As part of our ongoing improvements to the system, we are removing the reCAPTCHA v1 service from our WordPress installations.
It was set up in 2013, and the security world has moved on from a simple “Are you a human?” tick box. As WordPress has become more popular, attackers have more reason to write scripts that target WordPress sites specifically, and a CAPTCHA on the login form does nothing against a script that already holds a valid password.
If you’re wondering how secure your WordPress site will be without it, don’t worry – there are some very simple things you can do to keep it safe.
Keep WordPress up to date
This is the most obvious one, and, yet, it’s the one everyone forgets to do. Even on my own sites, I forget to keep them updated, and if I have a site I don’t have to check regularly (like, for example, my blog on the local coot population), I’ll often be several versions behind.
But now’s your chance. Stop reading this and go update your site.
Update your plug-ins and themes too.
That was easy, wasn’t it?
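If you would rather script this than click through the dashboard, here is an added example (it is not part of the original post) that reads the installed version out of wp-includes/version.php, compares it with a version you pass in (for instance the one named in the latest WordPress release announcement), and runs the core, plug-in and theme updates with WP-CLI when the site is behind. It assumes WP-CLI is installed as `wp` and that WP_ROOT points at the site’s document root; the version.php content in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example: check the installed WordPress version and update core,
# plug-ins and themes with WP-CLI. Assumes WP-CLI is installed as `wp`.
set -eu

# Print the version number from a wp-includes/version.php fed on stdin.
# The real file contains a line like (constructed sample):  $wp_version = '4.9.4';
parse_wp_version() {
    sed -n "s/^[$]wp_version = '\([^']*\)';.*/\1/p" | head -n 1
}

# version_lt A B: succeed (status 0) if dotted version A is lower than B.
# Components are compared numerically, so 4.9.10 > 4.9.9 and 4.9 == 4.9.0.
# Pre-release suffixes such as 5.0-beta1 are not handled.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}
        bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# check_core ROOT LATEST: status 1 (and a message) if the install at ROOT is behind LATEST
check_core() {
    root=$1
    latest=$2
    installed=$(parse_wp_version < "$root/wp-includes/version.php")
    if version_lt "$installed" "$latest"; then
        echo "core $installed is behind $latest"
        return 1
    fi
    echo "core $installed is current"
}

# update_site ROOT: update everything in place, then run any pending database
# migration and confirm the core files match the checksums WordPress.org publishes
# (a useful side effect: a tampered core file shows up here too).
update_site() {
    root=$1
    wp --path="$root" core update
    wp --path="$root" core update-db
    wp --path="$root" plugin update --all
    wp --path="$root" theme update --all
    wp --path="$root" core verify-checksums
}

# Only touch a real site when both variables are set, e.g.
#   WP_ROOT=/var/www/html WP_LATEST=4.9.4 sh wp-update.sh
if [ -n "${WP_ROOT:-}" ] && [ -n "${WP_LATEST:-}" ]; then
    check_core "$WP_ROOT" "$WP_LATEST" || update_site "$WP_ROOT"
fi
```

Run it from cron and it only does work when the site is actually behind; `wp core verify-checksums` at the end is worth keeping even on up-to-date sites, because it is the quickest way to spot a modified core file.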
Make sure your passwords are strong
This is another obvious one, but it’s also the one everyone falls down on. And it’s not just a matter of adding in characters and numbers – it’s about having a unique password for each site, because a password leaked from one service will be tried against every other one. No longer the same email address/password combination for Netflix, Steam, WordPress, Google, Dropbox and that tiny little forum you still hang out at.
And once you’ve sorted out your passwords, you can make logging in more secure still by adding two-factor authentication. Try miniOrange’s Google Authenticator plug-in.
Clean up your users
Have people left your company? Did you get guest authors in? How many users do you have on your WordPress installation? And what are their permissions?
This might not seem like a big deal, but the ICO’s recent £400,000 fine against Carphone Warehouse followed a breach in which the attackers got in using a valid WordPress login on an outdated installation.
So what do you do with these unwanted users? If they haven’t posted anything, delete them. There’s no reason to keep them around and they’re just a risk. (If they have posted, you can still delete them: WordPress asks whether to attribute their content to another user when you do.)
If you’d rather keep them listed as the author of their posts, set their role to “No role for this site” instead. They can still log in, but that’s all: the account has no capabilities and can’t reach the admin screens. Just make sure the account you change isn’t the one you’re logged in with.
Yes, I did lock myself out of my WordPress site.
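The same audit from the command line, as an added example that is not part of the original post: it lists every account with its roles and post count through WP-CLI, suggests the action the post describes for each one (delete if they have no content, strip the role if they do, leave administrators for a human to review), and provides the two commands for applying it. It assumes WP-CLI is installed as `wp` and that `wp user remove-role` with no role named removes all of a user’s roles; the rows in the usage comment are constructed sample data.

```shell
#!/bin/sh
# Added example: audit WordPress accounts with WP-CLI and apply the clean-up
# the post describes. Assumes WP-CLI is installed as `wp`.
set -eu

# classify_user ROLES POSTCOUNT -> keep | delete | no-role
#   keep     administrators: review by hand, never touch them from a script
#   delete   no content, so nothing is lost by removing the account
#   no-role  has content you may want to keep under their name: strip the role instead
classify_user() {
    roles=$1
    posts=$2
    case "$roles" in
        *administrator*) echo "keep" ;;
        *) if [ "$posts" -eq 0 ]; then echo "delete"; else echo "no-role"; fi ;;
    esac
}

# Read "ID|login|roles|posts" lines on stdin and append the suggested action.
# '|' is the separator because one user can hold several comma-separated roles.
# Constructed sample input:  7|guest|contributor|0
suggest_actions() {
    while IFS='|' read -r id login roles posts; do
        printf '%s|%s|%s|%s|%s\n' "$id" "$login" "$roles" "$posts" \
            "$(classify_user "$roles" "$posts")"
    done
}

# list_users ROOT: one "ID|login|roles|posts" line per account, straight from WP-CLI
list_users() {
    root=$1
    for id in $(wp --path="$root" user list --field=ID); do
        login=$(wp --path="$root" user get "$id" --field=user_login)
        roles=$(wp --path="$root" user get "$id" --field=roles)
        posts=$(wp --path="$root" post list --author="$id" --post_status=any --format=count)
        printf '%s|%s|%s|%s\n' "$id" "$login" "${roles:-none}" "$posts"
    done
}

# delete_user ROOT ID OWNER: remove the account and hand any content to user OWNER
delete_user() {
    wp --path="$1" user delete "$2" --reassign="$3" --yes
}

# strip_roles ROOT ID: leave the account with "No role for this site"
# (assumes remove-role with no role argument removes every role the user holds)
strip_roles() {
    wp --path="$1" user remove-role "$2"
}

# Report only; run delete_user / strip_roles by hand once you have read the list, e.g.
#   WP_ROOT=/var/www/html sh wp-users.sh
#   . ./wp-users.sh; delete_user /var/www/html 7 1
if [ -n "${WP_ROOT:-}" ]; then
    list_users "$WP_ROOT" | suggest_actions
fi
```

The report is deliberately not self-applying: the script cannot tell a dormant guest author from a colleague on leave, so a person decides, and administrators are always left alone so you cannot lock yourself out by accident.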
Get a good plug-in
There are hundreds of security-related plug-ins available, covering everything under the sun, from firewalls and brute-force login protection to two-factor authentication and anti-spam measures. Luckily, most of them are free or have trial versions, so you can test them and see which works best for you. You can also judge a plug-in by its number of active installs, its ratings and how recently it was last updated.
Here are four that are generally considered to be on the top of their game:
And don’t forget that Jetpack comes with a lot of security features, and it’s installed automatically on our WordPress installations.
You should also double-check all your existing plug-ins to make sure they’re still regularly maintained and kept secure. Just recently, thousands of sites, including the NHS’s and the ICO’s, were turned into cryptominers when one third-party script they all loaded (the Browsealoud accessibility script) was hijacked. Any plug-in or theme that pulls scripts from someone else’s server carries the same risk, and a Subresource Integrity hash on the script tag would have stopped the altered copy from running.
Back up regularly
Of course, no matter how much we lock everything down, no matter how many plug-ins or security measures we’ve taken, we can still get hacked.
This is where regular backups come in. Even if you do get hacked, you can revert to a known-good copy with a minimum of data loss.
You can use the backup feature in the eXtend Control Panel to take a backup of your entire site, but you’ll need to remember to take those backups, to back up the database separately, and to keep a copy somewhere other than the web server itself, because a backup sitting next to a hacked site can be deleted or altered along with it.
Jetpack also has a backup feature, which you can set to do a daily backup.
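The backup routine above, as an added example script (it is not from the post, the eXtend Control Panel or Jetpack) that you can drop into cron: it dumps the database with WP-CLI, archives wp-config.php and wp-content, records SHA-256 checksums so a corrupted or tampered backup is caught at restore time rather than discovered during the emergency, and prunes copies older than a retention period. It assumes WP-CLI is installed as `wp`, that BACKUP_DIR is outside the web root and not world-readable (the archive contains wp-config.php and therefore the database password), and that you copy the result off the server afterwards; paths and names are illustrative.

```shell
#!/bin/sh
# Added example: nightly WordPress backup with WP-CLI. Assumes `wp` is installed
# and that BACKUP_DIR is outside the web root and readable only by you.
set -eu

# backup_name SITE_DIR STAMP -> base name shared by the DB dump, the archive and the checksums
backup_name() {
    printf '%s-%s' "$(basename "$1")" "$2"
}

# prune_old DEST DAYS: delete dumps, archives and checksum files older than DAYS days
prune_old() {
    find "$1" -type f \( -name '*.sql.gz' -o -name '*.tar.gz' -o -name '*.sha256' \) \
        -mtime +"$2" -exec rm -f {} +
}

# verify_backup DEST NAME: status 0 only if every piece still matches its recorded checksum
verify_backup() {
    (cd "$1" && sha256sum -c "$2.sha256" >/dev/null 2>&1)
}

# backup_site ROOT DEST DAYS: take the backup, verify it, prune, print the base path
backup_site() {
    root=$1
    dest=$2
    days=$3
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    name=$(backup_name "$root" "$stamp")
    mkdir -p "$dest"
    chmod 700 "$dest"
    # The database is a separate piece: a file-level copy of the site does not include it.
    # `wp db export -` writes the dump to stdout so it never touches the web root.
    wp --path="$root" db export - | gzip -9 > "$dest/$name.sql.gz"
    # wp-content holds uploads, themes and plug-ins; wp-config.php holds the site's settings.
    tar -czf "$dest/$name.tar.gz" -C "$root" wp-config.php wp-content
    (cd "$dest" && sha256sum "$name.sql.gz" "$name.tar.gz" > "$name.sha256")
    verify_backup "$dest" "$name"
    prune_old "$dest" "$days"
    echo "$dest/$name"
}

# Run from cron, e.g. nightly at 02:00:
#   0 2 * * * WP_ROOT=/var/www/html BACKUP_DIR=/var/backups/wp KEEP_DAYS=30 sh /usr/local/bin/wp-backup.sh
if [ -n "${WP_ROOT:-}" ] && [ -n "${BACKUP_DIR:-}" ]; then
    backup_site "$WP_ROOT" "$BACKUP_DIR" "${KEEP_DAYS:-30}"
fi
```

Restoring is `wp db import` of the dump plus untarring the archive into a clean WordPress install, and it is worth rehearsing that once on a spare site: a backup you have never restored is a hope, not a plan.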
So those are five easy things you can do to strengthen your WordPress security. What else do you recommend?