5 Ways to Improve Your Site’s WordPress Security

Posted by Andy Romanofsky on March 02, 2017

Imagine this: you open a new store and are very proud of it (congratulations!). One day, you notice a mouse in the corner. He must have come in through a crack in the foundation, but you don’t know where. You could try to trace him as he moves about, or start working to seal up all the cracks, but…he’s just a mouse. He’s harmless. So you ignore him. What you don’t realize is that, every day, he’s observing you and monitoring your patterns. Then one day he retreats and sends in an army of robot mice, and they overthrow you and take over your store.

Sound ridiculous? It is, when we’re talking about a mouse. But really, this is a pretty close metaphor for scenarios that play out every day on the web: attacks on millions of sites by hackers who sneak in through a crack in weak WordPress security and destroy the site’s foundation.

Why is WordPress security so important?

Whether you’re selling products or simply your brand, a website is your virtual storefront. First impressions are everything – and a hacked site plagued with malware, spam, or brute force attacks can slow speeds, compromise performance and cripple user experience. Hijacked sites can become vessels used to further deploy viruses and feast on other unsuspecting victims (like our army of robot mice described above). Even worse, you could run the risk of being at the center of a major customer data breach.

How to improve your WordPress security?

It doesn’t matter how big or small your company is – today, every single site is susceptible to a hack. According to WordFence, out of 1.5M active WordPress sites that they protect, more than 580,000 weathered an attack in just one week – that’s just under 40%, in a single week. But don’t panic. For every action, there’s a reaction. And the WordPress developers and community are very good at reacting to keep you safe. So, here are 5 simple ways a user can keep their WordPress security up to date:

1. Regular Updates

Update your WordPress core version often. This is your easy, first line of defense, and it’s handled with a few clicks directly in the WordPress Dashboard. There’s little reason not to update. WordPress developers work endlessly to improve code and shut down any potential vulnerabilities. Our advice is to trust them. In fact, when WordPress developers discover a threatening vulnerability, they will release the security patch and push the update automatically. But it is up to you to maintain your WordPress and plugin versions. In some rare cases, a plugin update may conflict with your version of WordPress and you may need to revert to an earlier version (see the section on Continual Backups for more).

2. Up-to-Date Plugins & Themes

WordPress powers 25% of the internet. That’s an impressive figure and also quite appetizing to hackers. Many hackers explore popular plugins and prebuilt themes for vulnerabilities. Their hope is that the more popular a plugin or theme, the more sites it will appear on, and the more sites a single exploit can reach. Perform routine plugin and theme update checks and always run with the latest versions. Plugin and theme developers are good at squashing vulnerabilities and exploits, but it’s still up to you to stay up to date. You can see some of the most commonly attacked WordPress plugins in this blog post from WordFence, as well as the most commonly attacked themes in this WordFence post.

Sometimes site owners deactivate unused plugins but don’t delete them, in case they later choose to reactivate them. This may seem harmless, because it gives the illusion that you switched the plugin “off.” But in our experience, most people don’t bother to update inactive plugins, assuming it’s unnecessary. Those out-of-date plugin files are now just sitting on your server, dormant. They are still vulnerable. It’s like an untreated and abandoned rotting door waiting for someone to kick it down. Our advice: delete inactive plugins. You can always re-add them later.
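Sections 1 and 2 are both routine maintenance, and routine maintenance can be scripted. The script below is an added example written for this page, not code from the article, from WordPress or from WP-CLI; it assumes WP-CLI is installed as `wp` and that `SITE_DIR` (a placeholder path) points at the install. Its `report` mode lists inactive plugins that have a pending update, which are exactly the dormant files this section warns about; `maintain` applies core, plugin and theme updates and then deletes inactive plugins and themes outright instead of leaving them on disk.

```shell
#!/bin/sh
# Added example, not code from the original article: routine update and
# clean-up pass for a WordPress install using WP-CLI (https://wp-cli.org).
# Assumptions: WP-CLI is installed as `wp`, and SITE_DIR is the install path.
set -eu

SITE_DIR="${SITE_DIR:-/var/www/html}"   # assumed path; override via environment

# The two filters below read the CSV that `wp plugin list --format=csv`
# prints (columns: name,status,update,version) on stdin.

# Plugins that are inactive AND have an update pending: the dormant,
# out-of-date files the article warns about.
stale_inactive() {
    awk -F, 'NR > 1 && $2 == "inactive" && $3 == "available" { print $1 }'
}

# Every inactive plugin, whatever its update state.
all_inactive() {
    awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Read-only report: pending core update plus stale inactive plugins.
report() {
    wp --path="$SITE_DIR" core check-update
    echo "Inactive plugins with a pending update (dormant but still vulnerable):"
    wp --path="$SITE_DIR" plugin list --format=csv | stale_inactive
}

# Apply updates, then delete (not merely deactivate) inactive plugins and themes.
maintain() {
    wp --path="$SITE_DIR" core update
    wp --path="$SITE_DIR" core update-db
    wp --path="$SITE_DIR" plugin update --all
    wp --path="$SITE_DIR" theme update --all
    wp --path="$SITE_DIR" plugin list --format=csv | all_inactive |
        while IFS= read -r name; do
            wp --path="$SITE_DIR" plugin delete "$name"
        done
    # `wp theme list` reports the parent of an active child theme with the
    # status "parent", not "inactive", so the parent survives this step.
    wp --path="$SITE_DIR" theme list --status=inactive --field=name |
        while IFS= read -r name; do
            wp --path="$SITE_DIR" theme delete "$name"
        done
}

# Usage: ./wp-maintain.sh report   |   ./wp-maintain.sh maintain
case "${1:-}" in
    report)   report ;;
    maintain) maintain ;;
esac
```

Run `report` on a schedule (cron is fine) and `maintain` only after a fresh backup, since, as section 1 notes, a plugin update can occasionally conflict with your WordPress version and you may need to roll back.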

3. Secure Passwords

We’ve seen an entire site hacked to pieces and watched their SEO (Search Engine Optimization) rankings crumble all because a WordPress Admin created their login password as…”password.” It’s not a myth. This happens. Don’t be that person. Always use secure passwords. WordPress has its own password generator in the Users section of the admin, and plenty of other free password generators exist as well. You can also set limits on failed login attempts with a plugin for added WordPress security. Have trouble keeping track of your passwords? There are services out there, like 1password.com or lastpass.com, which organize and encrypt your passwords for you. If you’re looking for even more on how to create a secure password, we recommend this great article by Cloudwards.

4. Verified, Managed User Accounts

User account management is one of the most important aspects of WordPress security. When creating user accounts, assign rights based on need. If your site requires multiple users, make sure each has a unique login, along with a complex password and an appropriate role, such as Author or Editor. Limit the number of users with Administrator rights. Taking these steps will make it much easier to track which updates a legitimate user makes and more difficult for hackers to cause significant damage by compromising an account (especially if the account compromised has Administrator permissions).

If you are a solo blogger, you probably don’t need more than one login with a complex password. It’s good practice to routinely review the list of users associated with your site. Don’t share accounts or allow account sharing among your team. Always log out of WordPress after working on your site, and don’t use the “Remember Password” feature of your browser.
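The routine user review this section recommends can also be scripted. The script below is an added example written for this page, not code from the article or from WP-CLI; it assumes WP-CLI is installed as `wp`, that `SITE_DIR` is a placeholder install path, and that `MAX_ADMINS` is a policy limit you choose (WordPress itself enforces no such limit). It lists every account with its role and registration date, warns when the number of Administrators exceeds the limit, and wraps the two follow-up actions: demoting an account to a lesser role and removing a departed user while reassigning their posts.

```shell
#!/bin/sh
# Added example, not code from the original article: periodic account review
# with WP-CLI. Assumptions: WP-CLI installed as `wp`, SITE_DIR is the install
# path, MAX_ADMINS is a policy value chosen by the site owner.
set -eu

SITE_DIR="${SITE_DIR:-/var/www/html}"   # assumed path
MAX_ADMINS="${MAX_ADMINS:-2}"           # assumed policy limit

# Input on stdin: `wp user list --format=csv --fields=ID,user_login,roles`.
# Output: "ID login" for each account that holds the administrator role.
# A user with several roles gets them quoted and comma-joined in the last
# column, so fields 3..NF are rejoined before matching.
admins() {
    awk -F, 'NR > 1 {
        roles = ""
        for (i = 3; i <= NF; i++) roles = roles "," $i
        gsub(/"/, "", roles)
        if (roles ~ /,administrator(,|$)/) print $1, $2
    }'
}

# Number of Administrator accounts in the same CSV.
admin_count() { admins | wc -l | tr -d ' '; }

# Review: list everyone with role and registration date, then warn when the
# Administrator count exceeds the policy limit.
audit() {
    wp --path="$SITE_DIR" user list --fields=ID,user_login,user_email,roles,user_registered
    n=$(wp --path="$SITE_DIR" user list --format=csv --fields=ID,user_login,roles | admin_count)
    if [ "$n" -gt "$MAX_ADMINS" ]; then
        echo "WARNING: $n Administrator accounts, limit is $MAX_ADMINS" >&2
        echo "Demote with: wp --path=$SITE_DIR user set-role <ID> editor" >&2
    fi
}

# Demote an account to a lesser role (editor by default), or remove a departed
# user while reassigning their posts to another account so content survives.
demote()      { wp --path="$SITE_DIR" user set-role "$1" "${2:-editor}"; }
remove_user() { wp --path="$SITE_DIR" user delete "$1" --reassign="$2"; }

# Usage: ./wp-users.sh audit | demote <ID> [role] | remove <ID> <reassign-to-ID>
case "${1:-}" in
    audit)  audit ;;
    demote) demote "$2" "${3:-editor}" ;;
    remove) remove_user "$2" "$3" ;;
esac
```

Running `audit` monthly, and whenever someone leaves the team, gives you the review this section asks for in one command; the warning names the exact `wp user set-role` call to apply the least-privilege rule from the previous paragraph.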

5. Continual Backups

Back up your site daily, and if possible, have a secondary fallback such as monthly backups. Not to be melodramatic, but whether you’re dealing with a hack or a server failure, any number of things can go wrong. Sometimes, a server crash can result in a lost or deleted site. And, if your site has ever been hacked or injected with malicious code, it can sometimes take days or even weeks before it’s discovered.

Always have a backup. Your hosting provider may provide backups as part of their service, either to a remote location (another server) or as a download of your site. We recommend using this if it’s available to you, as it would generally be the quickest way to get your site up and running after an issue. Check with your hosting provider if you aren’t sure. Plugins are also available to help you automate the backup process if you’re doing it yourself. (Here are some trusted plugins we like: Duplicator Pro, Updraft Plus, BackupBuddy.) Just remember to make sure that the site is being backed up to a different location from your main site.
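For readers who do their own backups rather than relying on a host or plugin, the script below is an added example written for this page, not code from the article or from any of the plugins named above. It assumes WP-CLI is installed as `wp`, that `SITE_DIR`, `BACKUP_DIR` and the rsync target `OFFSITE` are placeholder values you replace with your own, and that archives are named `site-YYYY-MM-DD.tar.gz`. It implements the daily-plus-monthly scheme from the start of this section: the newest `KEEP_DAILY` archives are kept, any archive dated the 1st of a month is kept as the monthly fallback, and the whole set is mirrored off the web server.

```shell
#!/bin/sh
# Added example, not code from the original article: nightly WordPress backup
# with a "daily + monthly" retention policy and an off-site copy.
# Assumptions: WP-CLI as `wp`; SITE_DIR, BACKUP_DIR and OFFSITE are placeholders.
set -eu

SITE_DIR="${SITE_DIR:-/var/www/html}"                 # WordPress install (assumed)
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wp}"           # local staging dir (assumed)
OFFSITE="${OFFSITE:-backup@backup-host.example:/srv/wp-backups/}"  # rsync target (placeholder)
KEEP_DAILY="${KEEP_DAILY:-14}"                        # how many daily archives to keep

# Archive name for a given ISO date, e.g. site-2017-03-02.tar.gz
backup_name() { printf 'site-%s.tar.gz\n' "$1"; }

# Retention: keep the newest <keep_daily> archives, plus every archive dated
# the 1st of a month (the monthly fallback). Everything else is deleted.
# Usage: prune_backups <dir> <keep_daily>
prune_backups() {
    dir=$1; keep=$2
    # ISO dates sort lexically, so a reverse name sort is newest-first.
    ls "$dir"/site-*.tar.gz 2>/dev/null | sort -r | awk -v keep="$keep" '
        NR <= keep                       { next }   # newest N: keep
        /-[0-9][0-9]-01\.tar\.gz$/       { next }   # 1st of the month: keep
        { print }' |
        while IFS= read -r old; do rm -f -- "$old"; done
}

# Dump the database, archive it with the whole install, prune, then mirror
# the archive directory off the web server.
run_backup() {
    today=$(date +%Y-%m-%d)
    mkdir -p "$BACKUP_DIR"
    work=$(mktemp -d)
    # wp db export reads the DB credentials from wp-config.php.
    wp --path="$SITE_DIR" db export "$work/db.sql" --quiet
    # One archive holding db.sql plus the full install (wp-config.php, uploads,
    # themes, plugins).
    tar -czf "$BACKUP_DIR/$(backup_name "$today")" -C "$work" db.sql -C "$SITE_DIR" .
    rm -rf "$work"
    prune_backups "$BACKUP_DIR" "$KEEP_DAILY"
    # The copy that matters is the one that is NOT on the same server.
    rsync -a "$BACKUP_DIR/" "$OFFSITE"
}

# Usage: ./wp-backup.sh run   (schedule it nightly from cron)
case "${1:-}" in
    run) run_backup ;;
esac
```

Because the off-site copy is taken with plain `rsync -a` and no `--delete`, pruning on the web server never removes anything from the remote side; if you want the remote to follow the same retention policy, run `prune_backups` there as well rather than deleting through the mirror.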

Andy Romanofsky - Programmer/Developer
