I will be the first one to say that I think WordPress is one of the most insecure platforms on the internet today. However, the truth is that it is insecure because of how many people actually use it. Its huge user base makes it eye candy for hackers, so hackers will focus more of their energy writing malicious scripts for WordPress-based sites than they will for something like Joomla.
I rarely use WordPress, even though this Tech Me Out site and my Ben Dorsi-Todaro site are both WordPress based. I never recommend WordPress to my clients, simply because protecting it becomes a challenge and an art. However, if you do feel the need to use WordPress because of its simplicity or great community support, I don't hold anything against you, nor do I even blame you. But I do suggest that you take a little extra time to learn how to make it more secure. Here I will mention a few things I do to keep my site safe.
People who read my blog regularly know that Tech Me Out has been under attack several times. Many sites get attacked without the attackers ever succeeding in their goals. Setting your WordPress site up to use two-factor authentication will make it more difficult for attackers to gain administrative access. Authy is a great two-factor authentication tool that now offers an easy-to-install WordPress plugin.
Simply install the plugin, sign up on the Authy site to obtain the developer API key, and then provide your cell phone number in the user section of your WordPress site. Then every time you log in you will need to enter the code that Authy sends to your cell phone in addition to your username and password. This means that in order for a hacker to log in to the backend of the WordPress site, they will also need access to your cell phone.
Akismet is actually promoted and pushed heavily by WordPress. Akismet prevents comment spam on your site. Because so many people use WordPress, many discourteous marketers search for WordPress sites to comment on posts and solicit their own services. The Tech Me Out site gets so much of this spam on a regular basis that it really is overwhelming to manage. Akismet makes dealing with this spam easier: it filters much of the spam out so you never even have to know it is coming to you.
Akismet is great because it blocks spammers who are active and already have a bad reputation as spammers. It isn't foolproof.
Another recommendation is to make sure that all comments require approval before they go public. This way, in order for the marketers to get revenue from their comments, they will need to wait for you to approve the comment. I myself don't mind people advertising their services or products on my sites, as long as it is part of the topic. So if someone posts a comment on a post I wrote about Android and they are talking about how great the site is while providing a link to Nike shoes, I won't accept it. However, if they post a comment that shows they actually took the time to read the post and they are providing a link to their product which has something to do with what I talked about, I will approve the comment.
I would also recommend adding a CAPTCHA that commenters need to solve in order to submit the comment. This will weed out any bots attempting to comment on your site.
It is always advisable to make backups. This is the case whether you are a WordPress site owner or any other site owner. And even if you don't own a site, you should always back up your system.
And even though this isn't always a foolproof way, since you will only have the data from the last time you made a backup, it is still good to have most of your data, even if it means the data you have is older and requires you to do the work you were doing over again. No one wants to rewrite an entire book, or recreate a program that consists of 500,000 lines of code. But if you had to rewrite the last 30 pages of your 500-page book, it is a bit more reasonable, even though it is something you would rather not do.
There are many great plugins for WordPress that make backing up your WordPress site easy, and I would highly recommend you use them just in case you need to reinstall a fresh copy of WordPress.
But not only would I recommend those plugins, I would also recommend backing up the database itself, from outside of the WordPress interface.
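Here is an added example of what "backing up the database from outside the WordPress interface" can look like on the server; it is not code from the original post. It reads the database credentials from wp-config.php and runs mysqldump itself, so it keeps working even when the admin interface or a backup plugin is broken or compromised. It assumes mysqldump, gzip and sha256sum are installed and that the backup directory sits outside the web root.

```shell
#!/bin/sh
# Added example, not from the original post: dump the WordPress database with
# mysqldump directly on the server, reading the credentials WordPress already
# keeps in wp-config.php, so the backup works even when the WordPress admin
# interface (and any backup plugin) is broken or compromised.
# Assumptions: mysqldump, gzip and sha256sum are installed; wp-config.php uses
# the standard define('DB_NAME', '...') lines; the backup directory is outside
# the web root so the dump can never be served to visitors.

# Print the value of one define('KEY', 'value') line from wp-config.php.
# Usage: wp_config_value /path/to/wp-config.php DB_NAME
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Write a compressed, timestamped dump plus a SHA-256 checksum file, so a
# restore can first verify the dump was not truncated or altered in storage.
# Returns 1 (without touching the database) if the config lacks DB settings.
# Usage: backup_wp_db /path/to/wp-config.php /backup/dir
backup_wp_db() {
    config="$1"; outdir="$2"
    name=$(wp_config_value "$config" DB_NAME)
    user=$(wp_config_value "$config" DB_USER)
    pass=$(wp_config_value "$config" DB_PASSWORD)
    host=$(wp_config_value "$config" DB_HOST)
    if [ -z "$name" ] || [ -z "$user" ]; then
        echo "backup_wp_db: no DB_NAME/DB_USER in $config" >&2
        return 1
    fi
    # DB_HOST may carry a port ("localhost:3307"); split it for mysqldump.
    port=${host#*:}; host=${host%%:*}
    [ "$port" = "$host" ] && port=3306
    umask 077   # dump files are readable by this user only
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$outdir/${name}-${stamp}.sql.gz"
    mkdir -p "$outdir" || return 1
    # MYSQL_PWD keeps the password out of the process list other local users
    # can read; --single-transaction gives a consistent InnoDB snapshot.
    MYSQL_PWD="$pass" mysqldump --single-transaction --host="${host:-localhost}" \
        --port="$port" --user="$user" "$name" > "$out.tmp" || { rm -f "$out.tmp"; return 1; }
    gzip -c "$out.tmp" > "$out" && rm -f "$out.tmp" || return 1
    # Relative name in the checksum file so "sha256sum -c" works from $outdir.
    (cd "$outdir" && sha256sum "${out##*/}" > "${out##*/}.sha256") || return 1
    echo "$out"
}

# Run directly: ./wp-db-backup.sh /var/www/html/wp-config.php /var/backups/wp
if [ "$#" -eq 2 ]; then backup_wp_db "$1" "$2"; fi
```

Run it from cron as the site's own user, and copy the .sql.gz and .sha256 pair off the server afterwards; a backup that lives only on the machine that got hacked is not a backup.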
It never hurts to have peace of mind about your site's security. You never know what the case could be. You could have received a file infected with a Windows-based virus from a friend, and you wanted to upload it to your website. Because you trust your friend, who honestly didn't know the file was infected, you didn't bother to scan it on your Mac computer before uploading it to the website.
Or maybe your password was scraped from a phishing site, or your browser was hooked and all your information was stolen, allowing hackers to gain access to your sites.
Either way, SiteLock ensures your site is always in a healthy state. They run scans on your site on a regular basis and perform backups. They also notify you of anything they find. This is good because getting your site blacklisted by Google can be a pain, and getting un-blacklisted is difficult and involves more unneeded work.
Of course, knowing what you can about your site is always great, and having both a Google Webmaster Tools account and a Google Analytics account can help a lot. Google Webmaster Tools will tell you what pages of your site it has crawled, what pages are missing if a hacker removed one, and what pages are malicious. Google Analytics shows who is visiting your website. These two tools can help a lot. If Google Webmaster Tools detects a malicious page on your site that you know isn't malicious, you can find out when it was detected as malicious, then go to your Google Analytics account, check the traffic of the site for that day, and through a process of elimination get a rough idea of who is putting malicious content on your site.
I'm kind of a hypocrite with this one. It is highly recommended to get an SSL certificate for your website. The standard HTTP protocol sends data over the internet unencrypted, allowing anyone who is sniffing the traffic to see everything that is happening. This means if you log into your site with a username and password, both will be visible in plain text.
This is why it is always advised never to provide valuable information to websites without an SSL certificate. Now, I do provide sensitive information to sites that use HTTP and not HTTPS. I will say not all SSL certificates are equal. Some of the best SSL certificates will cost about $1000.00 per month.
Many of the things I talk about in this post will work with WordPress as well as any other type of site. However, I did reference WordPress a few times simply because it is a very popular platform, and that being said, I see many people using WordPress to build all different types of sites.
Yes, you can build a shopping site with WordPress, or even a social network with WordPress. But doing this causes more problems. Remember, WordPress is a blogging platform; it was developed for writing blogs. Over time many people started treating it as a CMS, but this doesn't change the fact that it is meant to be used for blogging.
If you're going to have a forum site, then use a platform that is appropriate for it. If you're going to have a shopping site, use a platform meant for shopping sites.