Quick, think of three things you are currently doing to secure your WordPress-powered site. Don’t worry if you have trouble naming all three; many site owners couldn’t either. Today I’m sharing a few easy things you can do to improve the security of your WordPress site, along with some advice to raise your overall security awareness.
Why Worry About WordPress Security?
Let’s look at what an insecure site means to you and your users, and at the impact it has on the time and resources you have invested in your site. A hacked site often becomes a host for viruses, malware, trojans, and pirated material. Search engines flag compromised sites in their listings, and the public relations firestorm these incidents usually ignite follows close behind. In short order, a hacked site also unravels the weeks and months of effort you have put into your site’s reputation and authority, further impeding your SEO.
Three Types of Security
When we talk about security online, we are mainly concerned with three types of security. They overlap a little, but they highlight three areas that need protection to ensure a safe experience for you, your users, and your customers. They are:
- Internal: measures intended to prevent authenticated users from accessing information or functions they are not authorized to use, often called user access control (UAC)
- Customer: protections for your customers’ private and confidential data
- External: mechanisms that prevent unauthorized outsiders from gaining access as internal users or administrators
To complicate matters further, every security policy or implementation is either active, meaning it requires user awareness or interaction to do its job, or passive, meaning it works without the user being aware or involved. Ideally, each security area uses a mix of active and passive controls. Below, we cover each area along with a couple of solutions to strengthen the protections on your site.
Improving Internal Security
Improving internal security is largely a matter of using the user roles that ship with WordPress. It may seem like extra work, but your site benefits from roles that keep people out of areas you have not entrusted to them. For example, if you employ guest authors but do not want them publishing unapproved content, add them as Contributors. They can then write posts, but a post only goes live after an Editor or Administrator approves it (a Contributor has the edit_posts capability but not publish_posts, and cannot upload files either). This is a simple passive control that protects your site from abusive or untrusted content.
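As an added example (not code from the original post), here is how the same restriction is expressed with the WordPress roles and capabilities API: a hypothetical "guest_author" role cloned from Contributor, plus a defensive check that strips publish_posts if another plugin ever grants it. The role name, the file location and the helper function names are my assumptions.

```php
<?php
/**
 * Plugin Name: Guest Author role (added example, not part of the original post)
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 * It clones the built-in Contributor role into a hypothetical "guest_author"
 * role that can write posts but cannot publish them or upload files.
 */

function example_register_guest_author_role() {
    $contributor = get_role( 'contributor' );
    if ( ! $contributor ) {
        return; // nothing to clone from
    }

    // Start from Contributor's capabilities (read, edit_posts, delete_posts)
    // and deny publishing and uploads explicitly. A capability set to false is
    // an explicit deny; leaving it absent behaves the same today, but the
    // false entry documents the intent for whoever reads the roles table.
    $caps = $contributor->capabilities;
    $caps['publish_posts'] = false;
    $caps['upload_files']  = false;

    // add_role() persists the role in the database and returns null when the
    // role already exists, so calling it on every request is harmless.
    add_role( 'guest_author', 'Guest Author', $caps );
}
add_action( 'init', 'example_register_guest_author_role' );

// Defensive check: if any plugin has granted publish_posts to Contributors or
// guest authors, strip it again so drafts always go through an Editor's review.
function example_strip_publish_from_untrusted_roles() {
    foreach ( array( 'contributor', 'guest_author' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( $role && $role->has_cap( 'publish_posts' ) ) {
            $role->remove_cap( 'publish_posts' );
        }
    }
}
add_action( 'init', 'example_strip_publish_from_untrusted_roles', 20 );

// In your own theme or plugin code, gate an action on the capability, never
// on the role name, so the check still holds if roles are renamed or cloned.
function example_can_user_publish( $user_id ) {
    return user_can( $user_id, 'publish_posts' );
}
```

WordPress itself enforces the rest: when a user without publish_posts saves a post with status "publish", wp_insert_post() downgrades it to "pending", which is what puts it in the Editor's review queue.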
Protecting Customer Security
The last thing any site owner wants is a leak of confidential customer data. A data leak, and the customer exodus that follows it, is often enough to make a commerce site irrelevant for the foreseeable future. The first thing you absolutely need to do is serve your site over HTTPS with an SSL/TLS certificate. I recommend buying your certificates for the maximum allowed term, so your attention can stay on what you do best. You don’t have to encrypt every page of your site; HTTPS plugins let you enable it on just the pages that require it. Be aware, though, that on a site served partly over plain HTTP, anything sent on the unencrypted pages, including the cookie that marks a visitor as logged in, can be read by anyone on the network path, so sitewide HTTPS is the safer choice when you can manage it.
If your site has a shopping cart that requires you to store customer data, I highly recommend separating commerce from business. You can do this with a separate WordPress site managed through a tool like WordPress MU (now WordPress Multisite), or by choosing a cart solution that keeps customer records in a separate database so they are never stored alongside your internal data. At the very least, use a WordPress cart solution that implements a dedicated customer role.
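An added example of enforcing HTTPS without a plugin (this is my illustration, not code from the original post or any cart product): the built-in FORCE_SSL_ADMIN switch for wp-config.php, and a small must-use plugin that redirects the pages handling customer data, or the whole site, to HTTPS. The page slugs and the EXAMPLE_HTTPS_EVERYWHERE constant are assumptions.

```php
<?php
/**
 * Plugin Name: Force HTTPS on sensitive pages (added example, not from the original post)
 *
 * Two parts: a constant that belongs in wp-config.php, and a redirect hook
 * for wp-content/mu-plugins/. The page slugs below are hypothetical.
 */

// --- wp-config.php ---------------------------------------------------------
// Keep the login form and the whole dashboard on HTTPS. This is the built-in
// WordPress switch; logging in over HTTPS also marks the auth cookie Secure.
// define( 'FORCE_SSL_ADMIN', true );

// --- mu-plugin -------------------------------------------------------------
// false: encrypt only the pages listed below (the "just the pages that need
//        it" approach). true: redirect every request, the safer setting.
define( 'EXAMPLE_HTTPS_EVERYWHERE', false );

// Pages that collect or display customer data (hypothetical slugs).
function example_sensitive_pages() {
    return array( 'cart', 'checkout', 'my-account' );
}

function example_force_https_where_needed() {
    if ( is_ssl() ) {
        return; // already encrypted
    }
    if ( ! EXAMPLE_HTTPS_EVERYWHERE && ! is_page( example_sensitive_pages() ) ) {
        return; // a public page we chose not to encrypt
    }

    // Rebuild the URL from the site's own home URL rather than from the Host
    // header, so a forged Host header cannot bounce visitors to another site.
    $target = home_url( $_SERVER['REQUEST_URI'], 'https' );

    // wp_safe_redirect() refuses destinations outside the allowed hosts.
    wp_safe_redirect( $target, 301 );
    exit;
}
add_action( 'template_redirect', 'example_force_https_where_needed' );
```

With EXAMPLE_HTTPS_EVERYWHERE left at false, WordPress only marks the logged-in cookie Secure when the Site Address itself starts with https, so the cookie still travels in the clear on the unencrypted pages; that is the trade-off the sitewide setting removes.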
Addressing External Security
There is one piece of advice I give to every WordPress site owner I’ve ever met: using your administrator account for every action on your site is dangerous. The only time you should log in as the admin user you created when you first installed WordPress is to perform updates and make changes to the site itself. Everything else can, and should, be done by a lower-level user (Editor, Author, or Contributor). My next piece of advice is to use complex passwords, update them regularly (and immediately if you suspect a compromise), and don’t reuse one password across sites. For the administrator account, use an ultra-complex password. By “ultra complex” I mean something like “3 to 5 groups of 5 to 8 characters, mixing letters, numbers, and special characters, with each group separated by spaces”. If the characters are chosen at random, such a password has an extraordinarily high entropy, and its length puts it well beyond the reach of brute-force and precomputed (rainbow-table) attacks. It does nothing, of course, against a password captured by phishing or malware, which is one more reason to use the admin account as rarely as possible.
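To put numbers on "extraordinarily high entropy", here is an added example (my code, not the original post's) that generates a password in the grouped style described above and computes its entropy next to that of a typical 8-character password. The character alphabet and the attacker's guess rate of 10^10 per second are assumptions for illustration; the arithmetic only holds if every character is chosen uniformly at random, which a password a person makes up does not satisfy.

```php
<?php
// Added example: generate an "ultra complex" password (several groups of random
// characters separated by spaces) and work out how much entropy it carries
// compared with an 8-character password from the same alphabet.

const EXAMPLE_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
                       . '0123456789!@#$%^&*()-_=+[]{};:,.?/';   // assumed alphabet

// Bits of entropy for $length characters drawn uniformly from $alphabet_size.
function example_entropy_bits( $alphabet_size, $length ) {
    return $length * log( $alphabet_size, 2 );
}

// Build $groups groups, each of a random length between $min and $max.
// random_int() uses the OS CSPRNG; never use rand()/mt_rand() for secrets.
function example_generate_grouped_password( $groups = 4, $min = 5, $max = 8 ) {
    $alphabet = EXAMPLE_ALPHABET;
    $n        = strlen( $alphabet );
    $parts    = array();
    $bits     = 0.0;
    for ( $g = 0; $g < $groups; $g++ ) {
        $len   = random_int( $min, $max );
        $group = '';
        for ( $i = 0; $i < $len; $i++ ) {
            $group .= $alphabet[ random_int( 0, $n - 1 ) ];
        }
        $parts[] = $group;
        $bits   += example_entropy_bits( $n, $len );
    }
    return array( 'password' => implode( ' ', $parts ), 'bits' => $bits );
}

// Expected years for an attacker making $rate guesses per second to hit a
// password of $bits entropy; on average half the keyspace is searched.
function example_years_to_guess( $bits, $rate = 1e10 ) {
    return pow( 2, $bits - 1 ) / $rate / ( 365.25 * 86400 );
}

if ( PHP_SAPI === 'cli' ) {
    $n = strlen( EXAMPLE_ALPHABET );
    $p = example_generate_grouped_password();
    printf( "%s\n", $p['password'] );
    printf( "grouped password: %.0f bits, ~%.1e years at 1e10 guesses/s\n",
            $p['bits'], example_years_to_guess( $p['bits'] ) );
    $short = example_entropy_bits( $n, 8 );
    printf( "8 random chars:   %.0f bits, ~%.1e years at 1e10 guesses/s\n",
            $short, example_years_to_guess( $short ) );
}
```

With an 86-character alphabet each random character adds about 6.4 bits, so four groups averaging 6.5 characters come to roughly 165 bits, against about 51 bits for 8 characters; the first is far beyond any brute-force budget, the second is not.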
Since you can’t necessarily enforce very strong passwords on your writing and editing staff, another suggestion is to use two-factor authentication on your site. It adds a verification step between entering the password and gaining access, typically a one-time code from an authenticator app, so a stolen or guessed password alone is not enough to log in.
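The one-time codes those apps produce come from TOTP (RFC 6238, built on HOTP, RFC 4226). As an added example, and not the code of any particular WordPress plugin, here is the algorithm with the two checks a verifier needs in practice: a small clock-drift window, and rejection of any code at or before the last step already used, so a code captured from a user cannot be replayed. The shared secret is assumed to be raw bytes (apps usually show it Base32-encoded); function names are mine.

```php
<?php
// Added example: TOTP as in RFC 6238, with drift tolerance and replay rejection.
// Stand-alone illustration; secret handling (storage, enrolment) is out of scope.

// One HOTP value for a given counter.
function example_hotp( $secret, $counter, $digits = 6 ) {
    $msg  = pack( 'J', $counter );                      // 64-bit big-endian counter
    $hmac = hash_hmac( 'sha1', $msg, $secret, true );   // 20 raw bytes
    // Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    $offset = ord( $hmac[19] ) & 0x0f;
    $code   = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hmac[ $offset + 1 ] ) << 16 )
            | ( ord( $hmac[ $offset + 2 ] ) << 8 )
            | ord( $hmac[ $offset + 3 ] );
    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// TOTP = HOTP with the counter derived from Unix time in 30-second steps.
function example_totp( $secret, $unix_time, $digits = 6, $step = 30 ) {
    return example_hotp( $secret, intdiv( $unix_time, $step ), $digits );
}

// Verify a submitted code. Returns the matched time step, or false.
//   $last_step - step of the last code this user successfully used; any step
//                at or before it is rejected so a captured code cannot be
//                replayed inside the drift window.
//   $window    - steps of clock drift tolerated on either side of "now".
function example_verify_totp( $secret, $submitted, $unix_time, $last_step, $window = 1, $step = 30 ) {
    $now_step = intdiv( $unix_time, $step );
    for ( $i = -$window; $i <= $window; $i++ ) {
        $candidate_step = $now_step + $i;
        if ( $candidate_step <= $last_step ) {
            continue; // already consumed, or older than the last accepted code
        }
        $expected = example_hotp( $secret, $candidate_step );
        // hash_equals() compares in constant time, so response timing does
        // not reveal how many leading digits were correct.
        if ( hash_equals( $expected, (string) $submitted ) ) {
            return $candidate_step; // caller stores this as the user's new last_step
        }
    }
    return false;
}

if ( PHP_SAPI === 'cli' ) {
    // RFC 6238 Appendix B test vector: ASCII secret, T = 59 s, SHA-1, 8 digits.
    $secret = '12345678901234567890';
    assert( example_totp( $secret, 59, 8 ) === '94287082' );

    $code  = example_totp( $secret, time() );
    echo "current code: $code\n";
    $step  = example_verify_totp( $secret, $code, time(), 0 );     // accepted
    $again = example_verify_totp( $secret, $code, time(), $step ); // replay rejected
    var_dump( $step !== false, $again === false );
}
```

Whatever plugin you install, the same three properties are what to look for: a short drift window rather than a wide one, no reuse of a code within its window, and constant-time comparison of the submitted code.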
Some Final Thoughts
By no means is this a comprehensive guide to security, but the items here will do much to raise awareness and improve the protections you have in place for yourself and your customers. Something else to add to your security considerations is spam prevention, for which I highly recommend Akismet. It does a very good job of identifying spam and doesn’t interrupt the user experience with unwieldy CAPTCHAs. It is also never a bad idea to scan your site for viruses and malware so you catch problems early, before they do real damage.
How about you, what are your tips for securing WordPress?