I have received several questions lately about the safety and security of WordPress, and then I read about the same issue on a forum I am active on, so I thought I should address it here since the bulk of my clients' sites are built on WordPress.
WordPress Is Safe!
But, like any website, it takes care and maintenance to keep it safe. Remember that hackers and spammers are relentless: give them a new wall and they will try to knock it right back down.
How Most Hacks Happen On WordPress
There are a few common reasons why WordPress sites get hacked.
- It is the most popular CMS, with an estimated 59% of websites being powered by it. That in itself makes it a huge target.
- Poor hosting, such as GoDaddy or Bluehost, which often lacks the proper security measures to keep your server safe.
- Use of “admin” as the username.
- A password for your WP admin account that is too easy to guess.
- Using compromised plugins. Over the years many hacks have happened because of compromised plugins; by minimizing the number of plugins you use and keeping them updated, you can prevent such hacks.
Tips For Keeping WordPress Hack Proof
1) Get a GOOD host. Some hosting companies are open to more vulnerabilities than others. Most of my clients who have been hacked host with GoDaddy. At one time GoDaddy admitted that one of my clients' hacks was their fault: the server wasn't secure enough. If you host with me, you will know that, if anything, the hosting company I have my server with, Liquid Web, is sometimes too secure, resulting in 404 errors. Although this is a pain, it is good to know your files are safe! There is an old saying: you get what you pay for. This is so true with hosting.
2) Once your site is launched, REMOVE the default login username of “admin”. Make sure you set up a new user with your name and a strong password. This doesn't mean your birthday, your pet's name, etc.; use a mix of uppercase and lowercase letters and numbers. One of my clients got hacked because of this issue: she was using the default admin/admin combination. BIG NO NO!
3) Keep your WordPress version updated! Before you hit the update button, though, drop in on the WordPress forums to see if the latest version has any known issues; if so, use caution.
4) Keep your plugins updated too! There is a reason updates are released; don't ignore them!
5) File permissions are important! Whether they have been set properly depends on who created your website. You will have to go into your hosting account or access your files via FTP to check this, or ask your web designer to ensure it has been done! Basically, your permissions should be set so that no one else can write to your files. By giving your files permissions of 777 you are basically telling the world it is OK to come on in, so you should keep most of your files and directories at either 755 or 644, depending on the nature of the files. You can get more detailed specifics about permissions at http://codex.wordpress.org/Changing_File_Permissions
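The permission check from tip 5, written out as a small shell script. This is an added example, not code from the original post: it counts world-writable (777-style) entries under a WordPress directory and then sets directories to 755 and files to 644. It assumes a POSIX shell with find, chmod and mktemp; the sample tree built by make_sample_tree is constructed for the demo, and file ownership is left untouched, so run it as the account that owns the site files.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress tree for
# world-writable (777-style) entries and normalise them to 755 (directories)
# and 644 (files). Assumes POSIX sh with find/chmod/mktemp; the sample tree
# built by make_sample_tree is constructed for the demo. File ownership is
# left untouched, so run it as the account that owns the site files.

# Count entries under $1 that are writable by "others" (the bit 777 grants).
# Symlinks are skipped because their own mode is meaningless.
count_world_writable() {
    find "$1" -perm -002 ! -type l | wc -l | tr -d ' '
}

# Set every directory under $1 to 755 and every regular file to 644.
harden_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a small constructed WordPress-like tree with two deliberately
# world-writable entries, and print its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/wp-content/plugins/example"
    printf '<?php // constructed sample config\n' > "$dir/wp-config.php"
    : > "$dir/wp-content/plugins/example/example.php"
    harden_permissions "$dir"                      # known-good baseline
    chmod 777 "$dir/wp-content/uploads" "$dir/wp-config.php"   # the bad state
    printf '%s\n' "$dir"
}

# Usage: sh wp-perms.sh /path/to/wordpress  (no argument: use the sample tree)
WP_ROOT=${1:-$(make_sample_tree)}
echo "world-writable entries before: $(count_world_writable "$WP_ROOT")"
harden_permissions "$WP_ROOT"
echo "world-writable entries after:  $(count_world_writable "$WP_ROOT")"
```

Re-run the count afterwards on a live site; if the number climbs again without you touching the files, something on the server is changing them and deserves a closer look.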
These are a few things that will get you started with keeping your WordPress site safe!