Your website security should always be at the top of your concerns
Website security has many different layers. There are applications that hook up or “tie into” your website, such as Facebook and Google+, and various types of plugins that make contact with your databases and information. Another type of security issue is assigning users to your WordPress website. Will they share their password and login information with someone else? And if they do, how would you know? What types of roles should users in your site have? In addition to user role security, there is the ever-present risk that someone could attack your database with measures such as SQL injection attacks. Also very important is having a user name and password combination that is secure. And last, but certainly not least, you need to secure your server and FTP accounts and any admin roles that may have access to your hosting account.
What are the best ways to maximize my website security?
Users and roles
Your WordPress website can have several users or several hundred users. Normally a site would not have several hundred users, but some do. Sites where user registration is necessary in order to interact with an area of the website, such as our support forums here on Mr. WPress, may warrant many different users. Those users should be able to access their own account information and nothing else. They should have no other privileges within the website. For example, they should not be able to log in and start changing content in your website’s pages. Instead, they should be given a role with specific privileges as to what they are allowed to do. WordPress has made it very easy to give different levels of privileges to different types of users. Here is a list of the different types of users that can be assigned.
- Administrative Role – Gets all of the power of the website. Can manage users, posts, pages and plugins. Everything pertaining to the website’s functionality.
- Editor – This role is for someone to post and edit posts. They can also manage other users’ posts.
- Author – This is given to an author that writes on your site and you only want them to manage their posts and their posts alone.
- Contributor – A role for an individual that can write and manage their own posts, but does not have the ability to publish them. An admin must review and publish on their behalf.
- Subscriber – An individual that can only manage their profile and nothing else. Cannot make any contributions to the website.
Understanding these user roles is important, because every time you add someone to your website to help with your workload or to contribute, you don’t want to make them an admin. That is giving everyone the ability to have a really bad day, lose control, and possibly take it out on your website. You want to give these permissions out according to the level of access and the tasks the person really needs. A typical website may have one or two administrative roles. All other roles are reserved for people under them, who escalate any matters as necessary to the administrators.
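One way to check that roles are being handed out this way is to audit them from time to time. The following is an added example, not code from this article or from WordPress itself; it assumes WordPress is loaded, and the `mrw_` names and the limit of two administrators are choices made for the sketch.

```php
<?php
// Added example, not from the original article: a least-privilege audit.
// Assumes WordPress is loaded (for instance, the file is included by a plugin).
// The mrw_ prefix and MRW_MAX_ADMINS are names invented for this sketch.
const MRW_MAX_ADMINS = 2; // the article suggests one or two administrators

function mrw_audit_roles() {
    $report = array( 'counts' => array(), 'admins' => array(), 'warnings' => array() );

    // count_users() reports how many accounts hold each role.
    $counts           = count_users();
    $report['counts'] = $counts['avail_roles'];

    // Name every account that holds the administrator role.
    $admins = get_users( array( 'role' => 'administrator', 'orderby' => 'registered' ) );
    foreach ( $admins as $user ) {
        $report['admins'][] = array(
            'login'      => $user->user_login,
            'email'      => $user->user_email,
            'registered' => $user->user_registered,
        );
    }
    if ( count( $admins ) > MRW_MAX_ADMINS ) {
        $report['warnings'][] = sprintf(
            '%d administrators found, expected at most %d',
            count( $admins ),
            MRW_MAX_ADMINS
        );
    }

    // Self-registered visitors should start with the lowest role.
    if ( get_option( 'users_can_register' ) && 'subscriber' !== get_option( 'default_role' ) ) {
        $report['warnings'][] = 'Open registration assigns the role: ' . get_option( 'default_role' );
    }

    // Accounts with no role at all are usually leftovers worth reviewing.
    if ( ! empty( $counts['avail_roles']['none'] ) ) {
        $report['warnings'][] = $counts['avail_roles']['none'] . ' account(s) have no role';
    }

    return $report;
}
```

An empty `warnings` list means the site matches the pattern described above; anything else is a prompt to review who holds which role.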
Plugins and third party technologies
First of all, let’s start by saying you should never add a plugin to your site without having done a proper amount of research on it. With that being said, whenever possible, you should go with the original author’s plugin or their way of integration. This is very important because 3rd party plugins and technologies can be a major security risk. You really have no clue who the authors are or what they may be putting on your website. A perfect example of this would be the Facebook plugin. The Facebook plugin is a pretty difficult plugin to get installed and set up, and for that reason a lot of people just go with a 3rd party plugin to try to save themselves a hassle. The Facebook plugin for WordPress authored by Facebook is the best way to get all of the power of Facebook exactly how they intended it. Their software is tied into their own framework and maintained by their own developers, and simply by releasing an update they can respond to security issues as they come up over time. This is only one example, but the same reasoning should be applied in your decision making when finding a plugin for your needs. If the original author has authored a technology for your website needs, you go with that option above all others.
Tracking user logins
Tracking user logins, meaning the time each user logged in and from what IP, can be a valuable resource for keeping your site secure. If you notice some suspicious activity and can put it around a time frame, then you can isolate the users that were in your system at that time. In addition, you can manage where users can log in from. So if you only want them to log in from work, on work IPs, then that can be done. Making sure you have a log of user activity is a ground-level move toward maintaining your website security.
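Here is one way to do both things, as an added example that is not part of the original article or of WordPress: it records the time and IP of each login, limits privileged roles to listed addresses, and answers "who logged in during this window?". It assumes WordPress is loaded; the `mrw_`/`MRW_` names and the IP addresses are made up for illustration.

```php
<?php
// Added example, not from the original article. Assumes WordPress is loaded
// (e.g. saved as a small plugin). Names starting with mrw_/MRW_ are invented
// here; the addresses are constructed documentation-range values.
const MRW_OFFICE_IPS       = array( '203.0.113.10', '203.0.113.11' );
const MRW_RESTRICTED_ROLES = array( 'administrator', 'editor' );

function mrw_client_ip() {
    // REMOTE_ADDR is the connecting peer. Behind a reverse proxy this is the
    // proxy's address, and the allow-list above must account for that.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
}

// Record the time (Unix timestamp) and IP of every successful login, newest first.
add_action( 'wp_login', function ( $user_login, $user ) {
    $history = get_user_meta( $user->ID, 'mrw_login_history', true );
    $history = is_array( $history ) ? $history : array();
    array_unshift( $history, array( 'time' => time(), 'ip' => mrw_client_ip() ) );
    update_user_meta( $user->ID, 'mrw_login_history', array_slice( $history, 0, 50 ) );
}, 10, 2 );

// Refuse logins for privileged roles unless they come from an allowed address.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! ( $user instanceof WP_User ) ) {
        return $user; // credentials already failed; leave that result alone
    }
    if ( ! array_intersect( MRW_RESTRICTED_ROLES, $user->roles ) ) {
        return $user; // this role may log in from anywhere
    }
    if ( in_array( mrw_client_ip(), MRW_OFFICE_IPS, true ) ) {
        return $user;
    }
    error_log( sprintf( 'Login denied for %s from %s', $user->user_login, mrw_client_ip() ) );
    return new WP_Error( 'mrw_ip_denied', 'Login is not allowed from this network.' );
}, 40, 3 );

// Which accounts logged in during a suspicious time window (Unix timestamps)?
function mrw_logins_between( $start, $end ) {
    $hits = array();
    foreach ( get_users( array( 'meta_key' => 'mrw_login_history' ) ) as $user ) {
        foreach ( (array) get_user_meta( $user->ID, 'mrw_login_history', true ) as $entry ) {
            if ( $entry['time'] >= $start && $entry['time'] <= $end ) {
                $hits[] = array( 'login' => $user->user_login ) + $entry;
            }
        }
    }
    return $hits;
}
```

The history lives in user meta, which an administrator can edit, so for investigations you would also want the same events written to a log outside the site's database.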
SQL injection attacks
Say what? What is an “SQL injection attack”? An SQL injection attack is performed by an outside user. The user goes to a form on your site and submits an SQL query string that your SQL server then processes, and who knows what it could do. It may just wipe out your entire database, never to be seen again unless you have a previously backed up version. It may update and change information on your website. There are a multitude of things an SQL injection attack can do to your site and they are all ugly. For this reason, choosing plugins from well-known authors is again a big factor in keeping things like this at bay. Making sure your PHP programmer understands SQL injection attacks and does not leave any loopholes open for outside attacks is vital. Well written code that is up to date, as well as well researched 3rd party technologies, can help you avoid these types of nightmares.
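To show what "not leaving loopholes open" looks like in WordPress code, here is an added example (not from the original article) with the unsafe pattern next to the safe one. It assumes WordPress is loaded; the `signups` table and the `mrw_` function names are hypothetical.

```php
<?php
// Added example, not from the original article. Assumes WordPress is loaded and
// that a custom table {prefix}signups (hypothetical) stores form submissions.

// BEFORE: the form value is pasted into the SQL text, so whatever the visitor
// typed is parsed by the database as part of the query itself.
function mrw_find_signup_unsafe( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'signups';
    return $wpdb->get_results( "SELECT id, email FROM $table WHERE email = '$email'" );
}

// AFTER: validate the value, then pass it as a parameter. $wpdb->prepare()
// escapes and quotes %s values, so the input can only ever be data.
function mrw_find_signup( $email ) {
    global $wpdb;
    $email = sanitize_email( wp_unslash( $email ) );
    if ( ! is_email( $email ) ) {
        return array(); // reject anything that is not an e-mail address
    }
    $table = $wpdb->prefix . 'signups';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, email FROM {$table} WHERE email = %s", $email )
    );
}

// LIKE searches need one more step: esc_like() neutralises % and _ wildcards
// before the value is bound, otherwise a lone "%" matches every row.
function mrw_search_signups( $term ) {
    global $wpdb;
    $term  = sanitize_text_field( wp_unslash( $term ) );
    $like  = '%' . $wpdb->esc_like( $term ) . '%';
    $table = $wpdb->prefix . 'signups';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, email FROM {$table} WHERE email LIKE %s LIMIT %d", $like, 20 )
    );
}
```

When reviewing a plugin, a quick check is to look for queries built like the first function: any variable placed directly inside the SQL string is a reason to look closer.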
User names and passwords
A user name should be something you can remember and is unique to you. This is most commonly the person’s first name or nickname or something of that nature. A user name is just an identifier for you as part of the user name and password combination verification system. In a database, it is possible for two users to have the same password. However, no two users will ever have the same user name. The password, however, is where the security value is. The user name should not be anything extravagant. As long as it is good for you and does not match any other users in the database, you are good to go. The password, however, should be constructed in a way that you will be able to remember it, but it will be impossible for someone else to crack or hack. Even a super computer would take over 100 years to crack an eight-character password using upper and lower case letters, a special character and at least one number. A common practice is to make a password out of a word you know. So for example, from “aligators” we could write a password as “@Lig8t0rS”. See how it still spells the word, but just in a unique fashion. This is a very strong password right here. As long as you did not share it with anyone else, kept it private and never sent it over email or anything of that nature, you would not have to fear someone being able to obtain it.
Securing your cPanel for hosting and all FTP user accounts
Your website and all of its information, including databases, live in your hosting account cPanel. That includes your FTP accounts. As a rule of thumb, you should create your FTP accounts giving users access only to specific folders. Administrators within your company, and obviously the webmaster, would be an exception to the rule. Those individuals need access to the entire site’s file structure. But some developers and other types of roles may only need access to work within a given folder on the site and all of its sub-directories. Just like setting the user roles in the section above, you also want to make FTP accounts based on what the user should be doing. This helps minimize any potential damage from a fired or disgruntled employee, etc. Similar to the user names and passwords section above, you want to make sure you have a really good password set for your hosting account cPanel login. Remember, that is where everything lives, and you don’t want anybody other than you and maybe some well-trusted site manager or company to have access to it. Other than that, you should be safeguarding and keeping absolute control over that information. And it should go without saying, but this is the very first password you need to change when letting go of someone that may have it.