If you’re hosting a WordPress site, you’re likely already aware of the need for security. But you may not know just how complicated it is to set up and maintain a really secure website. It can be even more complex than designing the site itself or developing the content.
This article covers a number of steps Resources Online routinely takes to make websites secure. It assumes a basic familiarity with WordPress, but not much more. To get technical details on the recommended solutions, do a quick online search.
Keep WordPress and your plugins up to date
This is the single most important thing you can do. Because WordPress is so widely used, when vulnerabilities are discovered, attackers know that there are many susceptible websites. There were six WordPress core security updates last year alone, along with many more plugin updates.
It’s critical that you continually monitor and patch your site.
The WordPress core application has the ability to automatically update whenever a new version is released. Automatic updates are also available for certain plugins. If your website is not that complex and you’re comfortable with code changes to your site without a thorough review, turn on automatic updates. In new installations of WordPress, this is on by default. Otherwise, follow the WordPress instructions to turn automatic updates on manually.
If your website is complex or you’re worried that an automatic update may break it, set up a testing environment and manually update WordPress. Modern versions of WordPress actually make this quite simple. The Updates page on your WordPress site shows a list of all available releases. You can install them individually or all at once with just a few mouse clicks.
If you have a lot of plugins, consider updating them a few at a time and, as you go, verify that the website still functions properly. This way, you can isolate the source of any potential problems caused during the update process. After you’ve made all the updates and verified the site functionality in your testing environment, follow the same process on the production site.
Note for developers: obviously, modifying WordPress core code or plugin code makes it very difficult to update plugins and stay secure. Use care!
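As an added example (not code from this article or from WordPress.org), here is a small must-use plugin that opts a site into background updates while holding back anything you have customised so it can be tested by hand first. The mu-plugins path, the placeholder plugin slug and the notification address are assumptions; the filter names are WordPress’s own.

```php
<?php
/*
 * Plugin Name: Example Auto-Update Policy
 * Description: Added example; place in wp-content/mu-plugins/ so it loads on every request.
 *
 * Equivalent wp-config.php setting for core alone:
 *   define( 'WP_AUTO_UPDATE_CORE', true );   // true, false, or 'minor'
 */

// Core: take minor (security and maintenance) releases automatically.
// Major releases are the ones most likely to need a review first, so they
// stay manual; switch the second filter to __return_true to take them too.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Plugins and themes: update in the background by default...
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// ...except plugins whose code you have modified (see the note for developers
// above). Those are updated by hand in the testing environment first.
// The slug below is a placeholder, not a real plugin.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $manually_reviewed = array(
        'example-customised-plugin/example-customised-plugin.php',
    );
    if ( isset( $item->plugin ) && in_array( $item->plugin, $manually_reviewed, true ) ) {
        return false;
    }
    return $update;
}, 20, 2 );

// Mail the outcome of every core auto-update to an address someone reads.
// The address is a constructed placeholder.
add_filter( 'auto_core_update_send_email', '__return_true' );
add_filter( 'auto_core_update_email', function ( $email ) {
    $email['to'] = 'site-admin@example.com';
    return $email;
} );
```

The deny callback runs at priority 20 so it is applied after the blanket `__return_true` at the default priority 10. Background updates run from WP-Cron and need the web server to have write access to the WordPress files; the Site Health screen reports if either is missing.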
Maintain good login security
Having secure code doesn’t help if you leave the front door open. One of the most common causes of WordPress site outages is the brute force login attack. That’s where an attacker writes code that repeatedly tries different passwords to log in to your site.
Take these steps to defend against this type of attack:
- Always use strong passwords.
- Disable the default admin account (a common target of attacks).
- Limit user roles to only specific, required functions. For example, don’t make everyone an admin.
- Rename the login page to something non-standard, so automated attacks aimed at the default wp-login.php path don’t find it. We have had good success with the Rename wp-login.php plugin.
- Install a plugin to limit brute force attacks, force strong passwords, and force password expiration. If you are not installing a more comprehensive security plugin, try this Login Security Solution from WordPress.
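As an added example, and not code from any of the plugins named above, the following must-use plugin implements the simplest form of brute-force limiting: it counts failed logins per connecting address and refuses further attempts once a threshold is reached. The thresholds, the example_ function names and the mu-plugins path are assumptions; the hooks (wp_login_failed, authenticate, wp_login) and the transient functions are WordPress’s own.

```php
<?php
/*
 * Plugin Name: Example Login Throttle
 * Description: Added example; drop into wp-content/mu-plugins/ to block an
 * address after repeated failed logins.
 */

// Hypothetical limits chosen for illustration.
const EXAMPLE_MAX_FAILURES = 5;       // failures allowed...
const EXAMPLE_WINDOW_SECS  = 15 * 60; // ...within this many seconds

// Key the counter on the connecting address only. If a proxy or CDN fronts
// the site, configure it to hand PHP the real client address; a header the
// client can set itself is not a safe key.
function example_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Count a failed attempt. Transients expire on their own, so the counter
// resets after the window with no extra bookkeeping.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_WINDOW_SECS );

    // Leave an audit trail in the PHP error log; never log the password.
    error_log( sprintf(
        'login failed for "%s" from %s (%d in window)',
        $username,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        $count
    ) );
} );

// Once the limit is reached, replace whatever result WordPress produced with
// an error. Priority 30 runs after WordPress's own username/password check
// (priority 20), so the block wins even if the password was correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_client_key() ) >= EXAMPLE_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( example_client_key() );
}, 10, 2 );
```

Because it hooks authenticate, the throttle also covers XML-RPC and REST logins, which scripted attacks often use instead of the login page. The counter is keyed per address, so an attack spread across many addresses still gets through; that, along with password strength and expiry rules, is what a fuller security plugin adds.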
Pick your plugins carefully
Every plugin you install on your site potentially contains vulnerable code. Virtually anyone can write and offer a plugin. Look for plugins that:
- Are highly rated.
- Have a large number of installs.
- Are offered by reliable sources.
- Have good user reviews.
- Show frequent updates (indicating they are being maintained).
- Are available on WordPress.org.
Some plugins have write access to your WordPress files and directories. A malicious or vulnerable plugin with that kind of access has complete control over your site. Be very cautious with these. And, in general, limit your plugins to only those you need, delete any unused plugins, and carefully consider the trade-offs when adding new ones.
Install a good WordPress security plugin
There are dozens of different steps and techniques available to properly secure a WordPress site. Installing a WordPress security plugin simplifies this process for developers and for less technical users. Security plugins can conflict with one another, so if you install more than one, be careful to select compatible plugins. Our favorite security plugins include:
BulletProof Security, which provides more of a firewall, detecting and blocking malicious traffic before it gets to your WordPress installation. It does this through a series of rules defined in the Apache .htaccess file. Installation is simple: use the setup wizard, and select the options you prefer. The plugin generates and saves the correct .htaccess file to your web server.
Wordfence, which provides security from within WordPress itself. It not only provides basic firewall-level intrusion prevention, but it also:
- Scans for infected files.
- Compares all of your core and plugin files against the original versions.
- Shows you real-time traffic to your site, which can allow you to detect and troubleshoot attacks.
- Protects against brute force attacks.
- Monitors disk space.
- Logs traffic, allowing you to investigate issues.
We like using BulletProof Security and Wordfence together because of their complementary features.
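To show what the file comparison in that list actually involves, here is an added example, not code from Wordfence or WordPress: a command-line script that records a baseline of file hashes after a clean install or update and later reports anything added, removed or changed. The example_ function names, the ignored paths and the placeholder paths in the usage lines are assumptions.

```php
<?php
/*
 * Added example: a minimal file-integrity check for a WordPress tree.
 *   php integrity-check.php baseline /var/www/wordpress /root/wp-manifest.json
 *   php integrity-check.php verify   /var/www/wordpress /root/wp-manifest.json
 * The paths above are placeholders.
 */

// Paths that change during normal operation and would only add noise.
// uploads/ still deserves a scan for stray PHP files, but that is a separate check.
function example_is_ignored( string $rel ): bool {
    return strpos( $rel, 'wp-content/uploads/' ) === 0
        || strpos( $rel, 'wp-content/cache/' ) === 0;
}

// Walk the tree and return [relative path => sha256 of contents].
function example_hash_tree( string $root ): array {
    $root   = rtrim( $root, '/' );
    $hashes = array();
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $file ) {
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        if ( $file->isFile() && ! example_is_ignored( $rel ) ) {
            $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
        }
    }
    ksort( $hashes );
    return $hashes;
}

// Compare a fresh scan against the stored baseline.
function example_diff_manifest( array $baseline, array $current ): array {
    $added = $removed = $changed = array();
    foreach ( $current as $rel => $hash ) {
        if ( ! isset( $baseline[ $rel ] ) ) {
            $added[] = $rel;
        } elseif ( ! hash_equals( $baseline[ $rel ], $hash ) ) {
            $changed[] = $rel;
        }
    }
    foreach ( $baseline as $rel => $hash ) {
        if ( ! isset( $current[ $rel ] ) ) {
            $removed[] = $rel;
        }
    }
    return compact( 'added', 'removed', 'changed' );
}

if ( PHP_SAPI === 'cli' && isset( $argv[3] ) ) {
    list( , $mode, $root, $manifest ) = $argv;
    if ( $mode === 'baseline' ) {
        file_put_contents( $manifest, json_encode( example_hash_tree( $root ), JSON_PRETTY_PRINT ) );
        echo "baseline written to $manifest\n";
    } elseif ( $mode === 'verify' ) {
        $baseline = json_decode( (string) file_get_contents( $manifest ), true ) ?: array();
        $diff     = example_diff_manifest( $baseline, example_hash_tree( $root ) );
        foreach ( $diff as $kind => $paths ) {
            foreach ( $paths as $rel ) {
                echo "$kind: $rel\n";
            }
        }
        // Non-zero exit so cron or a monitoring job can raise an alert.
        exit( array_sum( array_map( 'count', $diff ) ) ? 1 : 0 );
    }
}
```

Keep the manifest outside the web root, because anything that can rewrite your files can also rewrite a manifest stored beside them, and refresh it after each legitimate update or every update will show up as a change. A self-recorded baseline catches changes since the last check; Wordfence, like WP-CLI’s wp core verify-checksums, compares against the checksums WordPress.org publishes for each release, which also catches files that were already tampered with when the baseline was taken.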
Back up your site!
Disasters, such as site corruption or hacker-caused data loss, are a lot easier to deal with if you know that you have a good backup of all of your code and content. Install a plugin to make daily backups of your website, including the code and database. Make sure to back up your server, as well. And test your backup to make certain that it can actually be restored.
Our favorite free backup plugin is UpdraftPlus. It supports automated backups, prunes old backups, supports remote storage to Dropbox, and will even automatically back up your site and database at the moment you are installing new plugins, allowing for an easy rollback if something breaks. The paid plugin BackupBuddy is also an alternative to consider.
Monitor and maintain
Your site won’t stay secure on its own. You need to monitor your security logs, apply regular updates, look for suspicious or abnormal activity, verify that your backups are still working, and keep an eye on your database size and available disk space.
Your security plugin helps by notifying you of issues via email, but there’s no substitute for periodically logging in and checking things out.
For more information
- Take a look at this great overview of security from WordPress.org.
- Get announcements about all WordPress core security releases.
- Explore known vulnerabilities in WordPress and plugins (4,211 and counting!)
Here’s to keeping your site safe and secure!