In this post I will review WordPress security and the “Best Practices To Keep WordPress Secure”. But first I want to address a myth. I have some clients who think they do not need to worry about website security because their website is not a major corporation and would never be a target for malware or other attacks. The fact is that WordPress is one of the most popular website platforms. The W3Techs 2018 survey shows that WordPress powers over 30% of all websites and that WordPress is the fastest growing content management system.
Five Reasons Why WordPress Is So Popular
- WordPress is free & open source with a large community for “tips and tricks” and troubleshooting
- WordPress has a large array of themes and plug-ins to create a unique website with broad functionality
- WordPress is SEO friendly
- WordPress is easy to use
- WordPress is continuously improving to offer more functionality, better integration, and better security
There are additional reasons why WordPress is so popular, but the above reasons are important features when selecting a platform on which to develop your website, and they are why you should use WordPress. However, the downside to this much popularity is that it makes WordPress a target. Think about it: if your goal is to develop malware to infect websites, wouldn't you set your sights on the most popular platform? Attack bots do not check whether a site belongs to a large company; they scan the whole web for any site running a vulnerable version of WordPress, a theme or a plug-in. This means that even small businesses may find that their website becomes a target.
Does this mean I should not develop my website on WordPress? Go back to my five reasons why WordPress is so popular.
Does this mean that WordPress is insecure? No, not at all. But you need to maintain your website to keep it secure.
Best Practices To Keep WordPress Secure
To reduce your WordPress security concerns, here are several proactive measures you can take to keep your website secure.
Keep Your WordPress Version Up-To-Date
Because of WordPress's large and active open-source community, security issues are reported quickly, and the WordPress team responds quickly with a security release. It is therefore important to keep your WordPress version current so that you receive those security releases. WordPress automatically installs minor releases (the security and maintenance updates) unless automatic updates have been turned off in wp-config.php, but it does not automatically install major releases. Example: WordPress will automatically update 4.9.4 to 4.9.5, but it will not automatically update 4.9.x to 5.0; you must start a major update yourself from the dashboard.
Important Note: Before you update WordPress or any of your plug-ins, make sure that you back up both your website files and your database first. If something goes wrong during the update, you will have a backup to restore from.
Choose Plug-ins Wisely And Keep Them Upgraded
Research plug-ins before you install them to see what others have to say and make sure that the plug-in is maintained. If the plug-in developer has not issued an update within the last 6 months, I recommend you do a bit more research. Using a poorly designed plug-in, or one that is no longer maintained and therefore no longer receives security updates, is just inviting attackers in through the back door of your website.
When WordPress releases an upgrade you will often see that some of your plug-ins also have an upgrade. It is important that you upgrade your plug-ins, because they may be patching the same security issue as WordPress. Plug-ins also release upgrades independently of WordPress releases, so it is important that you stay vigilant in keeping your plug-ins upgraded.
You should inventory your plug-ins periodically to make sure that they are still maintained by the developer and that they provide functionality you are actually using. If you are not making use of a plug-in, delete it. Do not just deactivate the plug-in, delete it. A deactivated plug-in's files are still on the server, and a vulnerable file in one can often be reached directly over the web even though WordPress never loads the plug-in.
Tighten Up Security Features
- Turn off comments or limit the length of time users can comment on your posts.
- Don’t allow open registration.
- Limit the number of Administrator user accounts on your website to the bare minimum
- Require strong passwords
- Do not use “admin” as a username
- Make sure that the correct file permissions are set (normally 755 for directories, 644 for files, and wp-config.php readable only by its owner)
- Remove and block spam comments
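The file-permission item above and the note earlier about automatic updates being turned off in the config file are both things you can check from the shell. The script below is an added example, not code from the original post: it walks a site for world-writable paths, checks that wp-config.php is not world-readable, and looks for the two wp-config.php constants that disable background updates. It assumes the standard layout with wp-config.php in the site root.

```sh
#!/bin/sh
# Added example, not code from the original post: audit a WordPress install
# for the file-permission and automatic-update settings discussed above.
# Assumes the standard layout (SITE/wp-config.php with wp-admin/, wp-content/
# and wp-includes/ beneath SITE). Prints one finding per line, then a summary
# line "findings: N", and exits non-zero when anything was found.

audit_wp_site() {
  site="$1"
  cfg="$site/wp-config.php"
  findings=0

  # The usual baseline is 755 for directories and 644 for files: the web
  # server can read, only the owner can write. World-writable paths are the
  # dangerous deviation, so that is what gets flagged here.
  bad=$(find "$site" -type d -perm -002)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad" | sed 's/^/world-writable directory: /'
    findings=$((findings + $(printf '%s\n' "$bad" | wc -l)))
  fi
  bad=$(find "$site" -type f -perm -002)
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad" | sed 's/^/world-writable file: /'
    findings=$((findings + $(printf '%s\n' "$bad" | wc -l)))
  fi

  if [ -f "$cfg" ]; then
    # wp-config.php holds the database password and the auth salts, so it
    # must not be world-readable; 600 or 640 are the usual choices.
    if [ -n "$(find "$cfg" -perm -004)" ]; then
      echo "world-readable wp-config.php: $cfg"
      findings=$((findings + 1))
    fi
    # Background updates are on by default; either of these constants turns
    # them off, which means security releases are no longer applied for you.
    if grep -Eiq "define\([[:space:]]*['\"]AUTOMATIC_UPDATER_DISABLED['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
      echo "all automatic updates disabled: AUTOMATIC_UPDATER_DISABLED"
      findings=$((findings + 1))
    fi
    if grep -Eiq "define\([[:space:]]*['\"]WP_AUTO_UPDATE_CORE['\"][[:space:]]*,[[:space:]]*false" "$cfg"; then
      echo "core automatic updates disabled: WP_AUTO_UPDATE_CORE"
      findings=$((findings + 1))
    fi
  else
    echo "no wp-config.php under $site"
    findings=$((findings + 1))
  fi

  echo "findings: $findings"
  [ "$findings" -eq 0 ]
}

# Usage: audit_wp_site /var/www/example.com
```

Run it from a cron job or before each update; a non-zero exit makes it easy to wire into whatever alerting you already have. It only reads the filesystem, so it cannot tell you about the “admin” username or open registration; those are settings in the database and are checked from the dashboard.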
Backup Your Website
Backup your website frequently. That way, if your site does get hacked, you can get it up and running again quickly.
Do not just store your backups on your website’s server. Make sure that you have off-site backup storage for disaster recovery. If all of your backups are stored on the server with your website and a disaster strikes the server or your host provider, your website could be lost. If you have backups off-site then that backup can be used to get your website up and running on a new server.
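Here is what the two backup rules above look like as a script. This is an added example, not code from the original post or from WordPress: it archives the site files, dumps the database using the credentials already in wp-config.php, verifies the archive can be listed, and then copies the backup directory off the web server. It assumes the standard layout, that wp-config.php defines DB_NAME, DB_USER, DB_PASSWORD and DB_HOST as plainly quoted strings (DB_HOST a bare hostname), and that mysqldump and rsync are installed; the rsync destination is a hypothetical placeholder.

```sh
#!/bin/sh
# Added example, not code from the original post: back up a WordPress site's
# files and database into a local directory, verify the archive, and copy the
# result off the web server. Assumes the standard layout (wp-config.php in the
# site root), a wp-config.php that defines DB_* with plain quoted strings and a
# bare hostname in DB_HOST, and that mysqldump and rsync are installed. The
# off-site target below is a hypothetical placeholder.

# wp_config_value FILE NAME: print the value of define('NAME', 'value'),
# accepting single or double quotes and the spacing WordPress uses.
wp_config_value() {
  sed -n -E "s/^[[:space:]]*define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$1" | head -n 1
}

# backup_wp_files SITE DEST STAMP: archive the whole site tree (wp-config.php,
# themes, plug-ins, uploads) to DEST/files-STAMP.tar.gz and print the path.
backup_wp_files() {
  site="$1"; dest="$2"; stamp="$3"
  out="$dest/files-$stamp.tar.gz"
  mkdir -p "$dest" || return 1
  tar -czf "$out" -C "$(dirname "$site")" "$(basename "$site")" || return 1
  # An archive you cannot list is not a backup; check before trusting it.
  tar -tzf "$out" > /dev/null || return 1
  echo "$out"
}

# backup_wp_db SITE DEST STAMP: dump the database with the credentials
# WordPress itself uses, then compress the dump. Prints the path.
backup_wp_db() {
  site="$1"; dest="$2"; stamp="$3"; cfg="$site/wp-config.php"
  name=$(wp_config_value "$cfg" DB_NAME)
  user=$(wp_config_value "$cfg" DB_USER)
  pass=$(wp_config_value "$cfg" DB_PASSWORD)
  host=$(wp_config_value "$cfg" DB_HOST)
  out="$dest/db-$stamp.sql"
  mkdir -p "$dest" || return 1
  # MYSQL_PWD keeps the password out of the process list, unlike -p<password>;
  # --single-transaction gives a consistent snapshot of InnoDB tables.
  MYSQL_PWD="$pass" mysqldump --single-transaction -h "${host:-localhost}" \
    -u "$user" "$name" > "$out" || { rm -f "$out"; return 1; }
  gzip -f "$out" || return 1
  echo "$out.gz"
}

# backup_wp_site SITE DEST [OFFSITE]: both archives, then rsync DEST off-site
# so a dead server or hosting account does not take the backups with it.
backup_wp_site() {
  site="$1"; dest="$2"; offsite="$3"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  backup_wp_files "$site" "$dest" "$stamp" || return 1
  backup_wp_db "$site" "$dest" "$stamp" || return 1
  if [ -n "$offsite" ]; then
    rsync -a "$dest/" "$offsite" || return 1
  fi
}

# Usage (hypothetical paths and host):
#   backup_wp_site /var/www/example.com /var/backups/example.com \
#     backup@backups.example.net:/srv/wp-backups/
```

The timestamp in the file names means old backups are kept rather than overwritten, which matters for the point made later in this post: if a compromise is only discovered months after the fact, you need a copy from before it happened.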
Install Security Defense on Your Website
Install security defenses on your website that provide a web application firewall, block brute-force login activity, and block intrusion attempts. This type of software can be configured to block abusive requests and the IP addresses that send them. Keep in mind that a plug-in-based firewall only runs once a request has already reached PHP on your server; a firewall at your host or CDN stops the traffic earlier, so the two complement each other.
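The brute-force blocking these tools do is worth understanding, because you can reproduce the core of it against your own access log. The script below is an added example, not code from the original post or from any particular security plug-in. It counts failed POSTs to wp-login.php and xmlrpc.php per address in a combined-format access log and emits nginx deny rules for addresses over a threshold. The log lines are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the original post: find brute-force login
# activity in an Apache/nginx combined-format access log and turn it into
# block-list rules. The log lines below are constructed for the example.

# Constructed sample: one address hammering wp-login.php, one trying the
# XML-RPC endpoint, and one ordinary user whose login succeeds (302).
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2018:10:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.18"
198.51.100.23 - - [10/Mar/2018:10:01:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.18"
192.0.2.10 - - [10/Mar/2018:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2018:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2018:10:02:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9901 "-" "Mozilla/5.0"'

# wp_login_abusers LOG [THRESHOLD]: print "<count> <ip>" for every address
# with at least THRESHOLD (default 5) suspicious login POSTs. A failed
# wp-login.php POST re-renders the form with 200; a successful one redirects
# with 302, so 302s are not counted. xmlrpc.php POSTs are counted regardless
# of status, because XML-RPC lets a caller batch many login attempts per request.
wp_login_abusers() {
  awk -v t="${2:-5}" '
    $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ && $9 != "302" { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
  ' "$1" | sort -rn
}

# to_nginx_deny: turn that list into nginx deny directives, one per line,
# suitable for an include file in the server block.
to_nginx_deny() {
  awk '{ print "deny " $2 ";" }'
}

# Demo on the constructed log: prints "deny 203.0.113.7;"
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
wp_login_abusers "$demo_log" 5 | to_nginx_deny
rm -f "$demo_log"
```

A real deployment would run this over a sliding time window rather than the whole log and expire the deny entries, which is exactly what the security plug-ins and host-level tools above automate; the logic they apply is the same counting.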
Scanning Your Website For Trouble Spots
Regular scanning of your website for malware and other security issues helps you find problems quickly, ideally before Google flags your website as hosting malware. If you find an issue right after it occurred, restoring your website from a backup is an option. If you find the issue several months after it occurred, restoring from a backup is often no longer viable, because every backup taken since then contains the compromise too. Scanning can also alert you to vulnerabilities in your website so that corrective action can be taken before you are hacked.
Cheap shared hosting is a bad bargain. It makes your website slow, which hurts your ranking in search engines, and it is inherently difficult to secure completely because many unrelated customers share the same server and file system, so a compromise of one account can spill over into others. Virtual Private Server (VPS) hosting often costs more, but you get what you pay for: improved website performance and more security.
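The simplest useful scanner is an integrity check: record what a known-good copy of the site looks like, then report anything that changed. The script below is an added example, not code from the original post or from any scanning product. It builds a SHA-256 baseline of a site tree, compares a later state against it (modified, new and missing files), and separately lists PHP files under wp-content/uploads, where a media directory should never contain code. It assumes the standard layout and file names without spaces.

```sh
#!/bin/sh
# Added example, not code from the original post: a minimal integrity scanner
# of the kind the section above describes. Assumes the standard WordPress
# layout and file names without spaces. Uses sha256sum where available and
# falls back to shasum (macOS/BSD).

sha256_tool() {
  if command -v sha256sum > /dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# wp_baseline SITE: print "<sha256>  ./path" for every file under SITE, sorted
# by path. Run it right after a clean install or a verified restore and keep
# the output somewhere the web server cannot write.
wp_baseline() {
  ( cd "$1" && find . -type f -exec $(sha256_tool) {} + | LC_ALL=C sort -k 2 )
}

# wp_scan SITE BASELINE: compare the live tree against BASELINE and report
# modified, new and missing files, then any code lurking in the uploads tree.
wp_scan() {
  site="$1"; base="$2"
  now=$(mktemp)
  wp_baseline "$site" > "$now"
  awk 'FILENAME == ARGV[1] { old[$2] = $1; next }
       { new[$2] = $1 }
       END {
         for (p in new) {
           if (!(p in old)) print "new file: " p
           else if (old[p] != new[p]) print "modified: " p
         }
         for (p in old) if (!(p in new)) print "missing: " p
       }' "$base" "$now" | sort
  rm -f "$now"
  # Uploads should hold images and documents only; PHP there is a red flag
  # whether or not it appears in the diff above.
  find "$site/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2> /dev/null \
    | sed "s|^$site/|code in uploads: |"
}

# Usage (hypothetical paths):
#   wp_baseline /var/www/example.com > /root/example.com.baseline
#   wp_scan /var/www/example.com /root/example.com.baseline
```

Expect noise from the cache and uploads directories on a busy site; the fix is to refresh the baseline after every legitimate update and to treat any change under wp-admin, wp-includes or a plug-in directory that you did not make yourself as an incident. Run with a cron job and mail yourself the output: an empty mail is the normal case.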
Following the above steps will go a long way towards safeguarding your WordPress site. And, I can say with some confidence, if you do NOT follow the above steps it is highly likely that your website will be hacked.
The “Best Practices To Keep WordPress Secure” can be followed by anyone; however, business owners often find that their time is better spent focusing on their business. If that is the case for you, Web Image Designs offers packages to keep your website secure and up-to-date. If you have any questions, we would be happy to discuss which WordPress Security & Maintenance Package is right for you.