Basic WordPress Security

This post follows up on the tech tip I recorded for Episode 279 of the Just the Books podcast. It continues the series about websites and how they’re made, looking specifically at WordPress. This series is not intended to explore the topic deeply; the primary goal is to build a foundation for understanding how websites are put together, the tools that can be used, and how innovation is changing and advancing this area.

Yes, WordPress has an easy and famous five-minute install to get you up and running quickly. However, that leaves you with the same default installation that millions of other sites have as well. Those similarities make it easier for hackers to target your site.

Even very small changes to the default configuration make your site different from the crowd, and that can help protect it from being hacked. Website and WordPress security is a vast topic. Below are three tips that everyone with a self-hosted WordPress site should follow. This topic will be explored in greater depth in the future.

  1. Update, Update, Update. Security releases happen for a reason. Back up and update. Most hacked WordPress sites were running an older version of WordPress.
  2. Delete themes and plugins that you do not use. Keep all the rest up to date. Most hacked WordPress sites were running an older version of a theme or plugin. If you are using a child theme, your theme updates should be painless.
  3. Don’t allow user accounts unless you absolutely must. In any case, limit their role.

    If you installed WordPress prior to version 3, you probably have an account with the username ‘admin’.

    Sites set up with newer releases let you choose a unique name for your administrator account.

    If you have a default admin account, the instructions below will help you remove this insecure account. Please make a backup of your database first, just in case.

    Steps to remove legacy admin account:

    1. Backup WordPress.
    2. Create the new user account with a unique name and grant it the administrator role.
    3. Select all posts and pages assigned to the legacy account and reassign them to the new user. This is easiest to do through the bulk edit on the All Posts or All Pages screens.
    4. Make sure you are logged in to the new administrator account, then delete the old account and reassign its posts and pages to the new account.

    My instructions require an extra step: while one could just skip to deleting the admin account, I like to reassign the owner of posts and pages first, just to be safe.
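The same four steps can be driven from the command line with WP-CLI instead of the dashboard. The script below is an added example, not code from the original post or from WordPress; it assumes WP-CLI (`wp`) is installed and is run from the WordPress root, and every username and e-mail address in it is a placeholder. It keeps the explicit reassignment step and refuses to run if the replacement account is not an administrator, so a typo cannot leave the site without one.

```shell
#!/bin/sh
# Added example, not from the original post: the four-step legacy admin
# removal driven by WP-CLI. Assumes "wp" is installed and the script runs
# from the WordPress root; all usernames and e-mail addresses are placeholders.
set -eu

WP="${WP:-wp}"   # override, e.g. WP="wp --path=/var/www/html"

# Step 1: back up the database before touching any account.
backup_db() {
    $WP db export "pre-admin-removal-$(date +%Y%m%d-%H%M%S).sql"
}

# Step 2: create the replacement administrator. Without --user_pass WP-CLI
# generates a random password and prints it once; store it in a password manager.
create_new_admin() {
    $WP user create "$1" "$2" --role=administrator
}

# Steps 3 and 4: reassign every post and page explicitly, then delete the
# legacy account. --reassign on the delete catches anything the loop missed
# (attachments, comments). Returns 1 and changes nothing if the names are the
# same or the new account is not an administrator.
remove_legacy_admin() {
    old_user="$1"; new_user="$2"
    if [ "$old_user" = "$new_user" ]; then
        echo "refusing: old and new account are the same user" >&2; return 1
    fi
    case "$($WP user get "$new_user" --field=roles)" in
        *administrator*) ;;
        *) echo "refusing: $new_user is not an administrator" >&2; return 1 ;;
    esac
    old_id="$($WP user get "$old_user" --field=ID)"
    new_id="$($WP user get "$new_user" --field=ID)"
    for post_id in $($WP post list --post_author="$old_id" --post_type=any --format=ids); do
        $WP post update "$post_id" --post_author="$new_id"
    done
    $WP user delete "$old_user" --reassign="$new_id" --yes
}

# Usage: sh remove-legacy-admin.sh <legacy-user> <new-user> <new-email>
if [ $# -eq 3 ]; then
    backup_db
    create_new_admin "$2" "$3"
    remove_legacy_admin "$1" "$2"
fi
```

Run it once with the three arguments; afterwards `wp user list --role=administrator` should show only the new account.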

Future tech tips will discuss user roles in detail and additional steps for hardening WordPress.