I often get asked by clients, “How secure is WordPress?” or “What can I do to better secure my website?”. Here are a few of my musings on the subject of security.
The first thing to note is that a little work on this subject goes a long way.
1. Updates
Keeping the WordPress core, and every installed plugin (and theme), up to date is vital for website security. Vulnerabilities in the WordPress core are fixed by the WordPress development team and released as updates, and plugin authors fix theirs the same way; an unpatched site stays exposed to a bug that is already public. WordPress is fortunate to have a large team of developers who regularly update the core files to add functionality and harden security. Minor releases (security and maintenance updates) are applied automatically by default, but major releases require administrator approval. Before performing any plugin or core update, make sure you have a full site backup (files and database). Then, if an updated plugin breaks something or conflicts with another, you can roll back to the backup instead of trying to repair a half-updated site.
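The update policy above (minor releases automatic, major releases and plugins only after a backup and a review) can be pinned down in a must-use plugin so that it does not depend on someone remembering to untick a box. The following is an added example, not code from this article or from WordPress itself: the filter names are WordPress core's, while the file location, the plugin allow list and the chosen policy values are assumptions.

```php
<?php
/**
 * Plugin Name: Update policy (added example, not the article's own code)
 *
 * Assumption: saved as wp-content/mu-plugins/update-policy.php, which
 * WordPress loads before ordinary plugins and which cannot be disabled
 * from the admin screen.
 */

// Keep minor (security and maintenance) core releases automatic, as WordPress
// does by default, and keep major releases manual so they always follow a
// fresh backup and a quick check of the site.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Auto-update only plugins on an explicit allow list (plugin basenames,
// i.e. "folder/main-file.php"); everything else waits for a reviewed update.
// Returning $update unchanged keeps whatever per-plugin setting was chosen
// in the admin screen (WordPress 5.5+ passes null there).
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	$allowed = array(
		'akismet/akismet.php', // assumption: a plugin you trust to update itself
	);
	if ( in_array( $item->plugin, $allowed, true ) ) {
		return true;
	}
	return $update;
}, 10, 2 );

// Email the site admin whenever a core update is applied (or fails), so the
// backup can be checked against the new version straight away.
add_filter( 'auto_core_update_send_email', '__return_true' );
```

The core part of this policy can also be set in wp-config.php with `define( 'WP_AUTO_UPDATE_CORE', 'minor' );`; the plugin filter has no wp-config.php equivalent, which is why a must-use plugin is used here.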
2. Security Plugins
I use a plugin called iThemes Security (previously known as Better WP Security) which closes some of the most common weak points in WordPress websites. This free plugin has plenty of functionality. Some of my favourite features are:
- Enforce password requirements for user accounts
- Block suspicious IP addresses
- Lock out repeated failed logins
- Remove the default ‘admin’ account
- Prevent PHP from executing within your uploads folder
3. Backups
It’s often said that the most important aspect of web security is a good backup policy. Backups are what let you restore a website after an attack, rather than trying to clean an infected one by hand. Every site owner should have their own backup policy covering how often backups are taken and where they are stored. Both depend on factors such as how often the site changes: a daily news site needs far more frequent backups than a brochure site that changes once a month. Customise your backup policy to reflect the way you use your website, and test a restore from time to time; a backup that has never been restored is not yet a backup.
I, like many developers, use a plugin called BackupBuddy. This plugin allows site owners to create one-off or scheduled backups of the WordPress database or the full website. Backups can also be scheduled and sent off-site to be stored on other servers or in your Dropbox account, which matters because a backup kept only on the web server is lost along with it.
Your host may also offer a managed backup facility. It’s worth asking your host’s support department what backup facilities are available to you; this varies from host to host, and cheap shared hosting rarely offers such a service.
4. Hosting
Good hosting makes a huge contribution to website security. Cheap shared hosting packages offer only the most basic security options. Despite being affordable, using such hosting may cost you more in the long term.
There are currently a number of excellent hosting companies offering WordPress-specific hosting. These companies usually include a comprehensive backup service as well as regular security scanning. I recommend WP Engine as my preferred WordPress hosting provider.
5. Security Services
Security audits and website monitoring can also be outsourced. Sucuri offer an affordable monitoring and recovery service which makes identifying issues and cleaning up much easier. Should your website get hacked and infected with malware, Sucuri also offer packages to help you get cleaned up and back online.
6. Password Management
Secure password management is a very important part of website security. Your FTP and cPanel logins should each have a strong, unique password (and use SFTP rather than plain FTP where your host supports it, since plain FTP sends the password across the network unencrypted). Just as important are the WordPress admin login details.
Also note that you should no longer be using ‘admin’ as your WordPress username. It is the default username, so brute-force login scripts try it first; any attacker already knows half of your credentials. If you are still using it, create a new administrator account with a strong password, log in as that account, and delete the old ‘admin’ user, choosing to attribute its posts and pages to the new account when WordPress asks.
A strong password consists of at least eight characters that combine upper- and lower-case letters, numbers and symbols; longer is better, and no password should be reused on another site. If any of your WordPress user accounts do not have strong passwords, update them straight away.
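Rather than relying on every user to remember the policy above, WordPress can be made to refuse the ‘admin’ username and to reject weak passwords at the point they are set. The following is an added example, not code from this article, from WordPress or from any plugin mentioned here: the hook names are WordPress core's, the list of forbidden usernames and the file location are assumptions, and the strength rule is the one stated in the paragraph above.

```php
<?php
/**
 * Plugin Name: Account hygiene (added example, not the article's own code)
 *
 * Assumption: saved as wp-content/mu-plugins/account-hygiene.php.
 */

// Refuse 'admin' as a login for any account created from now on. The other
// names in the list are an assumption (common brute-force guesses).
add_filter( 'illegal_user_logins', function ( $logins ) {
	return array_merge( $logins, array( 'admin', 'administrator', 'root' ) );
} );

/**
 * The article's rule: at least eight characters mixing upper case, lower
 * case, digits and symbols. Returns a description of what is missing,
 * or null when the password passes.
 */
function example_password_problem( $password ) {
	if ( strlen( $password ) < 8 ) {
		return 'at least eight characters';
	}
	if ( ! preg_match( '/[a-z]/', $password ) ) {
		return 'a lower-case letter';
	}
	if ( ! preg_match( '/[A-Z]/', $password ) ) {
		return 'an upper-case letter';
	}
	if ( ! preg_match( '/[0-9]/', $password ) ) {
		return 'a digit';
	}
	if ( ! preg_match( '/[^A-Za-z0-9]/', $password ) ) {
		return 'a symbol';
	}
	return null;
}

// Fires when a profile is saved in wp-admin (new user or password change).
// $user->user_pass only holds a value when a new password was entered.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	if ( empty( $user->user_pass ) ) {
		return;
	}
	$problem = example_password_problem( $user->user_pass );
	if ( null !== $problem ) {
		$errors->add( 'weak_password', 'Password must contain ' . $problem . '.' );
	}
}, 10, 3 );

// Same rule on the lost-password / reset form, which posts the new
// password as pass1.
add_action( 'validate_password_reset', function ( $errors, $user ) {
	if ( ! isset( $_POST['pass1'] ) || '' === $_POST['pass1'] ) {
		return;
	}
	$problem = example_password_problem( wp_unslash( $_POST['pass1'] ) );
	if ( null !== $problem ) {
		$errors->add( 'weak_password', 'Password must contain ' . $problem . '.' );
	}
}, 10, 2 );
```

This does not touch existing accounts, so an existing ‘admin’ user still has to be replaced and deleted by hand as described above; the `illegal_user_logins` filter only stops the name being chosen again.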