The information in this article applies mainly to self-hosted WordPress sites, not to sites on WordPress.com.
Your self-hosted WordPress site is only as secure as you take the time to make it, and you definitely want to take the time to make your WordPress site secure.
There are many security plugins available to help you with this, but many of them have so many moving parts that it is hard to know how to configure them to secure WordPress without also locking yourself out of your own site.
Fortunately, there are several things you can do to start securing WordPress that do not involve fumbling through a lot of plugin settings and options. Here are three:
One...
Never use your domain name, site title or your own name as your administrative (admin) username.
We learned long ago to never use (or to stop using) admin as the username on our WordPress sites, but almost as egregious as using admin is making your login easy to guess by using your domain name, your site title or your own name.
Let's say the domain for your WordPress site is allmywidgets.com, your site title is Widgets R Us and your own name is Wendell Widget. You would not want to use allmywidgets, widgetsrus or wendellwidget as your administrative username.
Why?
Attackers who try to guess your login credentials start with admin as the username; their next guesses are the name of your site, your site title and the name(s) shown in the by-lines of your posts and pages.
If they guess right, then they have one half of the combination they need to hack into your WordPress site.
Consider making your username something only you and a very small group of other people would know. Do not be afraid to include numbers and/or random characters in your username, too, especially if you insist on using your domain name, site name and/or real name as your username.
Once a user account exists, WordPress does not let you change its username from the Dashboard (the Username field on the profile page is read-only), but there are two other ways to accomplish this.
If you would like more information on how to change your administrative username, contact the author of this article. The information will be provided to you at no cost.
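One way to do the rename, shown here as an added example (it is not the page's own procedure and not necessarily one of the two methods the author offers), is a one-off script run with WP-CLI (`wp eval-file rename-login.php`). WordPress's own `wp_update_user()` ignores `user_login`, so the script writes the `wp_users` row directly through `$wpdb`. It also changes `user_nicename`, which defaults to the login and is the slug shown in `/author/<slug>/` URLs and in the REST API user list; leaving it alone would keep the old username discoverable. The two login constants are assumptions; replace them with your own. Take a database backup first, and note that on a multisite network super admins are listed by login in the `site_admins` network option, so that list would need updating as well.

```php
<?php
/**
 * rename-login.php (added example, not from the original post).
 * Run once from the site root:  wp eval-file rename-login.php
 * Back up the database before running it.
 */
const RL_OLD_LOGIN = 'admin';        // assumption: the login you want to retire
const RL_NEW_LOGIN = 'k7-ops-desk';  // assumption: the new, hard-to-guess login

/**
 * Rename a login and its public slug. Returns the WP_User on success or a WP_Error.
 */
function rl_rename_login( $old, $new ) {
	global $wpdb;

	// Strict mode keeps only the characters WordPress itself allows in usernames.
	$new = sanitize_user( $new, true );
	if ( '' === $new || $new === $old ) {
		return new WP_Error( 'bad_login', 'New login is empty, invalid or unchanged.' );
	}
	if ( username_exists( $new ) ) {
		return new WP_Error( 'exists', "A user named '$new' already exists." );
	}
	$user = get_user_by( 'login', $old );
	if ( ! $user ) {
		return new WP_Error( 'missing', "No user named '$old'." );
	}

	// wp_update_user() silently drops user_login, so update the row directly.
	// user_nicename is the slug in /author/<slug>/ and in the REST users list;
	// it defaults to the login, so it must change too or the old name still leaks.
	$updated = $wpdb->update(
		$wpdb->users,
		array(
			'user_login'    => $new,
			'user_nicename' => sanitize_title( $new ),
		),
		array( 'ID' => $user->ID ),
		array( '%s', '%s' ),
		array( '%d' )
	);
	if ( false === $updated ) {
		return new WP_Error( 'db', $wpdb->last_error );
	}

	// Drop cached copies of the user so the next lookup reads the new login.
	clean_user_cache( $user->ID );

	return get_user_by( 'id', $user->ID );
}

$result = rl_rename_login( RL_OLD_LOGIN, RL_NEW_LOGIN );
if ( is_wp_error( $result ) ) {
	WP_CLI::error( $result->get_error_message() );
}
WP_CLI::success( sprintf( "Login '%s' is now '%s'; the password is unchanged.", RL_OLD_LOGIN, $result->user_login ) );

// The rename does not touch the fields that are printed publicly; warn if they still carry the old login.
foreach ( array( 'display_name', 'nickname' ) as $field ) {
	if ( 0 === strcasecmp( (string) $result->$field, RL_OLD_LOGIN ) ) {
		WP_CLI::warning( "$field still equals the old login; change it in Users > Your Profile." );
	}
}
```

Log in with the new name afterwards; existing sessions are keyed by user ID and stay valid.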
Two...
Never leave your administrative username as your display name.
When you create the user account you log into your WordPress site with, the username you choose is automatically set as the name displayed publicly on the posts and pages you create. Keep in mind that the display name is not the only place the username shows up: WordPress also derives the user's slug from it, and that slug appears in author archive URLs (/author/your-slug/) and in the REST API's user listing, so changing the display name alone does not fully hide the login.
To change what gets displayed to your website-viewing audience, hover over Users and choose Your Profile. Find the field Nickname and change it to something other than your username.
Below Nickname, you will see Display name publicly as. Click the down arrow to see your choices.
You can either fill in the First Name and Last Name fields and use a combination of those two fields, or you can choose to use the new display name you have just entered. Consider making your Nickname something like Subscriber or even Author if you decide not to use a combination of your first and last name.
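The profile edits above can also be enforced automatically so that no account, new or existing, ends up with its login as its public name. The following must-use plugin (wp-content/mu-plugins/display-name-guard.php) is an added example, not code from the original post: on every user save it replaces a display name or nickname that equals the login, and it also replaces a user slug (user_nicename) that still matches the login, since that slug is what author archive URLs and the REST API expose. The `wp dng audit` command it registers lists existing users that still need fixing. The plugin name, function prefix and the fallback display name "Author" are assumptions.

```php
<?php
/**
 * Plugin Name: Display Name Guard (added example, not from the original post)
 * Description: Keeps user logins out of publicly displayed fields.
 * Drop into wp-content/mu-plugins/ to activate it automatically.
 */

/**
 * Work out which public fields of a user still reveal the login.
 * Returns an array of field => replacement, empty when nothing needs to change.
 */
function dng_required_changes( WP_User $user ) {
	$login   = $user->user_login;
	$changes = array();

	// display_name defaults to the login and is printed in by-lines.
	if ( 0 === strcasecmp( $user->display_name, $login ) ) {
		$first = trim( (string) $user->first_name );
		$last  = trim( (string) $user->last_name );
		$changes['display_name'] = ( '' !== $first || '' !== $last ) ? trim( "$first $last" ) : 'Author'; // assumption: fallback name
	}

	// nickname also defaults to the login and is one of the "Display name publicly as" choices.
	if ( 0 === strcasecmp( (string) $user->nickname, $login ) ) {
		$changes['nickname'] = isset( $changes['display_name'] ) ? $changes['display_name'] : $user->display_name;
	}

	// user_nicename is the slug in /author/<slug>/ and the REST users endpoint; it is
	// derived from the login, so a hidden display name alone does not hide the login.
	if ( 0 === strcasecmp( $user->user_nicename, sanitize_title( $login ) ) ) {
		$changes['user_nicename'] = sanitize_title( wp_generate_password( 12, false ) );
	}

	return $changes;
}

/**
 * Apply the required changes to one user. Hooked to user creation and profile saves.
 */
function dng_enforce( $user_id ) {
	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return;
	}
	$changes = dng_required_changes( $user );
	if ( empty( $changes ) ) {
		return;
	}
	$changes['ID'] = $user_id;

	// wp_update_user() fires profile_update itself; unhook to avoid recursing.
	remove_action( 'profile_update', 'dng_enforce' );
	wp_update_user( $changes );
	add_action( 'profile_update', 'dng_enforce' );
}
add_action( 'user_register', 'dng_enforce' );
add_action( 'profile_update', 'dng_enforce' );

// `wp dng audit` reports existing accounts that would be changed, without changing them.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
	WP_CLI::add_command( 'dng audit', function () {
		foreach ( get_users( array( 'fields' => 'ID' ) ) as $id ) {
			$user    = get_userdata( $id );
			$changes = dng_required_changes( $user );
			if ( ! empty( $changes ) ) {
				WP_CLI::log( sprintf( '%s: %s still reveal the login', $user->user_login, implode( ', ', array_keys( $changes ) ) ) );
			}
		}
	} );
}
```

Run the audit first; then saving each listed profile (or calling dng_enforce for each ID) applies the changes. Changing user_nicename changes that user's author archive URL, so expect old /author/ links to stop resolving.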
Three...
Never use your administrative username on posts and/or pages.
When you are the only person who creates posts and/or pages on your site, you sometimes forget there are other roles available in your self-hosted WordPress site.
You should create another account with the role of Author for posts/pages.
Subscriber will not work, because WordPress only lists users who can at least edit posts in the author selector, so you cannot assign posts/pages to a subscriber account. Editor has far more permissions than Author (it can edit and publish everyone's posts and pages and moderate comments), so do not use it for this account. Contributor has fewer permissions than Author, not more, but its own posts must wait for review, so Author is the simplest fit.
It is totally fine to create the posts/pages while logged in as the administrator, but before the post/page goes live you should change its author to the Author account you set up.
Even if a hacker gets into the Author account, there is only so much damage they can do: the Author role can write, publish and delete only its own posts and upload media, and it cannot install plugins, edit themes, manage users or change settings.
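The "change the author before it goes live" step can be automated so it is never forgotten. The must-use plugin below is an added example, not code from the original post: it hooks the data WordPress is about to save for a post or page, and when the status is publish and the author is an administrator (anyone with manage_options), it reassigns the item to the dedicated Author-role account. Drafts stay with the administrator, so editing as admin still works as the text describes. The by-line account's login, the plugin name and the function prefix are assumptions. An Author-role user cannot edit pages themselves, but any user can be recorded as a page's author, which is all the by-line needs.

```php
<?php
/**
 * Plugin Name: Publish As Author (added example, not from the original post)
 * Description: Moves posts/pages off administrator accounts when they are published.
 * Drop into wp-content/mu-plugins/ to activate it automatically.
 */

// Login of the low-privilege account created for by-lines (assumption; change to yours).
const PAA_BYLINE_LOGIN = 'site-byline';

/**
 * Decide who should own an item that is about to be saved.
 * Kept free of side effects so the rule is easy to read and to test.
 */
function paa_choose_author( $post_status, $post_author_id, $byline_user_id ) {
	if ( 'publish' !== $post_status || ! $byline_user_id ) {
		return $post_author_id;            // drafts and scheduled items may stay where they are
	}
	if ( user_can( $post_author_id, 'manage_options' ) ) {
		return $byline_user_id;            // never publish under an administrator's name
	}
	return $post_author_id;                // already a low-privilege author; leave it
}

/**
 * Look up the by-line account and require it to hold exactly the Author role.
 * Returns the WP_User, or null if the account is missing or over-privileged.
 */
function paa_byline_user() {
	$user = get_user_by( 'login', PAA_BYLINE_LOGIN );
	if ( ! $user || array( 'author' ) !== array_values( (array) $user->roles ) ) {
		return null;
	}
	return $user;
}

/**
 * wp_insert_post_data runs before every post/page save; adjust the author field here.
 */
function paa_filter_post_data( $data, $postarr ) {
	if ( ! in_array( $data['post_type'], array( 'post', 'page' ), true ) ) {
		return $data;
	}
	$byline = paa_byline_user();
	if ( ! $byline ) {
		return $data;                      // misconfigured: change nothing rather than guess
	}
	$data['post_author'] = paa_choose_author( $data['post_status'], (int) $data['post_author'], $byline->ID );
	return $data;
}
add_filter( 'wp_insert_post_data', 'paa_filter_post_data', 10, 2 );
```

Create the by-line account first (Users > Add New, role Author) so paa_byline_user() finds it; if it is missing or has been promoted to a higher role, the filter deliberately leaves the data untouched instead of publishing under an unexpected account.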
Please keep in mind that these are three, simple security measures you can take without plugins, but they should not be the only security measures you take to secure your WordPress site.
In a later post, we will cover some plugins you can install and activate on your WordPress site to further enhance your site security.
Source: 3 simple ways to start your WordPress site security without plugins