If you’ve never had your site hacked by some dopey spammer or script kiddie then you don’t know what you’re missing. And you’re missing some really bad shit that nobody should have to deal with. I’ve been hacked more than once and have spent hundreds of dollars getting my sites unhacked.
So I’m always on the lookout for good security tips. And Matthew Woodward recently posted a killer list of WordPress security tips for your sites.
He says the list will take about 10 minutes to implement. So I thought, “I’ve got 6 sites to cover. I can knock this out in an hour.” Two hours later I was nowhere close to finishing. And, in fact, I spent a week or so mopping up some of the details I’ll get into.
In a couple of cases, I did things a little differently:
Site Backups – Many hosting companies do this for you. But better to be safe than sorry. Matthew suggests a plugin called BackWPup. For me, I ran into a problem with the size of one of my sites. Instead I went with a plugin called UpdraftPlus. It handles large sites a little bit better and is still free. There’s a bit more of a setup curve to it, but it’s not too difficult if you follow the steps.
For a backup location, I’m using Google Drive. Unless I’m mistaken, when you get a new Gmail address, it comes with a sparkly new Google Drive partition too. I didn’t want to use up my main Drive with a bunch of backups, so I just got a new Gmail address that won’t be used for anything except storing backups.
CloudFlare – This service will speed your sites up a bit and offers a few other features. If you’re on a host that offers CloudFlare through cPanel, absolutely do it from there. It’s way easier and you’ll run into fewer troubles. I didn’t realize that at first and had to undo everything I’d done to streamline and take care of a few errors by doing it through cPanel. I still have one subdomain I haven’t been able to enable it on, but CF’s tech support is being very helpful.
Security Plugin – Matt suggests Better WP Security (now called iThemes Security). After a little research, I went with Wordfence instead. It’s being used on more sites and includes a firewall. That means I wouldn’t have to use a separate firewall plugin. Again, it takes a bit of setup, but it’s easy if you follow the steps.
I did run into a bit of White Screen of Death on a couple of my sites that I think were caused by Wordfence. But I’m still working my way through the plugins to see what’s wrong. Mostly it’s worked ok. It does tend to be a little overly proactive in showing which files have been changed. But better that than missing something.
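To show what that “changed files” report is actually doing, here is an added example (not code from the post or from Wordfence): it hashes every file under a site root into a baseline, then diffs a later snapshot into added, modified and removed files. The site tree, the ignored-path prefixes and the tampering are all constructed for the demo.

```python
"""Constructed example: a file-integrity baseline of the kind a security plugin
uses when it reports which files on a WordPress site have changed."""
import hashlib
import os
import tempfile

# Paths that churn legitimately; leaving them out of the baseline cuts the
# noise the post describes (hypothetical defaults chosen for this example).
IGNORED_PREFIXES = ("wp-content/uploads/", "wp-content/cache/")

def snapshot(site_root):
    """Return {relative_path: sha256_hex} for every non-ignored file under site_root."""
    digest = {}
    for dirpath, _, filenames in os.walk(site_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, site_root).replace(os.sep, "/")
            if rel.startswith(IGNORED_PREFIXES):
                continue
            with open(full, "rb") as fh:
                digest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digest

def diff_baseline(baseline, current):
    """Classify paths as added, modified or removed relative to a stored baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}

def write(root, rel, body):
    """Helper: create rel under root (parent dirs included) with the given text."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)

def demo():
    """Build a tiny constructed site tree, take a baseline, tamper, and diff."""
    root = tempfile.mkdtemp()
    write(root, "wp-config.php", "<?php define('DB_NAME', 'wp');")
    write(root, "wp-content/plugins/wordfence/wordfence.php", "<?php // plugin")
    write(root, "wp-content/uploads/2014/photo.jpg", "jpegbytes")
    baseline = snapshot(root)
    # Simulate what a later scan would find: one edited core file, one new
    # plugin file, and an upload that changed but is ignored by design.
    write(root, "wp-config.php", "<?php define('DB_NAME', 'wp'); // edited")
    write(root, "wp-content/plugins/wordfence/extra.php", "<?php")
    write(root, "wp-content/uploads/2014/photo.jpg", "otherbytes")
    return diff_baseline(baseline, snapshot(root))
```

A real core or plugin update will show up as a pile of “modified” files too, which is exactly the noise a plugin has to distinguish from a genuine compromise by comparing against known-good release checksums.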
Incidentally, if you can’t access the dashboard of your WordPress site and need to deactivate plugins that are breaking the site, here’s how to do that.
Other than these few changes, I pretty well went with what Matthew has on his post. I feel a lot more secure about my sites not getting hammered again. Now I just need a similar checklist for Joomla sites since I’ve yet to transfer my main artist website over to WordPress.
Definitely dig into that list and get the job done. It may take a little longer than 10 minutes, but you’ll be super happy when you avoid being hacked by some jackass with too much time on his hands.