WordPress has become one of the most popular content management systems (CMS) available. With its host of available themes, templates, and plugins, WordPress is versatile, easy to use – and provides an easy venue for users to make some very common mistakes.
Some users put too much trust in the standard WordPress installation. All too often, these users lack an understanding of basic security, database management, or the dangers of excessive plugin usage. Here are some simple steps to take to increase the security and usability of your WordPress platform.
Often times users install WordPress via FTP without any security enabled. Worse yet, key files and folders on your server may be inadequately protected after being uploaded. To minimize possible security problems, make sure to use your .htaccess file to protect your wp-config file, which controls key aspects of your site, and set up your folder permissions to prevent anyone from viewing content best left out of the public eye.
Some experts assert that if you’re using proper folder permissions, then using .htaccess to protect individual files is unnecessary. There may be some truth to that, but tweaking .htaccess adds yet another barrier to entry. It’s especially valuable if you co-administer your site with someone who could potentially do something foolish to undermine your site’s security.
To add extra protection to your wp-config file, first download your .htaccess file from the root directory of your Apache server, then edit the file and add the following lines:
# protect wpconfig.phpSave the file, but don’t upload it yet – we’re not done enhancing it.
order allow,deny deny from all
You can also add protection for your wp-admin area to .htaccess. The wp-admin page lets you administer pages, posts, templates, and plugins, which means it’s pretty important. As long as your ISP isn’t changing your IP address on a regular basis, allowing only your own IP address to access files in wp-admin can help you avoid attacks by script kiddies who try to break into your WordPress installation. However, you must remember to update your .htaccess data when your IP address changes.
Add the following code to your downloaded .htaccess file, then save the file:
#Protect wp-admin AuthUserFile /dev/null AuthGroupFile /dev/null AuthName “Access Control” AuthType Basic order deny,allow deny from all # whitelist home IP address allow from xxx.xxx.xxx.xxx # whitelist work IP address allow from yy.yyy.yyy.yyyIf you can’t count on having a static IP address for your server, an alternative to using .htaccess to protect your wp-admin area is to install a plugin called AskApache Password Protect that’s designed to protect your WordPress site from potential hacking threats, and is an effective alternative to hacking your .htaccess file yourself each time your IP address changes.
Two other helpful .htaccess hacks include disabling your server signature and disabling directory browsing. Disabling your server signature hides sensitive data such as your Apache version number and operating system information. Public access to this information could lead to a malicious user trying to exploit a flaw in your WordPress installation. Disabling directory browsing prevents easy-to-exploit files and folders from being targeted. The code for these hacks is fairly straightforward:
# disable the server signature ServerSignature Off # disable directory browsing Options All -IndexesThe final piece of your security puzzle is to make sure that your .htaccess file itself is adequately protected. Once you’ve added this last bit of code to the file, you can send it back to your server:
# protect the htaccess file
order allow,deny deny from all
Have a Backup PlanProtecting your crucial WordPress files is a great first step, but it may not be enough. Not having a reliable database backup strategy in place for your WordPress website is actually more dangerous than a poorly configured .htaccess file. Why? Because if you have a database backup, you can recover a hacked website, but a crashed site without a database backup is in real trouble. By the way, if you do find yourself in that unenviable position, check out Warrick, an Internet cache-based recovery script that can be a recovery tool of last resort.
The best approach to protecting your WordPress data is to make sure you have an up-to-date backup of your WordPress theme, the images directory, robots file, .htaccess file, and of course your database. You can make a backup of your WordPress database in a variety of ways. The most common method is to use phpMyadmin, which allows you to not only back up but also manage your database in other ways. You can also install a WordPress plugin to make backups automatically; I recommend WP-DB-Backup. Some backup plugins will even email you a copy of the database after it’s backed up. However, I recommend storing your database backups locally on the server; you can always connect to the server later on to download them for safekeeping at another location.
Themes and StructureOnce you have a handle on keeping your WordPress website secure, the next step is to think about the best way to present the information on your site. The first thing to think about is your theme. Avoid presenting visitors with a theme that’s difficult to navigate or a layout that’s difficult to use. I recommend using a minimalist theme that offer a white background with black text and blue hyperlinks, as most people consider that combination the easiest to read and navigate. When looking for WordPress themes for your website, I recommend starting with the WordPress.org theme portal, which offers a wide assortment of themes to choose from.
Next, consider your site’s structure. Are your categories easy to find? Would you consider your categories and tags relevant to your posted content? While this kind of analysis may sound obvious, it’s commonly overlooked by WordPress newcomers. Remember to keep things relevant to both human visitors and search engines indexing the site.
One of the most common mistakes users make when it comes to site structure is poorly thought-out permalink structure. A permalink is simply a URL designation for any post or page that will be left on the WordPress website for an extend period. Out of the box, WordPress permalink structure is going to be something like
?p=some-random-id, which does nothing for readers or search engines. A better permalink structure would be one of the following:
/%category%/%postname%/. You can select either of these from the administration interface at your-wordpress-site.com/wp-admin/options-permalink.php. With both examples, the reader of the WordPress site can see clearly that the URL matches the content they’re looking for. Even better, search engines will find the data holds more relevance than some random URL variable.
Countless WordPress plugins cater to those wanting to tweak their permalinks, but I don’t recommend any of them. Your best permalink structure is one that is set to only a single layout. Ignoring this policy creates the potential for broken permalinks in the future, especially with WordPress updates.
Images and AdvertisingThe right theme and permalink structure can make it easy for visitors to find your text, but you probably also want to display images and maybe advertising. When it comes to images on any website, remember that people don’t need to see a large number of large images. In fact, for site visitors with slow connections, tons of unneeded images can be a real problem.
I recommend using images sparingly throughout a WordPress website. A single image on a blog post can add visual appeal to the text, but adding random images without context serves no one. Ask yourself whether any image you plan to post helps with the context of the post. Most plugins designed for image uploading aren’t especially helpful, but Image Pro does offer some powerful options when managing multiple images throughout a website. Image Pro allows you to easily upload, resize, add, and alter images.
Advertising has become a significant part of running many WordPress websites. The revenue accrued through your WordPress website can help contribute to hosting costs, in addition to potentially building up a tidy part-time income. Considering the financial rewards that come from advertising, you may be tempted to display too much of a good thing, but keep advertisements down to no more than three ad blocks per page. More than three blocks might be seen as disruptive by your readers. Regardless of your advertising type, I recommend display your ads using CSS code like
div style="float:left; padding-right: 5px;"within the top part of your content entry. This provides you with great placement for a box ad without hurting the reader’s experience, and enables to you display less advertising on the same page thanks to careful placement of your primary ad. If you feel the need for additional ad placement, using a heat map can help to determine the best placement.
If using a heat map for your WordPress site is something that interests you, look into a plugin called WP Super Heatmap, which keeps track of website visitor actions while providing clear visual context as to what the “hot spots” are on different areas of each page.
Running WordPress is actually really simple. Just remember that a WordPress website needs to be securely set up, regularly backed up, and, of course, pleasant to read. If you remain mindful of these guidelines, chances are good you won’t have any serious issues using WordPress on your website.