Website security is, for a lot of small business owners, not really a primary concern. That is, until you get hacked, attacked, or otherwise inconvenienced by something that could have been easily prevented! In this post we’ll go over a few things you can do to maintain the security of your WordPress site(s), and save some real headaches later down the line. So without further ado, and in no particular order of importance, let’s begin!


1. Disable trackbacks and pingbacks

Pingbacks are used to notify one website that it has been mentioned by another, e.g. in a blog post or a comment. Although that sounds harmless, these notifications can be sent to any website that is willing to receive them, and WordPress receives them through its XML-RPC endpoint (xmlrpc.php) with no login required. An attacker can flood your site with these requests, a denial-of-service (DoS) attack, or a DDoS (distributed denial of service) when the flood comes from many machines at once, and render it unavailable to legitimate traffic and potential customers. It cuts both ways, too: because your site fetches the ‘source’ page to verify every pingback it receives, attackers can point thousands of WordPress sites at a victim and have them do the attacking on their behalf. Either way, it’s obviously harmful to your site!

How to disable pingbacks & avoid the problem

Look in the left sidebar of your WordPress dashboard for the ‘Settings’ tab. Click it, then go to ‘Discussion’.


At the very top of the next page you’ll see some checkboxes, one of which says ‘Allow link notifications from other blogs (pingbacks and trackbacks) on new articles’. This should be unchecked. Note the words ‘on new articles’: the setting only changes the default for posts you publish from now on. Posts that already exist keep their own setting, which you can change per post from the Discussion box in the editor (or in bulk via Bulk Edit), and xmlrpc.php itself keeps accepting pingback requests, so on a site that has been around for a while this checkbox alone is not enough.
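For a site with existing content, here is the belt-and-braces version as a small ‘must-use’ plugin. This is added example code of my own, not something from the original post or from WordPress’s settings screen. It closes pings on every post regardless of age and removes the pingback methods from the XML-RPC server; the file name and the decision to switch off XML-RPC logins entirely in the last step are assumptions you should check against anything (Jetpack, the WordPress mobile app) that relies on them.

```php
<?php
/**
 * Plugin Name: Close Pingbacks Everywhere (added example)
 * Description: Goes further than the Discussion checkbox: closes pings on
 *              existing posts and removes the XML-RPC pingback method.
 * Install:     save as wp-content/mu-plugins/close-pingbacks.php (assumed path)
 */

// 1. Treat pings as closed on every post, old or new. The Discussion checkbox
//    only changes the default for posts created after you untick it, whereas
//    this filter is consulted for every post when a pingback arrives.
add_filter( 'pings_open', '__return_false' );

// 2. Remove the pingback methods from the XML-RPC server, so xmlrpc.php no
//    longer accepts pingback requests at all and never fetches the "source"
//    URL an attacker supplies. Note that the widely used 'xmlrpc_enabled'
//    filter does NOT cover this: it only gates methods that require a login,
//    and pingback.ping is unauthenticated.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. (Assumption: nothing on this site needs XML-RPC logins.) Switching the
//    authenticated methods off as well stops xmlrpc.php being used for
//    password guessing via system.multicall. Delete this line if Jetpack or
//    the mobile app is in use.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Save it as wp-content/mu-plugins/close-pingbacks.php (create the folder if it doesn’t exist); must-use plugins load automatically and cannot be deactivated from the dashboard, which is what you want for a security setting. To check it worked, send a pingback.ping request to xmlrpc.php: after the change the reply is an XML-RPC fault saying the method does not exist, rather than a pingback error or success.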


2. Make sure everything is up to date

You see that little update notification that’s been popping up every time you log in for the last year?


Yeah, you should probably pay attention to that! WordPress is a massively popular platform, and with that comes a huge number of people looking to exploit websites that use it. Most of those break-ins are not clever: attackers scan for sites still running a plugin, theme or WordPress version with a publicly known, already-fixed vulnerability, and walk in through it. The best thing you can do for your site’s security is simply to stay on top of updates.

If it has been a long time since you updated your WordPress version, themes, plugins etc. – it’s somewhat likely that you’ll encounter some issues when updating everything. Which leads us into our next point:
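If clicking through update notices is the problem, you can have WordPress do it in the background. The following must-use plugin is an added example of my own, not code from the post: it opts in to automatic major core updates and to automatic plugin, theme and translation updates, while holding back any plugin you would rather update by hand after testing. The plugin path in the hold-back list is an assumption standing in for whichever plugin that is on your site. WordPress 5.5 and later also let you toggle auto-updates per plugin on the Plugins screen; the filter below overrides those toggles.

```php
<?php
/**
 * Plugin Name: Automatic Updates (added example)
 * Description: Turns on background updates for core, plugins, themes and
 *              translations, with a short list of plugins held back for
 *              manual updating.
 * Install:     save as wp-content/mu-plugins/auto-updates.php (assumed path)
 */

// Core: minor (security and maintenance) releases are already automatic on
// most hosts; this also opts in to major releases. The wp-config.php
// equivalent is: define( 'WP_AUTO_UPDATE_CORE', true );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Themes and translations: always update.
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );

// Plugins: update everything except the ones you test by hand first.
// $item->plugin is the "folder/main-file.php" path of the plugin.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $update_by_hand = array(
        // Assumption: a plugin you would rather update after testing, e.g. a store.
        'woocommerce/woocommerce.php',
    );
    if ( isset( $item->plugin ) && in_array( $item->plugin, $update_by_hand, true ) ) {
        return false; // leave this one for a manual update
    }
    return true;
}, 10, 2 );
```

Background updates only run if WordPress can write to its own files (it can on most shared hosting) and WP-Cron fires, which normally happens whenever someone visits the site. WordPress emails the admin address after automatic updates by default, so read those emails. The compatibility risk mentioned above does not go away: an automatic update can break a theme just as a manual one can, which is why this only makes sense alongside regular backups.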


3. Backups


An essential for everyone who has a website, keeping regular backups can save some serious headaches (or worse!) later on. In some cases hosting providers do this automatically, sometimes it’s offered as an upsell for an additional monthly cost, and sometimes it isn’t offered at all. I encourage you to find out which is the case with your host if you’re unsure.

The good news is that you can do this yourself using one of many available plugins. Some are free and some aren’t (most actually use a ‘freemium’ pricing structure, i.e. pay for the pro version), and there are plenty of comparison articles available online. If in doubt, simply google ‘wordpress backup plugins’ or similar! Whichever route you take, two things matter more than the tool: the backup must include both the database and the wp-content folder (uploads, themes, plugins), and it must be stored somewhere other than the web server itself, because a hacked or dead server takes any backups sitting on it down with it. Do a test restore once, so you know it actually works before you need it.

4. Login Details


This one is important but often overlooked: using sensible usernames and passwords. One culprit that springs to mind in particular is using ‘admin’ as the username; this is nearly as bad as using ‘password’ for your password! In both cases you’re giving away 50% of the puzzle that a hacker needs to get in, and ‘admin’ is the first username every password-guessing bot tries. WordPress won’t let you rename a user from the dashboard, so the fix is to create a new administrator account with a different username, log in as that account, and delete ‘admin’ (WordPress will offer to reassign its posts to the new user). Bear in mind that WordPress leaks usernames fairly readily anyway (author archive URLs, for example), so the password is the half that really has to hold.

There’s not a lot more to say on that one. Length and uniqueness matter far more than the old advice about mixing upper case, lower case and numbers: use a long passphrase that you use nowhere else, or simply accept the random password WordPress offers when you click ‘Generate Password’, and keep it in a password manager. Oftentimes a simple reminder to change your password is enough!


5. Activity / Audit Logs

One extra line of defence that we employ on our sites/client sites is ‘audit logging’. For this we use a premium tool, so perhaps it is unnecessary for the average Joe sole trader, but it can certainly be useful.

WP Defender lets us keep detailed logs of comments, posts, login attempts, plugin installs, etc., so that if an intruder did somehow get into the website, we’d know what they did and when, making it a much easier recovery. One caveat: a log that lives in the same WordPress database as everything else can be edited or wiped by an intruder who gets administrator access, so if you can, have the log emailed or exported somewhere off the site as well.
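Here is what the bare bones of such a log look like in code, as an added example of my own rather than anything from WP Defender or the original post. It is a small must-use plugin that writes every login success, failure and lockout to the PHP error log, and it also ties back to point 4: after five failed attempts from one IP address it refuses further logins from that address for fifteen minutes, which blunts the bots that hammer ‘admin’ with password lists. The file name, the thresholds, and the assumption that the site is not behind a proxy or CDN are mine.

```php
<?php
/**
 * Plugin Name: Login Audit Log (added example)
 * Description: Records every login success, failure and block, and locks an
 *              IP address out for 15 minutes after 5 failed attempts.
 * Install:     save as wp-content/mu-plugins/login-audit.php (assumed path)
 */

const LAL_MAX_FAILURES = 5;                       // assumption: tune to taste
const LAL_WINDOW       = 15 * MINUTE_IN_SECONDS;  // assumption: lockout length

// Assumption: the site is NOT behind a reverse proxy or CDN. If it is,
// REMOTE_ADDR is the proxy's address and you must read the client IP from
// the header your proxy sets. Never trust X-Forwarded-For from arbitrary
// clients, or an attacker simply picks a fresh "IP" for every attempt.
function lal_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

// Transient key for this address's failure counter.
function lal_key() {
    return 'lal_fail_' . md5( lal_client_ip() );
}

// One line per event in the PHP error log (wp-content/debug.log when
// WP_DEBUG_LOG is on). The username is sanitised and the user agent reduced
// to printable ASCII so a crafted login cannot inject fake lines into the log.
function lal_log( $event, $username ) {
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';
    error_log( sprintf(
        '[login-audit] %s user=%s ip=%s ua=%s',
        $event,
        sanitize_user( (string) $username, true ),
        lal_client_ip(),
        substr( preg_replace( '/[^\x20-\x7e]/', '?', $ua ), 0, 120 )
    ) );
}

// Runs after the username has been found but BEFORE the password is checked,
// so a locked-out address never gets a password verified. Returning a
// WP_Error at this point is honoured; returning one from the earlier
// 'authenticate' filter is not, because WordPress's own handler overwrites it.
add_filter( 'wp_authenticate_user', function ( $user, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // another plugin already rejected this attempt
    }
    if ( (int) get_transient( lal_key() ) >= LAL_MAX_FAILURES ) {
        lal_log( 'blocked', $user->user_login );
        return new WP_Error( 'too_many_attempts', 'Too many failed logins from your address. Try again in 15 minutes.' );
    }
    return $user;
}, 10, 2 );

// Every failure (wrong password, unknown username, or a blocked attempt)
// bumps the counter and extends the window. $error is passed since WP 5.4.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    $blocked = $error instanceof WP_Error && 'too_many_attempts' === $error->get_error_code();
    if ( ! $blocked ) {
        lal_log( 'failure', $username ); // blocked attempts were logged above
    }
    set_transient( lal_key(), (int) get_transient( lal_key() ) + 1, LAL_WINDOW );
}, 10, 2 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    lal_log( 'success', $user_login );
    delete_transient( lal_key() );
}, 10, 2 );
```

Drop the file into wp-content/mu-plugins/ and it is active immediately, with nothing to enable. The same hooks fire for logins through xmlrpc.php, so that route is covered too. Its limits are worth knowing: the counters are WordPress transients, so an intruder with database access can clear them; a lockout per IP does nothing against an attack spread across many addresses; and the block is only enforced when the username exists, because WordPress rejects unknown names before this hook runs (those failures are still counted and logged). That last point is exactly why a run of failures against ‘admin’ in the log is such a useful early warning.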


That’s all for this post – I hope you found it useful & choose to implement some of the suggestions. Thanks for reading!

If you’re interested in a done-for-you WordPress security service, we offer a monthly package in which we’ll install and configure all necessary plugins (including premium), ensure WordPress itself, your theme, and your plugins are regularly updated (and tackle any compatibility issues), and make regular backups. Please don’t hesitate to get in touch if that sounds like something you’d benefit from!