WordPress powers more than 35% of all websites in the world. Yet, even with a dedicated security team and a vibrant, engaged worldwide community, sites running this leading content management system are a frequent target for attackers.
WordPress core itself is, however, comparatively secure: only 14% of WordPress security vulnerabilities are in core WordPress, and the WordPress project follows rigorous processes for patching them. So how do WordPress websites end up exposed to attackers? More often than not, through insufficient maintenance: unpatched plugins, themes, and servers.
It’s important to implement some basic, but often overlooked, best practices for your particular WordPress installation. In this post, we’ll look at several different ways to ensure your website is secure.
Start with Your Server
Before doing anything else, make sure the server that runs WordPress is secure. This process is known as hardening, and it reduces the risk of a malicious third party gaining unauthorized access to your server.
One of the most effective precautions you can take with your server is to keep its software up to date. Updates range from critical vulnerability patches to minor bug fixes and should be applied promptly and on a regular cycle, ideally automatically in the case of security patches.
Running your own server comes with a huge range of upsides. Complete control lets you do as you wish, but the responsibility for keeping it well maintained falls on your shoulders. If you're hosting your WordPress website on Linode and are unsure where to start when it comes to securing your server, this document explains how to harden your Linode against unauthorized access.
If these steps look too onerous, then consider using a managed WordPress host like Pressidium that undertakes all server-level (and many WordPress-level) security updates on your behalf.
Update WordPress
After server hardening, perhaps the easiest way to keep your WordPress website secure is to install any available WordPress updates. With a significant number of contributors (around 70 developers contributed nearly 5,000 commits to core in 2019), it's not surprising that an update is available most months. These updates come in two flavors:
- Major updates where new features are released. These updates are released about twice a year.
- Minor updates that address any bugs or security risks in the current version. These updates can be pushed out as often as every few weeks.
If you're using a managed WordPress hosting provider, these updates should be taken care of for you automatically. On your own server, WordPress has applied minor (maintenance and security) releases automatically in the background by default since version 3.7, so check that this has not been disabled; major releases still need you to act. Log into wp-admin and, if an update is available, you'll see a notification at the top of the Dashboard prompting you to update. Follow the prompts and WordPress will download and install the update.
Although most updates go smoothly (especially minor ones), it is advisable to back up your website before running the update process. You'll also want to test your site carefully after the update, as some themes and plugins might not be compatible with the latest WordPress version.
Update Your Theme and Plugins
Along with the WordPress core, you'll notice that plugins and your theme (if you're using a third-party one from a marketplace like ThemeForest) need regular updates. Two common reasons plugins and themes don't get updated:
- The website owner forgets to perform the update, especially if it’s been a while since they last logged into wp-admin.
- Updating plugins and/or the WordPress theme can break the site, which can be discouraging.
It's frustrating when a plugin update that should take two minutes turns into a larger job because your site stops working. When you're busy running a website or business, finding the time to work through the problem isn't easy. So there is a strong temptation to restore the whole site from a backup, which leaves the outdated plugin(s) and/or theme running.
Exactly the same situation can occur with WordPress core updates when you install the latest version only to find part of your site no longer works. The easy, but potentially insecure, thing to do is to revert to a previous working version and then never revisit the problem.
This scenario is exactly what attackers rely on. A significant portion of WordPress hacks are carried out by exploiting known, already-patched vulnerabilities on websites running outdated themes, plugins, and WordPress cores. The cost of a hacked site, in lost sales or reputational damage, can be significant.
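A safer routine than restoring the whole site from backup is to update one component at a time, smoke-test the site after each step, and roll back only the plugin or theme that broke it, so every other update stays applied. The script below does that with WP-CLI; it is an added example, not code from the original post or from WordPress. The `wp` tool is assumed to be installed and the script run from the site root; SITE_URL and BACKUP_DIR are placeholders to adjust.

```sh
#!/bin/sh
# Added example: update core, then plugins and themes one at a time with
# WP-CLI, smoke-testing after each step and rolling back only the component
# that broke the site. Assumes `wp` is installed and the script runs from the
# site root; SITE_URL and BACKUP_DIR are placeholders to adjust.
set -u

SITE_URL=${SITE_URL:-https://example.com}            # assumption: public URL to probe
BACKUP_DIR=${BACKUP_DIR:-/var/backups/wp-preupdate}  # assumption: where pre-update copies go

# One full copy before touching anything, so a bad core update is recoverable.
preflight_backup() {
  stamp=$(date +%Y%m%d%H%M%S)
  mkdir -p "$BACKUP_DIR"
  wp db export "$BACKUP_DIR/db-$stamp.sql" --quiet || return 1
  tar -czf "$BACKUP_DIR/wp-content-$stamp.tgz" wp-content
}

# Smoke test: front page and login page answer 200 and the front page does not
# show WordPress's "critical error" screen. Returns 0 when the site looks fine.
site_is_healthy() {
  for path in / /wp-login.php; do
    [ "$(curl -s -o /dev/null -w '%{http_code}' "$SITE_URL$path")" = 200 ] || return 1
  done
  ! curl -s "$SITE_URL/" | grep -q 'critical error on this website'
}

# update_component plugin|theme SLUG: update it, and if the site breaks,
# reinstall the version that was running and note it for manual follow-up.
update_component() {
  kind=$1; slug=$2
  old=$(wp "$kind" get "$slug" --field=version) || return 1
  wp "$kind" update "$slug" --quiet || return 1
  if site_is_healthy; then
    echo "ok: $kind $slug $old -> $(wp "$kind" get "$slug" --field=version)"
    return 0
  fi
  echo "rollback: $kind $slug broke the site, reinstalling $old" >&2
  wp "$kind" install "$slug" --version="$old" --force --quiet
  echo "$kind $slug (stuck at $old)" >> "$BACKUP_DIR/needs-attention.txt"
  return 1
}

# Core first (minor releases only: those carry the security fixes), then
# every plugin and theme that reports an available update.
update_all() {
  preflight_backup || return 1
  wp core update --minor --quiet && wp core update-db --quiet
  site_is_healthy || { echo "core update broke the site; restore from $BACKUP_DIR" >&2; return 1; }
  status=0
  for slug in $(wp plugin list --update=available --field=name); do
    update_component plugin "$slug" || status=1
  done
  for slug in $(wp theme list --update=available --field=name); do
    update_component theme "$slug" || status=1
  done
  return $status
}

if [ "${1:-}" = run ]; then update_all; fi
```

Anything listed in `needs-attention.txt` afterwards is a component pinned at an old version that still needs a fix (a replacement plugin, a patched theme, or a compatibility update from the vendor); the point is that it is a short, visible list rather than a whole site silently left behind.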
Fix Vulnerabilities on Your Computer
The security of your server and your WordPress installation is important, but an insecure workstation can undermine those efforts. For example, if a keylogger has been installed on your computer, an attacker can capture your WordPress login credentials as you type them. Make sure any computer you use to access WordPress is free from malware by running up-to-date endpoint protection.
And, just like your server, keep the operating system and browser up to date by applying patches as they are released. If you browse untrusted sites, it's also a good idea to use a tool like NoScript to block scripts and other active content from running in your browser.
Passwords & Usernames
Without two-factor authentication, your password is all that stands between your website and someone who wants to access wp-admin. So it is of the utmost importance to choose a long, unique password.
If you need help choosing a good password, use a generator such as the 1Password Generator. Always use a different password for each website; the only practical way to keep track of strong, unique passwords is a password manager like 1Password.
Equally important as a strong password is not keeping the username `admin`, which older installs created by default and which brute-force tools try first:
- Head to the Users section and create a new user that has a unique username.
- Assign admin rights to this user and set up a strong and unique password for it.
- Log out of WordPress and log back in using the new username and password.
- Head back to the Users section and delete the old `admin` user. When WordPress asks what to do with content owned by that user, attribute it to your new user rather than deleting it, or its posts and pages disappear with it.
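The same swap can be scripted with WP-CLI, which is handy when you manage several sites. The function below is an added example, not code from the original post: it creates the new administrator with a random password, asks WordPress to confirm the new account really holds the administrator role before anything is deleted (the CLI equivalent of logging out and back in to check), and retires the old account with its content reassigned. The `wp` tool is assumed to be installed and run from the site root; the login name and e-mail address are placeholders.

```sh
#!/bin/sh
# Added example: replace the default "admin" account with WP-CLI (not code
# from the original post). Assumes `wp` is installed and run from the site
# root; the new login name and e-mail are placeholders. The old account's
# posts and pages are reassigned to the new one rather than deleted.
set -u

# Random password for the new account; it is shown once, so store it in your
# password manager straight away.
new_password() { openssl rand -base64 24; }

# replace_admin_user NEW_LOGIN EMAIL [OLD_LOGIN=admin]: prints the new user's ID.
replace_admin_user() {
  new_login=$1; email=$2; old_login=${3:-admin}

  if ! wp user get "$old_login" --field=ID >/dev/null 2>&1; then
    echo "no user named '$old_login'; nothing to replace" >&2
    return 1
  fi

  password=$(new_password)
  new_id=$(wp user create "$new_login" "$email" --role=administrator \
              --user_pass="$password" --porcelain) || return 1
  echo "created '$new_login' (ID $new_id); password: $password" >&2

  # Ask WordPress what the new account actually is before deleting anything:
  # if it is not an administrator, stop here rather than lock yourself out.
  case "$(wp user get "$new_id" --field=roles)" in
    *administrator*) ;;
    *) echo "'$new_login' is not an administrator; keeping '$old_login'" >&2; return 1 ;;
  esac

  # --reassign moves the retired account's content to the new one; without it
  # WordPress would delete that content along with the user.
  wp user delete "$old_login" --reassign="$new_id" --yes || return 1
  echo "$new_id"
}

if [ "$#" -eq 2 ]; then replace_admin_user "$1" "$2"; fi
```

Invoke it as `sh replace-admin.sh wpmanager ops@example.com` from the site root (names are placeholders). Renaming the account removes one guessable half of the credential pair; it does not replace a strong password or 2FA, and an attacker can still discover usernames through author archives, so treat it as a small, cheap improvement.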
Two Factor Authentication
Two-factor authentication (2FA) is becoming almost mainstream. 2FA confirms a user's claimed identity by requiring two different kinds of evidence: something they know (a password), something they have (a phone or hardware key), or something they are (a biometric).
WordPress is well suited to 2FA, and it is easy to enable with a plugin. Popular 2FA plugins include Duo and Two-Factor, and more are available (search the WordPress plugin repository). With 2FA enabled, an attacker who guesses or otherwise obtains your password still cannot log in without the second factor. Check that the plugin you pick also covers the other ways into your site, such as XML-RPC, or disable those paths, otherwise the password alone is still enough there.
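To see what the "something you have" check actually does, here is the time-based one-time password (TOTP, RFC 6238) algorithm that authenticator apps use, written as an added illustration in POSIX shell with OpenSSL; it is not code from the plugins named above or from WordPress. The key is the RFC test-vector key in hex; real enrolments hand the key to the app as a base32 string inside a QR code.

```sh
#!/bin/sh
# Added illustration of TOTP (RFC 6238), the scheme behind authenticator-app
# codes; not code from any WordPress plugin. Needs openssl. The key is passed
# as hex (here the RFC 4226/6238 test-vector key "12345678901234567890").
set -u

# hex_to_bin HEX: write the raw bytes (octal escapes, so it is portable).
hex_to_bin() {
  h=$1
  while [ -n "$h" ]; do
    byte=${h%"${h#??}"}
    printf "\\$(printf '%03o' "$((0x$byte))")"
    h=${h#??}
  done
}

# totp_code KEY_HEX UNIX_TIME [STEP=30] [DIGITS=6]: the code valid at that time.
totp_code() {
  key=$1; now=$2; step=${3:-30}; digits=${4:-6}
  counter=$(printf '%016x' $(( now / step )))      # 8-byte big-endian time step
  # HMAC-SHA1(key, counter) as 40 hex chars; drop openssl's "(stdin)= " prefix.
  mac=$(hex_to_bin "$counter" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key" | sed 's/^.* //')
  # Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
  offset=$(( 0x$(printf '%s' "$mac" | cut -c40) ))
  start=$(( offset * 2 + 1 ))
  word=$(printf '%s' "$mac" | cut -c"$start-$((start + 7))")
  mod=1; i=0
  while [ "$i" -lt "$digits" ]; do mod=$((mod * 10)); i=$((i + 1)); done
  printf "%0${digits}d\n" $(( (0x$word & 0x7fffffff) % mod ))
}

# totp_verify KEY_HEX UNIX_TIME CODE [STEP=30]: accept the current step and one
# step either side (clock drift), but never a step already used, so a code an
# attacker captured cannot be replayed. A real login system stores the last
# accepted step per user; here it is a shell variable.
TOTP_LAST_STEP=-1
totp_verify() {
  key=$1; now=$2; code=$3; step=${4:-30}
  for t in $(( now - step )) "$now" $(( now + step )); do
    [ "$t" -ge 0 ] || continue
    c=$(( t / step ))
    [ "$c" -gt "$TOTP_LAST_STEP" ] || continue
    if [ "$(totp_code "$key" "$t" "$step")" = "$code" ]; then
      TOTP_LAST_STEP=$c
      return 0
    fi
  done
  return 1
}
```

Two properties matter for security here: the code is derived from a shared secret that never leaves the phone or the server, so a phished or logged password on its own is useless; and each 30-second step is accepted at most once, so a code seen in transit cannot be reused. The secret itself is the crown jewel: the plugin stores it in the database, which is one more reason the backups discussed below must be protected as carefully as the site.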
Use a Security Plugin
There are additional ways to harden your WordPress website, such as changing the default database table prefix and adding HTTP security headers. Most of these require a reasonably high level of technical know-how and time.
Some of the top WordPress security plugins offer a significant range of features, including blocklist monitoring, file integrity scanning, brute-force protection, a web application firewall, and more. They offer easy ways to tighten up your website's security quickly and with limited technical experience.
There are numerous plugins available but, as with all plugins, it's important to use reputable, well-tested ones such as Sucuri Security and Wordfence. Remember to take a backup of your website before installing a new plugin or making any significant changes to plugin settings.
Take a Backup
Backups can be a woefully neglected element of WordPress maintenance. They do, however, play an important role in website security. A good backup means that if the worst happens and your site is hacked and badly damaged, you can recover quickly by restoring a known-good copy, and then apply whatever additional hardening is needed to stop the hack being repeated. Two caveats: keep copies somewhere other than the web server itself, since an attacker who takes the server takes its backups too, and test a restore occasionally, because a backup that has never been restored is only a hope.
It used to be tricky to take good backups of WordPress, but in the last couple of years the process has become very easy. There are plenty of options to choose from, including plugins such as UpdraftPlus and off-site backup services like VaultPress or BlogVault.
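For a self-hosted site, the plugin route is not the only one: the script below, an added example rather than code from the original post or from any of the services named, takes a consistent backup with WP-CLI, verifies it with checksums, ships it off the server and keeps a rolling set locally. It assumes WP-CLI (`wp`) and GNU coreutils are installed; SITE, DEST, OFFSITE and KEEP are placeholders to adjust.

```sh
#!/bin/sh
# Added example of a scripted backup for a self-hosted site (not code from the
# original post or from any plugin). Assumes WP-CLI (`wp`) is installed; SITE,
# DEST, OFFSITE and KEEP are placeholders to adjust. Run it from cron, e.g.
# nightly, and copy the result off the server: a backup stored next to the
# site is lost in the same compromise.
set -u

SITE=${SITE:-/var/www/html}                  # WordPress root (assumption)
DEST=${DEST:-/var/backups/wordpress}         # local staging directory (assumption)
OFFSITE=${OFFSITE:-backup@backup.example.com:wordpress/}   # rsync target (assumption)
KEEP=${KEEP:-14}                             # number of sets to keep locally

backup_stamp() { date -u +%Y%m%dT%H%M%SZ; }

# make_backup: dump the database and archive what WordPress cannot regenerate
# (wp-content and wp-config.php); prints the set name. Core files are not
# included: they come back clean from a fresh WordPress download on restore.
make_backup() {
  stamp=$(backup_stamp)
  set_dir=$DEST/$stamp
  mkdir -p "$set_dir" || return 1
  wp --path="$SITE" db export "$set_dir/database.sql" --quiet || return 1
  tar -czf "$set_dir/files.tgz" -C "$SITE" wp-content wp-config.php || return 1
  # Checksums let a restore refuse a truncated or tampered set (GNU coreutils).
  (cd "$set_dir" && sha256sum database.sql files.tgz > SHA256SUMS) || return 1
  echo "$stamp"
}

# verify_backup SET: 0 only if the checksums match and the archive is readable.
verify_backup() {
  set_dir=$DEST/$1
  (cd "$set_dir" && sha256sum -c --quiet SHA256SUMS >/dev/null 2>&1) || return 1
  tar -tzf "$set_dir/files.tgz" >/dev/null 2>&1
}

# prune_backups: delete all but the newest KEEP sets (names sort by date).
prune_backups() {
  total=$(ls -1d "$DEST"/*/ 2>/dev/null | wc -l)
  excess=$(( total - KEEP ))
  [ "$excess" -gt 0 ] || return 0
  ls -1d "$DEST"/*/ | sort | head -n "$excess" | while read -r old; do
    rm -rf "$old"
  done
}

# Full run: back up, verify, ship off-site, then prune. Any failure stops
# before pruning so a broken backup never replaces a good one.
run_backup() {
  set_name=$(make_backup) || return 1
  verify_backup "$set_name" || { echo "backup $set_name failed verification" >&2; return 1; }
  rsync -a "$DEST/$set_name" "$OFFSITE" || return 1
  prune_backups
}

if [ "${1:-}" = run ]; then run_backup; fi
```

Note that `wp-config.php` carries the database password and the authentication salts, and the database dump carries every user's password hash and any 2FA secrets, so the backup sets need the same access controls as the site itself: a dedicated, least-privilege account on the off-site host and no world-readable copies left in DEST.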
In my next post, we’ll talk about some advanced measures you can follow to help keep your WordPress website secure.