WordPress is one of the great content management tools, and it has become very popular on the Internet. But with that wide distribution comes the drawback of becoming a target for hackers. Many of us have experienced what it is like to deal with hacking and malware.
Hopefully most of us haven’t had to deal with hackers and malware yet. This post covers some best practices for managing a WordPress site so that, hopefully, we never have to.
Probably the most common no-no I see is people who manage their sites entirely on the production side. Many of them have no testing system at all and try out plugins directly on the production site.
In even worse cases, people see that a plugin upgrade is available and apply it to the live site immediately, without testing the upgrade first. It’s good to stay on top of updates like that, but don’t let our first experience with a piece of code be on our production system. Adding new code or applying upgrades directly on the live site is something we need to avoid.
A lot of hosting providers allow us to host multiple domains on a single hosting account. That is fine if we can run them under separate users, so that their folder structures are separated at the user level.
But don’t run our test system under the same user account as our live production system. If one of the sites gets infected with malware, there is a good chance the other will be exposed as well.
Since we should already be maintaining an off-site testing system, this should be a no-brainer: keep a clean copy of our production site offline. File transfer between our production system and our test system should be a one-way street; do not mix the code here. This is our good backup if our production site is hacked. BackupBuddy is one of the best backup tools.
Nowadays many modern WordPress themes take advantage of the parent-child model in WordPress, and a lot of theme authors take advantage of the fact that they can easily distribute updates.
But what happens if you’ve made a lot of customizations to your theme? An update will wipe them out and create a lot of work for you. Yet updates are important, as some of them could be security related.
So keep your customizations in a child theme. This allows us to upgrade the parent when an update is available without wiping out the changes in our child theme. You may still need to check the upgrade for compatibility, and you should be doing that on a test system as described above, but this will make your life infinitely easier when it comes to updates.
If you have out-of-date plugins or an out-of-date WordPress installation, you are just asking for trouble. Keep everything on the most recent version. This also helps keep the parts of the site compatible with each other.
That brings up a side point. If you are using some obscure plugin from an author who no longer keeps it up to date for WordPress, you might want to reconsider using that plugin. This doesn’t apply to everything, because some simple plugins don’t really pose a security risk or need updating.
This is just a generalization: choose your plugins carefully. It’s also good to consider whether you really need a plugin at all, or whether a simple function in your functions.php would do the job. In short, test your plugins and themes and keep them up to date with the current WordPress version.
WordPress is a pretty easy target for a dictionary-style attack if you don’t practice good password management and you have an admin username like ‘admin’ or ‘administrator’. WordPress has made things better over the years by no longer creating the initial account as ‘admin’ and by giving you a password strength indicator. Take advantage of both.
Dictionary attackers use a list of common usernames and passwords and keep trying until they find a combination that works. If you use something simple like the username ‘admin’ and the password ‘password123’, you are wide open to this type of attack.
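A defender-side illustration of the attack pattern described above, added here and not part of the original post: a small Python script that scans web-server access logs for bursts of failed login POSTs to wp-login.php from one address. It assumes the Apache/Nginx combined log format and WordPress's default behaviour of answering a failed login with HTTP 200 and a successful one with a 302 redirect; the log lines are constructed, and the threshold and window are arbitrary.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic):
# 203.0.113.7 hammers the login form and then gets a 302; 198.51.100.4 is one normal failed login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:57:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?")[0], int(status)

def detect_login_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag IPs with >= threshold failed POSTs to /wp-login.php inside a sliding window.
    Assumes WordPress's default behaviour: a failed login re-renders the form (HTTP 200) and a
    success redirects (HTTP 302), so a 302 from an already-flagged IP is a likely compromise."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue
        if status == 200:
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "success_after": False})
                alert["failures"] = max(alert["failures"], len(q))
        elif status == 302 and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts
```

Run over the sample, it flags 203.0.113.7 with five failures followed by a success and leaves the single mistyped login from 198.51.100.4 alone; a flagged address with success_after set is the one to investigate first.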
This list of best practices is not exhaustive, nor is it the whole story on any of the points covered. But following these simple rules and giving some thought to your blog’s security will save you mountains of headaches. Share your experience in the comments section.