So I am suddenly a Wordpress Admin

I am retired from a career in IT that includes managing a web development team for some time. So that makes me qualified to suddenly become a Wordpress admin. Does anybody have any recommendations for a good tutorial on Wordpress configurations, and common plugins to be aware of?

The most important thing is to keep autoupdate on and make an effort to keep it fully updated at all times, within the same day as each patch. Wordpress is extremely popular and each exploit commonly gets around extremely quickly.

Don’t run any unnecessary plugins just because they sound cool. Only install those you actually need. They will be an ongoing pain in the ass for the rest of your life, being updated, being abandoned, having to find replacements, etc.

Beyond that I do recommend using the wordfence security plugin, it auto-bans people when they act suspiciously, try to brute-force passwords, etc, and scans files for common trojans, which will absolutely happen; it’s impossible to truly keep WP secure.

The Qt3 frontpage has been hacked a couple of times, where wordfence found trojans in there, and I just deleted them with seemingly no consequences that I could find. At least nobody is using our VM to mine crypto or anything, that would show up in CPU time, but I certainly wouldn’t put my credit card number on the filesystem or anything.
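Since "keep autoupdate on" is the first piece of advice in the thread, here is what that looks like as code. This is an added example written for this page, not code from the Qt3 site or from WordPress itself; the hook and filter names are WordPress core APIs, but the file name, the hold-back list and the `example-fragile-plugin` slug are placeholders I made up. Drop it into `wp-content/mu-plugins/` (must-use plugins load before everything else and cannot be deactivated from the dashboard, which is exactly what you want for a policy like this):

```php
<?php
/**
 * Plugin Name: Force automatic updates (added example, not part of the thread)
 * Description: Opt the site into automatic core, plugin, theme and translation
 *              updates, hold back a named plugin if needed, and log each run.
 *
 * File location (assumed): wp-content/mu-plugins/force-auto-updates.php
 */

// Take major and minor core releases automatically, not just security
// point releases. Equivalent to WP_AUTO_UPDATE_CORE = true in wp-config.php.
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Themes and translations: always update.
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );

// Plugins: update everything except an explicit hold-back list. Keep this
// list empty unless a specific plugin has broken on update before; every
// slug here is a plugin you now have to patch by hand.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $hold_back = array(
        'example-fragile-plugin', // placeholder slug, not a real plugin
    );
    return ! in_array( $item->slug, $hold_back, true );
}, 10, 2 );

// WordPress fires this action with the results of each automatic update
// run, keyed by type (core, plugin, theme, translation). Write one line per
// item to the PHP error log so a failed update is visible without logging
// into the dashboard.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $updates ) {
        foreach ( $updates as $update ) {
            $status = is_wp_error( $update->result )
                ? 'FAILED: ' . $update->result->get_error_message()
                : 'ok';
            error_log( sprintf( '[auto-update] %s: %s -> %s', $type, $update->name, $status ) );
        }
    }
} );
```

Two caveats worth knowing: automatic updates run from WP-Cron, so a site with no traffic (or with `DISABLE_WP_CRON` set and no system cron calling `wp-cron.php`) will not update on its own however the filters are set; and the updater silently does nothing when it cannot write to the install directory, so check the log line actually appears after the first release ships.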

Oh boy, good luck with that. Being a Wordpress admin isn’t easy or fun, but it is necessary. I avoid it like the plague, though. Lots of horror stories to tell, alas.

Geez, you guys are making me feel real great about this!

I wish I had better news, Tim, but I’m keeping it real here. I think you better be prepared, that’s all. ;)

It’s not that big of a deal, I’d say I conservatively do 6 hours of work per year on maintaining the Qt3 frontpage. Mostly making sure it’s updated and bugging Tom when a plugin goes unsupported. The forums maybe 80, Discourse is a huge pain in the ass by comparison because they do breaking changes all the time. WP never, ever does.

I’ve administrated between 2 and 4 pages for many, many years; and I’d say just follow @stusser's advice and you’ll be fine. Wordpress is extremely popular, but that is because it is pretty excellent and reliable software.

It of course depends on how you’re using it, but generally (repeated): autoupdate on, follow the security recommendations, ensure you have strong passwords, make sure you get a good security plugin installed (I use WP Cerber Security + Jetpack), and don’t install plugins unless you need them, and you’re unlikely to have any serious issues. I think I’ve seen maybe one successful attack in 14? years - and that was against the commenting plugin I was using. I’ve run lots of other stuff on the web (various wikis including wikimedia, forums, bug trackers, etc), and Wordpress is by far the most hassle-free of these that I’ve run.

It depends of course on how much interaction your users have with the site. If randos can upload files/media or you need discussion/comment/forms/shop plugins, etc., then you’re of course opening yourself up to a lot more hurt. I’m not sure I’d call that a particular issue with Wordpress though - this is why you need to pick plugins with care, because every plugin - and especially those with interaction - open up new attack vectors.

Wrt tutorials, honestly, just follow the instructions on the site. Wordpress is extremely simple to set up and administrate - you still need some technical understanding, of course, but if you need to do simple stuff, it is very simple to set up and you’ll get tons of good suggestions through the interface. And the community is vast, which means you’ll almost always be able to google for the answer to whatever question you might have (or just ask here).

Yeah they were all comments with dodgy JavaScript injected somehow. Never got anybody (as far as I know) because we don’t use WP native comments, we embed a discourse thread.

Doubt a nation state is executing an advanced persistent threat against our little gaming site so given that was like five years ago I have some degree of confidence no lasting harm was done.

My security strategy is simple— don’t be a low-hanging fruit. If anyone skilled wants to hack us, they will succeed. But if some script kiddie is scanning the entire internet for common exploits, which does happen, we won’t show up.

But as always, you don’t know what you don’t know. Be sure to take and keep offsite backups.

You’re not helping your point there. ;)

Hehe.

Fixed.


I’ve run into a little problem with email notification for new comments. There are comments being made on very old posts. These are generating email notifications to the personal email address of the previous admin. She put her personal email address in instead of setting up a role account.

Based on my reading of the Wordpress support docs on the email notification, this shouldn’t be happening. I still have her as a user on the site, but changed her role from administrator to contributor. According to the docs, “Contributors don’t receive any comment notifications.”, but she has.

It looks like the notifications happen when a comment is made on posts that she published. So how do I fix this?

If it comes down to it, I can delete her ID from the system.

Not confident in this, but you could try installing a role editing plugin and removing edit_posts from her user. You could remove other permissions, too, all of them, by the sounds of it.

Check for custom PHP functions that might be assigning her permissions or emailing, too.

I’m not really keen on adding a user role editor plugin. The number of users can be counted on one hand and monkeying around with the detailed custom permissions seems like a recipe for disaster if I pass this site off to another person to admin.

I think I might just change her email address to the admin role account email address as she should not be notified of anything.
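For anyone hitting the same thing: the new-comment email is sent by WordPress core to the post author's address for every approved comment on that author's posts, regardless of the author's current role, which is why downgrading the account does not stop it. Core exposes the recipient list through two filters, so an alternative to editing the old admin's user record is a tiny must-use plugin that rewrites the list. This is an added example I wrote for this page, not the site's own code and not something from the thread; `QT3_COMMENT_NOTIFY_ADDRESS`, the `qt3_` function name and the `webmaster@example.com` mailbox are placeholders you would replace with the real role account. The filter names, `get_user_by()` and `user_can()` are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Route comment notifications to a role account (added example)
 * Description: Strip former staff from the recipient list WordPress builds
 *              for new-comment and moderation emails; fall back to a shared
 *              mailbox so notifications are never silently lost.
 *
 * File location (assumed): wp-content/mu-plugins/comment-notify-routing.php
 */

// Assumed role account. Replace with the real shared mailbox.
const QT3_COMMENT_NOTIFY_ADDRESS = 'webmaster@example.com';

/**
 * Filter callback for both comment_notification_recipients (new approved
 * comment, sent to the post author) and comment_moderation_recipients
 * (comment awaiting approval, sent to the admin email plus moderators).
 *
 * Keeps an address when it is not tied to a WP user at all (e.g. the site
 * admin email from Settings > General) or when the user still has an
 * editor-level capability. Contributors and subscribers are dropped, so a
 * former admin who was demoted stops receiving mail for posts she wrote.
 *
 * @param string[] $emails     Recipients WordPress has already assembled.
 * @param int      $comment_id Comment being reported (unused here).
 * @return string[]            Never empty: falls back to the role account.
 */
function qt3_route_comment_recipients( array $emails, $comment_id ) {
    $kept = array();

    foreach ( $emails as $email ) {
        $user = get_user_by( 'email', $email );

        if ( ! $user || user_can( $user, 'edit_others_posts' ) ) {
            $kept[] = $email;
        }
    }

    // If the only recipient was the demoted author, route to the shared
    // mailbox instead of sending nothing; unmoderated spam on old posts is
    // the thing you most want to hear about.
    if ( empty( $kept ) ) {
        $kept[] = QT3_COMMENT_NOTIFY_ADDRESS;
    }

    return array_values( array_unique( $kept ) );
}

add_filter( 'comment_notification_recipients', 'qt3_route_comment_recipients', 10, 2 );
add_filter( 'comment_moderation_recipients', 'qt3_route_comment_recipients', 10, 2 );
```

The capability check is the point of doing it this way rather than matching on a name or email: when the site is handed to the next admin, nothing here needs editing, because anyone who still holds editor or administrator rights keeps getting the mail and anyone demoted stops. If comments on years-old posts are mostly spam anyway, the complementary setting is Settings > Discussion, "Automatically close comments on posts older than N days", which stops the comments rather than the notifications.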