Is WordPress secure? It’s a question we get from a lot of our clients. Technology is tricky, so the answer isn’t always straightforward. But the bottom line is that WordPress can be secure when set up correctly. Unfortunately, most WordPress sites are not set up correctly. We come across sites every day that are vulnerable to attacks because the person who set them up was careless. So we’ve put this guide together to help you protect your site.
1. Make sure you’re using the latest version of WordPress.
WordPress has increased the frequency of updates in recent years and nearly all of these updates include security fixes. If you’re not upgrading WordPress regularly, you’re leaving your site open to attacks. We have an entire article about upgrading the WordPress core.
2. Keep your plug-ins updated.
After the WordPress core, plug-ins are the next place that attackers look for exploits. We recommend checking for plug-in updates at least monthly. We set up all of our maintenance clients to get alerts when plug-in updates are available, along with the urgency of each update. Urgent updates get done within 24 hours to minimize the window for an attack.
3. Keep your themes updated.
Yes, themes can actually cause security holes in your website. This is why we recommend keeping a minimal number of themes on your website and making sure they are updated.
4. Use strong passwords.
We used to suggest this just for administrator-level accounts but have since changed our guidance to include author, editor, or any role with access to edit the site. Some browsers like Google Chrome will suggest strong passwords, but you can also use the password generator from LastPass to generate one for free.
5. Limit admin access and usage.
This is a two-for-one tip. First, only have one administrator account unless you have a legitimate reason to have more than one. We see a lot of websites where everyone who edits the site has an administrator role. This not only gives hackers more accounts to break into, but it also makes it easier for someone to inadvertently change something they shouldn’t.
Second, use the admin account only for admin tasks. For making updates to pages, use either an author or editor account. Again, accidentally clicking on something as an administrator could break your site. If you’d like to discuss the best way to set up access for your users, please sign up for a complimentary consultation.
6. Change your default WordPress login page.
Most sites use www.sitename.com/wp-admin to log in (as well as a few other variants). Anyone who knows WordPress knows that this is how one typically logs into a site. Some sites even put the login URL in the footer, which we strongly discourage. We recommend changing the default login to something else, as that will deter some brute force attacks (unless the attacker can figure out your login URL).
7. Use a firewall.
WordPress does a decent job protecting against attacks, but adding a firewall makes a huge difference. One of the services we perform as part of our monthly maintenance program is to review the firewall logs and block any IP addresses from which attacks originate. There are a lot of different firewall plug-ins for WordPress, so we’d be happy to help you choose the right one during a complimentary consultation.
8. Run regular malware scans.
While this doesn’t prevent an attack, it alerts you when one has occurred. We recommend running a scan at least monthly, and for some clients we run scans daily. The sooner you know about a problem, the better chance you have of containing and fixing it.
9. Limit login attempts.
There are tools out there that will automatically block an IP address from your site once it exceeds the number of failed login attempts that you specify. This limits the likelihood of a successful brute force attack (a person or bot attempting to guess your password). We recommend locking them out after five failed attempts within one hour.
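To show what the “five failures within one hour” rule actually means, here is an added example (not code from the original article or from any WordPress plug-in) that applies a sliding-window lockout to a constructed, hypothetical login log. The log format, the IP addresses, the usernames and the `LoginGuard` class are all assumptions made for the example; a real limit-login plug-in reads the same information from WordPress’s login hooks rather than from a text file.

```python
"""Sliding-window failed-login lockout: lock an IP after 5 failures within 1 hour."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5            # threshold from the checklist: five failed attempts
WINDOW = timedelta(hours=1)  # ...within one hour, and the lockout lasts one hour

# Constructed sample lines in a hypothetical "timestamp ip FAIL|OK username" format.
# 203.0.113.7 fails five times in five minutes; 192.0.2.9 fails five times
# spread over 80 minutes, which never puts five failures inside one window.
SAMPLE_LOG = """\
2024-05-01T09:00:00 198.51.100.4 FAIL editor
2024-05-01T09:30:00 198.51.100.4 OK editor
2024-05-01T10:00:00 203.0.113.7 FAIL admin
2024-05-01T10:01:00 203.0.113.7 FAIL admin
2024-05-01T10:02:00 203.0.113.7 FAIL administrator
2024-05-01T10:03:00 203.0.113.7 FAIL wpadmin
2024-05-01T10:04:00 203.0.113.7 FAIL root
2024-05-01T10:05:00 203.0.113.7 FAIL admin
2024-05-01T11:30:00 203.0.113.7 FAIL admin
2024-05-01T12:00:00 192.0.2.9 FAIL editor
2024-05-01T12:20:00 192.0.2.9 FAIL editor
2024-05-01T12:40:00 192.0.2.9 FAIL editor
2024-05-01T13:00:00 192.0.2.9 FAIL editor
2024-05-01T13:20:00 192.0.2.9 FAIL editor
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|OK) (\S+)$")


class LoginGuard:
    """Tracks recent failures per IP and enforces a temporary lockout (hypothetical)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # ip -> timestamps of failures inside the window
        self.locked_until = {}              # ip -> datetime when the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]      # lockout expired; the IP starts fresh
            return False
        return True

    def record(self, ts, ip, success):
        """Feed one login attempt; return 'blocked', 'locked' or 'allowed'."""
        if self.is_locked(ip, ts):
            return "blocked"               # attempt arrived during an active lockout
        recent = self.failures[ip]
        if success:
            recent.clear()                 # a successful login resets the counter
            return "allowed"
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()               # drop failures older than one hour
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = ts + self.window
            recent.clear()
            return "locked"
        return "allowed"


def parse_line(line):
    """Parse one constructed log line into (datetime, ip, success, user), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, result, user = m.groups()
    return datetime.fromisoformat(ts), ip, result == "OK", user


def process_log(text, guard=None):
    """Replay a log through the guard; return (timestamp, ip, verdict) for lockout events."""
    guard = guard or LoginGuard()
    events = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, ok, _user = parsed
        verdict = guard.record(ts, ip, ok)
        if verdict in ("locked", "blocked"):
            events.append((ts.isoformat(), ip, verdict))
    return events


if __name__ == "__main__":
    for event in process_log(SAMPLE_LOG):
        print(*event)
```

Running it reports 203.0.113.7 as locked at 10:04 and blocked at 10:05, while 192.0.2.9 is never locked because its five failures are spaced 20 minutes apart and the oldest one has slid out of the one-hour window by the time the fifth arrives. The window is measured from the attempt being evaluated, not from a fixed clock hour, which is why a short burst triggers the lockout and a slow trickle does not.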
10. Watch your stats.
You should check your site’s statistics regularly, as large fluctuations could indicate a problem. A sudden drop in page views could mean that visitors are being redirected away from your site. A sudden spike in visits could mean a hacker has gained control of your site and is using it to serve malicious content. If you’re not sure how to check your stats, or how to add them to your website, we can help.
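Here is an added example (not from the original article) of one way to turn “watch your stats” into an automatic check: each day’s page views are compared against the median of the previous two weeks, and a day under half the baseline is flagged as a drop while a day over double it is flagged as a spike. The daily counts, the 14-day baseline and the two ratios are assumptions chosen for the example; a real site would feed in exported analytics data and tune the thresholds to its own traffic.

```python
"""Flag sudden drops or spikes in daily page views against a rolling median baseline."""
from statistics import median

BASELINE_DAYS = 14   # assumption: the previous two weeks form the baseline
DROP_RATIO = 0.5     # assumption: under half the baseline counts as a drop
SPIKE_RATIO = 2.0    # assumption: over double the baseline counts as a spike

# Constructed sample (date, page views): 14 normal days, a drop on 05-15
# and a spike on 05-20. The values are made up for the example.
SAMPLE_VIEWS = [
    ("2024-05-01", 1210), ("2024-05-02", 1185), ("2024-05-03", 1240),
    ("2024-05-04", 1198), ("2024-05-05", 1225), ("2024-05-06", 1172),
    ("2024-05-07", 1260), ("2024-05-08", 1205), ("2024-05-09", 1190),
    ("2024-05-10", 1232), ("2024-05-11", 1215), ("2024-05-12", 1178),
    ("2024-05-13", 1248), ("2024-05-14", 1201),
    ("2024-05-15", 420),     # sudden drop: visitors being redirected elsewhere?
    ("2024-05-16", 1230), ("2024-05-17", 1195), ("2024-05-18", 1220),
    ("2024-05-19", 1208),
    ("2024-05-20", 5900),    # sudden spike: site serving content it should not?
]


def flag_anomalies(series, baseline_days=BASELINE_DAYS,
                   drop_ratio=DROP_RATIO, spike_ratio=SPIKE_RATIO):
    """Return (date, views, kind, baseline) for each day that deviates from the baseline.

    The baseline is the median of the preceding `baseline_days` days; a median
    is used rather than a mean so that one anomalous day does not distort the
    baseline for the days that follow it.
    """
    findings = []
    for i in range(baseline_days, len(series)):
        history = [views for _, views in series[i - baseline_days:i]]
        baseline = median(history)
        date, views = series[i]
        if views < baseline * drop_ratio:
            findings.append((date, views, "drop", baseline))
        elif views > baseline * spike_ratio:
            findings.append((date, views, "spike", baseline))
    return findings


if __name__ == "__main__":
    for date, views, kind, baseline in flag_anomalies(SAMPLE_VIEWS):
        print(f"{date}: {views} views is a {kind} against a baseline of {baseline:.0f}")
```

The first two weeks produce no findings because there is no baseline to compare against yet; after that the drop on 05-15 and the spike on 05-20 are reported, and the normal days in between are not, even though the 420-view day is now part of their history.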
We’ve only scratched the surface here as we have a checklist of over 30 things we look for when checking the security of a WordPress website. A lot of these items are very technical and related to hosting and server configuration, so please schedule a complimentary consultation with us if you have concerns about your site’s security. In the meantime, take an hour and use this checklist to review your website.