WordPress – How to Stop Hackers

WordPress How To: WordPress Upgrade - Diane Ursu
Proper setup of user accounts, avoiding weak passwords, performing timely WordPress upgrades, and WordPress backups stop hackers from ruining your blog.

WordPress is popular among bloggers, especially those who self-host the WordPress software that can be downloaded from WordPress.org. In spite of its many benefits, self-hosting presents more security challenges. There are a few easy steps that bloggers can take to tackle an important issue with WordPress: how to stop hackers.

WordPress Setup and User Accounts

The WordPress installation automatically creates a user account called "admin." That means that there are many WordPress blogs with the user admin, and the only difference is the password. This automatically makes it easier for hackers to break into the account because they only need to guess the password. For this reason, the admin account should be deleted and at least two new user accounts should be created: one for administrative tasks such as updating software and editing important settings, and one simply for posting.

  • Click "Users" on the navigation bar on the left. This will show all of the users for the WordPress blog. New blogs will have only the "admin" user. Clicking on "Users" will also expand the menu under that category on the navigation bar.
  • Under "Users," click on "Add New." Use this to add two new users, each with different privileges. One user should be an administrator, and the other should be either an editor or an author. Click "Add User" when finished.
  • Return to the "Users" page.
  • Hover the mouse cursor over the user "admin" to show the options "Edit | Delete." Select "Delete." If this is a new WordPress blog and there are no new posts, simply click "Confirm Deletion." If posts were created under the admin account, select "Attribute all posts and links to:" and select the username with only author or editor privileges from the dropdown menu.
  • Click "Confirm Deletion."

The administrator account should never be used for posting information on the blog because the username will appear in some of the URLs on the blog. Also, the username usually appears under the blog post title. Having the administrator username appear in either of these places would defeat the purpose of having a secret administrator account.

Avoid Weak Passwords

Easy passwords are easy for hackers to figure out. Using all lowercase letters greatly lowers the number of combinations that the hacker must work through. Using lowercase and uppercase letters, numbers, and symbols adds many more characters to the possibilities and greatly decreases the odds that the password can be discovered. This does not mean that passwords cannot be easy to remember. Consider the following possibilities for a password, using "password" as our sample word:

  • PASS!word10
  • PaSsWoRd1#0
  • PAssWOrd10&
  • Pa$$W0rd

Passwords should not be based on personal information that can be found on the Internet. Avoid using your name, address, birthday, pet name, or anything that can be found on a public forum. For example, if you bought a new Trek bike and you boasted about it on a bike forum that you frequent, don't use TrekEX7! for your password.
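The two rules above as an added example (not part of the original article): it compares the search space of an all-lowercase password with one of the article's mixed-character samples and flags a password built on a personal term. The function names and the list of personal terms are assumptions made for illustration.

```python
import math
import string

# The four character classes the article names.
CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26 characters
    "uppercase": string.ascii_uppercase,   # 26 characters
    "digits": string.digits,               # 10 characters
    "symbols": string.punctuation,         # 32 ASCII symbols
}


def alphabet_size(password):
    """Number of characters a guesser must cover, given the classes used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space_bits(password):
    """log2(alphabet_size ** length).

    This is an upper bound: it assumes every character was chosen at random.
    """
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def personal_hits(password, personal_terms):
    """Personal terms (case-insensitive, 3+ characters) found in the password."""
    lowered = password.lower()
    return [t for t in personal_terms if len(t) >= 3 and t.lower() in lowered]


def review(password, personal_terms=()):
    """Summarise one password against both rules."""
    return {
        "alphabet": alphabet_size(password),
        "bits": round(search_space_bits(password), 1),
        "personal": personal_hits(password, personal_terms),
    }


if __name__ == "__main__":
    # Constructed list of terms a blogger has mentioned publicly.
    public_terms = ["Trek", "Diane"]
    for candidate in ("password", "PASS!word10", "TrekEX7!"):
        print(candidate, review(candidate, public_terms))
```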

WordPress Upgrade

WordPress and the plugins that are created for WordPress often have updates that include fixes for security issues. These issues often include vulnerabilities that hackers have discovered and that let them break into a WordPress blog. Fortunately, updating WordPress is very easy.

When logged into WordPress, those using outdated software will see a message at the top that says, "WordPress x.x.x is available! Please update now." Clicking on the "Please update now" link will prompt WordPress to update the files.

View the plugins by clicking on "Plugins" on the left navigation bar. Any plugin that can be upgraded will have a message below its information that says, "There is a new version of Sample WordPress Plugin available. View version x.x.x Details or upgrade automatically." Click on "upgrade automatically" for a quick and easy upgrade.

WordPress Backup

There are many methods for backing up WordPress software, blog posts, and other database information, but these methods can be complex and tedious. Since the most devastating part of being hacked is losing all of the work one has put into his or her blog posts, minimal backup can be done by exporting a copy of the blog posts onto one's computer.

Click on "Tools" on the left navigation bar, followed by "Export." Select "Save File" and "OK." This will download the blog posts to the computer hard drive. Make sure the file is saved in a folder that you can easily find in case you need it. If you cannot select the folder when you choose to save it, you will have to move it after it has downloaded.

If someone hacks into the blog and all of the posts are lost, they can be replaced simply by clicking on "Tools" and "Import." You will then be able to select the export file that you saved earlier. If this does happen, you may wish to delete all of the WordPress files on your server and reinstall a fresh version of WordPress. It is best to stop hackers by limiting privileges of public WordPress user accounts, using complex passwords, and keeping software current.

Diane Ursu

Diane Ursu - Diane Ursu joined Suite101 as a contributing writer in August 2009 and became a Feature Writer in January 2010. She is a freelance writer ...
