WordPress is a very powerful and effective tool for creating both blogs and regular web sites. However, because of its popularity it is constantly being targeted by hackers seeking to expose any weakness or unpatched vulnerability. So for that reason it is a mistake to think of WordPress as a “fit and forget” application. It needs regular attention (e.g. on a monthly schedule) to make sure that it is well defended against the “bad guys”! Here is a checklist for the minimum of what you should do:
- Always make sure that you (or your web designer) install WordPress from your hosting control panel. That way it becomes easier to manage
- Never have more than one WordPress installation for your web site. Perhaps when you (or your web designer) started your web site, you installed WordPress into a sub-directory for testing. However once that’s no longer needed it makes sense to delete it so that it is not available to hackers for exploitation
- Make sure you use a very strong password for your WordPress application, i.e.:
  - Use a minimum of 8 characters
  - Use a mix of upper and lower case
  - Use some numbers and also some “special” characters, such as ‘?’, ‘*’, etc.
- Every month make sure that WordPress itself is fully patched to the latest version
- Make sure that any themes and plugins that you use are also fully patched
- Disable and remove any plugins and themes that you don’t need
- Install a good security plugin. We recommend Jetpack
- Unless your WordPress application is functioning as a blog, disable comments for your posts and pages
- If you do allow comments, make sure you have an effective comment spam blocker. Start with the default Akismet spam blocker, but if that is not sufficiently effective, try using a more powerful plugin
- If you do allow comments, regularly empty your comment spam folder.
- Make sure you back up your entire WordPress installation, and that you are able to revert to a number of different backup points (e.g. 1 month ago, 2 months ago, 3 months ago). That way, if the worst happens, you may be able to go back to a version of your web site that pre-dates any problem. WordPress provides information on backing up here: https://codex.wordpress.org/WordPress_Backups.
A WordPress site contains two different elements that both need to be backed up:
  - The PHP files and other resources. You could use regular FTP to back these up.
  - The MySQL database. You could use a WordPress backup plugin for this, for example WP-DB-Backup (https://wordpress.org/plugins/wp-db-backup/). Ideally you would run both backups at the same time so as to keep the two elements in sync.
If you use the Jetpack plugin, there is another option for backup: VaultPress backups. This option is not free (approximately £5 a month), but is very hassle-free.
- Finally - always make sure that all computers that have FTP access to your web site are themselves protected against malware. One path that the bad guys take to gain control of web sites is to piggyback into your web files by controlling a compromised PC that has FTP access!
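The backup item above asks for both halves of the site (files and database) to be captured together, and for several restore points to be kept. The script below is an added example (not code from the original article, WordPress, or any plugin) of doing exactly that from the server's shell: one timestamp is shared by the file archive and the `mysqldump` output so the pair can be matched up later, and a pruning step keeps only the newest few sets. The paths, database name and the use of a `~/.my.cnf` option file for credentials are assumptions; adjust them for your site.

```shell
#!/bin/sh
# Added example: back up a WordPress site's files and MySQL database as one
# matched set, then keep only the newest KEEP_SETS sets as restore points.
# Assumptions (placeholders): WP_ROOT is the WordPress directory, BACKUP_DIR is
# a directory outside the web root, and mysqldump reads its credentials from
# ~/.my.cnf so the password never appears on the command line.

set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"                 # placeholder path
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"  # must be outside the web root
KEEP_SETS="${KEEP_SETS:-3}"                         # run monthly => ~1, 2 and 3 months ago
DB_NAME="${DB_NAME:-wordpress}"                     # placeholder database name

# One timestamp shared by both halves of the set, so files and DB stay in sync.
# The format sorts lexically in chronological order, which the pruning relies on.
backup_stamp() {
    date -u +%Y%m%dT%H%M%SZ
}

# Archive the PHP files, themes, plugins and uploads.
backup_files() {
    stamp="$1"
    tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" \
        -C "$(dirname "$WP_ROOT")" "$(basename "$WP_ROOT")"
}

# Dump the database; --single-transaction gives a consistent InnoDB snapshot
# without locking the live site.
backup_database() {
    stamp="$1"
    mysqldump --single-transaction --routines "$DB_NAME" \
        | gzip > "$BACKUP_DIR/db-$stamp.sql.gz"
}

# Keep only the newest $3 entries whose names start with "$2-" in directory $1.
# `ls -1r` lists newest timestamp first; everything after the first N is removed.
prune_backups() {
    dir="$1"; prefix="$2"; keep="$3"
    ls -1r "$dir" | grep "^$prefix-" | tail -n +"$((keep + 1))" | while read -r old; do
        rm -f -- "$dir/$old"
    done
}

# Number of entries with prefix "$2-" left in directory $1 (to confirm retention).
count_backups() {
    ls -1 "$1" | grep -c "^$2-" || true
}

run_backup() {
    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"   # the set contains wp-config.php secrets and the whole DB
    stamp="$(backup_stamp)"
    backup_files "$stamp"
    backup_database "$stamp"
    prune_backups "$BACKUP_DIR" files "$KEEP_SETS"
    prune_backups "$BACKUP_DIR" db "$KEEP_SETS"
    echo "backup set $stamp written to $BACKUP_DIR"
}

# Only perform the backup when invoked as "wp-backup.sh run", so the functions
# can also be sourced and used individually.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Schedule it from cron (for example monthly, matching the article's cadence) and copy `BACKUP_DIR` off the server afterwards; a backup that lives only on the web host disappears with it if the host is compromised or the disk fails. Test the restore path at least once: untar the archive into a scratch directory and load the dump into a scratch database, so you know the two halves really do line up.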