A few days ago, I posted an article on 5 bad habits to avoid when maintaining a WordPress site. This post continues that list with 3 more bad habits, all related to site security: how sites get hacked, and how you recover when one does. Each habit comes with a WordPress security tip for avoiding it.
The best defense against being hacked is to close the easy entry points before an attacker finds them. For WordPress that means two things up front: do not run the site from a default-named administrator account, and enforce strong passwords. And if an attacker gets past those first two lines of defense, have a clean backup to roll back to. Here is a more in-depth discussion of each bad habit and the security tip that goes with it.
Bad Habit #6: Working with the default admin account
WordPress has largely fixed this one in its installer. In the olden days of WordPress (a few short years ago), the installation process created an account called “admin” as the default administrator. It was then up to the site owner to create a new administrator account and delete the default one; a step most people never thought of, until they were the victim of malicious hacking.
Now the WP install process allows you to create the username for this first administrator account. Yet, even with that, I run into people all the time that use “admin” or “administrator” for their admin login.
WordPress now powers about 15% of all websites, which makes it an attractive target. Attackers like simple methods, and the simplest way into a site is a “brute force” attack: trying username and password combinations over and over, usually from lists of common credentials, until one works. The username is half of every guess, so even the laziest attacker starts with “admin” and “administrator”.
WordPress Security Tip #1: DO NOT use admin or administrator as your admin account username.
If you are using admin (or any derivative thereof), set up a new account with some other name, give it the administrator role, and transfer all of the original admin’s posts and data to the new account. In the WordPress admin this is Users > Add New, then delete the old account and choose “Attribute all content to” the new user when prompted. Keep in mind that the username is not a secret by itself: WordPress exposes it through author archive URLs (such as /?author=1) and the REST API’s users endpoint, so renaming the account only takes away the free guess; the password (next tip) is what actually has to hold.
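The same procedure from the command line, as an added example that is not part of the original post. It uses WP-CLI, which generates and prints a random password for the new account when none is given, and reassigns the old account’s content with --reassign before deleting it. It assumes WP-CLI is installed; WP_PATH, the account names and the e-mail address are placeholders for your own site.

```shell
#!/bin/sh
# Added example (not code from the original post): find administrator
# accounts with default-style logins and replace one with WP-CLI.
# Assumes WP-CLI (`wp`) is installed; WP_PATH, the account names and the
# e-mail address are placeholders for your own site.
set -eu

WP_PATH="${WP_PATH:-.}"

# Return 0 when a login is "admin", "administrator" or an obvious derivative
# such as "Admin1", "wp-admin" or "administrator_2"; otherwise return 1.
is_default_admin_login() {
    lower=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$lower" in
        admin|administrator)                  return 0 ;;
        wp[-_]admin*|wpadmin*)                return 0 ;;
        admin[-_0-9]*|administrator[-_0-9]*)  return 0 ;;
    esac
    return 1
}

# Print every administrator whose login should be replaced.
audit_admin_logins() {
    wp --path="$WP_PATH" user list --role=administrator --field=user_login |
    while IFS= read -r login; do
        if is_default_admin_login "$login"; then
            printf 'replace: %s\n' "$login"
        fi
    done
}

# Create a new administrator, hand the old account's content to it, then
# delete the old account. Usage: replace_admin_account OLD_LOGIN NEW_LOGIN EMAIL
replace_admin_account() {
    old="$1"; new="$2"; email="$3"
    if is_default_admin_login "$new"; then
        printf "refusing: '%s' is itself a default-style login\n" "$new" >&2
        return 1
    fi
    # Without --user_pass, WP-CLI generates a random password and prints it once.
    wp --path="$WP_PATH" user create "$new" "$email" --role=administrator
    new_id=$(wp --path="$WP_PATH" user get "$new" --field=ID)
    # --reassign transfers the old user's posts and other content to the new
    # user ID instead of deleting it along with the account.
    wp --path="$WP_PATH" user delete "$old" --reassign="$new_id" --yes
}

case "${1:-}" in
    audit)   audit_admin_logins ;;
    replace) replace_admin_account "$2" "$3" "$4" ;;
esac
```

Run `sh replace-admin.sh audit` first to list the administrators that need attention, then `sh replace-admin.sh replace admin jsmith jsmith@example.com` for each one; record the generated password WP-CLI prints, because it is not shown again.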
Bad Habit #7: Insecure passwords and/or no password policy
This goes along with Bad Habit #6. The next line of defense against getting hacked is to maintain strong passwords. WordPress has come a long way in this area as well, adding a password strength meter so you know how strong your password is before you save it.
Unfortunately, to paraphrase an old cliché, you can lead a person to a password strength meter, but you can’t make them change the password.
I still run into people who use “password” or something equally simple as their password for the administrator account. Do a Google search for “list of common passwords” and see what comes up. If you are using anything even remotely close to something on any of those lists, you are asking for trouble.
WordPress Security Tip #2: Use a complex password
Complex passwords are long and mix upper AND lowercase letters, numbers, and special characters; avoid dictionary words if at all possible. That is the bare minimum. To take it a step further, never reuse a password across sites (one breached site then hands the attacker your WordPress login), change your password on a regular schedule, and change it immediately if you have any reason to think it has been exposed. Establish a formal password generation and use policy for yourself and stick to it.
If that sounds like a lot to keep track of, a password manager will generate and store a unique password for every site, which removes most of the burden.
There is some very good information on avoiding brute force attacks through good username and password policies in the WordPress Codex (the “Brute Force Attacks” page). This is highly recommended reading.
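To make the policy above concrete, here is an added example (not code from the original post or from WordPress) that checks a password against the rules in this section, generates one that passes them, and sets it on an account with WP-CLI. The minimum length, the alphabet, and the small list of common passwords are constructed for the example; in practice you would check against one of the full lists a web search turns up, and WP_PATH and the account name are placeholders.

```shell
#!/bin/sh
# Added example (not code from the original post): a minimal password policy
# check and generator for WordPress accounts, plus a WP-CLI rotation step.
# MIN_LENGTH and COMMON_PASSWORDS are constructed for the example; `wp` and
# WP_PATH are only needed by rotate_password.
set -eu

MIN_LENGTH=16

# Constructed sample of common passwords and fragments (lowercase). Any
# password that merely contains one of these is rejected.
COMMON_PASSWORDS="password 123456 qwerty letmein welcome admin wordpress"

# Return 0 if the password satisfies the policy, otherwise print the reason
# on stderr and return 1.
password_is_strong() {
    pass="$1"
    if [ "${#pass}" -lt "$MIN_LENGTH" ]; then
        echo "too short (minimum $MIN_LENGTH characters)" >&2; return 1
    fi
    case "$pass" in *[[:upper:]]*) ;; *) echo "no uppercase letter" >&2; return 1 ;; esac
    case "$pass" in *[[:lower:]]*) ;; *) echo "no lowercase letter" >&2; return 1 ;; esac
    case "$pass" in *[[:digit:]]*) ;; *) echo "no digit" >&2; return 1 ;; esac
    case "$pass" in *[![:alnum:]]*) ;; *) echo "no special character" >&2; return 1 ;; esac
    lower=$(printf '%s' "$pass" | tr '[:upper:]' '[:lower:]')
    for word in $COMMON_PASSWORDS; do
        case "$lower" in
            *"$word"*) echo "contains common password '$word'" >&2; return 1 ;;
        esac
    done
    return 0
}

# Draw random characters from /dev/urandom until a candidate passes the policy.
generate_password() {
    len="${1:-24}"
    [ "$len" -ge "$MIN_LENGTH" ] || len="$MIN_LENGTH"
    while :; do
        candidate=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' </dev/urandom | head -c "$len")
        if password_is_strong "$candidate" 2>/dev/null; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
}

# Set a fresh, policy-conforming password on a WordPress account.
# Assumes WP-CLI is installed and WP_PATH points at the site root.
rotate_password() {
    user="$1"
    newpass=$(generate_password 24)
    wp --path="${WP_PATH:-.}" user update "$user" --user_pass="$newpass"
    printf 'new password for %s: %s\n' "$user" "$newpass"
}

case "${1:-}" in
    check)  password_is_strong "$2" && echo ok ;;
    gen)    generate_password "${2:-24}" ;;
    rotate) rotate_password "$2" ;;
esac
```

`sh pwpolicy.sh check 'MyPassword123!'` prints the reason it fails (it contains “password”), `sh pwpolicy.sh gen` prints a conforming password, and `sh pwpolicy.sh rotate jsmith` sets one on the account. The substring check is deliberately strict: “Password1!” passes a naive character-class test, which is exactly why attackers keep it in their lists.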
Bad Habit #8: Not maintaining backups
This is the bad habit that can take down a business. If the previous two habits leave you open to being hacked, having no clean backup can destroy you, or at the very least turn getting the site back online into a nightmare.
What would you do if your site were hacked and defaced, or malicious code turned up in your files or database? Do you have a clean copy to restore from?
WordPress Security Tip #3: Maintain a schedule of regular backups of both your database and your site files
Keep copies of the entire site (files and database) somewhere other than the web server itself: an attacker who gets into the server can delete or tamper with backups stored alongside the site. Test that a backup actually restores before you need it. Better yet, keep your theme and any custom code in version control so you can diff against a known-good state and roll back to it should the site become the victim of hacking.
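A backup routine along those lines, as an added example that is not part of the original post: it archives the file tree, exports the database with WP-CLI, refuses to count an archive as a backup unless it actually contains wp-config.php and a CREATE TABLE statement, copies both off the server, and prunes old copies. WP_PATH, BACKUP_DIR, OFFSITE (an rsync destination) and KEEP are placeholders to set for your site; WP-CLI and rsync are assumed to be installed.

```shell
#!/bin/sh
# Added example (not code from the original post): back up a WordPress
# database and file tree, verify the archives, copy them off the server and
# prune old copies. WP_PATH, BACKUP_DIR, OFFSITE and KEEP are placeholders;
# `wp` and rsync are only needed by run_backup.
set -eu

WP_PATH="${WP_PATH:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"
OFFSITE="${OFFSITE:-backup@backup-host:/srv/wp-backups/}"
KEEP="${KEEP:-14}"   # how many of each archive to retain locally

# Archive the whole site tree. Nothing is excluded: wp-config.php, uploads,
# themes and plugins are exactly what you need to rebuild from clean copies.
archive_site() {
    src="$1"; out="$2"
    tar -C "$src" -czf "$out" .
}

# Export the database with WP-CLI, which reads the credentials from wp-config.php.
export_database() {
    wp --path="$WP_PATH" db export "$1"
}

# A site archive that lacks wp-config.php, or a dump with no CREATE TABLE,
# is not a backup; fail loudly rather than discover that during an incident.
verify_site_archive() {
    tar -tzf "$1" | grep -Eqx '(\./)?wp-config\.php'
}

verify_db_dump() {
    grep -q 'CREATE TABLE' "$1"
}

# Keep the newest $2 files matching glob $1 in directory $3, delete the rest.
# File names embed a timestamp, so reverse lexical order is newest first.
prune_old_backups() {
    pattern="$1"; keep="$2"; dir="$3"
    ls -1 "$dir"/$pattern 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
    while IFS= read -r f; do
        rm -f -- "$f"
    done
}

run_backup() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR"
    site="$BACKUP_DIR/site-$stamp.tar.gz"
    db="$BACKUP_DIR/db-$stamp.sql"

    archive_site "$WP_PATH" "$site"
    export_database "$db"
    verify_site_archive "$site"
    verify_db_dump "$db"
    gzip -f "$db"

    # Copy off the box: anything that only lives on the web server can be
    # deleted by whoever compromises the web server.
    rsync -a "$site" "$db.gz" "$OFFSITE"

    prune_old_backups 'site-*.tar.gz' "$KEEP" "$BACKUP_DIR"
    prune_old_backups 'db-*.sql.gz' "$KEEP" "$BACKUP_DIR"
}

if [ "${1:-}" = run ]; then
    run_backup
fi
```

Schedule `sh wp-backup.sh run` from cron and watch its exit status: because every step runs under `set -e`, a failed export or a verification failure stops the script before rsync, so a silently broken backup never overwrites the good copies off-site.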
Be sure to check out these 5 WordPress site management bad habits you should avoid and best practices to avoid them!