To access the wp-admin directory (e.g. my Admin Dashboard) I have to log in using my administrator username and my strong password. So, my admin directory is already protected. But I might want additional layers of security to better protect the WP admin directory from hackers. There are several ways to do this, and I can implement as many as I want. I should aim for a reasonable balance between convenience and security – each additional security layer will make it less convenient for me to log in. In rough order of inconvenience, least to most:
When working with WP, I frequently find a need to clear my browser cache – along with my other caches. But I would prefer not to clear the cache of my usual browser. There is useful stuff in there that I want to keep.
I generally use Chrome, but I also installed Firefox and set it to permanent private mode, so the cache is cleared every time Firefox closes. When I need a clear browser cache, I simply launch Firefox.
These are some basic troubleshooting techniques for WP ailments, in rough order of how frequently I make use of each.
Flush all caches: I am working on my site but the changes are not showing up. This is commonly a caching issue. I need to clear all caches, which might include Cloudflare, browser cache, caching plugin, and/or server-side cache provided by my web host.
Switch to a default theme like Twenty Sixteen: A theme conflict can manifest itself in many poltergeist-like ways. Whenever something strange is happening I switch temporarily to Twenty Sixteen to see if it exorcises the problem. One example I encounter frequently is failure to upload images to the media library. I have to switch to Twenty Sixteen, upload my images, and then switch back to my regular theme.
Disable all plugins: Similar to a theme conflict, a plugin conflict can cause various strange errors. I encounter theme conflicts more frequently, so I try that first. If it does not fix the problem, then disabling all plugins is the next step. If the problem goes away, I reactivate the plugins one by one to find the culprit. Unlike my theme, which my site is designed around and cannot be easily replaced, I can usually find a substitute plugin if one misbehaves.
Use SFTP or the host control panel file manager: So what if the error prevents me from logging in to my admin dashboard? I can still switch to the default theme and disable plugins, using the file manager in my host control panel, or an SFTP tool like FileZilla. I navigate to the /wp-content/themes/ folder and rename my active theme’s folder – just put an ‘x’ in front of the folder name or something like that. My site will not be able to load my usual theme, and will revert to the default theme.
Similarly, I can rename the plugins folder or the individual plugin folders to disable plugins.
Refresh Permalinks: A glitch in the WP permalinks functionality can cause 404 ‘not found’ errors. I can refresh permalinks by visiting Settings, Permalinks, and clicking ‘Save Changes’ without actually changing anything.
Last resort: On occasion I have had to restore from the site backup that I either wisely or luckily made before the troubles started.
This is my point of view on which popular, free WP plugins are essential for me. Choice of plugins is dependent on the needed functionality as well as personal preference. There is no list of essential plugins that is right for everyone. In general I try to limit my number of plugins, and use only those that I very much need.
That being said, most sites benefit – or would benefit – from some sort of …
I am the first to admit my graphics skills are limited, to say the least. But because I enjoy dabbling in web work, I have to at least be able to accomplish simple image edits.
For me, Irfanview is the perfect tool. Its creator, Irfan Skiljan, humbly refers to Irfanview as an image viewer, and it is superb for that task. But it also has an impressive set of image editing, converting, and optimizing features. I find it intuitive and easy to use. I have been using it since shortly after it was introduced in 1996. It is not a full-blown professional suite like Adobe Photoshop, but for the simple image chores that form the limit of my abilities, it is indispensable.
Irfanview is free for noncommercial use and for use by educational, charity, and humanitarian organizations. A license for commercial use is $12 U.S. at the time of this post.
Over the past decade or so I have become increasingly astounded and thankful at the availability and quality of free stuff for web work. WordPress – not just the core, but also awesome themes and plugins; Cloudflare; IrfanView and GIMP for graphics work; FileZilla; Google Analytics; Notepad++ for coding – the list goes on and on. No longer do I have to risk falling behind on my rent to dabble in the web. As an experiment, I decided to see how far I could push the envelope. Could I launch a website without ads (or with only my ads) completely for free? This would include free domain name, free hosting, free CMS and other tools, free everything.
It turns out, no. Not for me anyway, though I came kinda close.
WP hosting providers, even at the low end, almost universally claim ninety-nine-point-something percent uptime. I want to keep track of uptime in practice, not just claimed or ‘guaranteed’. I use both of the most widely recommended free uptime monitors – Uptime Robot and StatusCake. Both are easy – though somewhat different – to set up, and both offer a free tier. By using both, I hope to catch transient downtime that one or the other may miss. On the free tier Uptime Robot checks my sites every five minutes and StatusCake – well, they don’t really say, just a “Slower interval rate” than the one minute interval of the lowest cost paid plan. Both monitor from multiple locations across the globe. And both will happily take my money if I opt for a more robust paid plan.
If my site crashes, or I have to take it offline for maintenance, I want to redirect all traffic to a temporary ‘Down for Maintenance’ page. And I want to get the page up quickly, so my visitors are greeted by a relatively friendly page, not just an error. It seems a good practice to be proactive and create a simple ‘Down for Maintenance’ HTML page and .htaccess file to redirect traffic, so that both are ready to deploy in a jiffy when needed.
Update 2020-08-28: Auto-updates for plugins and themes are now built into WP 5.5 and later.
The vast majority of hacked WordPress sites were compromised due to outdated plugins, themes, or WP core. I need to keep my site updated. But should I update manually, or automatically? If I choose automatic, updates will be more timely but there is always a small chance that an update will break something. If I update manually, I can make a full site backup first, and restore if anything breaks – but I am at more risk of a hack occurring in between my manual updates.
In another post I present a case for using a short, simple text string to report 403-Forbidden errors. For Not Found errors, I want to serve a friendly helpful 404 error page that fits reasonably well with the look and feel of my site. But I still want to limit resource use to the extent practical, otherwise serving a lot of 404 pages could slow my site or even bring it down.
At the time of this post, the WP REST API exploit is pandemic, with over 1.5 million WP posts defaced. A high-profile California government website – that I am somewhat responsible for – was hit yesterday, causing a great deal of consternation in my office. When news of the exploit first appeared, my personal sites like this one had already updated to WP 4.7.2, and I had long ago disabled the REST API, so I had no worries on that front.
I use a checklist to remind myself of the various tasks to perform during periodic WP site maintenance. For me monthly seems about right for these tasks. A very active site would benefit from more frequent maintenance.
Whatever WP theme I decide to use, I will almost certainly want to make a few tweaks to it. I could make changes directly to the theme, but those would be lost in the next version update. Instead, a good practice is to create a child theme. I can create a WP child theme manually, but doing so requires an understanding of words like ‘enqueue’. I can make the job easier using a plugin like Child Theme Configurator. After I install and activate the plugin, I click the new ‘Child Themes’ item on the Tools menu, choose a parent theme – Responsive Mobile in my case, and click Analyze.
WordPress security tips abound. As of the date of this post a Google search on the phrase “wordpress security tips” returns over 36,000 results. I give my list of essential security practices in another post. Certain other tips are overrated, providing little in the way of practical security benefits. Full disclosure, I practice some of these anyway.
I find it easy to obsess over WP security practices, and to get lost in minutiae – things like changing database table prefixes and obfuscating my admin user name – good practices but with little practical security value. Here is my list of the top eight essential WP security measures, in rough order of importance. All these measures can be implemented free of charge.