Let’s talk security! There’s a good chance you’re using WordPress on your website. Why? Because VentureBeat recently reported that WordPress now powers 25% of all websites and that number is only likely to increase in future.
Popularity breeds vulnerabilities. If you were a hacker, you’re going to want to cause the most amount of damage for the least amount of work. If you could find a vulnerability to potentially hack 1 in 4 websites on the internet then you’re going to focus on WordPress.
So in essence the problem isn’t that WordPress is insecure and vulnerability ridden, it’s just that with more people trying to hack it, more vulnerabilities are going to come out.
The simplest solution is just to not use WordPress. But what other free, open source script has tens of thousands of plugins that you can use to build pretty much anything? Exactly. So let’s stick with it and secure it as much as we can!
There are a couple of simple things we can do to help secure WordPress and limit the chances of being hacked.
1. Updates! Updates! Updates!
WordPress core, plugin and theme updates almost always contain security fixes. It is vital you keep WordPress updated with all the latest plugins, themes and core updates.
It’s very common for a huge vulnerability to be released and just a few days later a WordPress update will appear in your dashboard. That’ll be the fix for that vulnerability. Staying updated is probably the most important security measure you can take with WordPress.
2. Lock It Down
There are a lot of security plugins out there but my personal favourite is iThemes Security. It’s a simple, install and run through the recommended settings until the advisories are gone. iThemes Security has a ton of little tweaks like enforcing strong passwords for all users, renaming your admin section and removing some WordPress generator tags from your site.
The best people to explain it are probably the creators of the plugin so take a look at their video below:
3. Go Easy On The Plugins
Whilst one of the best things about WordPress is the massive selection of plugins available, it’s also a bit of a security weakness. The more plugins you have installed, the greater the chance you’ll get hacked. Even some of the most popular and most downloaded plugins like Jetpack and Contact Form 7 have been hacked pretty recently.
The best advice we can give on that front is, if you can achieve what you want to achieve without a plugin, it’s better to do so, even though a plugin is usually more convenient.
4. General Security Recommendations
When setting up WordPress it’s always best to avoid the ‘admin’ username. It’s the first any hacker will try. Password security is also vital, ‘password1’ doesn’t take long to figure out! It’s always recommended that you don’t use the same password for anything else. If someone finds it and decrypts it, and it’s also your PayPal password that’s a sitting duck.
An SSL always helps here too. Having an SSL on your site encrypts the login form and means the data can’t be intercepted as you submit it. It goes without saying that if your site has multiple users logging into accounts or submitting payments then an SSL is definitely recommended.
If you think your site might have already been hacked then WordFence is a great plugin to have. It can replace files back to standard versions and it explains why it believes your site is vulnerable. However it’s more of an ‘cleaning up afterwards’ tool than a preventative one.
We use some of the techniques and recommendations above in our own WordPress Management addon and we’ve seen a significant drop in the number of sites being hacked after clients have added WordPress Management to their hosting plans.
If you’re interested and would rather have us take care of updates and security fixes for £30 + VAT per year per site then contact us here.