Our tips for WordPress security
Whilst the numbers vary from 25-40 million active sites, WordPress is the most widely used CMS on the planet. The platform is free to download and even novice users can easily install an off-the-shelf theme or install plugins that will add functionality and features. All without writing a single line of code.
As a result, WordPress’ security credentials are often called into doubt. With this in mind, we present our tips for better WordPress Security.
We find many clients are scared of using WordPress because of bad experiences they have had in the past through poor implementation of the platform.
That said WordPress itself is a very well supported and secure platform as long as best practices are followed.
It can also deal with high volume, high profile sites. We have hosted Nokia’s press centre and Taylor Swifts merchandise store on WordPress, both dealing with high traffic levels.
Off the shelf or bespoke WordPress themes
We design and build bespoke WordPress themes for our clients. They are built just for you so we have total control over the design plus they also benefit from the following factors:
- Less code = much faster page loads
- Better code-to-text ratio (important for SEO)
- Private code – Not available publicly so is much less likely to be hacked
If you are choosing an off the shelf theme make sure it’s from a reputable developer and check the reviews (good and bad). Also, ask if they offer any after-sales support.
Additionally, you can reduce your risks by limiting the themes you have on your server. Quite often we see installs that have 4 or more unused themes that can all be sued for attacks. Ideally, just the one but you might want to keep a core WP theme, Twenty Seventeen for example for testing purposes.
Finally, if you are using off the shelf themes always keep them up to date.
WordPress security and plugins
Over 50,000 plugins are available for WordPress. They provide functionality and features not available in WordPress core. These plugins are developed by a huge range of developers from beginner to corporations and consequently, the quality varies too.
It’s worth noting that a plugin that helps you upload a file, for instance, could (if incorrectly coded) upload a script that opened up a security issue on your site or for your visitors. Again, it’s a case of doing your research. If you were hiring us to build your site you would want to know a bit about who we are, how we work and what our clients say about the work we’ve done. Apply the same to plug-in developers to keep safe.
There are many great plugins out there and some that we firmly recommend. Here are a few of our favourites:
- Wordfence – Security
- Woocomerce – Ecommerce
- WP Remote – Updates and Backups
- Yoast – SEO
Every plugin adds load time to your site so if you can just add a line in of code in place of a plug-in you are going to see results. ShareThis, for example, adds a lot of delays due to 3rd parties using the data (no such thing as a free lunch). We created our own code to do the same thing without the hidden bulk.
Try to limit your plugins as much as possible and if you’re going to use them make sure you do your research.
Hardening WordPress security
A number of additional things can be done to harden your WordPress install.
Lockdown the server
If you can use a properly configured firewall to manage who and how the server can be accessed. This entails limiting ports and ideally limiting developer access to specific IP addresses (your office IP’s for example).
Enforce strong passwords
Use tools like Wordfence to audit your passwords and send alerts to users that have week ones.
Weak passwords are the modern-day equivalent of leaving a key under the mat with a post-it note on your door saying “key is under matt”.
Not everyone needs to be a super admin and with WordPress, you have lots of user levels. You may want to just allow someone to write articles but not publish or be able to access product or client databases.
Change the admin username
Most hackers will treat this as a default and only need to crack the password. If they have to crack both it makes the job a lot harder for them.
Lockout attempted break-ins
Another great feature of Wordfence allows you to block user based on rules you set.
For example :
Block for xx mins is user “admin” is used
Block for xx mins if the wrong password is used more than x times.
Secure the admin area
There is always going to be a balancing act between convenience and bulletproof security. Making your username and password harder to guess would be enough to secure the admin area on most websites.
If you are in need of some extra security here consider using htaccess to protect the admin folder.
Another option might be to use 2-factor authentication. Having a code sent to your smartphone via text or using Google Authenticator to confirm access.
This is by no means an exhaustive list, but following at least some of these steps will go a long way to preventing unwanted access to your website and data.