Phil Wylie

WordPress developer, Code Club volunteer & Staffs Web Meetup organiser

How to protect your WordPress site

I recently contributed towards an article on WordPress security and thought I’d write up my advice in full over on my blog. This is particularly relevant in light of recent vulnerabilities in WordPress and a number of high-profile third party plugins.

The most important steps you can take to secure your WordPress site are not necessarily specific to WordPress. Good password practices and keeping your software up-to-date are often overlooked. In my experience, the root cause of a security incident tends to be either a trusted administrator with a weak password or an exploit against an unpatched third-party plugin.

The basics of security

Password security

A strong password doesn’t use dictionary words; it’s made up of a combination of mixed-case letters, numbers and symbols. It’s also important to use a unique password for every website. A breach on another site could expose your password, and if that password also unlocks your email account, an attacker can request a password reset from your WordPress install and complete the takeover from your inbox.

Password management

I’d strongly suggest looking into using a password manager such as 1Password. You’ll be able to generate strong passwords and not have to worry about remembering them all. There are also tools which limit the number of incorrect login attempts, thwarting automated password-guessing attacks. If you already have Jetpack installed, check to see whether Jetpack Protect is enabled; otherwise look into something like Limit Login Attempts.
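To show what a login-attempt limiter actually does under the hood, here is a small added example in the form of a WordPress plugin. It is not code from this post, nor from Jetpack Protect or Limit Login Attempts; it is a constructed illustration that counts failed logins per client IP in transients, locks the address out once a threshold is reached, and refuses further authentication attempts during the lockout. The limits, the `example_lla_` prefix and the plugin name are assumptions chosen for this example.

```php
<?php
/*
Plugin Name: Example Login Attempt Limiter
Description: Added example (not from the original post): locks out a client IP after repeated failed logins.
*/

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// Tunable limits (constructed values for this example).
define( 'EXAMPLE_LLA_MAX_ATTEMPTS', 5 );
define( 'EXAMPLE_LLA_WINDOW', 15 * MINUTE_IN_SECONDS );  // window in which failures are counted
define( 'EXAMPLE_LLA_LOCKOUT', 30 * MINUTE_IN_SECONDS ); // how long a locked-out IP must wait

// Build a transient key from the client address. REMOTE_ADDR is only
// trustworthy when no reverse proxy sits in front of PHP; behind a proxy,
// use whatever client-address header your server is configured to trust.
function example_lla_key( $prefix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return $prefix . md5( $ip );
}

// Record a failed login for this IP and start a lockout once the limit is hit.
function example_lla_record_failure( $username ) {
    $count_key = example_lla_key( 'example_lla_count_' );
    $count     = (int) get_transient( $count_key ) + 1;
    set_transient( $count_key, $count, EXAMPLE_LLA_WINDOW );

    if ( $count >= EXAMPLE_LLA_MAX_ATTEMPTS ) {
        set_transient( example_lla_key( 'example_lla_lock_' ), time(), EXAMPLE_LLA_LOCKOUT );
        // Leave a trace in the PHP error log so lockouts can be reviewed later.
        error_log( sprintf(
            'Login lockout for %s after %d failures (last username tried: %s)',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $count,
            sanitize_user( $username )
        ) );
    }
}
add_action( 'wp_login_failed', 'example_lla_record_failure' );

// Refuse authentication while the IP is locked out. Priority 30 runs after
// WordPress's own username/password check (priority 20), so the lockout
// error replaces the result even when the attacker finally guesses correctly.
function example_lla_check_lock( $user, $username, $password ) {
    if ( get_transient( example_lla_key( 'example_lla_lock_' ) ) ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lla_check_lock', 30, 3 );

// A successful login clears the failure counter for this IP.
function example_lla_reset( $user_login, $user ) {
    delete_transient( example_lla_key( 'example_lla_count_' ) );
}
add_action( 'wp_login', 'example_lla_reset', 10, 2 );
```

Drop the file into `wp-content/mu-plugins/` (or activate it as a normal plugin) to try it. Two design points are worth noting: because the lockout error is itself a failed login, `wp_login_failed` fires again on every attempt made during the lockout, so hammering the login form keeps extending it; and keying on the client IP means a shared office or carrier NAT address can lock out legitimate users alongside an attacker, which is why the real plugins mentioned above expose whitelists and per-user as well as per-IP counters.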

Keep all your software up-to-date

In terms of keeping software up-to-date, WordPress has a built-in update mechanism to keep itself, its themes and its plugins updated. Running the latest version of each means you’ll benefit from new features, bug fixes and, crucially, security patches.

You can access the Updates screen within the WordPress Dashboard to see and install available updates. The WP Updates Notifier plugin can email you when an update is made available for your WordPress site, saving you from having to manually check.

Managing multiple WordPress sites? Use the tools available

If you’re looking after a number of sites, there are some brilliant remote management tools available. Jetpack now includes a Site Management feature which has many of the useful features the more established services such as WP Remote and ManageWP offer. From one interface you can get an overall feel for the status of your websites and remotely install updates.

The threat from premium themes

WordPress itself has a strong security track record and as outlined in The WordPress Security White Paper, has a dedicated team of professionals responsible for ensuring vulnerabilities are dealt with in a structured and efficient way.

An issue I’ve seen causing pain recently is premium WordPress themes which come bundled with plugins. The idea is to provide additional functionality and value to the end user. However, as the theme author is the licence holder for the bundled plugin, it is their responsibility to update and distribute the patched files. As the site owner, you might not even be aware you’re running out-of-date, exploitable code.

Adding any third-party code to your WordPress installation increases the potential for introducing vulnerabilities. You should source your themes/plugins from the official repositories or from reputable developers who provide a clear update process.

How to avoid Google’s slow label – benchmarking

This is a post written for the iWeb blog taking a look at a number of website benchmarking tools and services. Useful for pinpointing performance issues which can be improved upon.

For a long time Google have advised the web community that site speed is taken into account as a ranking factor. The move to displaying a publicly visible “slow” label may be the push site owners need to take action…


Can you point me in the right direction?

I provide web development and associated services to a small number of clients I’ve picked up over the years. This post is based on my humble experience freelancing and is aimed at those who, like me, are providing a service on a small scale.

Every so often I receive a question from a past client. I try to get back quickly and generally, I don’t mind as it feels good answering little questions and helping people. But those quick email exchanges add up and without an ongoing agreement, it’s a cost that I (and I imagine others) absorb because often those questions lead to billable work.

This led to an interesting situation recently where I received a question worded with a subtle difference:

“Can you point me in the right direction?”

Many clients don’t understand the troubleshooting process that web developers and IT folk undergo in order to determine the nature of a problem. I imagine this isn’t unique to this industry. There’s value in knowing where to look and how to resolve a problem.

In many cases, it’s the troubleshooting process that accounts for the majority of time spent resolving an issue. Sometimes, the solution comes in the form of a simple flip of a switch, ticking a checkbox that’s buried deep within a settings interface. It might take an hour to find it, but it’s there.

Website owners should plan on paying a monthly maintenance fee to cover the costs associated with troubleshooting, updating and problem resolution. Unfortunately, this is easier to conclude with hindsight. My younger self wasn’t aware that these simple content sites might stick around for five, even ten or more years.

The takeaway? Make it a point to charge your clients for ongoing maintenance. I suggest discussing maintenance early on when you take on a new client. Bundle basic support along with CMS updates and regular backup. Then you can cover those quick questions which would otherwise be covered out of pocket.

A skewed perception of value

WordPress makes it easy to put a website together but it doesn’t necessarily make web development easy.

For many, WordPress works out-of-the-box and with the vast ecosystem of both free and low-cost plugins, beginners can patch together a reasonable website packing serious functionality within a short space of time, with minimal upfront cost.

The mission of the open source WordPress project is to democratise publishing and of course, in many ways it has achieved this goal. However, the simplicity and low barrier to entry hide the true cost of web development.

Mario Peshev wrote about value a while back after receiving an enquiry. The client outlined their requirements, to alter a plugin to include their bespoke functionality. The client laid out their expectations, “the plugin costs $25 so I estimate the change would probably cost around $15”. It’s clear this client undervalued the work involved in custom development.

WordPress is a great tool to get a project going quickly. It’s fairly rewarding to work with. A lot can be achieved out-of-the-box and you can end up feeling that anything is possible! However, once you stray outside the basics of strapping a theme together with a few plugins and need something custom, that’s when you realise web development is complex and WordPress is no different.

WordCamp London 2015

Our team headed down to London last weekend for WordCamp London 2015, a three-day event split between a contributor day on Friday and a two-day conference covering a diverse range of WordPress topics.
