
WordPress Security Console

I am managing more than 20 client sites and I’m down from 40. The most important thing I have to consider is data security. While regular backups are always in place, hackers, crackers and spammers should also be kept at bay.

Part 1

What you have to consider:

1. Secure server configuration
As we’re talking about WordPress, you should have the latest versions of Apache/Nginx, PHP and MySQL on your server. The most important of these three is PHP. Because WordPress is built on PHP and most plugins are also built on PHP (with lots of them sporting outdated code), you should use the latest version available on your server. Some hosts allow for version switching inside your .htaccess file. Before going for it, you should check your theme and plugins and see if they generate any notices, warnings or errors. Use the debugging options for this, while in maintenance mode.

I use this plugin on my live development server and I test all plugins before adding them to my site.

2. Secure/encrypted connection
An SSL connection will soon become the norm, just as mobile responsiveness is now a very important factor for Google ranking.

SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral.

An SSL certificate is purchased yearly and is installed on your server. Prices range from high to very high, but for sensitive data web sites or e-commerce sites, it should be a requirement. Some CDNs offer free (shared) certificates (see Cloudflare), but you should purchase a full certificate if you really care about your business.

3. Site/code/database protection
This is an ongoing process and it involves having an active firewall (see Cloudflare or Sucuri), constant access notifications and constant checks. These are usually performed by plugins (see my previous article for some recommendations) and should be carried out regularly.

Part 2

What you should be aware of when having a live site:

a. Hackers

These guys are the most dangerous ones, as they can exploit code vulnerabilities and inject hidden code to either supply passwords and account information or to add links to spam web sites (usually pharmaceutical products, online gambling sites and online stores).

b. Crackers

These guys usually crack passwords either by exploiting information leaks (such as version-revealing HTTP headers or visible PHP notices, warnings and errors) or by using brute force attacks that try hundreds of passwords each minute. The result is either a cracked password or your server being brought to its knees (your host will probably restrict access to your site or ask you to clean it up before going live again). If your business depends on your site, you are losing money until you fix it.

c. Spammers

Depending on the content of your site you may allow comments. These guys will post fake comments with links to various sites (usually pharmaceutical products, online gambling sites and online stores). They usually use automated software to post comments on thousands of sites. Make sure you have Akismet enabled and working. Also, make sure you have either the Stop Spammers plugin or the Antispam Bee plugin active.

d. Sploggers

If you have a multisite WordPress installation, these guys will create lots of fake accounts and sites. Make sure you use double opt-in account registration, email checking and clean up your user base regularly.
