Online forums have been swamped with stories of blogs being broken into and then blocked by Google for spreading badware. You should always adhere to these WordPress security tips to avoid your blog being hacked and having to face that kind of situation.
Update to the current secure version
Every piece of software has its own problems and weaknesses. Be diligent about always updating to the most recent “known secure” version. In this instance, you will want version 2.3.3 of WordPress.
Since WordPress gives plugins and themes full access to your blog, you also need to keep your plugins up-to-date. The latest 2.3 series of WordPress notifies you in the admin screen when new versions of your installed plugins are released.
Disable and remove any themes and plugins that you’re not using
If you are like the majority of bloggers, you have tried several different themes for your blog. More than likely, you now have a few different unused plugins that are installed.
Each installed theme and plugin is a potential security hole. Keeping unused themes and plugins up-to-date is a waste of time. Instead, deactivate all plugins that you don’t need or use. Remove the files for unused themes and plugins from the server.
The last step of actually removing the files from the server is very important. Almost all themes and plugins are installed in well-known directory locations. An attacker can use that well-known URL to exploit a vulnerability even if you're not using that theme or plugin.
Only download and install trusted code
Treat software that you add to your system the way you would treat mail from an unknown party. If you are going to install it, make sure the code has been tested and has the authors' blessing.
WordPress, themes, and plugins are released as Open Source. Open Source allows anyone to modify the code, including people with malicious intent, and any of them can put up badware for unsuspecting web surfers to download.
There is a penalty for being an early adopter! Allow other people to work through the holes and security issues before you attempt to use the package.
Watch out for JavaScript includes
A lot of web analytics services and advertising networks require that you add JavaScript to your blog, frequently in the form of a JavaScript include. This gives the JavaScript authors almost wholesale permission to change your web page. Essentially, you must entrust your web site's security to the third-party service.
In the case of Google AdSense and Google Analytics, or any of the major and reputable ad networks and web analytics services, I would not be worried. But if some relatively unknown company wanted to place JavaScript on my web site I would run away.
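One way to see which third parties you are trusting is to list every external JavaScript include on a page and compare the hosts with the ones you have reviewed. The following is an added example, not code from the original article; the sample page, the blog URL, the placeholder hosts and the function names are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; the ".example" hosts are placeholders.
SAMPLE_PAGE = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//stats.unknown-tracker.example/t.js"></script>
<script>var inline = 1;</script>
</head><body>
<script src="http://ads.unknown-network.example/show.js"></script>
</body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:  # inline scripts have no src and are skipped
                self.sources.append(src.strip())


def audit_script_includes(html, page_url, trusted_hosts):
    """Return (host, absolute_url, status) for each off-site script include."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    own_host = urlparse(page_url).hostname
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and // URLs
        host = urlparse(absolute).hostname
        if host == own_host:
            continue  # served by the blog itself, not a third party
        status = "trusted" if host in trusted_hosts else "UNREVIEWED"
        findings.append((host, absolute, status))
    return findings


if __name__ == "__main__":
    reviewed = {"www.google-analytics.com"}  # hosts you have decided to trust
    for host, url, status in audit_script_includes(
            SAMPLE_PAGE, "https://blog.example/", reviewed):
        print(f"{status:10} {host:35} {url}")
```

Run it against the saved HTML of your own pages; every host marked UNREVIEWED can change your page and deserves a decision.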
Another common problem occurs if you don’t have complete control over the type of ads appearing on your site. This is a particular problem with Google. You cannot afford to have your site ignored by Google, but if the ads on your site promote “undesirable” web sites, your site may be declared “undesirable” too.
Read more of Nick Dalton’s WordPress security articles on his blog for Internet business owners and bloggers at TipsTricksToolsTechniques.com.
- Nick Dalton
