At the point of this writing, WordPress makes up over 29% of the sites on the internet, and it’s growing faster than any other competitor many times over. W3Techs – extensive and reliable web technology surveys. Since I make a living on WordPress themes and plugins, this is pretty exciting (yay, job security!). However, keeping it secure is critical because of the huge target on its back for hackers looking to exploit it. The team at Automattic takes this very seriously and are doing their part to make sure WordPress is secure and patched regularly, but there’s more that needs to be done to keep your site protected.
So what do we do about it?
WordPress has a team of developers that are dedicated to security. This means that whenever vulnerabilities are found, they are quickly addressed and patches are created to address the problem. WordPress now has the ability to auto upgrade minor updates so these kinds of fixes can be implemented immediately and without user intervention. For major WordPress core updates, regular maintenance is required.
Update Themes and Plugins
WordPress core updates are critical and so is keeping your themes and plugins updated. Any developer can create a plugin, so quality and security can vary wildly. According to this stat, plugins represent 52% of the security threats. Some are malicious, others are the result of bad programming, and some use third party libraries that introduce vulnerabilities. At Indevver we vet plugins carefully, and use them sparingly on our custom themes.
It’s critical that plugins are updated along with WordPress core to help insure that you have the most current and secure versions installed, not to mention all of the new features and bug fixes that come with those updates.
Tip: Remove unused plugins. Even inactive code in some shared hosting environments can be accessed from other sites on that server and be exploited.
Manage Users and passwords
Another common vulnerability is weak passwords, and exposed usernames.
Make sure your profile is set to show your display name and not your username. You can do this by going to the Users menu in the WordPress dashboard, and checking that the users first and last name is is chosen in the “Display name publicly as” dropdown and not the nickname or username.
Limit Login Attempts
Limit the number of login attempts that a user can make. The simplest way it to use the Limit Login Attempts plugin. A more complete and robust approach would be to use the Wordfence plugin that includes limiting login attempts, and requiring strong passwords, in addition to a number of other great security features like a Web Application Firewall (WAF).
Minimize Administrator Level Accounts
Not every user on your site needs to be and administrator. The Editor role will give you the access that you need to add and modify pages to a site and do most of the daily work. Even as the site owner, we recommend using an Editor role for most things, and only reserve logging in as administrator for admin duties like updating theme, plugins and core, or managing users.
Don’t use admin as a username
You’ll ward off some “brute force” attacks simply by not using
admin as a user name, and limiting the login attempts. Admin is the default username for the admin account, and even WordPress no longer recommends using it.
Mind Your Passwords
Strong passwords use symbols, caps and a combination of letters and numbers to make sure that guessing the password is difficult if not impossible. Changing them regularly is also a great practice. Of course we all know that users are going to have to be forced to do either of these things, so using a plugin like Wordfence can help make sure this is required. One thing that helps soften the blow to users is recommending a password manager. I use Dashlane, but there are other great ones out there that all do basically the same thing.
Quality WordPress-tuned hosting
An important part of your site’s security lies on the server the site is hosted on. Not all hosts are created equal!
We recommend Flywheel and WPEngine as great hosts for both speed and security tuned for WordPress. Not to mention great customer service.
Tools we use
Third Party Security Tools
- Cloudflare (includes performance and security benefits and has a generous free tier)