Security

WordPress websites are very popular with hackers. The code is readily available and attacks are frequent. If your site is hijacked and used to relay email or to host pornography or other inappropriate material, this will have a very bad effect on your club’s reputation.

The WordPress software which your site is using will be kept up to date for you. Generally the main software, plugins and themes will be updated the same day that an update is made available.

There are, however, things you can do yourself, as indicated below.

Restricting access to pages

Make inaccessible any page or post which is not to be read by ordinary members of the public (i.e. those who are not logged in). Do this by marking it as “Hidden” in the post restriction in the bottom right hand corner of the editor. If you do not mark something as hidden, it can be found by a search even though it is not accessible from a menu. Unfortunately, someone logged in on another website using the same infrastructure will be able to see your hidden posts by using the search box.

Restrict access to menus

While the pages and posts themselves should be marked hidden if they are not to be accessed by users who are not logged in, it is also good to hide menus from those who should not see them, as explained in menus.

Don’t share accounts

It is very bad practice to share accounts. If someone needs admin access, change his/her role to admin, but don’t share your account and password.

Don’t create a user called admin

A brute force attack requires trying different usernames and passwords many times. Wordfence (one of the installed plugins) will notice this and block further attempts, but don’t make it easier by having an obvious username like admin.

Leave comments disabled

Hackers use programs to send advertising “comments” to WordPress websites. The simplest solution is to leave comments disabled.

Use reCAPTCHA on the registration page

This is initially set up for you, but if you use your own domain then you must follow the instructions for giving your site a URL with the club’s domain.