WordPress Security & Upgrade Tips

I’d been thinking of sharing some of my tips on WordPress security, and this weekend’s alerts about attacks on older WordPress sites have pushed it to the top of the post-ideas pile.

I definitely don’t claim to be an expert on security. But I have found the following to help me sleep a bit better at night and make events like upgrading or even possible hacking less stressful. I hope you’ll share any tips or questions of your own in the comments so we can all learn from each other.

Upgrade, upgrade, upgrade.

The number one thing you can do to improve the security of any software that’s connected to the internet is to keep it up to date. WordPress developers are constantly working to improve the tool, and its security is part of that. The current version and the one before it (2.8.4 and 2.8.3) are both secure against this attack.

I used to be a lot more nervous about upgrading WP sites than I am now. Occasionally it’s painful (if you’re on a really old version, rely on plug-ins that are no longer compatible, or have a pain-in-the-butt webhost), but usually it’s pretty seamless. If you don’t know how to do the upgrade yourself, talk to your web person, your geeky buddy, whoever, and get it done. The most recent versions of WordPress have an automatic upgrade built in, so it might be simpler than you think. And if you’re on a really old version, see below for a killer upgrade offer from Mark Jaquith.

But first: backup

If you’re about to do an upgrade, you should back up your database, your theme files, and ideally your uploads folder. A proper upgrade shouldn’t overwrite your theme or uploads, but it doesn’t hurt to have a backup on hand, right? Unfortunately the auto-upgrade tool built into the latest versions of WordPress doesn’t do backups for you. So, here are some tools I recommend for backups:

  1. If you’re on an older WP version, grab the automatic upgrade plug-in. It creates a backup of both your files and your database before doing the upgrade, and usually makes the upgrade pretty painless. If you’re on a more recent version then you don’t need this for the upgrade part of the task.
  2. Either way, install a plug-in for backing up your WordPress database. This is crucial because the database is where all the text content of your site is stored. The WordPress DB Backup plug-in can do it either on demand or on a schedule. I install it on all my sites and have a backup emailed to me or the site owner weekly. (It can also keep the backup on the server, but that isn’t recommended: a copy that lives alongside the site is lost along with it if the server fails or is compromised.) Note that it also needs some free space on your server to do its thing, so if you’re on a really budget/lean webhosting account you’ll want to check that. I had a client contact me with a failed upgrade because the auto backups he thought were successful had created 0 KB files: his server simply didn’t have the room to create them. Whatever tool you use, check that the backup file is actually larger than zero bytes before you rely on it.
  3. You might also find this file backup plug-in handy for backing up your theme, uploads, and plug-ins. I haven’t tried this one so if you have please let us know what you think of it in the comments.
  4. UPDATE: A great set of instructions for setting up backups with gmail and a different plug-in, WP-DB Manager.
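The backup steps above, as an added example that is not part of the original post or of any of the plug-ins it mentions: a small shell script that pulls the database credentials out of wp-config.php, dumps the database with mysqldump, archives wp-content, and refuses to report success unless each file really exists, is larger than a minimum size and passes gzip’s integrity check, which catches exactly the 0 KB-file failure described in step 2. It assumes a Unix host with mysqldump, gzip and tar installed and a wp-config.php that uses the standard define('DB_NAME', '...') lines; the backup directory, the 50 MB free-space requirement and the 1 KB minimum are assumptions to adjust for your site.

```shell
#!/bin/sh
# wp-backup.sh: back up a WordPress database and wp-content folder, and
# verify the results instead of trusting that the files were written.
# Added example, not from the original post. Assumes mysqldump, gzip and
# tar are installed; paths and thresholds are illustrative assumptions.

# Pull a define('KEY', 'value') line out of wp-config.php. Accepts single
# or double quotes and ignores lines that are commented out with //.
wp_config_get() {
    key="$1"; file="$2"
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$file" | head -n 1
}

# A backup only counts if the file exists, is at least min_bytes long and
# (for .gz files) passes gzip -t. An empty or truncated dump fails here,
# which is what happens when the server runs out of disk space.
verify_backup() {
    file="$1"; min_bytes="${2:-1024}"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -ge "$min_bytes" ] || { echo "too small ($size bytes): $file" >&2; return 1; }
    case "$file" in
        *.gz) gzip -t "$file" 2>/dev/null || { echo "corrupt gzip: $file" >&2; return 1; } ;;
    esac
    return 0
}

# Succeeds only if the filesystem holding dir has at least need_kb free.
check_free_space() {
    dir="$1"; need_kb="$2"
    free_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    [ "$free_kb" -ge "$need_kb" ]
}

# Dump the database and archive wp-content into out_dir, verifying both.
backup_wordpress() {
    wp_root="$1"; out_dir="$2"
    cfg="$wp_root/wp-config.php"
    db_name=$(wp_config_get DB_NAME "$cfg")
    db_user=$(wp_config_get DB_USER "$cfg")
    db_pass=$(wp_config_get DB_PASSWORD "$cfg")
    db_host=$(wp_config_get DB_HOST "$cfg")
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$out_dir"
    # Assumed threshold: refuse to start with less than 50 MB free.
    check_free_space "$out_dir" 51200 || { echo "less than 50 MB free in $out_dir" >&2; return 1; }

    db_file="$out_dir/$db_name-$stamp.sql.gz"
    # MYSQL_PWD keeps the password out of the process list, which other
    # users on a shared host can read with ps.
    MYSQL_PWD="$db_pass" mysqldump --single-transaction -h "$db_host" -u "$db_user" "$db_name" | gzip > "$db_file"
    # If mysqldump failed, gzip still wrote a ~20-byte empty archive; the
    # size check below catches that.
    verify_backup "$db_file" 1024 || return 1

    files="$out_dir/wp-content-$stamp.tar.gz"
    tar -czf "$files" -C "$wp_root" wp-content
    verify_backup "$files" 1024 || return 1

    # Backups contain password hashes and private posts: owner-only.
    chmod 600 "$db_file" "$files"
    echo "$db_file"
    echo "$files"
}

# Only run when WP_ROOT is set, so the functions can also be sourced.
if [ -n "$WP_ROOT" ]; then
    backup_wordpress "$WP_ROOT" "${BACKUP_DIR:-$HOME/wp-backups}"
fi
```

Run it as WP_ROOT=/path/to/wordpress ./wp-backup.sh from cron, and copy the two files it prints somewhere off the server (an email attachment, as the post suggests, or a separate host); the chmod 600 matters because the dump holds every user’s password hash.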

Now that you’re all up to date and backed up, consider making some tweaks to enhance security.

Usernames & Passwords

  1. The first thing I do after installing WordPress is create a new administrator account. Then I delete the “admin” username. If attackers don’t know the username of my administrator, that’s one more thing they have to guess before they can get in. (Bear in mind that WordPress also exposes usernames through the author archive: with pretty permalinks on, yoursite.com/?author=1 redirects to /author/<slug>/, and that slug is the user’s “nicename”, which defaults to the login name. Changing it means editing the user_nicename column in the wp_users table.)
  2. Change the display name for usernames. On the user profile you can set how your name will display in your theme, so when a post says “Written by Joe”, the username Joe actually logs in with can be “masterdisaster” or whatever. One less clue for attackers.
  3. Choose a secure password. This one should go without saying, but we’ve all done it: overly simple passwords used over and over again. I’ve recently improved this habit by adopting a password pattern for all my administrator accounts. Basically, you make up a pattern that has a slight difference in every site’s password. I find this really helpful for making unique passwords I can remember. So it could be something like:
    1. a meaningful number (digits from an old phone number or address? a special date?)
    2. some characters from the site name, perhaps the first or last few. e.g. for gmail.com it could be “gma” or “ail” or some variation
    3. an acronym or a word that you’ll remember, and perhaps this has a number in it, like “sl33py” or something

Make sense? One caveat: because the pattern is visible in every password built from it, anyone who captures just one of them (a phishing page, a site whose database leaks) has a strong guess at all the others, so give your most important accounts, starting with the email address your WordPress password resets go to, a truly random password instead. What do you do for secure passwords?
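The username tips above cover what an attacker can see in your theme. As an added example that is not from the original post, here is a check that goes one step further and looks at WordPress’s own author archive: with pretty permalinks enabled, a request for yoursite.com/?author=1 is redirected to /author/<slug>/, and that slug defaults to the login name, so renaming the display name alone leaves the login visible. The script assumes curl is installed; the site address and the range of author IDs it tries are assumptions for illustration.

```shell
#!/bin/sh
# wp-author-check.sh: does this WordPress site leak login names through
# the ?author=N redirect? Added example, not from the original post.
# Assumes curl is installed and the site uses pretty permalinks (with the
# default ?p= permalinks WordPress does not issue this redirect).

# Read an HTTP header block on stdin and print the author slug from a
# Location header such as
#   Location: http://example.com/author/masterdisaster/
# Prints nothing if there is no author redirect.
author_from_headers() {
    sed -n 's#^[Ll]ocation:[[:space:]]*.*/author/\([^/[:space:]]*\)/\{0,1\}.*#\1#p' | head -n 1
}

# Request ?author=N without following redirects (-I, no -L) and report
# the slug WordPress hands back. Returns 0 when a slug is exposed (bad),
# 1 when the site did not redirect.
check_author_leak() {
    site="$1"; n="${2:-1}"
    slug=$(curl -sS -I -m 10 "$site/?author=$n" | author_from_headers | tr -d '\r')
    if [ -n "$slug" ]; then
        echo "author $n: login slug exposed: $slug"
        return 0
    fi
    echo "author $n: no author redirect"
    return 1
}

# Only run when SITE is set, so the functions can also be sourced.
# Assumed range: the first five user IDs, which is where the admin
# account created at install time normally lives.
if [ -n "$SITE" ]; then
    for n in 1 2 3 4 5; do
        check_author_leak "$SITE" "$n" || true
    done
fi
```

Run it as SITE=http://yoursite.com ./wp-author-check.sh. If it prints a slug for the account you log in with, an attacker running the same loop gets the same answer, so rename the account and give it a different nicename as described in step 1 above.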

Other tips & links

  • You might also want to turn off new user registration on your site if you don’t need it (Settings > General, uncheck “Anyone can register”). I’d left it open on an old personal site and the other day I got an email that someone had registered (as a subscriber) on my blog. Makes me just a little nervous that someone was probing for holes.
  • Think twice before installing plug-ins, since any plug-in can introduce a security hole. There’s no certification process for plug-ins, unfortunately, so if one hasn’t been vetted by many people, you might want to hold off installing that shiny tempting thing until it has. And remove plug-ins you no longer use rather than just deactivating them: a deactivated plug-in’s files are still on the server and still need to be kept up to date.
  • Mark Jaquith, a lead developer on WordPress itself, no less, is offering a great deal on upgrading your site.
  • Matt Mullenweg (WordPress’s founder) has explained the attack and more in this article: How to keep WordPress Secure.
  • The Blog Herald on Password Security
  • If you need a random, impossible-to-remember but secure password, try Good Password.
  • UPDATE: here’s a thoughtful article from John August on blogs and baking bread. (via @NathanBowers)

So, what about you? Any recommendations or tips to share?

Comments: 1 Response so far

  1. This post made me feel so proud of myself! I had already done all you suggest — yay! The admin, user name changes, etc., even have two backup plug-ins (the DB one and the files one, both work fine, never had to restore though!), and here’s a trick for PWs that might interest your readers that’s similar to yours:

    I start with an acronym of a song lyric, say “It’s the most wonderful time of the year” from some ancient Bing Crosby carol (yes, I’m old.) I swap out numerals for letters that look alike, “1” for the letter “i”, zeros for “o” and vice-versa, use Title Caps on some words as I sing them, etc. So that lyric would be “1tMWt0ty”, then I add a piece of the site, like “1tMWt0tygravatar” or whatever.

    Thanks for the good common sense — that takes care of juuuuuust over half of life, doesn’t it?!

    ~@TheGirlPie

    GirlPie — October 30th, 2009, 9:35 pm
