How secure is your WordPress website?
You’ve probably heard more and more news recently about the websites of big organisations being hacked. It doesn’t matter whether you are a big company or a one (wo)man band: hackers target any website. And it’s not just about stealing valuable information anymore. There are many other reasons a hacker might want to gain access to your site, including stealing your bandwidth or installing malicious software.
WordPress sites are particularly targeted. Why? Because WordPress is very popular. All a hacker needs to do is find a vulnerability in the WP platform, and they can then use that to gain access to your site. But isn’t WordPress secure? WordPress core is usually very secure, yes. It’s not WordPress core that is the problem, it is the themes and plugins you use that are open to vulnerabilities. Anyone can develop plugins or themes for WordPress because it is an open source content management system, but not all of them are coded to best standards.
What can you do?
Well, you could choose to buy a premium theme with guaranteed support and a good security history (I recommend Genesis StudioPress themes), or have your site custom built by a trusted developer. You could take the same route with plugins, choosing only premium or custom plugins, again with guaranteed support and a good security history. However, many incredibly popular and useful WordPress plugins are free, and are well maintained as well. And even premium plugins and themes can have a security vulnerability. So what can you do?
When you choose hosting for your WordPress site, security should be at the top of your list. Things to consider: does your host offer support if your site gets hacked? You don’t want to be in a position where your site goes down and no one is available to help you sort the problem out. Does your plan include a firewall? A firewall acts as the first line of defence for your website against common attacks such as cross-site scripting and SQL injection by monitoring, blocking or filtering HTTP traffic. Are you on shared hosting (the cheapest plans generally are)? Be aware that your host’s server will also be home to many other websites, and a vulnerability in any of them can affect your website’s security too. If possible, consider VPS, dedicated or managed hosting.
Other things to consider when looking for a good web host include backups, malware scanning, and also the ability to automate WordPress updates.
Security at network level
You can also protect your site at the network level by putting a web application firewall in front of it, using services such as Cloudflare, MaxCDN or Sucuri Firewall.
Stop people from gaining access to your site
- Use a unique, strong password and don’t use admin as a username!
- Set up 2 factor authentication. It can be a hassle, as it adds one extra step when logging in, but for the extra security it is a great, simple option. Plugins that can set this up for you include ‘Google Authenticator’.
- Limit login attempts. This is another step you can take to stop a brute force attack on your site, and some security plugins can help with it.
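To show what “limit login attempts” looks like underneath a plugin, here is a small must-use plugin written as an added example for this article (it is not code from the page or from any named plugin). It assumes a standard WordPress install and uses a constructed policy of 5 failures per IP in 15 minutes; the hook names, transient functions and WP_Error class are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 *
 * Added example, not from the article or any plugin. Assumes a standard
 * WordPress install: drop it into wp-content/mu-plugins/.
 * Constructed policy: 5 failed logins from one IP within 15 minutes lock
 * that IP out of the login form (and XML-RPC login) for 15 minutes.
 */
defined('ABSPATH') || exit;

define('ELAL_MAX_ATTEMPTS', 5);
define('ELAL_WINDOW', 15 * MINUTE_IN_SECONDS);

// One transient key per client IP. Caveat: behind Cloudflare, Sucuri or any
// other proxy, REMOTE_ADDR is the proxy's address, so have the web server
// restore the real client IP first or every visitor shares one counter.
function elal_client_key(): string {
    return 'elal_fail_' . md5($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

// Count failed logins; the transient expires on its own after ELAL_WINDOW.
// Attempts made while locked out also count, which extends the lockout.
add_action('wp_login_failed', function ($username) {
    $key   = elal_client_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, ELAL_WINDOW);
    if ($count >= ELAL_MAX_ATTEMPTS) {
        // Leave a trace in the PHP error log for whoever monitors the site.
        error_log(sprintf('[elal] lockout for %s after %d failures (username "%s")',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $count, $username));
    }
});

// Refuse logins from a locked-out IP. Priority 30 runs after WordPress's own
// username/password check (priority 20), so returning a WP_Error here wins
// even when the password was correct.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(elal_client_key()) >= ELAL_MAX_ATTEMPTS) {
        return new WP_Error('elal_locked_out',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that IP.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(elal_client_key());
}, 10, 2);
```

Because transients live in the options table (or the object cache), the counter survives across PHP processes, which a plain in-memory counter would not.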
Always keep up-to-date backups of your site. Use a back-up service either provided by your hosting provider or a plugin. If your site crashes, you’ll want to have easy access to your most recent back-up.
Make sure you always keep WordPress core, themes and plugins up-to-date. Hackers exploit security vulnerabilities, particularly in themes and plugins that may not be coded to best practices.
Choose your plugins and themes wisely
Do you trust the source of the theme or plugin? What is their support like? A plugin that hasn’t been updated for a long time isn’t necessarily vulnerable (it may, for example, deal only with parts of WordPress that haven’t changed in a long time), but check the support forums for an indication of whether the plugin’s author is dealing with support requests. User ratings and reviews should also give you a good indication of a plugin’s trustworthiness, as should the number of active installs. You can also check for any unfixed issues or vulnerabilities in the WPScan Vulnerability Database.
The same goes for themes. If you are choosing to use themes rather than custom building, I recommend choosing themes with a good security and support history, that have been created using coding best practices (I prefer Genesis StudioPress themes).
Be mindful as well to remove any plugins you are no longer using (or at least keep them updated and make sure they have no known vulnerabilities).
Consider security plugins
There are many security plugins available for WordPress and they can help in all areas from prevention to detection. Something to consider before adding security plugins, though, is how resource intensive they are (particularly if you are on shared hosting): they may swallow your bandwidth very quickly. Choose the combination of methods that is most appropriate for your website. It may be that a premium security plugin is the best option for you, or a security focussed hosting package on a dedicated server. If you’re on a budget, a combination of a few simple steps can do more to secure your site than a plugin. Check out Michael Bely’s comprehensive article for a great rundown of what plugins or steps might be best for you.
Hardening up core files and the database
There is a lot more you can do behind the scenes, without resorting to security plugins, by making changes to your core files or the database yourself, such as modifying your .htaccess file and making sure you don’t use the default database table prefix of wp_ when installing WordPress. The Codex has an in-depth article on hardening WordPress that covers some basic security concepts.
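The table prefix is set in wp-config.php, so here is a fragment of that file added as an example for this article (not the page’s or WordPress’s own configuration). Only the prefix is mentioned in the text; the three constants that follow are real WordPress settings added for depth, and the prefix value itself is a constructed sample.

```php
<?php
// wp-config.php fragment (added example; prefix value is a constructed sample).

// Weak: the default prefix, which makes every table name predictable.
// $table_prefix = 'wp_';

// Hardened: choose your own prefix at install time (letters, digits and
// underscores only; WordPress rejects anything else).
$table_prefix = 'k7q_';

// Remove the theme/plugin file editor from the dashboard, so a compromised
// admin account cannot write PHP to disk through wp-admin.
define('DISALLOW_FILE_EDIT', true);

// Let core apply its own updates (the article recommends automating updates).
define('WP_AUTO_UPDATE_CORE', true);

// Keep the login form and dashboard on HTTPS so credentials and the auth
// cookie are never sent in clear text.
define('FORCE_SSL_ADMIN', true);
```

Change the prefix when you first install: on an existing site you would also have to rename every table and the prefix-dependent rows in the options and usermeta tables (such as wp_user_roles and wp_capabilities), or administrators lose their roles.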
Security on your local connection
Be mindful of security on your own computer and internet connection too: use antivirus software and keep your passwords safe.
In brief, to increase the security of your WordPress site and avoid being hacked, consider these steps:
- Choose hosting wisely
- Utilise a web application firewall such as MaxCDN, Cloudflare or Sucuri Firewall
- Stop people from gaining access to your site
  - Use a strong password
  - Set up 2 factor authentication
  - Limit login attempts
- Make sure you back everything up
- Keep WP core, themes and plugins up-to-date
- Choose your plugins and themes wisely
- Consider security plugins for auditing / monitoring / preventing / detecting
- Harden up core directories / database
- Make sure your computer employs an antivirus program and your internet access is secure