Protecting Your Online Assets: WordPress Security Best Practices

I’m so glad to be featuring this fantastic post written by Cindy Bidar, one of the smartest gals I know on the topic of WordPress Security.  I’m pleased to announce that Cindy will be providing us with regular WordPress helps over on our brand new WP Tips blog.

It’s no surprise that WordPress is a favorite among online business owners, bloggers, and other web masters. It’s free, easy to install and use, and offers thousands of plugins and themes to extend the functionality and customize the look, so that your site is uniquely yours.


But all that open-source goodness brings with it a pretty big risk of being hacked. Here’s why:

  • Just like you, attackers can read the code that makes WordPress and its themes and plugins work, and they study it for flaws that will let them gain unauthorized access to your site. New vulnerabilities, most of them in plugins and themes, are disclosed at a steady rate, and working exploit details circulate quickly, so a site that has not applied the fix can be attacked by people who never found the bug themselves. (The same openness is what lets researchers find and report those flaws before they are abused, so it cuts both ways.)
  • No developer licensing board exists. While that’s a good thing for plugin and theme creators, it means site owners are left to decide if a particular plugin developer truly knows his stuff, or if he’s leaving a door wide open for a hacker.
  • Millions of sites are powered by WordPress, from tiny little hobby blogs to huge news outlets. The community of developers and passionate users is enormous, so you can always find the help you need, but the sheer volume (60 million sites according to Forbes magazine) makes it a tempting target for hackers.
  • Because it's so easy to use, WordPress is attractive to those who aren't tech savvy. Suddenly, everyone has a web presence, but it's rather like giving a child a car. Without proper training, someone could get hurt.

Should You Be Worried?

WordPress core itself is actively maintained, security fixes ship quickly, and one in six sites online runs on it, so the platform is not the weak point. Popularity does not protect any individual site, though: in practice the compromises you read about trace back to an out-of-date install, a weak or reused password, or a vulnerable plugin or theme far more often than to WordPress itself.

But due diligence is certainly in order for every website owner. That means taking a few simple steps to lock down your site and keep it protected from the bad guys.

Start with Good Installation

Your host probably gives you access to the oh-so-easy “one click installation for WordPress.” It’s tempting, isn’t it? It’s fast. It’s easy. You don’t have to get your hands dirty at all. Just click a button and you’re done.

Please don’t do it.

One click installers are generally a bad idea. Here’s why:

  • They may install an out-of-date version of the software. At the time of this writing, Fantastico is installing WordPress version 3.3.1, while the most current version of WordPress is 3.5.1!
  • They may not allow you to choose your database name, database user, or table prefix, so every site they set up shares the same predictable defaults. A known database name is not a way in by itself, but it is one less thing an attacker has to guess, and it pairs badly with a weak database password or a SQL injection flaw in a plugin.
  • They leave traces of their existence. You can easily search Google for the telltale signs of a Fantastico installation and be rewarded with a list of thousands of blogs that all share those same defaults, which is exactly how attackers build their target lists.
  • They can “help” you by installing additional themes and plugins you don’t need. One hosting company installs more than 100 themes on every “one click” WordPress installation.

So what’s a website owner to do? Install WordPress manually. Choose your own database name, database user, strong database password, and table prefix (the default is wp_), and create an administrator account with a user name other than admin. It’s not hard to do, and WordPress gives you all the instructions. If you’re not comfortable with the geeky bits (it’s really not that bad) you can hire a virtual assistant to take care of it for you. Just make sure you specify that anyone you hire should not use a one-click installer, and change every password they were given once the job is done.

Password Management

When you want to keep your home safe from intruders, you don’t start off by digging a moat. You simply change the locks.

The same is true for WordPress security. The first step is to change the locks. That means updating your passwords to something better than your dog’s name or your spouse’s birthday. Ideally, a password should:

  • Be 18 characters minimum
  • Contain upper- and lower-case letters, numbers, and symbols
  • Be unique – never use the same password for two different accounts
  • Be randomly generated – a password you can remember is one a password-guessing tool can probably guess, so let a tool choose it and store it for you.
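To make the manual-install advice and the password rules above concrete, here is an added example, written for this page rather than taken from the post or from WordPress, that generates a database name, database user, table prefix, database password and the eight wp-config.php secret keys (AUTH_KEY and friends) for a manual install, and checks any password against the four rules in the list. The define() line format is the one wp-config.php uses; the identifier shape (wp_ followed by six random characters) and the 24-character default length are my own choices.

```python
"""Secrets for a manual WordPress install, plus the password policy from the post.
Added example; not code from the post or from WordPress."""
import secrets
import string

# Left out of generated values: look-alike characters, and characters that would need
# escaping inside a single-quoted PHP string (assumption: values are pasted into wp-config.php).
EXCLUDED = set("O0Il1|'\"\\`")
ALPHABET = [c for c in string.ascii_letters + string.digits + string.punctuation
            if c not in EXCLUDED]

# The eight secret keys wp-config.php defines; WordPress uses them to sign cookies and nonces.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def meets_policy(password, min_length=18):
    """The four rules from the list above: length, plus upper, lower, digit and symbol.
    Uniqueness across accounts cannot be checked here; that is the password manager's job."""
    if len(password) < min_length:
        return False
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return all(any(ch in cls for ch in password) for cls in classes)


def random_password(length=24):
    """Draw from the OS CSPRNG (secrets) until the result satisfies meets_policy()."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def random_identifier(stem="wp", n_random=6):
    """A MySQL identifier such as wp_k3x9qa: starts with a letter, unpredictable tail."""
    tail = "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(n_random))
    return f"{stem}_{tail}"


def render_wp_config(values):
    """The lines to paste into wp-config.php, in the same define() form WordPress uses."""
    lines = [
        f"define('DB_NAME', '{values['db_name']}');",
        f"define('DB_USER', '{values['db_user']}');",
        f"define('DB_PASSWORD', '{values['db_password']}');",
        f"$table_prefix = '{values['table_prefix']}';",
    ]
    lines += [f"define('{key}', '{salt}');" for key, salt in values["salts"].items()]
    return "\n".join(lines)


def generate_install_secrets():
    """Everything the manual-install step needs; table_prefix replaces the default wp_."""
    values = {
        "db_name": random_identifier(),
        "db_user": random_identifier(),
        "db_password": random_password(),
        "table_prefix": random_identifier() + "_",
        "salts": {key: "".join(secrets.choice(ALPHABET) for _ in range(64)) for key in SALT_KEYS},
    }
    values["wp_config"] = render_wp_config(values)
    return values


if __name__ == "__main__":
    print(generate_install_secrets()["wp_config"])
```

Run it once per site and paste the output into wp-config.php; the database name, user and password also go into whatever you use to create the MySQL database. Generating the salts yourself is equivalent to fetching them from the WordPress secret-key service, with the advantage that nothing leaves your machine.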

“But,” you’re saying, “how will I remember all my passwords?”

LastPass is a free, secure password management tool that works with any browser. It encrypts and remembers your passwords, and will automatically log you in to every site you visit. The only password you have to remember is your LastPass master password.

The practical win is that the manager fills in the password instead of you typing it, so a run-of-the-mill keystroke logger captures nothing when you log in to a site. Be realistic about the limits: your master password is still typed, and malware that controls the machine can read whatever the browser sends. Public WiFi is a different threat, eavesdropping on the network, and what protects your login there is HTTPS (https:// in the address bar and no certificate warning), not the password manager. If your host supports HTTPS, add define('FORCE_SSL_ADMIN', true); to wp-config.php so the login page and dashboard are never served over plain HTTP.

Don’t forget about your other passwords as well. Your hosting account, domain registrar, and email are all potential points of entry for your online assets, so be sure you’re using strong, unique passwords for all.

User Roles and Capabilities

WordPress has a built in feature to help limit the damage a bad guy can do. It’s called user roles, and the way they work is by allowing you to grant a user only the access he or she needs to do the job at hand. For example, on this blog, I have a user role of “Author.” That means I can log in, create, edit, and publish my own posts. I cannot create pages, add or update plugins or themes, or access the code editor. Should someone gain access to my account, there’s very little they can do to compromise the site.

WordPress user roles are:

  • Super Admin – this is the network administrator. He or she has complete access to all WordPress sites within a network.
  • Admin – this user is the first that’s created on a single WordPress installation, and has complete control over the site.
  • Editor – an editor can publish and manage posts and pages, both his or her own and those that belong to others. He or she cannot access themes, plugins, or the code editor.
  • Author – he or she can create, edit, and publish his or her own posts.
  • Contributor – a contributor can create and edit his or her own posts, but cannot publish them.
  • Subscriber – a subscriber can only read posts, and has no editing capabilities.

You can learn more about roles and capabilities at WordPress.org.

It’s a given, then, that if you have guest posters or others who contribute to your site, you should set them up with the appropriate level of access. But what about you?


Logging in as the administrator for everyday writing is a needless risk. A better option is to create a second account for yourself with a lesser role – Editor, perhaps – and use it for day-to-day tasks. If that account’s password is ever captured (phishing, a reused password, a compromised machine), the attacker gets an Editor’s abilities rather than the keys to the site. Keep the administrator account for installing plugins and running updates, give it its own strong password, and only ever use it over HTTPS.

The same holds true for your hosting account. If you have others who do work for you, there is no reason to give them complete access to your account. For example, if they need to upload a new theme, create an FTP account for them to use. Don’t provide your cPanel user name and password. Always offer the lowest level of access required to get the job done, and remove the account when the job is finished.

A Note About Your Hosting Account

Most hosting providers offer low-cost hosting which they claim includes “unlimited sites, unlimited bandwidth” for less than $10 per month. For someone just starting out, that seems like a great deal. From a security standpoint, though, it is not.

The trouble with hosting multiple sites on a single shared hosting account is that they all run as the same system user with access to the same files. One vulnerable plugin on one site gives an attacker write access to every other site on the account, so if one site is compromised, assume they all are.

A better option is to use a host such as MomWebs.com, which provides WHM (Web Host Manager) access, so you can set up each site on its own cPanel account. That puts a barrier between each site you own, so if one is hacked, the others are protected, and cleanup means restoring one site rather than all of them. Other hosting companies offer a similar option with their reseller or VPS (virtual private server) plans. The price may be a bit higher per month, but the improved security is worth the cost.

Choosing Safe Plugins and Themes

One of the things that makes WordPress so attractive is the generosity of the development community. Thousands of plugins and themes are freely available to help you create a site that looks and performs exactly the way you want. Of course, that means you’ll eventually stumble upon a few bad eggs, as we saw recently with the Social Media Widget plugin.

While most plugins and themes are safe, there are a few steps you must take to protect yourself, your website, and your readers:

  • Only use plugins and themes from trusted sources. Free plugins and themes should come from the WordPress.org directory. Listings there are reviewed when first submitted and are pulled when a security problem is reported and not fixed; that is no guarantee, but it is far better than a random download site. If a free plugin or theme is not in the directory, ask why before you install it, and never use a “nulled” (pirated) copy of a premium theme or plugin: those are a favourite way to get a backdoor onto your site. Premium plugins and themes should be bought directly from the developer and be well supported and well documented.
  • Pay attention to security warnings and updates. Conscientious developers respond to reported vulnerabilities and update their themes and plugins accordingly; a changelog entry that mentions a security fix means update now.
  • Use the tools available to you to monitor your core, plugin, and theme files for unauthorized changes. See the section below about WordFence.
  • Fully inspect any free theme you intend to use for hidden links, encoded (base64) blobs in functions.php or footer.php, and other evidence of unscrupulous developers. See the video below for examples of bad theme behavior.

Update Frequently

I cannot say this enough. Most WordPress security issues can be avoided altogether if you just keep your site up to date. WordPress updates the core files several times per year, and they let you know right in your dashboard that an update is available. They even give you a one-click update option, so there is no excuse for not keeping your site updated. The same goes for plugins and themes. When a new version is released, it’s critical that you update, because once a fix is public, attackers know exactly what the previous version got wrong.

If you’re afraid something might break when you upgrade (that’s pretty rare), take a backup first so you can roll back, or hire someone else to do the dirty work for you. If a plugin or theme breaks after you upgrade, find a different one. Do not sacrifice your site’s security for the sake of a theme that is out of date and won’t work with the current version of WordPress.

In addition, keep an eye on plugins that aren’t being updated. Plugins and themes are sometimes abandoned by their developers, so if you’ve been using a plugin for a while and it’s never been updated, check its page in the WordPress repository to see when it was last updated and whether it is marked as compatible with the current WordPress version. If it has been abandoned, get rid of it, and actually delete it rather than just deactivating it: a deactivated plugin is still a pile of PHP sitting on your server.

Install Plugins Made for Security

Several plugins exist to help WordPress site owners keep their sites safe. One of the best is WordFence, which allows you to:

  • Slow down brute force login attempts by locking out an IP address after a set number of failed logins, and optionally right away when it tries a user name that does not exist.
  • Permanently block the IP addresses of known attackers.
  • Block unnecessary crawlers and bots that just waste your bandwidth.
  • Monitor core, plugin, and theme files for changes.
  • Scan comments for malware and known phishing URLs.
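Here is an added example, not Wordfence’s code, of what the file-change monitoring in the list above (and in the plugin-safety list earlier) amounts to: hash every file under wp-content, keep the result as a baseline, and compare later. The demo builds a throwaway directory tree with one constructed plugin file and one upload, then simulates the three things a monitor should flag: an edited plugin file, a PHP file dropped into uploads, and a deleted upload.

```python
"""Baseline-and-compare integrity check for a WordPress file tree.
Added example of what the file monitoring above does; not Wordfence's code."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of one file, read in chunks so large uploads do not go through memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every regular file under root (symlinks are skipped)."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def save_manifest(manifest, dest):
    """Persist the baseline; keep this file somewhere the web server's user cannot write."""
    dest.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src):
    return json.loads(src.read_text())


def compare(baseline, current):
    """Three lists an operator can act on: files that appeared, vanished, or changed content."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo():
    """Constructed wp-content tree, then three kinds of tampering a monitor should flag."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "wp-content"
        plugin = site / "plugins" / "hello" / "hello.php"
        plugin.parent.mkdir(parents=True)
        (site / "uploads").mkdir()
        plugin.write_text("<?php // constructed plugin file\n")
        (site / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xd9")

        baseline_path = Path(tmp) / "baseline.json"   # in real use: outside the web root
        save_manifest(build_manifest(site), baseline_path)

        # 1. existing plugin file edited  2. PHP file dropped into uploads  3. upload deleted
        with plugin.open("a") as f:
            f.write("// appended after the baseline was taken\n")
        (site / "uploads" / "shell.php").write_text("<?php // should never exist here\n")
        (site / "uploads" / "photo.jpg").unlink()

        return compare(load_manifest(baseline_path), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the baseline immediately after a clean install or update, store it off the web server (an attacker who can rewrite your plugin files can rewrite a manifest kept beside them), and run the comparison from cron. Expect a few legitimate hits after every update; a .php file appearing under wp-content/uploads is almost never one of them.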

Better WP Security is another free plugin that does many of the same things WordFence does, but adds another helpful tool: it lets you move your WordPress login. Automated attacks find the login screen on nearly any WordPress installation simply by adding /wp-admin or /wp-login.php to the end of the domain. Better WP Security lets you change that location to anything you choose, so your login screen might be found at /open-sesame instead. Be clear about what that buys you: it cuts out the bulk of dumb, automated brute force traffic, but it is obscurity, not a lock. A renamed login page is still a login page once someone finds it, and xmlrpc.php (used by mobile apps and remote publishing tools) accepts a user name and password whether or not the login page has moved. Keep the lockout and strong-password advice in place, and disable XML-RPC if you do not use it.

Another important tool included with Better WP Security is the ability to change the admin user name. If you installed WordPress using an automated tool such as Fantastico, you probably have an account named admin. Attackers know the majority of WordPress installations have such an account, and since they already know the user name, all they have to do is guess the password. WordPress does not allow you to change user names within the dashboard, but Better WP Security adds that functionality. Two caveats: WordPress author archive pages reveal each account’s slug, which by default is the login name, so treat the rename as noise reduction rather than a secret, and make sure the new name is not simply your display name. The password and the lockout are still what keep the account safe.
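An added example (mine, not code from Wordfence or Better WP Security) of the lockout logic this section describes, run over constructed Apache access-log lines rather than live traffic. It assumes the heuristic that a POST to the login page answered with 200 is a failed attempt (WordPress redirects with 302 on success) and counts every POST to xmlrpc.php as an attempt, since that endpoint accepts credentials and answers 200 either way. The addresses, timestamps, and the /open-sesame login path are made up for the example; the log shows one attacker who found the renamed login, one who got a 404 there and switched to xmlrpc.php, and one legitimate user who mistyped once.

```python
"""Sliding-window login lockout over web-server access logs.
Added example for this post; not code from Wordfence or Better WP Security."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format: ip - user [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Where the login form lives. /open-sesame is the renamed location from the post (assumed).
LOGIN_PATHS = ("/wp-login.php", "/open-sesame")

# Constructed sample: attacker 203.0.113.5 hammers the renamed login, attacker 198.51.100.7
# gets a 404 on wp-login.php and moves to xmlrpc.php, user 192.0.2.10 fails once then succeeds.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2013:14:22:01 +0000] "POST /open-sesame HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:14:22:04 +0000] "POST /open-sesame HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:14:22:07 +0000] "POST /open-sesame HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:14:22:10 +0000] "POST /open-sesame HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:14:22:13 +0000] "POST /open-sesame HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2013:14:22:16 +0000] "POST /open-sesame HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2013:15:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/1.1"
198.51.100.7 - - [10/Mar/2013:15:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/1.1"
198.51.100.7 - - [10/Mar/2013:15:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/1.1"
198.51.100.7 - - [10/Mar/2013:15:01:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/1.1"
198.51.100.7 - - [10/Mar/2013:15:01:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/1.1"
198.51.100.7 - - [10/Mar/2013:15:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/1.1"
192.0.2.10 - - [10/Mar/2013:16:30:00 +0000] "POST /open-sesame HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2013:16:30:20 +0000] "POST /open-sesame HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2013:16:30:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields we care about, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_failed_login(rec, login_paths=LOGIN_PATHS):
    """Heuristic (assumption): a POST to the login form answered with 200 re-rendered the form,
    i.e. the login failed; success is a 302 redirect to wp-admin. Every POST to xmlrpc.php
    counts, because it takes credentials and answers 200 whether they were right or wrong."""
    if rec["method"] != "POST":
        return False
    if rec["path"] in login_paths:
        return rec["status"] == 200
    return rec["path"] == "/xmlrpc.php"


def find_lockouts(lines, threshold=5, window=timedelta(minutes=5), login_paths=LOGIN_PATHS):
    """Map each offending IP to the moment it reached `threshold` failures inside a sliding `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent failures
    lockouts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in lockouts or not is_failed_login(rec, login_paths):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            lockouts[rec["ip"]] = rec["ts"]
    return lockouts


if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG.splitlines()).items():
        print(f"lock out {ip} from {when.isoformat()}")
```

Note what the output shows: renaming the login page did nothing for the second attacker, who simply used xmlrpc.php. Feed the function your real access log (or tail it continuously) and turn the result into firewall or .htaccess deny rules; a plugin such as WordFence does the same thing from inside WordPress, where it can see the actual authentication result instead of relying on the status-code heuristic.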

Make Regular Backups

If, despite all your precautions, your site is hacked, you’ll be in a much better position if you have a backup. Restoring your site from a backup takes minutes, while cleaning up a hack can take hours and cost you hundreds of dollars.

When you back up your site, remember there are two parts you need: the files and the database. Some backup plugins only back up the database. While that’s important, it leaves out all your file uploads (images, MP3 files, PDFs, etc), your themes, and your plugins, and a database without the wp-content directory that goes with it is only half a site. A better solution is to use an all-inclusive plugin such as BackupBuddy, which creates a copy of everything and stores it off-site.

Do not make the mistake of thinking your hosting company is handling this for you. They may be making backups, but that is for their convenience, not yours. Their backups are often made only once per week, they may not keep multiple copies (so if the copy they have was created after you were hacked, it’s useless to you), and they are stored on the same server as your site, so in the event of a catastrophe (fire, flood, earthquake) your backups will be lost along with your site. Whatever you use, keep several generations, store them somewhere other than the web server, and actually try restoring one to a test site now and then; a backup you have never restored is a hope, not a plan.
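An added example (not BackupBuddy’s code) of the three things the section above says a backup routine must get right: both halves of the site in one archive, a checksum so a damaged or tampered copy is noticed before the day you need it, and several generations kept rather than one. The database dump is a constructed placeholder standing in for mysqldump output, and the site tree is built in a temporary directory; copying the archive and its .sha256 file off the server is left to whatever transfer you already use.

```python
"""Backup archive with both halves of the site, a checksum, and generation rotation.
Added example for this post; not BackupBuddy's code."""
import hashlib
import io
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir, db_dump, dest_dir, when):
    """One archive holding database.sql plus the whole wp-content tree, and a .sha256 sidecar.
    db_dump is the bytes mysqldump would produce (a constructed placeholder in demo())."""
    archive = dest_dir / f"site-{when:%Y%m%dT%H%M%SZ}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        info = tarfile.TarInfo("database.sql")
        info.size = len(db_dump)
        tar.addfile(info, io.BytesIO(db_dump))
        tar.add(str(site_dir / "wp-content"), arcname="wp-content")
    Path(f"{archive}.sha256").write_text(sha256_of(archive) + "\n")
    return archive


def verify_backup(archive):
    """True only if the checksum still matches and both parts of the site are inside."""
    sidecar = Path(f"{archive}.sha256")
    if not sidecar.exists() or sidecar.read_text().strip() != sha256_of(archive):
        return False
    with tarfile.open(str(archive), "r:gz") as tar:
        names = tar.getnames()
    return "database.sql" in names and any(n.startswith("wp-content/") for n in names)


def prune_backups(dest_dir, keep):
    """Keep the newest `keep` (>= 1) archives; timestamped names sort chronologically."""
    archives = sorted(dest_dir.glob("site-*.tar.gz"))
    for old in archives[:-keep]:
        old.unlink()
        Path(f"{old}.sha256").unlink(missing_ok=True)
    return [a.name for a in archives[-keep:]]


def demo():
    """Constructed site and dump; three nightly backups, rotation down to two, then a tamper check."""
    with tempfile.TemporaryDirectory() as tmp:
        site, dest = Path(tmp) / "site", Path(tmp) / "backups"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-content" / "themes").mkdir()
        dest.mkdir()
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xd9")
        (site / "wp-content" / "themes" / "style.css").write_text("/* constructed theme */\n")
        dump = b"-- constructed dump, not real mysqldump output\nCREATE TABLE wp_posts (ID bigint);\n"

        for day in (1, 2, 3):
            make_backup(site, dump, dest, datetime(2013, 3, day, 2, 0, tzinfo=timezone.utc))
        kept = prune_backups(dest, keep=2)
        all_good = all(verify_backup(dest / name) for name in kept)

        # a truncated or bit-flipped copy must fail verification, not surprise you on restore day
        with (dest / kept[0]).open("ab") as f:
            f.write(b"corruption")
        return {"kept": kept, "verified": all_good, "tamper_detected": not verify_backup(dest / kept[0])}


if __name__ == "__main__":
    print(demo())
```

In real use the dump comes from mysqldump run with a read-only database user, make_backup runs nightly from cron, and the archive plus its .sha256 file are pushed to storage that the web server cannot reach. Keeping seven daily generations costs little and is what saves you when the compromise happened last Tuesday and you only noticed today.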

WordPress Security at a Glance

Here’s what you really need to remember about keeping your WordPress sites secure:

  1. Use good strong passwords and manage them with an encrypted password tool such as LastPass.
  2. Give users only the access they need to get the job done – nothing more.
  3. Use plugins and themes only from trusted sources.
  4. Update and back up your site frequently.
  5. Use WordFence and Better WP Security to help keep the bad guys out.

Malicious hackers are out there, and they’re looking for sites that are vulnerable to attack. By compromising an unsecured WordPress site they can distribute malware and viruses, run illegal phishing scams, send thousands of spam emails, or simply deface and destroy the site for sport.

Employ strong security practices such as those outlined here, and stay up to date on the latest WordPress security threats, and you stand a better chance of keeping your site safe from attack.

Search Your Favorite Sites From The Browser

Every one of us has sites we visit regularly to reference the information found there. For me, these sites are:

  • Flickr – to search for Creative Commons Licensed images to use on blog posts
  • WordPress.org Codex – to search for code snippets, functions and template tags
  • WordPress forum – to look up solutions to problems
  • Youtube – to find videos that I can blog about or add to my site/resources etc
  • Internet marketing forums – to see what people are saying about a topic I want to write about and question they are asking

Each one of those web sites has its very own search feature, so what is the problem? No problem. I just like to cut out a few steps and clicks if possible, because some of these sites, especially WordPress, I search several times a day. Bookmarking and navigating to these sites takes time.

So, I installed this cool little Firefox plugin called Add to Search Bar. This lets me add the search function for any web site to my Firefox Search Bar. Which means less looking up for a web site in the overloaded bookmarks folder and less clicking to get to the right page to search.

Tools That Make An Affiliate’s Life Easier

Kelly’s inspirational post about dreaming bigger has really got quite a few of us riled up and ready to go. For me, it couldn’t have been better timing, because this week is also the week my kids start school again. I am excited to reclaim those hours and pour 100% of them into my business once again. Since Kelly talked about affiliate marketing and working harder on it, I thought it would be good to follow up with some tools that can help make your lives as affiliates easier, better and more productive, which hopefully leads to more profits. So here goes.

Password manager – I use Roboform on the PC and 1Password on the Mac; others I know use LastPass and Xmarks. Whatever you decide on, a password manager makes logging in and out of those many affiliate accounts a breeze.

Affiliate link plugin for WordPress – there are a few out there. What does it do? You set a keyword for example “SparkplugU” and tell it to link to your affiliate URL each time SparkplugU is found. All automatic and works for older posts too.

Zemanta – this is a Firefox plugin that will make photo, books, DVD and website resources suggestions for you based on what you are writing about. You can link it up to Amazon – if you’re still their affiliate – and make it easy to add links to products found in Amazon.

A macro utility – Tired of typing your affiliate URL again and again? Copying and pasting is OK but still takes time to open your file, look it up, copy and paste. Too many actions. Use a macro utility. I use something called DirectAccess that helps me do a bunch of things, but one of my favorite uses is for it to help me type in URLs. Instead of typing, I enter a short code and hit ‘End’ the software types the links for me, reducing the amount of typing I do.

Image by sanja gjenero

Lynette enjoys discovering new ways to use technology, or new technologies to use in a business, and in turn helps her clients apply them. You can also find Lynette at her blog, Twitter and Facebook.

Community Chats Using Skype

Last weekend, I decided to try Skype public chats on a community that I run. Here’s how it works. You launch your Skype application, under Chat, go to Start Public Chat. Then you’ll receive a wizard-like utility to setup a Skype public chat room. At the end, you are given a button or link you can copy and paste into your emails, web site or blog.

To chat, anyone who has Skype installed simply clicks on the button or link. A new Skype chat window launches and you can start chatting. My community is forum based, so having the ability to do live chats without installing yet another script and having to manage it myself is a big selling point for me. Also, having the option for scheduled live chats is nice.

The downside: as the public chat room’s creator, you cannot leave the chat, or so it seems – Skype doesn’t give much documentation on that, but I suppose the room would not be available. So definitely not a 24-7 solution, but good for scheduled chats. Later, I found out that the latest version (Skype version 4) does not support this feature :-( The above instructions are based on Skype version 3, which is what I still have.

After digging around a little bit in the forum, it seems that there is a work around to make this work on both Skype 3 and Skype 4. It is a little more technical in Skype 4 though but if this is something you want to try, here are instructions to set up chat links or buttons on Skype 4.

Making Client Appointment Scheduling Painless

Have you ever called up your hairdresser or fitness trainer, got the voice mail, been put on hold, and wished you could just go online to set up an appointment yourself? You’re not alone. Playing phone tag is a pain and not very efficient. The good news is, there are many, many appointment scheduling systems you can take advantage of, some with very little investment.

My favorite is Genbook. This is a pretty complete system. They offer a free basic account where you can take advantage of most of their features. You can start scheduling appointments online in a matter of minutes. I love the ability to assign staff to certain services. It is super simple to use but not lacking in customization. Just tons of features for free. Premium accounts start at $39.99 a month, and you also get the ability to take payments before scheduling the appointment. Perfect for any offline service that doesn’t have an e-commerce component yet.

Other services in this area include

  • Acuity, which also offers a free account and has two other levels at $10 and $19 a month.
  • Schedulicity at $29/month for one user and $49/month for 2-20 users.
  • Appointment-plus, which has three plans beginning at $39/month.

Prefer to do it yourself? Wherever there is fully hosted software, you will usually find standalone software that you can pay a one-time fee for, install on your own web site, and manage yourself. Here are a few I came across.

Photo by jenny w.

Lynette enjoys discovering new ways to use technology, or new technologies to use in a business, and in turn helps her clients apply them. You can also find Lynette at her blog, Twitter and Facebook.

Should You Crowdsource Customer Service

Let’s get the jargon out of the way. Crowdsourcing is a term used to describe the process of soliciting the masses, or your own network of friends, followers, fans, customers, prospects and so on, to accomplish a task or project, or maybe just to answer your questions. So what does it mean to crowdsource your customer support?

A great example of this is how open-source software projects have formed communities where everyone tries to help each other out. Technically, this is not something brand new, but the tools can be. Traditionally, forums have been the tool of choice. But these days, you have great tools like Get Satisfaction and UserVoice.

These are very well built tools that allow users to post their questions and let other users chime in to say “me too” or answer questions. As a business, you can set up your company and use it like your official help desk. It is kind of like a merge of a forum, a personal Yahoo Answers system and a help desk.

The pros:

  • You don’t have to maintain the software
  • You get the ability to tap into the knowledge of the masses – since there’s already a user base there, if they are familiar with your product, others can answer your customer support issues for you, alleviating your work burden
  • You get to use a pretty cool and well built piece of software that would cost you to build or set up on your own and you get started quickly
  • You get to establish a professional support system where you can manage requests and provide support in an orderly and organized method
  • You get to see what people actually think and feel. Granted, you already see this using your own system, but user sentiment and feedback is better captured by these systems, which means you can get a better overview of what people are actually saying.

The cons:

  • If you’re using the free option, you do not get to moderate any posts made by others. This is good and bad. Good in the sense that it encourages transparency but bad in a sense because even if you upgrade and get moderation turned on, you have to provide a reason. To me, it’s like having a ‘boss’ over your shoulder – not exactly my preference.
  • It can get pricey. Get Satisfaction starts at $99/month. UserVoice does have a much more affordable starting point at $19/month but if your system is pretty busy, you may find yourself hitting the limit pretty quickly.
  • You can lose your branding. Branding options only come with paid accounts and for that, refer to con #2. Your customers are directed to a site where they can quickly get distracted with other things. On your own system, you can better control what you present.

What’s the verdict?

I’m not entirely sure. I think it is great if you don’t already have a system in place but want to set up something where you can organize and respond to people effectively. But if you already have a system, then you fragment your support by also setting up on these sites. While I love the idea of crowdsourcing – it is very enticing to me, including the transparency – I’m not sure I like having someone looking over my shoulder when it comes to support issues.

Also, crowdsourcing works a lot better if you actually do have a big following and user base. For smaller companies with limited exposure and user base, at the end of the day, you or your staff will still end up providing the bulk of the support. I’ve decided not to take advantage at this time.

Lynette enjoys discovering new ways to use technology, or new technologies to use in a business, and in turn helps her clients apply them. You can also find Lynette at her blog, Twitter and Facebook.

Photo by sanja gjenero

What is NFIB Virtual Summit?


The NFIB Virtual Summit is an exciting, informal online conference we are hosting on September 15, 2009.  No travel arrangements are necessary – you can attend from the convenience of your home or office!    In case you are not familiar with NFIB – we are the nation’s leading small business association, with offices in Washington, D.C. and all 50 state capitals. We are a nonprofit, nonpartisan organization.  NFIB’s mission is to promote and protect the right of our members to own, operate and grow their businesses.

NFIB is proud to be the host of the Virtual Summit because now – more than ever, it is important for small businesses and entrepreneurs to come together to participate in open dialogues about critical issues that are directly affecting your business.

Who should attend the summit and why will it be beneficial to them?

This virtual conference is focused on entrepreneurs and small business owners.  It will give them a chance to meet and network with peers and industry experts.  This conference format is an exciting new way to connect, discuss the issues, learn from experts, and most importantly – find solutions to better your business.

What features/topics will be discussed at the NFIB Virtual Summit?

Inside the virtual “Auditorium” – NFIB, eBay, Google and Facebook will present webcasts on topics including:  “The Keys to Success for Your eBay Sales”, “Digital Marketing and Social Networking”, “Healthcare for Small Business”, and “Focus on the Economy”.

Will there be any Q & A sessions available for those attending that may have questions about topics talked about?

Each of the webcasts in the “Auditorium” will be followed by a scheduled chat session in the “Networking Café”.  Attendees will have the opportunity to ask industry experts questions – live!

Looking at the site I see an auditorium, exhibit hall, networking cafe, resource center and information. Can you explain what those areas are for and how they will work during the conference?

From the main lobby, there are numerous rooms to explore. You can download free resources into your “virtual tote bag” in the “Resource Center”. The “Exhibit Hall” will feature sponsor booths including eBay, Google, Solveras, Dun & Bradstreet, as well as our media sponsor, SBTV. The booths will include prize giveaways, free small business resources, and will be staffed by company representatives to answer any questions you may have. The Networking Café will be open for people to connect and network, exchange virtual business cards, participate in live scheduled chats, as well as contribute to the “Hot Topics” message boards.

Registration is free with the promo code bgg737.   Register online at:  www.NFIB.com/VirtualSummit
