regular backups on them. I just lost my backup drive when it crashed the disk and had to have a data recovery firm pull the data off it. Drives are cheap compared to what you can lose. There are cloud backups now, but they can be expensive if you have large amounts of data to store. Cloud sites, like Apple's, get hacked also. Here is a real story of just that. http://www.wired.com/gadgetlab/2012/0...
Turn off comments if you do not need them.
Turn off all guest accounts so that only you can log into your site.
Modify your Wordpress theme (and widgets) to get rid of the "Meta" link to site admin that appears on the pages or footer of some themes.
Change the name of "admin" and never use defaults for anything - like post storage names.
If you don't need a contact form for people to fill out, don't use one - let people contact you directly or through other sites like your Twitter or Facebook pages. If you use a contact form, pick a secure one and install the tools above first, so that the form locks out users who try too many times to register for comments. Moderate comments and only allow previously approved users to post directly. (Wordpress setting)
These are a few things to start with as a minimum.
Just write everything down as you go so you do not lock yourself out of your site or forget how to get in.
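The brute-force point above is easy to check for yourself: a login attacker shows up in your web server's access log as one address hammering wp-login.php. This added script (my example, not from the post or from any of the plugins named) scans Apache/nginx combined-format log lines and flags any client that racks up a burst of failed logins; the log lines, thresholds and the 200-means-failed / 302-means-success rule are stated as assumptions in the comments.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache/nginx "combined" format; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2012:08:11:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "curl/7.26"
203.0.113.7 - - [10/Nov/2012:08:11:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "curl/7.26"
203.0.113.7 - - [10/Nov/2012:08:11:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "curl/7.26"
203.0.113.7 - - [10/Nov/2012:08:11:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "curl/7.26"
203.0.113.7 - - [10/Nov/2012:08:11:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "curl/7.26"
198.51.100.9 - - [10/Nov/2012:08:12:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2012:08:12:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2012:08:12:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
LOGIN_PATH = "/wp-login.php"  # assumes the default login URL, i.e. no login-redirect plugin yet

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], int(m.group("status"))

def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Map each client IP to its failed-login count if it made at least `threshold`
    failed POSTs to wp-login.php within any `window_seconds` span.
    Assumption: Wordpress re-renders the login form with HTTP 200 on a wrong password
    and answers 302 (redirect to wp-admin) on success, so POST + 200 counts as a failure."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH and rec[4] == 200:
            failures[rec[0]].append(rec[1])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        # Sliding window: any run of `threshold` failures that fits inside window_seconds.
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(stamps)
                break
    return flagged

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins in a burst - block or rate-limit this address")
```

On the sample, the curl client is flagged and the real user who mistyped once and then got in is not; point it at your own log file and lower the window if you want to catch slower scans.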
Published on November 10, 2012 08:11
Tags:
data-backup, hacking, online-security, security, web-site, website-security, wordpress