According to the data reported by W3Techs, 32.2% of the web is run on WordPress. That's nearly one third of the Internet. It's no wonder, since the WordPress CMS (content management system) has grown into a very robust and powerful content publishing tool.
But with great exposure comes great susceptibility.
The popularity of WordPress also means that hackers regularly target it, and some do succeed. It isn't that WordPress is insecure or easy to hack; it's a sheer numbers game, similar to why more hackers target Microsoft's operating system than Apple's.
Out of the box, WordPress' security is relatively good but them pesky hackers are pretty clever and persistent, so taking some extra steps to further lock down your site beyond the initial installation can save you some potential headaches and costs.
The technical tips in this article aside, the biggest reason why hacks like these occur (in my experience, anyway) is almost always because of carelessness on the part of the site owner, not because the site is on WordPress. These tips will cover all the bases.
Use a secure hosting provider
First and foremost is to have your website hosted on a secure server that provides tools and support to ensure optimal security.
Most web hosts provide their users with an interface (typically cPanel), which gives access to various tools and information related to your site's security. Look for a host that doesn't prevent you from accessing these tools on your own and also provides 24/7 support by phone, email, and live chat. We can recommend some excellent options for you if you need.
Of course, along with a secure host should come a secure website, so an SSL certificate is a must as well (which is also important for your SEO!).
Back up your data and content
Performing regular backups of your site's data is obviously important, and you can do so either by automating the process or doing it yourself. But really, why not automate it and save yourself yet one more thing to have to remember?
One thing I prefer to do is conduct a manual backup every so often and have a site restore process ready to go on the fly should all hell break loose. You should back up everything, but at the very least back up your database and wp-content folder and store it in another location you can access easily, ideally not within your site's root directory (just in case!).
Keep the WordPress core and plugins up to date
Keeping your WordPress installation up to date is crucial, particularly because most updates are security related and the WordPress development team may release core updates as often as two or three times each month.
When logging in to your dashboard, you'll see a message that indicates the status of your WordPress installation. If an update is available, you can install it in one click.
If your core is up to date, you'll see a message like this:
Automatic versus manual updates
One thing to keep in mind is that one or more of any plugins you may have installed could stop working or experience some minor issues upon updating your WordPress core. It's wise to double-check each plugin's compatibility with the version you're about to install. In most cases, you should be fine, but plugin conflicts are not out of the question. This is why it's a good idea to always back up your site before updating.
Use a security plugin
Installing a security plugin adds an extra layer of protection that can help keep hackers on the outside.
One of the most popular and robust ones is iThemes Security, which can be installed and configured in a few easy steps. It also offers a pro version if you wish to extend its functionality further.
Features of iThemes Security include:
- IP tracking and banning
- Auto-banning IP addresses making failed login attempts during brute force attacks
- Customizing your WordPress login URL instead of using /wp-login.php
- Removal of the "wp" prefix from your asset URLs
- File change logging and alerts
- Turning off file editing within the WP dashboard
- Forced SSL for the back end and selected pages
- Forcing strong user passwords
- An Away Mode that prevents logging in during specific periods of time
- Detecting 404 errors to help with managing your SEO
Once installed, the interface is very easy to use:
Of course, you're not limited to using this particular plugin. There are others available that offer similar and additional features. These include:
If you have any further questions or need a hand in getting started with any of these, let us know!
User management best practices
When managing user accounts for your WordPress site, here are the four never's to keep in mind:
- Never use 'admin' in your username
- Never use any portion of your domain or organization's name in either your username or password
- Never give every user the same password
- Never forget to periodically change passwords
When changing your password, don't be lazy and use an easy one you can remember. Include special characters, numbers, and capital letters. Current versions of WordPress offer this out of the box.
Keep your use of plugins to a minimum
Minimizing your use of plugins for your WordPress installation is good not only for security but for performance as well.
Not all plugins are created equal, but a general rule of thumb is to limit your number of plugins to about fourteen. Your needs may dictate the use of more, which isn't bad as long as you're keeping tabs on your site's performance.
Periodically conduct a performance and security audit
Taking the time to analyze your website for any potential security or performance issues is always a good idea, especially if you have a few cooks in the kitchen making updates and publishing content.
A thorough security and performance audit of your WordPress site includes (but isn't limited to) the following:
- Reviewing your username and password usage (including removing unused accounts)
- Ensuring your login page uses a unique URL (instead of wp-login.php)
- Ensuring the "wp" prefix is absent from your asset URLs
- Reviewing your site logs (host- or plugin-generated) for unauthorized access or file changes
- Applying WordPress core updates
- Applying updates to plugins and third-party integrations
- Conducting a site speed (page loading) test
- Conducting a mobile performance test
- Validating your HTML for errors and WCAG 2.0 accessibility (which can affect performance)
- Checking your PHP version (contact your host or IT department)
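The file-change part of the audit can be done with a baseline of file hashes taken once, stored outside the web root, and compared against the current tree at each audit. This is an added Python example, not the article's or any plugin's code; the small wp-content layout it builds in a temporary directory is constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map every file under root (path relative to root, POSIX form) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifests(baseline, current):
    """Return the paths added, removed, or whose content changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }

def save_manifest(manifest, out_file):
    """Write the baseline as JSON; keep it (and a copy) outside the web root."""
    Path(out_file).write_text(json.dumps(manifest, indent=2, sort_keys=True))

def load_manifest(in_file):
    return json.loads(Path(in_file).read_text())

def demo():
    """Constructed scenario in a temp dir (not a real site): take a baseline of a small
    wp-content tree, then edit a plugin file and drop a PHP file into uploads."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "wp-content"
        (site / "plugins" / "hello").mkdir(parents=True)
        (site / "uploads" / "2023").mkdir(parents=True)
        (site / "plugins" / "hello" / "hello.php").write_text("<?php // original plugin\n")
        (site / "uploads" / "2023" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        baseline_file = Path(tmp) / "baseline.json"  # in practice: outside the web root
        save_manifest(build_manifest(site), baseline_file)
        # Changes the next audit should surface: an edited plugin file, and a PHP file
        # in a directory where only media belongs.
        (site / "plugins" / "hello" / "hello.php").write_text("<?php // edited later\n")
        (site / "uploads" / "2023" / "unexpected.php").write_text("<?php // not media\n")
        return diff_manifests(load_manifest(baseline_file), build_manifest(site))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A baseline taken right after a clean install or update is the reference; anything listed under added or modified that you did not change yourself deserves a look before the next update overwrites the evidence.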
If you need a hand getting started in securing your WordPress website, reach out to us!