Basic WordPress Maintenance & Security: Do the small things or face a large headache
WordPress, in its first decade of existence, has cultivated a user base of more than 60 million users around the world. It is so popular I get phone calls from potential clients who ask for it by name. When I ask them why they want WordPress, they say “that’s what everyone else is using.” The problem is that users want the ease of the CMS, but don’t consider the WordPress maintenance that goes along with it.
While most of these users know what to do to keep their installation updated and secure, the more WordPress sites I work with, the more out-of-date core installations and plugins I see, just waiting to get hacked. The sheer popularity of this software, combined with the massive amount of information that it can control and process, absolutely requires attentive care and maintenance to ensure that a malicious community of hackers and malware programs can’t gain access to the WordPress Dashboard and wreak havoc on a website’s operation and information. With built-in tools, the WordPress software makes this quite easy.
The First Step: Make Sure Everything is Kept Up-to-Date
WordPress 3.0 brought significant usability improvements to the Dashboard control panel, notably enabling the one-click update of both the WordPress software itself and all of the plugins a user has installed in order to make their site function perfectly. Updates are indicated in both the sidebar and the top navigation bar of the Dashboard when they’re available; the number of updates is placed into a circular “badge” next to the “Updates” link in the sidebar, and next to a rotating “refresh” arrow in the Dashboard’s top bar.
To update any outdated components, simply click on that badge and navigate to the “Updates” control panel. If a WordPress update is available, this will be announced with a button that can update the software automatically. Plugin updates are placed into a list with checkmarks, and each plugin to be updated should be checked off before the “Update Plugins” button at the bottom of the page is clicked. Keeping plugins and the WordPress software itself up-to-date ensures that any major security flaws or potential exploits are fixed and a website’s security is maintained.
Some users worry about what will happen when they click “Update”: “Should I back up?”, “What if it makes my site look different?”, “I will do it later.” What you should be worried about is performance and getting hacked.
Remember that Frequent Backups are the Key to Peace of Mind
The servers on which WordPress installations are hosted can fall victim to any number of things, whether it’s a hacking attempt or a mere hardware failure that causes data loss. This is tragic, but it can be avoided by adhering to a policy of regular backups. While I provide this service myself to WordPress users, it’s also possible to use the hosting plan’s control panel backend (typically cPanel or Plesk Panel) to create a backup of the entire contents of a web hosting package. That backup can be downloaded in a highly-compressed format, able to be easily uploaded and decompressed by the server if the need arises. Just like frequently saving a Microsoft Word document protects against software crashes, creating regular server backups protects against server software or hardware problems.
Control Panel Tips: A Good Password and Strict User Permission and Creation Policies
On the front lines of a WordPress installation’s security are the user passwords which protect the WordPress administrator account and the FTP account which contains the site’s files. These passwords should be appropriately strong, with upper case and lower case letters, combined with numbers, and no “dictionary” words. Hackers have tools which can easily run through the dictionary and guess the words which make up an administrator’s password, so creating a truly cryptic password is a way to defy the odds and keep those users away from the site’s files and content.
All users involved with a WordPress installation should have strong passwords as mentioned above, but they should also be placed into restrictive permission groups that curtail their administrative access within the Dashboard interface. Only a sole administrator should be able to change site settings, delete entries or pages, and perform other major tasks behind the scenes. Ensuring that other contributors are only able to write posts and edit their own work is a way to greatly reduce the risk incurred by a website over the long-term.
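One way to check an existing site against this policy from the command line, as an added example that is not part of the original article. It assumes WP-CLI is installed and maps the policy onto WordPress's built-in roles: more than one Administrator is flagged, and Editors are listed for review because that role can change other users' content. The sample accounts are constructed.

```shell
#!/bin/sh
# Added example (not from the article): audit accounts against the role policy above.
# Works on lines of the form "<role> <login>".

# collect_roles: build those lines from a live site. Assumes WP-CLI is installed
# and the script is run from the WordPress root directory.
collect_roles() {
    for role in administrator editor author contributor subscriber; do
        wp user list --role="$role" --field=user_login | sed "s/^/$role /"
    done
}

# sample_roles: constructed data so the audit can be tried without a site.
sample_roles() {
    printf '%s\n' \
        'administrator alice' \
        'administrator bob' \
        'editor carol' \
        'author dave' \
        'contributor erin'
}

# audit_roles: read "<role> <login>" lines on stdin, print one finding per line,
# and return 1 if anything needs attention (0 if the policy holds).
audit_roles() {
    awk '
        $1 == "administrator" { admins[++n] = $2 }
        $1 == "editor" {
            print "REVIEW editor role, can change content of other users: " $2
            bad = 1
        }
        END {
            if (n > 1) {
                for (i = 1; i <= n; i++) print "EXCESS administrator: " admins[i]
                bad = 1
            }
            exit bad + 0
        }'
}

# Demo on the constructed sample; on a real site use: collect_roles | audit_roles
sample_roles | audit_roles || true
```

The non-zero exit status makes the audit usable from cron or a deployment check, so an extra administrator account is noticed when it appears rather than after an incident.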
Finally, Keep all Computers Free of Viruses and Malware
A solid antivirus solution is the key to a secure WordPress installation, and it’s also the key to an optimal computing experience in general. Malicious pieces of code can gain access to WordPress and compromise its integrity even if a password is cryptic and well-hidden. These programs have access to all of a computer’s files, including cookies and caches, and that can be dangerous for site administrators. Keep an updated and effective antivirus solution running at all times, and this threat can be virtually eliminated.
Beyond that, attention to detail and the creation of strong passwords are the best ways to ensure that WordPress’ security is never compromised. Remember to keep the software and plugins updated, and never give any users too much control over the site’s features and settings. Keep a regular backup on hand in case of an emergency or worst-case scenario and, once that backup is created, breathe a sigh of relief and enjoy all the bells and whistles that WordPress has to offer.
These are simple basic actions to keep your site running well. If you are looking for more advanced WordPress security, check out these links: