I’ve been seeing tons of posts recently covering the (important) subject of securing your WordPress blog. There are many blogs that are currently sharing their top 5, 10 or 20 security tips.
Why am I writing about this? Because I don’t like the fact that most of these blog posts ignore the elephant in the room, rendering their advice into…rubbish.
Here’s the last one I encountered, on Copyblogger
Last week, in preparation for an interview about my work at Copyblogger’s managed WordPress hosting division, I chicken-scratched a top 10 list of tips for keeping your WordPress website(s) secure.
10 Steps to a Secure WordPress Website
Now, in that link you will find a checklist of ten (mostly valid and important) actions to take to secure your blog (and up-sell some services). So why am I not satisfied?
The Elephant In The Room
Everybody’s talking about security and importance of having “good” passwords. You’ll see tons of debating on how to choose a hard-to-hack password, but zero discussion on who can read your password???
Here’s the elephant: If you have a self-hosted WordPress blog, there’s a VERY good chance that you don’t have a secure way to log in to it . What does this mean?
If you don’t use a secure connection when you log in to your WordPress blog (and in a second I’ll show you exactly how to check if you are using one), then anyone on your local network can see your password when you click that Log In button.
Let me emphasize this again
Anyone can see your password when you log in to your WordPress blog using a non-secure connection.
This means that it doesn’t matter what-so-ever how complicated your password is. If you update your blog, approve comments or even just log in to check stats while you’re at a caffe, shopping mall or airport – congratulations, you’ve just given your password to all the other people that are using the same network like you.
How do you know if you’re using a secure connection?
When you log in to your admin panel, check if the URL (the address at the top) starts with HTTP:// (insecure) or HTTPS:// (secure). If it’s an HTTPS, this is a secure connection, and your password will not be up for grabs by your surrounding. If it says HTTP, you’re in trouble for two reasons:
- When you log in, you send your admin password as plain text over to the server, and any other computer on your network can read it
- Even if you log in at home, and select “remember me” and then access the blog from a public location, anyone can hack your account. The reason for this is that although you have logged in from your home, the server saves a special mark on your device that will allow it to be remembered. This marked is called cookie, and when you access your blog again in a public network, everyone can steal your cookie, and that will make your blog crumble!!
How To Fix This
Unfortunately, showing how to set up SSL certificates (this is what it takes to have a secure connection to your WordPress) is a subject for an entire blog, not just a post, and is definitely out of the scope for this blog.
Being a complicated setup that it is, it also completely negates the point of easy actions to improve security, like all the blog posts I mentioned advocate for.
What you should do, is contact your hosting provider and ask them to help you set up SSL connection for your blog. Notice that a shared-SSL certificate, like Hostgator (for instance) offers for free, will only allow you partial management of the blog (for instance, will allow to edit posts in HTML mode, but not in the WYSIWYG editor – which is what most people would prefer). Also take into consideration that a private SSL will cost money (few tens of dollars per year on average). If you host more than one blog on your account, take into account that you might end up being able to install SSL only on one of your blogs.
How To Fix This – The Quick & Easy Way
Don’t choose a simple & cheap shared-hosting package. Choose a Managed WordPress Hosting provider. Syntesis [this is NOT an affiliate link] is one that I heared some good stuff about, but haven’t checked them out myself. Make sure to pick a package that DOES includes SSL (their basic one doesn’t).
If you have any recommendations for managed WordPress hosting or at least one that makes it dead easy to enable SSL for WordPress on it, write me a comment!