It’s a widely cited fact that WordPress powers 25% of the internet’s webpages. Think about that, 25%! And nearly 60% of the sites that use a CMS (content management system).
That is the main reason it is also a target. Like the popular Microsoft Windows or Android OS, WordPress powers so many sites that if you can find a way to compromise even a small percentage of websites using the system, you can gain access to literally millions of sites.
Because of this, one of the first questions I get when I suggest using WordPress is about security. But as I stated before, criminals and people looking to do general mischief are looking for the low-hanging fruit, the easy-to-hit sites. So with some basic precautions, your website can be even more secure than custom HTML sites.
Making WordPress Safe
There are a few basic steps that a web developer or your company IT guy can take to secure your new or existing WordPress site. Below is a list of plugins, best practices and other items used by BeBizzy Consulting and many others to make your site as secure as possible.
Let’s start off with the most important part of the security system. If you don’t have a good backup of the site, it doesn’t matter how you set the rest up. Something WILL cause your website to fail: the webhost could suffer an attack or hardware failure, you could alter some code and break the site, or a security breach could hit your site directly. With no backup, there’s no easy way to return to “normal,” so at a minimum do a complete backup of the site files, and don’t forget to back up the database. Automated methods for this process exist as well and are highly recommended.
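The file-plus-database backup described above, scripted as an added example (this is not BeBizzy's tooling or code from the original post). It assumes a Linux host where WP_ROOT is the WordPress directory, BACKUP_DIR is writable, and mysqldump, tar and gzip are installed; the database credentials are read from wp-config.php rather than typed on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): back up a WordPress site's files
# and its database in one run. Assumptions: WP_ROOT is the WordPress directory,
# BACKUP_DIR is writable, and mysqldump, tar and gzip are installed.
WP_ROOT="${WP_ROOT:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"

# Print the value of one define('NAME', 'value') line from wp-config.php
# ($1 = path to wp-config.php, $2 = constant name). Values that themselves
# contain quote characters are not handled.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

backup_wordpress() {
    config="$WP_ROOT/wp-config.php"
    [ -f "$config" ] || { echo "no wp-config.php in $WP_ROOT" >&2; return 1; }
    db_name=$(wp_config_value "$config" DB_NAME)
    db_user=$(wp_config_value "$config" DB_USER)
    db_pass=$(wp_config_value "$config" DB_PASSWORD)
    db_host=$(wp_config_value "$config" DB_HOST)
    # DB_HOST may be "host" or "host:port"; a socket-path suffix is not handled.
    host="${db_host%%:*}"
    port=3306
    case "$db_host" in *:*) port="${db_host#*:}" ;; esac
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR" || return 1
    # Database dump. The password is passed via MYSQL_PWD so it never shows up
    # in the process list; the dump is written first, then compressed, so a
    # failed mysqldump is not hidden behind a successful gzip.
    dump="$BACKUP_DIR/db-$stamp.sql"
    MYSQL_PWD="$db_pass" mysqldump --single-transaction -h "$host" -P "$port" \
        -u "$db_user" "$db_name" > "$dump" || return 1
    gzip -f "$dump" || return 1
    # Site files: wp-config.php plus wp-content (themes, plugins, uploads).
    tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" -C "$WP_ROOT" wp-config.php wp-content || return 1
    # Read both archives back before trusting them as a restore point.
    gzip -t "$dump.gz" && tar -tzf "$BACKUP_DIR/files-$stamp.tar.gz" > /dev/null || return 1
    echo "$dump.gz"
    echo "$BACKUP_DIR/files-$stamp.tar.gz"
}

# Run the backup when the script is executed with the argument "run",
# e.g. from a daily cron entry.
if [ "${1:-}" = "run" ]; then
    backup_wordpress
fi
```

Copy the resulting archives off the web host (the post's point is that a backup stored next to the site dies with it).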
The easiest way to gain access to a WordPress site is through an out-of-date WordPress install. I’ve recovered sites running on 2.x (current is 4.7), and that’s a scary endeavor. WordPress puts out major releases a couple of times per year, and security patches about once a month or so, to stay ahead of the pinholes that are found in WordPress. The best part is there are thousands of people looking at WordPress, for good and for bad, who identify issues and get them repaired. Keep your site updated and make sure your PHP version can handle the update. If not, it’s time to move!
I also suggest turning on automatic core updates. You should be able to toggle a switch that will update WordPress automatically for “X.x.x” updates, keeping your site secure without you even trying. Just make sure you test the site when notified of an update to make sure everything is running as it should.
The next best way to gain access to WordPress is through outdated or poorly programmed plugins. Last summer I worked on recovering a WP site that had a plugin that had not been touched by its developer in over five years. When I updated the site to a new WP version, the plugin crashed and I had to find an alternative, more up-to-date plugin that worked close to the same. But it’s not just keeping the plugins updated, it’s keeping an eye open for poorly secured plugins as well. Do some research on a plugin before installing it. Has anyone ever suffered a breach or WordPress crash after installing it? What is the support like? How often do they update?
One thing that is often overlooked is deleting themes that are not being used, or are not even active on the site. This is extra code that has been abandoned for one reason or another, and leaving it on your website can open a hole you don’t even know is there.
A final note on plugins, themes and other items is to NOT use pirated versions of software. Most plugins are fairly inexpensive and the alternative to paying $10 for a plugin is often spending hours, or even paying hundreds of dollars to have malicious code removed from a site. Pay the $10.
Next on the list of vulnerabilities is your theme. Every WordPress site runs on a theme, whether it’s the 2016 theme that came installed, or one you paid for or got for free. Again, do a little research before you install a theme on your site: make sure it isn’t a known security issue, that it is still updated and supported, and that it isn’t poorly written. Then, update it as soon as you get a notification it has been revised.
More Security Steps
Below are a few other steps that are taken by BeBizzy Consulting, and should be considered by your team, host, or developer to make your site as secure as possible.
Like on a computer or virtually every other system, do not use “Admin” as your administrator username. Pick something a bit more robust and always use a secure password. Changing the password often also makes it more difficult for an intruder to keep access once it has been gained.
Move The WP-Login.php Page
There are several plugins that allow you to choose a different admin login page for your site. Installing one of them and renaming your login to something less known can stop some people from even trying to access your admin, simply because it doesn’t exist at the usual spot.
Install a Security Plugin
Many sites have Sucuri or Wordfence installed to protect the admin and other parts of the site. Even the free versions will notify you when the admin is accessed and limit login attempts at wp-login.php, and the premium versions can lock down the admin to specific locations or IP addresses, run security scans for malicious code, and much more.
Keep Your Site Safe
There are definitely more ways to secure your WordPress site. Editing the .htaccess file, hiding WordPress from source viewers, hiding site author names, picking a good (reputable) host, automating security audits, removing the plugin and theme editors, and others will help keep your site safe, but they do require some knowledge and planning by someone who knows their way around WordPress.
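The core/plugin/theme update routine, the unused-theme clean-up and the removal of the plugin and theme editors from the paragraphs above, scripted with WP-CLI as an added example (this is not BeBizzy's tooling or code from the original post). It assumes WP-CLI is installed as `wp`, the script runs as the web server user, and WP_ROOT points at the WordPress directory; the WP variable can be pointed at a wrapper script for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post: a WP-CLI maintenance pass that
# applies the update, unused-theme and editor-removal advice. Assumes WP-CLI is
# installed as `wp`, the script runs as the web server user, and WP_ROOT is
# the WordPress directory. WP can be pointed at a wrapper script for dry runs.
WP="${WP:-wp}"
WP_ROOT="${WP_ROOT:-/var/www/html}"

wp_maintenance() {
    # Compare core files against the official checksums BEFORE updating, so a
    # mismatch (a common sign of injected code) is seen rather than overwritten.
    # A mismatch stops the run: look at the listed files first, then rerun.
    $WP --path="$WP_ROOT" core verify-checksums || return 1
    # Core, plugins and themes: apply every pending update.
    $WP --path="$WP_ROOT" core update || return 1
    $WP --path="$WP_ROOT" core update-db || return 1
    $WP --path="$WP_ROOT" plugin update --all || return 1
    $WP --path="$WP_ROOT" theme update --all || return 1
    # Remove themes that are installed but not in use. The active theme and the
    # parent of an active child theme are listed as "active" / "parent", not
    # "inactive", so only genuinely unused themes are deleted.
    for t in $($WP --path="$WP_ROOT" theme list --status=inactive --field=name); do
        $WP --path="$WP_ROOT" theme delete "$t" || return 1
    done
}

# wp-config.php hardening: switch off the in-dashboard plugin/theme file
# editors and keep the automatic minor ("X.x.x") core updates switched on.
harden_wp_config() {
    $WP --path="$WP_ROOT" config set DISALLOW_FILE_EDIT true --raw || return 1
    $WP --path="$WP_ROOT" config set WP_AUTO_UPDATE_CORE minor || return 1
}

# Run both passes when the script is executed with the argument "run".
if [ "${1:-}" = "run" ]; then
    wp_maintenance && harden_wp_config
fi
```

Take a backup (see the top of the post) before the first run, since an update can break an old plugin exactly as described above.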
Adding an SSL certificate to your site and hosting is also a good idea, not only for encrypting data shared back and forth with users, but also for the search engines, which are starting to use it in their algorithms.
I still feel that having a good backup is THE step you have to take. If you have a restore point on which you can rely, you can move, restore or save your website pretty easily. But if you are starting from a dirty site and have to clean it, be prepared to spend either a lot of time, or a fair amount of money, to have it back up. And frankly, sometimes it’s even more cost effective to build over than to attempt the save.