WordPress Blog Security Mistakes (And How to Fix Them)

WordPress

With my blog design clients, my audit includes a “Security” section. I incorporated this feature into my project process to assess the blog’s health and fix any potential issues immediately. If a site shows signs of being hacked, a client will work with a third-party to clean-up their blogs (like Sucuri). This cleanup occurs during the homework and strategy phase.

Only a handful of my clients have had hacked sites, but the Security audit sheds light on some critical issues. Typically, a client will have four out of five of these problems with their website. Fortunately, you can fix them quickly.

Not Updating WordPress Versions, Themes, and Plugins

Always stay on top of WordPress updates. Very often, updates occur due to security issues and fixing existing bugs. Why is it essential to update? You are likely to get hacked from outdated software than from a weak username or password. Ignoring updates is asking for trouble.

If your theme starts acting weird every time you update, then you have a terrible theme, unfortunately. I have had a few clients who were told by their former designer “not to update.” If you ever find yourself in that place, you are working with a subpar developer.

Updates are super simple in WordPress! It’s merely a click. Whenever an update is available, a notification appears in your toolbar. The number next to it identifies how many updates are pending.

  1. Backup your website before you update. If you have automatic backups scheduled, then you don’t need to worry about this step.
  2. lick the update icon.
  3. Select the updates you want to perform. WordPress does the rest!

I recommend updating every time you see a notification. If not, shoot for updating each week!

“Admin” As Your Username

Earlier versions of WordPress create a default user with the name admin. As a result, nearly every single WordPress site had an admin user. If a hacker wanted to get into your site, they could use a bunch of password combinations with the admin username, or crash your server – brute force attack.

While this practice is no longer the case with WordPress, I do run into situations where clients use admin as their username. If this is the case for you, here’s how you change it:

  1. Select Add New under Users. Create a new user with a different email than your admin email. You need to have access to this email. Make sure to set the role to administrator.
  2. Log out of your site, and log in with the new user.
  3. Go to Users and delete admin.
  4. It might ask you to attribute content to a new user. Make sure to select the new user you create in step one. This selection ensures any post, pages, or content you created still exist under your site.

On top of changing your username from admin, I recommend that all my clients install Edit Author Slug plugin to customize their author slug. Hackers can still figure out your username through the author slug, but using this plugin allows you to hide your username.

Weak Passwords

Strong passwords are an easy way to ensure your website stays secure. If you have difficulty remembering passwords, I recommend you check out LastPass. You only have to remember one password – your LastPass password. It will generate passwords and store them for you. It comes with a browser extension and mobile app. I use LastPass along with two-way verification on everything.

Keeping Unused Plugins, Themes, and User Accounts

As part of my blog design audit, I review the client’s plugins, existing themes, and user accounts. I download a backup of existing themes and plugins and place them in a Dropbox folder for the client. I will write down a list of plugins that we can remove based on how I build the theme. If I have questions about whether a plugin is active or not, I review them with my client.

When I’m ready to install the theme, I will remove any themes and plugins, not in use. Not only does this help make updating more straightforward, but it keeps the client site lean and intentional.

A few of my recent projects have worked with contributors. They might have several contributors who are no longer active or previous designers who they don’t want to have access to the site. As a result, we remove any user accounts not active. For sites with contributors, I will create a “Blog Contributor” profile. I complete the bio description and social media profiles explaining the contributors with links to the brand. As I delete users, I will assign any content to the new profile. Thus, the content still lives, but the user is no longer affiliated with the site.

Not Installing a Security and Backup Plugin

Finally, if your blog is your business, you must protect your content! All sites should have a backup plugin and security plugin. If something would happen to your site, do you have a backup? Not a backup with your host, but a third-party backup. Most bloggers don’t, and they are living on the edge. All their content could go away in a snap.

For backup plugins, I love Vaultpress. While it is a premium plugin, it’s reliable and efficient backups your content automatically. For $37/year, a third-party backup is money well spent. I had had clients use free backup plugins only to find out that their content was not backed up when it was too late.

For security plugins, there are a few plugins I recommend. Use Sucuri or Wordfence to protect your site. I also like Loginizer and using Jetpack’s Monitor and Protection features. Using Sucuri or Wordfence should be enough for you. Both options are free.

It’s important that you are protecting your content. It is vital to growing your digital business. No one wants to face a situation where you have to start over. How devastating would that be! Unfortunately, I have had a few customers face that position in that past because they didn’t take precautions.

You might also like WordPress.com to Self-Hosted Transfer Guide and Add Your Gravatar (Author Picture) to Your Blog. Want more WordPress tutorials? Check out these posts! If you have a question, leave a comment below!

WordPress Security Mistakes that Make Your Blog Vulnerable to Hackers