A Travel Blogger’s Guide to Basic WordPress Security

As part of my travel blogging series, I’m trying to highlight some of the things I’ve learned as I set up this site. Check out “A Travel Blogger’s Guide to Facebook Fan Welcome Pages” and “A Travel Blogger’s Guide to Using StumbleUpon” for some of my previous guides. If you have an idea for another guide, please contact me with your suggestions.

As far as blogging goes, there are two very big platforms that the majority of bloggers use: WordPress and Blogger. Travel bloggers seem split between the two, but my guess is the majority use WordPress simply because the biggest travel blogs out there also use WordPress. And if you’ve had any interest in being successful, you’ve probably checked out NomadicMatt’s “How to Make Money with Your Travel Blog” and David Lee’s “Travel Blog Success.” Both are useful resources for beginners & experts alike, and both use & recommend WordPress.

So, if you’re planning on getting serious about your blog, you’ve got to be prepared to get serious about your blog’s security.

I’m by no means a web expert—just a novice, actually—but from recent experience, I’ve learned the valuable lesson of tightening blog security. If your site gets hacked, it can cripple your site and potentially even get you blacklisted by Google. The basic steps I’m going to recommend are really, really simple, but hopefully by highlighting them, you’ll take the time to secure your own site. I want to reiterate that I know very little on this subject, just the basics!

1. Use a good host

If your WordPress blog is self-hosted, your site could be especially vulnerable. WordPress.com hosted sites are going to be more secure just by the nature that WordPress (as the host) is responsible for security. So if your site is self-hosted (through WordPress.org) then you need to make certain that you know & trust your web host. Here’s a few things I think are important for a web host:

• 24-hour customer service & phone support. You never know where you’ll be when you’ll need their help the most.
• If the company is small, then they’re likely to be able to help you solve problems on a personal basis.
• And just to contradict myself… If the company is large, then there is a good chance someone else will have experienced the same problem and you can usually find them (and hopefully their solution) with some Googling.

2. Create strong passwords

I think this is pretty obvious, but you need to have secure passwords. Strong Password Generator is a useful tool for setting impossible-to-remember (but also tough-to-crack) passwords. Using WordPress, these are the passwords you need to make sure are secure:

• WordPress administrator login: Mix letters, numbers & symbols. A lot of them. You can go into double-digits, people. Change your password after logging in to the admin section. Click on Users > Your Profile. The password change box is at the bottom of the screen.
• Database: If/when you change this password, don’t forget it has to be updated in your config.php file as well. This password usually has to be changed through your host.
• Host/FTP: This password will have to be changed through your hosting company but it’s important to keep it different than your other ones. If someone gets access to your FTP site, they’ve essentially got write-access to everything.
• Other: If you manage lots of sites (or have an account with a big host/domain provider), you likely have an account with your hosting company. Make sure your password is secure for that as well.

3. Always update WordPress & your plugins

This one is important. Make sure you’re running the latest & greatest version of WordPress. Hackers can get in quick once an update is released. WordPress 3.0 is set to release soon, so be sure to stay on top of it.

4. Backup your files…just in case

Backup! Backup! Backup! If something should happen to your site, you’ll want to restore it to it’s original condition (but more secure, of course). Your database is where all your posts and comments are stored, so you’ll want that backed up somewhere safe at the very least. The WP-DBManager plugin makes this easy, though there are lots of similar options.

To backup your theme, uploads & plugins, use WordPress Backup to backup your files, but again, there are several similar plugins.

5. Pay attention

Stay on top of your site’s security. If you see something strange, act quickly! And don’t forget to put up a “site maintenance” homepage to protect your site visitors. Some of the things you should be sure to monitor:

• File Permissions. This is technical, but you should be careful and aware of what files are executable publicly. Don’t change the security settings of your files without knowing what you’re doing, though, because WordPress requires certain permissioning for certain files.
• Admin users. Make sure there are no unknown admins of your site. Sometimes hackers can create their own admin account to get access to your site & all your files/database. You can check by logging in to your admin section. Go to Users > Authors & Users. Most likely, you should be the only Administrator.

This is meant to be a ROUGH guide and you should really consult experts if you end up having problems.