Most of you are likely very experienced with this subject, but instead of asking for your forgiveness that I'm giving such obvious tips in this post, can I ask for your help? As I cover these fundamental ideas of WordPress security, could you let me know if I miss something? You never know what tidbit of information could save someone from finding their blog has become a hub for distributing malware -- maybe even helping engage in illegal activities! I'd like to help prevent that.
In my previous Ani-Blogging Safety Tips post, I talked about keeping your domain name safe. In this post, I'm going to talk about the bare minimum you should do to keep WordPress safe. That will reduce the odds that a malicious actor (which is to say, evil folk who want your stuff or your readers' stuff!) can take control of your site.
I also have a selfish reason for posting this: If this advice helps you focus on posting more anime content instead of trying to put your site back together after a malicious actor wrecks it, I get to read more good stuff! It's all about new content!
Don't Need It? Don't Install It!
Whether you're just starting out or you're going on year 10 of your blogging career, it can be tempting to play around with WordPress plugins. I'll even say it's a good idea! You never know -- the next plugin you try might make a huge difference in your productivity or audience reach. So by all means, please experiment as much as you like!
By all means -- experiment with plugins like Stein experimented with, well, whatever he felt like experimenting with! But don't forget to remove any plugins you're not using! Capture from the Funimation stream for Soul Eater episode 5.
But if you find you don't need a plugin, deactivate and de-install it.
The idea is that any time you run something on the internet, you have to make a trade off. The trade off is between the benefit you get from the software and the danger it represents if it's compromised. Not updating an active but unused plug in leaves a way for a malicious actor to get into your site (it's called an attack vector) -- and if it's unused, it not giving you any value! I've read a lot of reports (like Verizon's annual report on business breaches) where poorly maintained code contributed to the breach. In terms of our blogs, a breach could mean an attacker could use your site to install malware on your reader's computers, or it could redirect your site to a completely different site.
I've seen it happen before! Like, recently!
So if you need a plugin, feel free to install it!
But if you don't need it? Get rid of it.
Keep Your Plugins Updated!
If you find a plugin or theme that if perfect for your needs, then please do keep it up to date! I check this site daily to make sure there are no pending updates. If there are new updates, I try to install them almost immediately.
Yes, sometimes applying an update too quickly can expose me to bugs that waiting a couple of days would avoid. But in my experience, the risk of running old plugin versions that could be compromised is more dangerous than occasional bugs in the mid to long term.
Have you ever seen a better example of "Do as I say and not as I do?" I feel ashamed! This is from my novelist website, www.terranceacrow.com, and I have since applied the updates.
This applies to themes, too. Themes are just code, which means they can have bugs and ways malicious actors could use them against you. Please do keep them updated!
In all my blogging years (stretching back to 1999!), I've only had a theme update bite me once. That is to say, I updated a theme and immediately found that my site was dead. It wouldn't come up at all!
Remember how I mentioned that I chose TigerTech as my internet hosting provider because they offer great support? They saved my blog's life in this case. They gave me a command to reset my theme to one of WordPress' defaults. In case you might find it helpful:
To see what themes are installed:
wp theme list
To set the theme to "twentyfifteen:"
wp theme activate twentyfifteen
To run these commands, you'd have to connect to your server using something called secure shell (ssh). If that doesn't mean anything to you, not to worry! If your provider offers good service, they can likely run the command on your behalf. The key here is that even if it sometimes bits you, it's still worthwhile to keep your plugins and themes up to date.
Keep WordPress Updated!
WordPress itself is a huge amount of code. Have you ever taken the time to browse any of it? WordPress has a lot of talented developers who contribute to it, and they try to write secure code. But no one's perfect, and WordPress often gets upgrades that include both new features and security fixes.
You should install updates as soon as you can. You can check if an upgrade is available by logging into the admin screen (wp-admin). You should see an option called:
You can find Updates under Home, which is under Dashboard.
If you click on Updates, there should be an "Upgrade automatically" button if an upgrade is available but you haven't installed it yet. At least, that's what WordPress' help system says. I enabled automatic updates so many versions ago that I'm not sure I even remember what the button looked like!
I've run with automatic updates for a few years now, and so far, it's been smooth sailing. Again, I think the risk of installing an update too quickly and encountering a bug is less than an outdated version having a security flaw that an attacker could exploit. But again, if you run into problems, you should be able to rely on your internet hosting provider to help you out.
Security is a balancing act, after all!
Very Basics Checklist
- Deactivate and uninstall unused plugins
- Uninstall any themes you're not using
- Keep your plugins up to date
- Keep WordPress up to date
If you're used to thinking of computer security as complex and cumbersome, this post might be surprising to you. But sometimes, if software is designed well, implementing a basic level of security can be straight forward.
Fortunately, WordPress is one of those pieces of software! If you keep it and its components up to date, you'll have eliminated the majority of ways attackers can make your life -- and your readers' lives -- miserable.
Update often and prosper!