
20th May 2016

Backing up WordPress

An important part of data security, whether for your own files on a computer, an external drive, a disc, or, in this case, a website running WordPress, is having a proper backup routine in place. When you run a WordPress site there is always a risk of something going wrong. A WordPress site is a set of files sitting on a web server, and that server talks to a database server. Between visitors browsing the site, you creating content, and plugins and updates changing files and database tables, there is a small but real chance that something breaks.

In those cases, having a backup in place and being able to restore the site to a known-good state will save you a lot of time and a lot of heartache. Many web hosts now include backups as a standard part of their hosting. Even so, it's a good idea to set up your own backup routine for your WordPress site: back up both the files and the database (posts and settings live in the database, while themes, plugins and uploads live in wp-content, so one without the other is not a working site), keep a copy somewhere other than the server that hosts the site, and restore a backup to a test site now and then to confirm it actually works.

An example of a good plugin you can install is VaultPress, created by Automattic, the company behind WordPress.com.
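If you would rather script your own routine, the following Python script is an added example (not code from the original post, nor from VaultPress or WordPress itself) of the three pieces a home-made backup needs: reading the database credentials out of wp-config.php, building the matching mysqldump command, and archiving wp-content with a checksum so the off-server copy can be verified before you rely on it. The sample wp-config.php and the sample wp-content tree are constructed inside the script so it runs offline; the mysqldump command is built but not executed, since the demo has no database.

```python
import hashlib
import re
import tarfile
import tempfile
from pathlib import Path

# wp-config.php holds the database credentials as PHP define() calls, e.g.
#   define( 'DB_NAME', 'wp_example' );
# The regex tolerates either quote style and optional whitespace, which is how
# real files vary between installers.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]"""
    r"""\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def parse_wp_config(text: str) -> dict:
    """Return the DB_* settings found in the text of a wp-config.php."""
    return dict(DEFINE_RE.findall(text))


def mysqldump_command(cfg: dict, out_file: str) -> tuple:
    """Build the mysqldump argv and environment for the site's database.

    The password goes into MYSQL_PWD in the environment rather than on the
    command line, so it is not visible in `ps` output on a shared host.
    WordPress allows DB_HOST to carry a port or socket after a colon.
    """
    host = cfg.get("DB_HOST", "localhost")
    extra = None
    if ":" in host:
        host, extra = host.split(":", 1)
    argv = ["mysqldump", "--single-transaction", f"--host={host}"]
    if extra:
        argv.append(f"--port={extra}" if extra.isdigit() else f"--socket={extra}")
    argv += [f"--user={cfg['DB_USER']}", f"--result-file={out_file}", cfg["DB_NAME"]]
    return argv, {"MYSQL_PWD": cfg["DB_PASSWORD"]}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_wp_content(wp_root: Path, dest: Path) -> str:
    """Tar up wp-content (themes, plugins, uploads) and write a checksum file
    next to it, so the copy kept off the server can be checked later."""
    with tarfile.open(dest, "w:gz") as tar:
        tar.add(wp_root / "wp-content", arcname="wp-content")
    digest = sha256_of(dest)
    Path(str(dest) + ".sha256").write_text(f"{digest}  {dest.name}\n")
    return digest


def verify_archive(dest: Path) -> bool:
    """Restore check: the checksum still matches and the archive really
    contains wp-content. Run this against the off-server copy."""
    expected = Path(str(dest) + ".sha256").read_text().split()[0]
    if sha256_of(dest) != expected:
        return False
    with tarfile.open(dest, "r:gz") as tar:
        return "wp-content" in tar.getnames()


# Constructed sample wp-config.php so the routine can be exercised offline.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_example' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'correct horse battery staple' );
define( 'DB_HOST', 'localhost' );
"""


def run_demo() -> dict:
    """Build a throwaway site in a temp dir, archive it, and verify the archive.
    A real routine would also run the mysqldump argv with subprocess.run(...),
    passing env merged into os.environ, and copy both outputs off the server."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (uploads / "hello.txt").write_text("sample upload\n")  # constructed upload
        (root / "wp-config.php").write_text(SAMPLE_WP_CONFIG)

        cfg = parse_wp_config((root / "wp-config.php").read_text())
        argv, env = mysqldump_command(cfg, str(Path(tmp) / "db.sql"))
        archive = Path(tmp) / "wp-content.tar.gz"
        digest = archive_wp_content(root, archive)
        return {
            "cfg": cfg,
            "argv": argv,
            "env_keys": sorted(env),
            "verified": verify_archive(archive),
            "digest": digest,
        }


if __name__ == "__main__":
    result = run_demo()
    print("database dump command:", " ".join(result["argv"]))
    print("archive verified:", result["verified"], "sha256:", result["digest"])
```

Run it from a cron job on the server, then copy the dump, the archive and its .sha256 file to a second location; the verify step is the one most people skip, and it is the only way to know the backup is restorable before you need it.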

Secure usernames and passwords

All WordPress sites have at least one administrator account. That is the account used to change the site's configuration, install plugins and themes, and read and edit absolutely all the content on the site. That means anyone who wants to get into your site for malicious purposes will try to log in as one of these administrator accounts. As a result, it's important that you have sensible usernames and really strong passwords, especially on your administrator accounts, so that it's hard for automated tools and real people alike to get in.

When you create a username for your administrator account, or for any other account on your site for that matter, there are a couple of usernames to avoid, and there are historical reasons for this. The most important username to avoid, at all cost, is admin. Historically, WordPress shipped with a default administrator account named admin. As a result, practically every automated tool that scans the web for WordPress sites starts by assuming the username is admin and then runs a brute-force attack on the password.

Brute-forcing here means working through a long list of likely passwords, the most common ones first, and checking whether any of them gets the tool in. If you don't use admin as an account name, that first assumption is already wrong and the cheapest attacks miss. This is also why admin is no longer the default username for WordPress; since version 3.0 you choose the administrator's username during installation. While we're at it, there are a couple of other names you should avoid. They include:

  • Administrator,
  • user,
  • test and
  • the Site name


And you’ll notice all of these names have something in common. They’re not really user names, are they? They’re just like default, boring names that you would put in if you just don’t think about anything else.

So what is a good username? Anything other than these five. You can use your own name, you can use an email address, you can use pretty much anything except these non-descript names that don't mean anything. Avoiding them takes your site off the easy path for automated attacks that only try the obvious usernames. A username is not a secret, though: WordPress reveals a user's login name in places such as author archive URLs, so a determined attacker can usually discover it. The real security feature of the login screen is the password. People often ask me how they can make good passwords that they can also remember, because everyone has seen all these requirements.

You have to make a password that has at least six characters, upper and lower-case letters, two spaces, at least two numbers, and preferably some language you don't know. The reality is that, other things being equal, the longer a password is, the better that password is. So instead of trying to make some short cryptic password that's impossible to remember, consider making really long passwords instead: full sentences, or several words strung together. Every character you add multiplies the number of guesses a computer has to make.

So an 8-character password is less secure than a 16-character one, even if the 16 characters are ordinary words while the 8 are random letters and numbers, provided the words are picked freely rather than being a famous quote or a common phrase. Cracking tools do know about words: they try dictionary words and combinations of them, so what protects a passphrase is the sheer number of possible word combinations, and that number grows quickly with every word you add. Four or five unrelated words is a good starting point. Personally, I make relatively long passwords and then swap o's for 0's or i's for 1's and things like that, to make them a little more cryptic. Be aware that these substitutions are also well known to cracking tools, which apply them automatically, so on their own they add little; the length is what does the work. Even so, I still have passwords that are real sentences that you can say out loud and that are easy to remember.
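To put numbers on the argument above, here is an added Python example (not code from the original post) that estimates the strength of the two strategies the way an attacker would: random characters are measured by the size of the character set raised to the length, while word-based passphrases are measured by the size of the word list raised to the number of words, because a cracking tool that knows you used words searches word combinations, not characters. It also undoes the o/0 and i/1 style substitutions to show the base word a cracking tool effectively searches for. The guess rates and word-list sizes are assumptions, stated in the code.

```python
import math


def random_chars_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in `length` characters drawn uniformly from an
    alphabet of `alphabet_size` symbols: the space a character-by-character
    brute force has to search."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, vocab_size: int) -> float:
    """Bits of entropy in `words` words drawn uniformly from a list of
    `vocab_size` words: the space a dictionary-combination attack searches.
    Counting the characters of a passphrase instead would overstate it."""
    return words * math.log2(vocab_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at the given guess rate."""
    return 2.0 ** bits / guesses_per_second


# The substitutions mentioned above (o->0, i->1 and friends) are standard
# mangling rules in cracking tools; undoing them shows the base word the tool
# effectively searches for, which is why they add little on their own.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    return password.translate(LEET).lower()


# Assumed attacker rates. 1e10 guesses/s is representative of an offline
# attack on a stolen database of fast unsalted hashes on a GPU; WordPress's
# slower phpass hashing cuts that by orders of magnitude, and an online attack
# against a login form that is throttled gets only a handful of tries a second.
OFFLINE_GUESSES_PER_SECOND = 1e10
ONLINE_GUESSES_PER_SECOND = 10


def compare() -> dict:
    """Strength of the strategies discussed above. The list sizes are
    assumptions: 2000 stands in for an attacker's list of the most common
    words, 7776 is the size of a Diceware-style word list."""
    candidates = {
        "8 random chars": random_chars_bits(8, 62),      # a-z, A-Z, 0-9
        "16 random lowercase": random_chars_bits(16, 26),
        "3 common words": passphrase_bits(3, 2000),
        "4 diceware words": passphrase_bits(4, 7776),
        "6 diceware words": passphrase_bits(6, 7776),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "offline_days": seconds_to_exhaust(bits, OFFLINE_GUESSES_PER_SECOND) / 86400,
            "online_years": seconds_to_exhaust(bits, ONLINE_GUESSES_PER_SECOND) / (86400 * 365),
        }
        for name, bits in candidates.items()
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:20} {r['bits']:5.1f} bits  "
              f"offline ~{r['offline_days']:.1f} days  online ~{r['online_years']:.0f} years")
    print("W0rdPr3ss! is searched as:", normalise("W0rdPr3ss!"))
```

The numbers show both halves of the point: four words from a large list already beat eight random characters, while three words picked from the commonest couple of thousand do not, so the words need to be chosen freely and there need to be enough of them. They also show why the login form itself matters: at a throttled online rate even the weakest entry takes lifetimes, so the offline column is what an attacker is hoping for if they ever get hold of the database.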

So, create usernames that aren't the obvious defaults, and long passwords, and you're well on your way to a more secure WordPress site.

Part 3 of the WordPress Security Best Practices series:
Part 1 : Is WordPress Secure?
Part 2 : Keeping WordPress up to date
Part 3 : WordPress Backups and Logins

About Blueocto

Blueocto is a web design and development company, based in North Tyneside, UK.

We work with sole traders, small and medium-sized businesses.
