If you’ve paid any attention at all to WordPress-related news over the past month or so, you know that there have been some security vulnerabilities discovered (like this, this, and this, and yeah, this too). Not only did they affect WordPress itself, but a large number of plugins as well.
Sure, it’s serious stuff. Maybe even a little bit scary. At the end of the day, all of these security issues reflect the world we live in. The information age is wonderful, but it also means that there’s probably some bot out there trying to hack into your internet-connected toaster. Even large, expensive government networks get the same mistreatment.
That being said, is it any surprise that a website, regardless of which software platform it’s on, has vulnerabilities? I recently had an interesting conversation with a colleague about someone who created their own rudimentary content management system (CMS) to run their client’s sites. While that home-grown CMS might not necessarily be the target of as many botnets as WordPress, there’s no doubt there’s a security flaw in there somewhere.
My point is, everything and everyone is vulnerable to some degree. But here’s the thing: In large part, both the WordPress core team and larger developer community stepped up big-time during the recent issues.
Doing What’s Right, Fixing What’s Wrong
When the recent WordPress vulnerabilities were uncovered, there was quite a coordinated effort between security experts, those who develop the WordPress core, and many theme and plugin authors. Envato also stepped up immediately to notify WordPress developers selling products on the Market about the issues and provided steps they could take to rectify them.
As a result, security fixes have been coming through the pipeline at light speed. Those of us with many WordPress-powered websites to maintain have stayed busy applying those updates to ensure the latest security fixes are in place.
Overall, the situation couldn’t have been handled much better. Information was shared efficiently with a far-flung group of developers, site managers and users.
While it’s wonderful that a good deal of progress has been made in sealing up these vulnerabilities, this should serve as a reminder that we all need to take steps to secure our own websites. While it may not prevent every potential issue, it can certainly harden your site against attacks.
Here are five simple things you can do:
1. Turn off comments if you aren’t using them. One of the recently revealed exploits was related to malicious code running inside comments. WordPress installs have comments enabled by default. If you aren’t using them on your site, turn them off by going to Settings > Discussion inside the WordPress admin. If you are using comments, make sure to use a plugin such as Akismet or Anti-Spam Bee to block out spammers.
2. Change the default WordPress table prefix. This is a step aimed at experienced developers. By default, WordPress has a database table prefix of "wp_". Bots look for such identifiers to find which sites they can attack. A simple change to, well, just about anything other than the default can help.
3. Please, strengthen that password. I know, we all like to have short passwords that are easy to remember. Bots love them too. Make your passwords long and as unintelligible as possible. Write it down and keep it in a safe place at home (unless you live with a bot). Let your browser remember it. Just stop using ‘password1’.
4. Deactivate and remove unwanted plugins. Maybe you tried out a few similar plugins on your site until you found one you like. Perhaps they’re still sitting there, active and well out of date. You might have some plugins that aren’t even being developed anymore. Clean out the ones you no longer need.
5. Install a security plugin. There are many outstanding security plugins available for WordPress. And, if you run Jetpack, they’ve recently added a "Protect" feature that will help stifle brute-force attacks.
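Tips 1, 2 and 4 are all things you can check rather than just remember, and doing so across many sites is easier from a script. The helpers below are an added example written for this post, not code from WordPress, WP-CLI or the original article. They assume the real inputs come from the WP-CLI commands named in the comments (wp option get, wp config get, wp plugin list); the function names, the finding messages and the sample plugin list are constructed for illustration, so the script runs offline without a WordPress install.

```shell
#!/bin/sh
# Added audit helpers for tips 1, 2 and 4 above (hypothetical, not from the original post).
# Each function takes the text that WP-CLI would print, so it runs offline on the
# constructed samples at the bottom. On a live site the inputs would come from:
#   wp option get default_comment_status                      (tip 1)
#   wp config get table_prefix                                (tip 2)
#   wp plugin list --fields=name,status,update --format=csv   (tip 4)

# Tip 1: succeed only when new posts default to closed comments.
comments_closed() {
  [ "$1" = "closed" ]
}

# Tip 2: succeed only when the table prefix is non-empty and not the default "wp_".
prefix_customized() {
  [ -n "$1" ] && [ "$1" != "wp_" ]
}

# Tip 4: print the name of every plugin that is inactive or has an update available.
# $1 is CSV text whose header line is: name,status,update
stale_plugins() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && ($2 == "inactive" || $3 == "available") { print $1 }'
}

# Combine the checks: print one FINDING line per problem, nothing when the site is clean.
# $1 = default comment status, $2 = table prefix, $3 = plugin CSV.
audit_findings() {
  comments_closed "$1" || echo "FINDING: comments are open by default; close them under Settings > Discussion"
  prefix_customized "$2" || echo "FINDING: database table prefix is still the default wp_"
  stale=$(stale_plugins "$3")
  if [ -n "$stale" ]; then
    echo "FINDING: inactive or out-of-date plugins to remove or update: $(printf '%s' "$stale" | tr '\n' ' ')"
  fi
  return 0
}

# Constructed sample standing in for the CSV output of: wp plugin list --fields=name,status,update --format=csv
SAMPLE_PLUGIN_CSV='name,status,update
akismet,active,none
hello,inactive,none
old-gallery,active,available'

# Stand-alone run against the neglected-site sample: prints three FINDING lines.
audit_findings "open" "wp_" "$SAMPLE_PLUGIN_CSV"
```

On a real site you would replace the three sample arguments with the output of the corresponding WP-CLI commands and run the script from a maintenance cron job, so a plugin that quietly falls behind on updates shows up as a finding instead of sitting forgotten.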
Don’t Feel Insecure
All of this security talk has reminded me of a line from Eels, one of my favorite bands:
"a careful man tries to dodge the bullets, while a happy man takes a walk…"
In other words, it’s easy to hide in the corner and not want to come out when security issues arise. But the fact is, that’s the complete opposite of what you should do and the opposite of what the WordPress community did.
The best thing all of us can do is to stay vigilant, stand up and knock out one bug at a time.
Image Source: Internet Security Icon via Shutterstock.