Tech Stuff: WordPress Security
If you have a blog, what, if anything, do you do to ensure it doesn’t get hijacked by nefarious web characters? Well, mostly I’ve trusted WordPress to publish solid software and used a strong password.
Then earlier this month, I was wandering around on the FTP site of my site and noticed some files that looked suspicious on several of my blogs. I grew concerned. On one of my private blogs, I installed a WordPress security plugin called WordFence. It only found a generic problem — one file differed from the original WordPress installation file, but it had been modified by my hosting service. Each of the sites that had the strange files was a site I’d installed the lazy way (and have sort of regretted ever since), meaning I let the hosting provider’s script service install the site. There’s nothing wrong with this, but every once in a while, I have to log in to the service from my cPanel and tell it which version I’ve already updated the site to from my end.
Even though my installs were mostly clean, I like the idea of WordFence keeping an eye on things. In fact, the day after I installed it on my primary site, I looked at the login attempt statistics and saw that someone in Italy had been repeatedly trying to login to my site using the Admin username.
Now, you’ve probably heard the advice to never use Administrator or Admin as your administrator username. Um. Yeah. I have too, and until I saw those hits, I’d not done anything about it. When I saw that, I made the change right away. And I am using the WordFence plugin to block anyone who tries to log in that way in the future.
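The pattern described above (one address repeatedly failing to log in as “admin”) is easy to spot automatically once login attempts are logged. The script below is an added example and is not WordFence’s code; the log line format, the sample lines, the five-failures-in-ten-minutes threshold and the list of forbidden usernames are all assumptions constructed for this illustration. A real plugin or web-server log would need its own parser.

```python
# Added example, not WordFence's code: flag repeated failed logins from one IP
# and any attempt against the "admin"/"administrator" usernames. The log line
# format and the sample lines are constructed for this example.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Iterator, List, Set, Tuple

# Assumed log format: "<ISO timestamp> <client ip> login <ok|fail> user=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login (?P<result>ok|fail) user=(?P<user>\S+)$"
)

# Constructed sample log: 203.0.113.5 hammers the admin account, the others
# are normal activity (one typo by a real user, a few slow failures by another).
SAMPLE_LOG = """\
2023-12-20T08:00:00 192.0.2.9 login fail user=editor
2023-12-20T09:30:00 192.0.2.9 login fail user=editor
2023-12-20T10:00:01 203.0.113.5 login fail user=admin
2023-12-20T10:00:09 203.0.113.5 login fail user=Admin
2023-12-20T10:00:17 203.0.113.5 login fail user=admin
2023-12-20T10:00:25 203.0.113.5 login fail user=admin
2023-12-20T10:00:33 203.0.113.5 login fail user=admin
2023-12-20T10:01:02 198.51.100.7 login fail user=jean
2023-12-20T10:01:40 198.51.100.7 login ok user=jean
2023-12-20T11:00:00 192.0.2.9 login fail user=editor
"""


def parse_lines(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, ip, result, user) for each line matching the assumed format."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:  # lines in some other format are skipped rather than crashing the scan
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["result"], m["user"]


def find_suspicious_ips(
    lines: Iterable[str],
    threshold: int = 5,
    window: timedelta = timedelta(minutes=10),
    forbidden_users: Tuple[str, ...] = ("admin", "administrator"),
) -> Dict[str, List[str]]:
    """Return {ip: [reasons]} for addresses worth blocking.

    "burst": at least `threshold` failures within a sliding `window`.
    "forbidden-username": any attempt (even a successful one) against a
    username that should not exist on the site, compared case-insensitively.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, Set[str]] = defaultdict(set)
    for ts, ip, result, user in parse_lines(lines):
        if user.lower() in forbidden_users:
            flagged[ip].add("forbidden-username")
        if result != "fail":
            continue
        recent = failures[ip]
        recent.append(ts)
        # Drop failures that fell out of the window (log is assumed time-ordered).
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            flagged[ip].add("burst")
    return {ip: sorted(reasons) for ip, reasons in flagged.items()}


if __name__ == "__main__":
    for ip, reasons in find_suspicious_ips(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {', '.join(reasons)}")
```

On the sample log only 203.0.113.5 is reported, for both reasons; the slow failures from 192.0.2.9 never reach five inside one window, and the single typo from 198.51.100.7 is followed by a successful login. Flagging any attempt against “admin” regardless of success is deliberate: once the account no longer exists, nobody legitimate should be typing that name.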
What does WordFence do? The free version does quite a lot. It will scan your site and compare the WordPress and theme files against known good copies in the WordFence repository for signs of tampering. If WordFence detects differences, it will let you know. You can compare the original reference file with the version on your site and tell it either to ignore the difference or to restore the file so it matches the reference. If you have the paid version, you can schedule these scans. In the free version, you must run the scan manually (click a button to start the scan).
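To make the file-comparison idea concrete, here is an added example (not WordFence’s or WordPress’s code) of the simplest form of such a scan: hash every file under the install directory and compare the result with a manifest of known-good hashes. The manifest format (relative path to SHA-256), the ignore list and the tiny stand-in install tree it builds in a temporary directory are assumptions constructed for this example; the file contents are not real WordPress code.

```python
# Added example, not WordFence's or WordPress's code: a minimal file-integrity
# scan. It hashes every file under an install directory and compares the result
# with a known-good manifest (relative path -> sha256). The manifest format and
# the sample install tree are constructed for this example.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash every regular file under root, keyed by its path relative to root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(
    reference: Dict[str, str],
    current: Dict[str, str],
    ignore_prefixes: Tuple[str, ...] = ("wp-content/uploads/",),
) -> Tuple[List[str], List[str], List[str]]:
    """Return (modified, missing, unexpected) relative paths.

    Paths under ignore_prefixes are expected to differ from site to site
    (uploads are the obvious case) and are skipped when reporting unexpected
    files; a host-modified file you have reviewed can be handled the same way.
    """
    modified = sorted(p for p, h in reference.items() if p in current and current[p] != h)
    missing = sorted(p for p in reference if p not in current)
    unexpected = sorted(
        p for p in current
        if p not in reference and not p.startswith(ignore_prefixes)
    )
    return modified, missing, unexpected


def _write(root: Path, rel: str, text: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Build a constructed clean install, record its manifest, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        # Constructed stand-ins for a few core files (not real WordPress code).
        _write(site, "index.php", "<?php require 'wp-blog-header.php';\n")
        _write(site, "wp-admin/index.php", "<?php // admin dashboard\n")
        _write(site, "wp-includes/version.php", "<?php $wp_version = 'x.y.z';\n")
        reference = build_manifest(site)

        # What a scan is meant to catch: an edited core file, a deleted core
        # file, and a file dropped into the plugins directory. An upload is
        # added as well and should be ignored.
        _write(site, "wp-admin/index.php", "<?php // admin dashboard\n// appended line\n")
        (site / "index.php").unlink()
        _write(site, "wp-content/plugins/unknown-plugin/loader.php", "<?php // not in reference\n")
        _write(site, "wp-content/uploads/2023/photo.txt", "stand-in for an uploaded image\n")

        return compare_manifests(reference, build_manifest(site))


if __name__ == "__main__":
    modified, missing, unexpected = demo()
    print("modified:  ", modified)
    print("missing:   ", missing)
    print("unexpected:", unexpected)
```

Running it reports the edited admin file as modified, the deleted index as missing and the stray plugin file as unexpected, while the upload is ignored. The useful property of this approach is that the reference manifest is taken from a clean copy, so anything a scanner like WordFence flags can be checked against the same kind of baseline rather than against whatever happens to be on the server now.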
You can look at live traffic on your site. You can block IPs. You can activate a caching option to speed up your site. Premium members can activate two-factor authentication via their cell phones.
Generally speaking, for the individual or very small business owner using WordPress, the free version of WordFence should be fine, but the premium features may be worthwhile to you, depending upon your traffic or level of comfort with risk.
You may or may not decide you need additional security help for your site, but, please, if you’re using Admin or Administrator for the username on your admin account, fix that but quick.
Thanks for this advice.
I’ve not heard about website/blog hijacking. I have the free version of WordPress. Where would I find out my Admin password information?
Connie, you can find it in the User area. Create a new account with a different name and admin rights and a good password. Once you’re comfortable it is working, you can delete the admin account.
Ah, yes. WordPress.
You can change your username in the free version. Just don’t forget that you’ve done it! (Voice of experience.)
I never let anyone see my actual admin username. It is long, complicated, and uses both letters and numbers. I never attribute posts to the admin “character.” I’ve made a separate account that has only author privileges, and that’s the account that posts. I never use the admin account name or email address when I comment on other people’s blogs.
Oh, and I disabled the upper and lower info lines on the posts on my site, so that even if I forget to attribute the posts to the author character, no one will (I think) know who posted, anyway.
You bring up an important idea: the themes that we (I) have stored onsite. There are a couple that seem to update every couple of weeks. Since I’ve given up the idea of changing themes (I use the one you use, Jean), those unused themes are doing nothing but offering evildoers a crack in my dilapidated wall. Thanks for mentioning it!
Hope you all had a Merry Christmas and expect you to have a Happy New Year. 🙂