In addition to photography I have an interest in developing websites. This site uses the Inkness theme (with one or two tweaks) but I have written themes from scratch, so I’ll be making posts from time to time on this subject.
WordPress is now the most popular platform worldwide for websites and that inevitably means that it is a target for hackers. Some preventative measures require coding; some just need plugins or correct configuration. The first advice is to always install WordPress updates. The only time I’ve been hacked was because I didn’t immediately install an update. This particular update fixed a security vulnerability introduced in a previous update; once the update was published the vulnerability became known and was exploited. But there is a caveat to this. I used to be very blasé about updating until an update crashed the site, and it took some work to roll back to the previous version and then track down the problem. This was caused by a plugin which used a WordPress function that had been deprecated for some time, and had finally been removed, causing the crash. As the plugin hadn’t been updated I had to fix it myself. I’ve now installed a second, staging, copy of the website in a subdomain. I always test updates to the theme or plugins or WordPress first on the staging site before updating the live site. The staging site is not kept up-to-date with the content, just the program files.
In making a copy of a site, one inconvenience is that WordPress stores links in the database as fully-qualified URLs. If you just copy the database, the links still point to the original site. I use the WordPress Move plugin, which scans the database and updates these links.
Looking at the log files, there are many ‘file not found’ errors from requests for wp-login.php, clearly attempts to break in. To make life more difficult, when installing WordPress, don’t use ‘admin’ as the username for the admin account. If the installer has done this automatically, create a new account and demote ‘admin’ to subscriber. It goes without saying to use a strong password. Another plugin I always install is Limit Login Attempts, which does exactly what it says. A slightly more complicated step is to install WordPress in a sub-directory (and don’t call it ‘wordpress’!). That is, if your site is www.mydomain.com, install WordPress into www.mydomain.com/wp99/ (or something like that). There are instructions on how to do this at codex.wordpress.org/Giving_WordPress_Its_Own_Directory. It’s all about making life difficult for hackers by not following the defaults.
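To turn those ‘file not found’ log entries into something you can act on, here is an added Python example (not code from this site or from any plugin) that scans Apache-style access log lines for 404s on the default WordPress entry points and counts POSTs to the real login form, the same raw material a Limit Login Attempts style lockout works from. The sample log lines, the IP addresses, the /wp99/ install path and the threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Prefix of the Apache/nginx "common"/"combined" log format; only these fields are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines (not taken from any real server log).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 196
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 404 196
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 404 196
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /2023/10/photo-walk/ HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /wp99/wp-login.php HTTP/1.1" 200 2310
198.51.100.7 - - [10/Oct/2023:13:56:20 +0000] "POST /wp99/wp-login.php HTTP/1.1" 302 0
"""

# Default entry points that only 404 once WordPress lives in its own
# directory (the /wp99/ layout above); hits on them are almost always probes.
PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wordpress/wp-login.php")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_probing_ips(log_text, threshold=3):
    """Return {ip: count} for IPs that got a 404 on a default path at least `threshold` times."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "404" and rec["path"] in PROBE_PATHS:
            hits[rec["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

def login_posts_by_ip(log_text, login_path="/wp99/wp-login.php"):
    """Count POSTs to the real login form per IP (assumed /wp99/ install path)."""
    posts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]] += 1
    return dict(posts)

if __name__ == "__main__":
    print(find_probing_ips(SAMPLE_LOG))   # {'203.0.113.5': 4}
    print(login_posts_by_ip(SAMPLE_LOG))  # {'198.51.100.7': 1}
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the IPs it reports are candidates for a firewall block or for tuning the login-attempt limit.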