WordPress security – why changing your username isn’t enough

This week there’s been a lot of buzz around WordPress security and botnet site attacks. Truth is, these types of issues have been around a long time and simply changing the default admin account and your password isn’t enough to keep you secure.

WordPress, while easy to install and use, is NOT set it and forget it. You must be vigilant and keep it up to date. While no solution is 100% foolproof, taking a few precautions will go a long way towards protecting your online business.

The Basics

1. If you only do one thing, do this – invest in Sucuri.net. For less than $10 a month, you can have a yearly subscription to this service that scans AND cleans your site if malware or other security issues arise. With your subscription, you also get a great WordPress plugin that provides one-click options to “harden” a number of default security weaknesses.

2. Delete the default admin account – Whenever I set up a site, I always use a custom, unique username INSTEAD of “admin”.

3. Use a strong password – I like to use a password generator to create unique passwords for every site and account. Change your passwords on a regular basis. Using admin123 or some variant? CHANGE THIS IMMEDIATELY.

4. Don’t reuse your passwords for multiple accounts.

5. Don’t email your passwords – share passwords with a system like LastPass.

6. Back up and update your site on a regular basis.
(I like to use a great plugin called BackupBuddy, and I store backups locally and in a cloud service such as Dropbox.) You can also invest in a monthly service such as VaultPress.

7. Make sure the computer you’re working on is free from viruses! Sites have been known to be compromised when the PC/Mac you work from is infected and the malware uploads files to the site via your FTP credentials.

8. Use a specialty WordPress host such as ZippyKid or WP Engine – I’m also a huge fan of MediaTemple.net. If it’s in the budget, get a dedicated server (a number of issues can arise when using cheap shared hosting).

9. Add your site to Google Webmaster Tools – you’ll get notified if Google spots malware on your site.

10. Not running a membership site? Turn off “anyone can register” under general settings.

Plugins

Plugins extend the core functionality of WordPress – however, not all plugins are created (or coded) equally. Before you install ANYTHING onto your site, take a few minutes to review and evaluate it.

1. Review the plugin first in the WordPress plugin repository – plugins MUST be tested before they are included in this directory.

2. Evaluate why you need the plugin – are you just installing plugins willy-nilly, or do they serve a specific purpose?

3. Questions I ask BEFORE I install a new plugin:
• When was the last time the plugin was updated? (Longer than 3 months ago? I’d be wary)
• Are there multiple outstanding issues in the support threads?
• Is the developer active on the support forums? (If not, take heed)
• How many people have downloaded the plugin? (100? Or 100,000? More downloads typically indicate a well-supported, working plugin)

4. Delete (don’t just deactivate) any plugins you aren’t using – even deactivated plugins can cause issues, because their code is still on the server.

5. Install the Sucuri plugin and perform one-click hardening on your site.

WordPress Themes

1. Use a solid framework such as Genesis that is regularly updated – while it can be tempting to use a “pretty” theme made by a one-off designer, in a year or two it is likely that there will be no support – and there’s no guarantee that free or low-cost themes are free from malware or suspect code.

2. Update your theme framework AND WordPress when prompted.

3. DELETE any themes you are not using. Often people like to “test” different themes and then leave them in the themes folder (or some hosts have themes pre-installed). These “test” themes usually don’t get updated, leaving your site vulnerable to attack.

Other Notes

(This part is a bit more techy – if you’re not sure about these terms or how to do this, I recommend consulting a tech person to do it for you – the Sucuri plugin mentioned above addresses a few of these issues)

1. Add random secret keys/salts to the wp-config.php file

2. Use dynamically generated, strong DB (database) usernames and passwords

3. Lock down your site with .htaccess rules so that only certain IP addresses can reach the admin area and make modifications

4. Editing your site? Use SFTP instead of FTP (FTP sends your login details unencrypted)

5. Need to modify folder permissions? Don’t set file or folder permissions to 777 (world-writable)

6. Other recommended plugins to use

Bad Behavior – denies automated spambots access
Akismet – spam blocker
Login LockDown or Limit Login Attempts – limits the number of login attempts per IP address
Exploit Scanner – manually scans your site for possible exploits
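As an added example (not from the original post), here is a small POSIX shell audit that checks three of the items above against a WordPress document root: placeholder salts still sitting in wp-config.php (item 1), world-writable 777 paths (item 5), and whether wp-admin/.htaccess carries an IP allow-list (item 3). The sample site tree, the 203.0.113.10 address and the salt value are constructed for the demonstration.

```shell
# Added example, not part of the original post: audit a WordPress docroot for
# placeholder salts, world-writable paths and a missing IP allow-list on wp-admin.

# Returns 0 if wp-config.php still carries WordPress's stock salt placeholder.
has_placeholder_salts() {
    grep -qs 'put your unique phrase here' "$1/wp-config.php"
}

# Prints every path under $1 that is writable by "other" (e.g. mode 777).
list_world_writable() {
    find "$1" -perm -002 -print
}

# Returns 0 if wp-admin/.htaccess restricts by IP (Apache 2.2 or 2.4 syntax).
wp_admin_ip_restricted() {
    grep -Eqs '^[[:space:]]*(Allow from|Require ip)[[:space:]]' "$1/wp-admin/.htaccess"
}

# Reports findings for docroot $1; the exit status is the number of findings.
audit_wordpress() {
    findings=0
    if has_placeholder_salts "$1"; then
        echo "FAIL: wp-config.php still uses placeholder salts"
        findings=$((findings + 1))
    fi
    ww=$(list_world_writable "$1" | wc -l | tr -d ' ')
    if [ "$ww" -gt 0 ]; then
        echo "FAIL: $ww world-writable path(s) under $1"
        findings=$((findings + ww))
    fi
    if ! wp_admin_ip_restricted "$1"; then
        echo "FAIL: wp-admin/.htaccess has no IP allow-list"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Builds a constructed sample site in $1, either "weak" or "hardened" (demo only).
make_sample_site() {
    umask 022
    mkdir -p "$1/wp-admin" "$1/wp-content/uploads"
    if [ "$2" = weak ]; then
        printf "define('AUTH_KEY', 'put your unique phrase here');\n" > "$1/wp-config.php"
        chmod 777 "$1/wp-content/uploads"
    else
        printf "define('AUTH_KEY', 'constructed-random-value-replace-me');\n" > "$1/wp-config.php"
        printf 'Order deny,allow\nDeny from all\nAllow from 203.0.113.10\n' > "$1/wp-admin/.htaccess"
    fi
}
```

On a real install, source the file and run `audit_wordpress /path/to/docroot`; a non-zero exit status is the count of problems found.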

Other General Security Precautions

1. Using Gmail? Add two-step verification to your account
2. Don’t store passwords in your email account
3. Don’t edit your site on an open wireless network

While this post doesn’t fully cover all aspects of what you can do to lock down your site, staying on top of the latest info will go a long way to protect your site investment.

Comments

  1. Michael says

    April 18, 2013 at 10:09 am

    This is another great article! So glad I discovered you. My WP site has been acting very wonky lately with posts not “sticking” to my blog page and updates to headers/banners not showing up on browsers until a day or two have passed. I’ve been concerned that in some way my account has been hacked.

    I have a quick question for you. I’d like to follow your advice to delete the automatically generated “admin” account, but I’m afraid that if I do this I then won’t be left with a way to access my WordPress dashboard. Should I set up another account first and then delete the admin account? Will I lose the work that I’ve done to date under my admin account?

    • minima says

      April 18, 2013 at 10:25 am

      Hi Michael –
      You’ve got it exactly – if you’re concerned that you might have malware on your site, you can use Sucuri’s free scanner here – http://sucuri.net/.

      To make a new administrator account, log in as usual, then add a new user with a strong username and password and assign that user the administrator role (it is critical that you assign the role correctly). Then log out and log back in using the new account and delete the original “admin” account. Make sure that you reassign the work to the new admin before you delete the original admin account (you get this option when you delete a user) and you won’t lose any work.

      • Michael says

        April 18, 2013 at 2:32 pm

        Thank you! So very helpful! (And I downloaded the Sucuri software this morning – thanks for the link!)

        • minima says

          April 18, 2013 at 3:05 pm

          Best of luck!

  2. Sondra says

    April 18, 2013 at 10:17 am

    Wow, Michelle, once again an outstanding post brimming with extremely useful information.

    I recently moved to a dedicated, managed server with GoDaddy – I know, I know, but I’ve been with them since they were an upstart and I can’t seem to part with them. The managed server is very expensive, $159 a month, but well worth the sense of relief it gives to have 24/7 access to real geeks, not call center rookies reading off a script, and scheduled security updates, lickety-split speeds on a WordPress site that you just can’t get with shared hosting.

    These security suggestions are really useful for any WordPress DIYer. Thanks for the great work, again!

    • minima says

      April 18, 2013 at 10:22 am

      Sondra – I think you made a wise investment! When it’s in the budget, I always recommend upgrading the server.
