Tips for new WordPress blog? Specifically with security/privacy

jonxihama

I've decided to start a blog. It'll be more like a public journal than an author's platform, so I'm sticking with the free tier of Wordpress. From what I've read, plugins are the name of the game for WordPress. The only one I've found is Wordfence, but I'm wondering if there's anything else.

I know how to write the back-end of websites, but haven't done the pretty front-end stuff. I'm not afraid of writing something custom, but I'd strongly prefer something drag-n-drop.
 

ChaseJxyz

> I've decided to start a blog. It'll be more like a public journal than an author's platform, so I'm sticking with the free tier of Wordpress. From what I've read, plugins are the name of the game for WordPress. The only one I've found is Wordfence, but I'm wondering if there's anything else.

Do you mean wordpress.com or wordpress.org? Because ALL of wordpress.org is free. It's a package you download and install onto your own network drive (GoDaddy or whatever). Wordpress.com, meanwhile, is the thing with tiers of payment. You're not setting up your own "instance" of Wordpress, it's something run/managed by Wordpress. And, because of that, you are NOT able to use plugins. Since plugins are the real security risk.

So, depending on what you "built," your plugin question is kind of a moot point, because you might have set yourself up to not ever be able to use them.

> I know how to write the back-end of websites, but haven't done the pretty front-end stuff. I'm not afraid of writing something custom, but I'd strongly prefer something drag-n-drop.

The beauty of Wordpress is you don't need to do ANY of the backend lol. It's all frontend. I mean, you could fuck around with the php yourself if you have a Wordpress.org thing set up, but then you'd have to deal with php, and who wants to do that?

Look at the themes page and pick something that's the shape that you want. You can change all the pictures/colors/menus on your own website. It's all managed through Wordpress's menus, so you never have to write a single line of CSS.

Also your actual post has nothing about security OR privacy, which are two entirely different animals lmao. But I'm gonna give you that info, anyways, because I imagine you want it.

To keep your security good: use a unique, long password for your Wordpress. Don't download any plugins UNLESS it has a ton (like, hundreds of thousands, if not millions) of positive reviews. Same deal with themes. Turn on auto-updates and remove anything you don't use regularly. Turn on auto-updates for Wordpress, for WP itself and the php stuff and everything else. Don't be an idiot and download/install/run random programs on the internet (people are idiots and do this and lose access to their discords all the time). Do all the other "don't be an idiot" security things like I've said elsewhere.

I have no idea what you mean by "privacy." So here's some generals: Don't post anything online you don't want your mother to see. Or your kids. Or your boss. But if you must 📫🕳️, ensure that you are using completely different aliases/emails/phone numbers/etc from your main/"professional" info/handles. But do be aware that Immigration/TSA/the feds/etc can and will look every possible thing up, and probably find it. If you want something to be actually private, then don't post it online.
 

jonxihama

> you are NOT able to use plugins. Since plugins are the real security risk.

I'm confused. I'm on WordPress.com and from what I can tell, I have two plugins already: something called "Jetpack" and another called "Akismet Spam Protection." The former includes malware protection and the latter protects against spam. That's really all I care about.

Almost all the other plugins require me to upgrade my WordPress plan. Is this what you mean?
> Don't download any plugins UNLESS it has a ton (like, hundreds of thousands, if not millions) of positive reviews. Same deal with themes. Turn on auto-updates and remove anything you don't use regularly.

Do you mean downloading random plugins on the internet or the plugins within WordPress' marketplace? There seems to be a ton of plugins available through WordPress. Hopefully all of those are safe?

By privacy I didn't mean anonymity. My name isn't on my blog, but it's not really a secret. I just have a persona to add to the blog's ~~allure~~.
 

ChaseJxyz

> I'm confused. I'm on WordPress.com and from what I can tell, I have two plugins already: something called "Jetpack" and another called "Akismet Spam Protection." The former includes malware protection and the latter protects against spam. That's really all I care about.
>
> Almost all the other plugins require me to upgrade my WordPress plan. Is this what you mean?

The Akismet thing is standard it all comes with. I guess Jetpack is another one that comes with it.

I guess they must have changed it to allow .com folx to use plugins at some point lol. But making you pay for it makes sense. Because it leaves you (and, theoretically, Wordpress) in danger. Because...

> Do you mean downloading random plugins on the internet or the plugins within WordPress' marketplace? There seems to be a ton of plugins available through WordPress. Hopefully all of those are safe?

There's two main causes for security holes: stupid users, and stupid programmers. Stupid users fall for phishing and leave their laptop unlocked at Starbucks when they go to the bathroom. Stupid programmers don't sanitize their inputs or leave their Jenkins servers unsecured. You can be a smart user, but if you use a site, software, or service made by a stupid programmer, then you're the one who has to pay the price.

So just because something is available "through Wordpress," that doesn't mean it's 100% perfect. There could be some yet-discovered flaw that leaves a back door for the bad guys to exploit. You said you're a programmer, you remember Log4j? Imagine some massive flaw in a widely-used library like that is discovered again. Is the programmer for your random plugin going to drop everything and update it to fix the hole? Also, sometimes good programmers are stupid users and their accounts get compromised, which pushes malicious code into their software. Or maybe they're like the GShade FFXIV guy and have decided to Go Evil and give you malware on purpose, to teach you a lesson.

Also giving random sites/services access to your shit and permissions to look at/fuck with your data is just asking for trouble. You remember Cambridge Analytica, don't you? You know how they got all that data, right?

Security is only as strong as its weakest link. As you add more people, software, and services to the chain, you're creating more opportunities for things to fail.

> By privacy I didn't mean anonymity. My name isn't on my blog, but it's not really a secret. I just have a persona to add to the blog's ~~allure~~.

So what do you mean lol I can't give you advice on how to privacy your WP good if I don't know what sort of privacy you're looking for
 

jonxihama

> There's two main causes for security holes: stupid users, and stupid programmers.

We're on the same page here. I won't say I'm not a stupid user but I'm certainly less stupid than the average user a la long passwords, OTP, USB keys, etc. It's just a text-based blog, so I don't need any other plugins.

> So what do you mean lol

I meant more on the preventing known data breaches, which is covered in the not a stupid user/not using stupid code bit. I'm clearly new to blogging so I wanted to ask more knowledgeable people. Sounds like I have my bases covered with basic digital security practices.
 

stephenf

Wordpress.com is a hosting company and I believe is not connected to wordpress.org. I have never used the com. I have not found Jetpack or Akismet to be useful, I just delete them. I do use WP Cerber Security.
 

lizmonster

> I meant more on the preventing known data breaches, which is covered in the not a stupid user/not using stupid code bit. I'm clearly new to blogging so I wanted to ask more knowledgeable people. Sounds like I have my bases covered with basic digital security practices.

If you're on wordpress.com, you don't have any control over data breaches - that's all on them.

I mean, you sort of do - don't put passwords, bank account numbers, etc. on your web pages. But in terms of hacking user data? They keep that on their backend, and I don't believe there's a thing you personally can do to protect it.