2.3 Security Tips for Admins

In this lesson, I’ll share some of the most important security tips that every administrator should use to secure their site. From keeping your site up to date to backing up and controlling permissions, these tips are fundamental to website security.

2.3 Security Tips for Admins

Hello everyone, I am Reggie Dawson. Welcome to the WordPress security tips course for Tuts+. Now that we know what practices we can put into play to make our user logins more secure, there are a few more things that we can do as an administrator to protect our site.

The first thing you want to do is make sure that your WordPress site is always up to date. If you look at the dashboard, you'll see that there's an update for WordPress available. WordPress notifies you and makes it easy to update by clicking the link. Now, this is a local installation of WordPress that I use for development. As a result, it hasn't been updated recently, but I'll run it now so that you can see how it works. As you can see, updating WordPress is so simple, there's no reason that you shouldn't keep your site up to date.

Now, beyond keeping your site up to date, you should also run backups of your WordPress site. That way, if someone breaks in, you can restore it to the way it was before the site was compromised. Again, there are many different options, and most web hosts will have some sort of utility built in to perform backups. Now, if there is no solution for backups on your host, you can always use a plugin. A plugin that I like for this is UpdraftPlus. This plugin offers the ability to back up your WordPress site to Dropbox or Google Drive. This plugin is not limited in any way, and with over a million installs it certainly is very popular.

Another thing an administrator can do is be very careful when assigning permissions to users. Do not assign anyone as an administrator if they don't need to be. Only give the minimum of permissions needed when creating a new user. User management is essential to protecting your site. Also, make sure that any inactive accounts are deleted.

Now, as an alternative, we can change our site to use an email address as our username. Presently, WordPress will not accept special characters such as the at symbol in our username, so we can't use an email address. Remember, I said obscuring the username as much as possible helps. So using email as a username is a bit more secure, as it is harder to guess an email address. When we create an account, we have to use a valid email address. This has to be unique, so it works as an identifier for an account. Then, if we add the email login plugin, we can use the email address that we signed up with as the account name. After that, we will no longer use the username as the login anymore.

The best defense for your site is to conceal anything that can be used to break in. A common thing everyone knows is the URL to the WordPress login page. The brute force attacks to break into your site are performed against this login page. As another layer of security, we are going to obscure the login page so that it's not easy to find. A really nice plugin I found to change the login page URL is called WPS Hide Login. Once we add this plugin, we can change the URL of the login page on the settings page. Once we change it and save it, we can then log in with the new URL. Now, this plugin only serves to obscure the login, and they can still figure out what you changed it to.

For better protection, we should also limit the amount of logins allowed. Remember, the brute force attack is just running random passwords against the login. Since this is not built in to WordPress, a good plugin for this is Loginizer. This plugin will actually block an IP from logging in after a certain number of retries. It can also blacklist or whitelist an IP address, which determines which IPs are allowed to log into the WordPress site. Of course, this is just one plugin, and there are many more that provide this same functionality.

Now, these are just a few of the ways that we can protect our site as the administrator. In the next video, we will look at some plugins that allow us to monitor the activities of users.
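As an added illustration (not code from the course, from Loginizer, or from any plugin named above), here is a minimal must-use plugin that does what the lesson describes: it counts failed logins per client IP with WordPress's `wp_login_failed` hook, refuses further attempts on the `authenticate` filter once a threshold is reached, and honours an allowlist and a denylist. The thresholds and IP addresses are constructed placeholders, and the `elt_` names are my own.

```php
<?php
/** Plugin Name: Login throttle sketch (added illustration). Copy into wp-content/mu-plugins/ and WordPress loads it. */

// Hypothetical tuning: 5 failures within 15 minutes lock the client IP out for 15 minutes.
const ELT_MAX_ATTEMPTS = 5;
const ELT_WINDOW_SECS  = 15 * MINUTE_IN_SECONDS;

// Constructed allowlist/denylist entries; real deployments keep these in an option.
const ELT_ALLOWLIST = ['203.0.113.10'];  // never throttled
const ELT_DENYLIST  = ['198.51.100.7'];  // never allowed to log in

function elt_client_ip() {
    // REMOTE_ADDR is set by the web server; only trust X-Forwarded-For behind a proxy you control.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function elt_key($ip) {
    return 'elt_fail_' . md5($ip);
}

// Count every failed login against the client IP; the transient expires after the window.
add_action('wp_login_failed', function ($username) {
    $ip = elt_client_ip();
    if (in_array($ip, ELT_ALLOWLIST, true)) {
        return;
    }
    $count = (int) get_transient(elt_key($ip));
    set_transient(elt_key($ip), $count + 1, ELT_WINDOW_SECS);
});

// Priority 100 runs after WordPress's own password checks, so a locked-out or denied IP
// is refused even when the password it finally guesses is correct.
add_filter('authenticate', function ($user, $username, $password) {
    $ip = elt_client_ip();
    if (in_array($ip, ELT_DENYLIST, true)) {
        return new WP_Error('elt_denied', 'Login is not permitted from this address.');
    }
    if (in_array($ip, ELT_ALLOWLIST, true)) {
        return $user;
    }
    if ((int) get_transient(elt_key($ip)) >= ELT_MAX_ATTEMPTS) {
        return new WP_Error('elt_locked', 'Too many failed logins; try again later.');
    }
    return $user;
}, 100, 3);

// A successful login clears the counter for that IP.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(elt_key(elt_client_ip()));
}, 10, 2);
```

Because the lock error itself fires `wp_login_failed`, every attempt made during the lockout refreshes the window, and the `WP_Error` message is shown on the login form.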
