PSA: Protect your WordPress Site

I have woken up before and NOT found my website and have been horrified! This is what I thought of when I saw a fellow creator’s tweet about losing his website.

This is the worst feeling. All of your hard work over the years could be gone. It’s like losing a box full of pictures and memories that you know you can’t replace. EXCEPT, these are digital posts and thankfully John had good backups of his site and was able to restore everything.

The issue John ran into was a critical bug in a common WordPress plugin called ThemeGrill Demo Importer. The plugin had over 200k installs and has apparently been patched, so if you use it, make sure you are running the latest version. Unpatched versions have a vulnerability that bad actors could exploit to wipe your site’s database, and if you have a user named ‘admin’, the attacker is granted full access to the site, effectively allowing them to take it over.

I think this is a great opportunity to talk about things you can do to protect your hard work on your WordPress site.

  • Change the Admin Username to something other than admin.
  • Change the Admin Login Page – There are plugins that can do this for you easily.
  • Install some sort of security plugin like Wordfence.
  • Deactivate and delete unused plugins. These are just additional attack surfaces. If you don’t need them, remove them.
  • Delete unused Themes – Just like Plugins, if you are not using them, remove them.
  • Keep active plugins up to date.
  • Back up your site. Using a service like ManageWP can help with that.
  • You can also run your site on a protected Hosting Platform like WPEngine. WPEngine allows you to have a completely isolated DEV site that you can easily restore from. It’s like snapshots for WordPress.
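
As an added example that is not part of the original post, here is a small WP-CLI audit script covering four of the items above: the admin username, inactive plugins, inactive themes, and plugins with updates pending. It assumes WP-CLI (`wp`) is installed and the script is run from the WordPress root; each check reads the relevant list on stdin, so the checks can be tried on constructed input before pointing them at a live site.

```shell
#!/bin/sh
# WP-CLI hardening audit for the checklist above (added example, not from the post).
# Assumes WP-CLI (`wp`) is installed and the script is run from the WordPress root.
# Each check_* function reads the output of a `wp ... list --field=...` command on
# stdin and prints one FINDING line per problem, so the checks can be exercised on
# constructed input without a live site; audit_site wires them to real wp calls.

# A login named "admin" is the account the ThemeGrill bug hands to the attacker.
check_admin_user() {
  if grep -qx 'admin'; then
    echo "FINDING: rename the 'admin' user"
  fi
}

# Every inactive plugin or theme is unused code that still ships with the site.
# $1 is the word "plugin" or "theme", used only in the message.
check_inactive() {
  while IFS= read -r name; do
    if [ -n "$name" ]; then
      echo "FINDING: delete inactive $1 '$name'"
    fi
  done
}

# A plugin with an update available may be missing a security fix.
check_outdated() {
  while IFS= read -r name; do
    if [ -n "$name" ]; then
      echo "FINDING: update plugin '$name'"
    fi
  done
}

# Run all checks against the live site and append a findings count.
audit_site() {
  {
    wp user list --field=user_login                | check_admin_user
    wp plugin list --status=inactive --field=name  | check_inactive plugin
    wp theme list --status=inactive --field=name   | check_inactive theme
    wp plugin list --update=available --field=name | check_outdated
  } | awk '{ print } END { print "findings: " NR }'
}

# Only query the live site when explicitly asked: `sh wp-audit.sh --run`
if [ "${1:-}" = "--run" ]; then
  audit_site
fi
```

Backups are still the item that saved John, so treat this as a pre-restore sanity check, not a replacement for ManageWP or host snapshots.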

Stay Safe out there!