Things change rapidly in the WordPress world. The content in this post is more than a year old and may no longer represent best practices.
What’s the Hardest Thing About WordPress?
Prior to the security plugin demos, we had a discussion about what people find difficult about WordPress, based on our own experience and that of our clients. Here’s what people had to say:
- Ted—People expect WordPress to be like Wix, with great UI elements you can just drop in. He’s taken to using Shortcodes Ultimate to help with this. Pieter Hartsook recommends Visual Composer (or similar) and front-end editing.
- Karla—Understanding that you need plugins to do anything. She’s a pretty good searcher, so doesn’t think finding and evaluating plugins is all that hard.
- Sharihar—In Joomla you can put an extension (plugin) on just a particular page, and he hasn’t seen the ability to do that with WP. Also he found theming for Joomla easier—there’s more separation of the PHP and the HTML/CSS. Widgets also puzzled him.
- Sallie—clients can be puzzled by the widgetized home pages in Genesis—they expect to be able to go to the home page and edit it.
- Ted—the way your widgets depend on your theme—they will disappear/move around when you change themes
- Bill—Trying to simplify the admin and client-proof it.
- Ted—It really helps clients to have a UI set up where they know what type of content to enter where. Red8 does this via ACF, and it’s easier for clients, but harder to use any of that information on another page because it’s all stored as post_meta.
- Karla—The whole concept of databases and why WordPress—she finally started to understand about retrieving the information and displaying it in multiple places.
- Pieter—as consultants we need to take a longer view and think about what the client is going to need in 3 months or 6 months. WP’s extensibility is an advantage and you don’t always want the quickest solution.
- Ted—Media management. Can you just bulk-upload images and display them in multiple places? Pieter suggests storing them on Flickr and pulling them into WP and elsewhere.
(Demo’ed by Pieter Hartsook.) The first thing to be sure you do is whitelist your own IP address, so that the plugin’s lockout rules can never lock you out of your own site. After that the plugin gives you a prioritized list of actions to take. Features include malware scanning, 404 protection, block lists, changed-file detection, and brute-force protection. They also provide a series of instructional videos in addition to this video overview.
Pieter Hartsook showed us the new, attractive interface of Wordfence Security. Wordfence scans for malware and also compares the files of your themes and plugins against the originals in the WordPress.org repository, so it can flag files that have been modified. Here’s an overview video with a feature tour:
Ted Curran did a demo of All in One WP Security and Firewall. It has a straightforward dashboard that shows you critical issues and your overall security score in points. In addition to the usual sorts of security features, AIO WP Security includes comment-spam protection and text-copy protection.
Security Plugins and Your Database
Security plugins log activity, and the logs normally get stored in your WordPress database alongside your content. iThemes Security creates three tables: _itsec_lockouts, _itsec_log, and _itsec_temp (each preceded by your table prefix, wp_ by default). You can tell the plugin how long to retain the logs in order to keep them from taking up too much space.
Wordfence, on the other hand, creates 18 tables, which can amount to quite a bit of database clutter.
wp_wfBadLeechers, wp_wfBlocks, wp_wfConfig, wp_wfCrawlers, wp_wfFileMods, wp_wfHits, wp_wfHoover, wp_wfIssues, wp_wfLeechers, wp_wfLockedOut, wp_wfLocs, wp_wfLogins, wp_wfNet404s, wp_wfReverseCache, wp_wfScanners, wp_wfStatus, wp_wfThrottleLog, wp_wfVulnScanners
All in One WP Security and Firewall creates 5 database tables, for events, failed logins, global meta, login activity, and login lockdown.
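If you want to see how much of your database those tables are actually consuming, the following queries (an added example, not code from the original post or from any of the plugins) total up the size of each plugin’s tables from MySQL’s information_schema. They assume the database is named wordpress and the table prefix is the default wp_; the name patterns wp_itsec_*, wp_wf* and wp_aiowps_* are the ones used by iThemes Security, Wordfence and All in One WP Security respectively.

```sql
-- Added example: measure how much of the WordPress database each
-- security plugin's tables occupy. Assumes database name `wordpress`
-- and table prefix `wp_`; change both to match your install.
-- Backslash-escaped `\_` makes LIKE match a literal underscore.
SELECT
  CASE
    WHEN table_name LIKE 'wp\_itsec\_%'  THEN 'iThemes Security'
    WHEN table_name LIKE 'wp\_wf%'       THEN 'Wordfence'
    WHEN table_name LIKE 'wp\_aiowps\_%' THEN 'All in One WP Security'
  END                                                  AS plugin,
  COUNT(*)                                             AS tables,
  SUM(table_rows)                                      AS approx_rows,
  ROUND(SUM(data_length + index_length) / 1048576, 2)  AS size_mb
FROM information_schema.tables
WHERE table_schema = 'wordpress'
  AND (   table_name LIKE 'wp\_itsec\_%'
       OR table_name LIKE 'wp\_wf%'
       OR table_name LIKE 'wp\_aiowps\_%')
GROUP BY plugin
ORDER BY size_mb DESC;

-- Drill down to individual tables, largest first, to see which log is
-- growing. For Wordfence this is typically wp_wfHits, which records
-- site traffic; for iThemes Security it is usually wp_itsec_log.
SELECT
  table_name,
  table_rows                                           AS approx_rows,
  ROUND((data_length + index_length) / 1048576, 2)     AS size_mb
FROM information_schema.tables
WHERE table_schema = 'wordpress'
  AND (   table_name LIKE 'wp\_itsec\_%'
       OR table_name LIKE 'wp\_wf%'
       OR table_name LIKE 'wp\_aiowps\_%')
ORDER BY size_mb DESC;
```

Run these from the mysql client or with wp db query. Row counts for InnoDB tables are estimates, so treat approx_rows as a rough indicator; the size_mb figures come from the storage engine and are what matter for disk usage and backup size. If one table dominates, shorten that plugin’s log-retention setting rather than deleting rows by hand.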
All three plugins have free and paid versions. If you don’t have a favorite yet, try them out and pick one; running more than one at a time mostly duplicates work (two firewalls, two scanners, two sets of log tables) and can cause conflicts. Any of them should give you good protection, provided you also keep WordPress core, your themes, and your plugins up to date, since a security plugin does not patch the vulnerabilities in outdated code.
One very important factor in good security–not just with WordPress but anywhere on the Internet–is using strong passwords. Sallie just started using Dashlane, which lets you sync passwords between devices for $40/year. Ted uses LastPass, which has a $12/year premium version to allow use on and syncing across unlimited devices. 1Password offers sync via Dropbox, iCloud, or Wi-Fi, all of which seems a little clumsy, and you have to buy a license for each device. (Plus it’s just kind of annoying.)
In addition to passwords, utilities like these can also store credit card information, personal information, and license keys. Using them makes it practical to give every site a long, randomly generated password (the most secure kind) without having to remember any of them, which also means that a password stolen from one site can’t be reused to get into your others.