by Ali Luke
This is the tenth post in our Mistakes series, a guest piece from freelance writer and blogger Raspal Seni. (You’ll find his bio at the bottom of the post.)
You just created a new WordPress blog, and are excited to publish posts. Or, you’ve had a WordPress blog for a while, but don’t know how to secure it.
Below, I talk about 5 common security mistakes bloggers make when installing and using WordPress. Check to see whether you make any of these mistakes, and fix them if you do.
Mistake #1: Not Using Strong Passwords
Creating strong passwords is the first step to make any program secure, and WordPress is no exception. If you use easily guessable passwords or the same password for everything (e-mail, forums, bank accounts, online registrations and even WordPress), your WordPress installation will be vulnerable to attack.
Fix it: Starting with version 3.7, WordPress has a smarter password strength meter. Use it to make a stronger password. You can’t remember many passwords, so use a password program like LastPass to remember them for you. It’s free, and I’ve used it for many years.
Mistake #2: Not Updating WordPress, Themes and Plugins
Do you update your WordPress installation, themes and plugins regularly? If you have old versions of these, you risk your blog getting hacked. These programs are updated regularly to fix any security holes (in addition to adding new features and fixing other issues they may have). If you don’t already update your WordPress, themes and plugins, you should do it regularly, preferably once a week.
Fix it: Login to your WordPress Dashboard as an administrative user and update your WordPress installation if you see a message telling you to do so. On the same updates page, you can also see if your theme and plugins have updates available. If they do, update them too. It just takes a few clicks.
You can also enable WordPress to auto-update itself by editing WordPress installation details in Softaculous, or by editing your wp-config.php. More information here.
Mistake #3: Having the ‘admin’ User and Publishing Posts by This User
By default, WordPress creates a user named admin (with the default password set to ‘pass’), if you don’t specify another username. Many lazy people don’t change this username and password, when installing WordPress. So, If someone can login as admin, they can do anything to your blog/website.
Create a username which people can’t easily guess. If I use a username such as raspal, anyone can easily guess it after a quick look at my blog.
A bigger mistake is to tell the world that you have a user with administrative privileges, named admin. How do you tell this? By publishing posts by this user. Instead, create another user to publish posts on your blog. Login with the administrative user only when needed (for example, to install updates).
Fix it: If you have the user named admin, login to your WordPress Dashboard with this user account. Then, create another administrative user, with a username which others can’t easily guess. Also provide a strong password for this new administrative user.
Next, logout from the Dashboard and log back in with this new administrative user. Now, create another user, but this time with editor privileges. This is the user you should use to publish posts.
Finally, remove the old administrative user named admin. When you remove this account, WordPress will give you an option to assign any posts published by this user to another user. Assign it to the user with the editor privileges, you just created.
Mistake #4: Not Removing the Default META Widget From Your Blog’s Sidebar
By default, WordPress installs a few widgets into your blog’s sidebar. The META widget is one of them. It contains links to log into and logout from your WordPress Dashboard. But, it also makes a hacker’s task easy by providing the login link.
Fix it: Login to your WordPress Dashboard with an administrative account. Click Appearance -> Widgets and delete the META widget from the primary sidebar.
Mistake #5: Not (Regularly) Backing up WordPress and Database
When was the last time you backed up your WordPress and database? Are you struggling to remember? You might think this doesn’t have much to do with WordPress security … but backing up regularly is included as one of the 4 best security practices in WordPress Security 101 at iThemes (owns the WordPress plugins named Better WP Security and BackupBuddy).
You should also automate the backup process. If you backup manually, you will certainly forget doing it.
Fix it: Use one of the following tools to backup your WordPress installation. Two good, free tools to automate WordPress backups are Softaculous and BackWPup plugin.
Have you seen any other common WordPress security mistakes? Let us know in the comments…
Raspal is a Freelance Writer and Blogger at RaspalWrites, where he has just published a follow-up post to this, 5 Additional Comment-Related Mistakes to Avoid. He enjoys helping people, is interested in technical content writing and blogging and available for hire. You can follow Raspal’s personal and business ramblings at @raspalwrites.
Wanna make money with your own website? Check my Online Profits training program.
Sign-up To The Newsletter And Get A Free eBook
Sign-up to the Daily Blog Tips newsletter and you will be able to download the “Make Money Blogging” eBook for free (worth $47).
You will also receive tips to improve your blog, strategies to make money and useful resources from around the web.
<!–
<rdf:RDF xmlns:rdf=”http://www.w3.org/1999/02/22-rdf-syntax-ns#”
xmlns:dc=”http://purl.org/dc/elements/1.1/”
xmlns:trackback=”http://madskills.com/public/xml/rss/module/trackback/”>
–>
<!– You can start editing here. –>
