5 Things That Work For WordPress Security (+ Things That DON’T)
When trying to keep your WordPress site secure, there are many things to keep in mind. The security landscape is changing all the time, and it can be difficult to keep up with the newest ways hackers or malicious actors are using to gain access to sites.
Everyone hopefully has a particular way or set of practices they use to run their WordPress site.
However, some of the practices you may be used to could be putting your site in jeopardy. In this article, we will go over five things that work, and five things that don’t work when it comes to keeping your WordPress site secure.
5 Ways To Secure Your WordPress Site
1. Add A Firewall To WordPress
By using a firewall on your WordPress installation, you ensure some very common exploits are no longer possible. These issues include things like Brute Force attacks or denial of service attacks.
What’s more, firewalls can block IP addresses of people who are continuously trying to breach your site. This not only keeps your site secure but increases its performance as well. And most WordPress firewalls come pre-loaded with the IP addresses of known hackers that become automatically blocked when the firewall is installed.
2. Keep WordPress Up To Date
Usually, when WordPress updates, it’s because some security issues are being corrected or patched. And even though some WordPress sites are set up to update automatically, this sometimes doesn't happen as soon as the update has been released.
So you need to keep an eye on the backend of your WordPress installation for updates to the core software that’s being used to run the site.
3. Keep Your Plugins Updated
Just as we mentioned with keeping WordPress up to date, you also need to keep your plugins up to date. Just as with the core WordPress installation, when a plugin is often updated times it’s because a security issue has been fixed or patched.
A common way hackers or malicious actors gain access to sites is by searching for exploits that are found in old software or plugins. And some plugins do not automatically update, especially paid plugins or what are sometimes referred to as “premium plugins.”
4. Use A Full WordPress Backup Solution
Not having a backup solution in place is a recipe for disaster when it comes to WordPress security. A common thing that happens when a site is hacked is snippets will be inserted into the site in a way that makes them difficult for them to be found. S
Having a way to restore your site to a stable and uncompromised state quickly is essential to running a secure website. This can also be a huge advantage if you are testing new elements and plugins on your site in the case that it breaks. The topic of WordPress security doesn’t just stop at dealing with hackers, sometimes you need to protect your site from yourself.
5. Choose A Secure Web Host
Not all web hosts are created equally. This can largely depend on the cost of your hosting solution. So if you are using a cheap or discount host, it’s almost guaranteed that their safety practices aren't the best.
So if you truly care about keeping your WordPress installation secure, perhaps the most important first step is to choose aweb host which prioritizes security. You can often find this information listed on the host's site. But, if the information is not readily shown, we would advise reaching out to your host to see what their security standards are so you know what needs to be fixed.
For example, Cloudways is a good and secure web hosting solution.
5 Things That Don’t Work To Keep Your WordPress Site Secure
Expecting Your Web Host To Handle Security
While your host does perform some basic security steps, they may not be doing everything. This largely depends on the quality and cost of your hosting platform.
You shouldn't make the mistake of expecting your host to perform everything that is required to keep your WordPress site safe and secure.
Doing Backups Manually & Keeping Them Locally
While having a back-up is great, relying on yourself to manually do it can be a huge pitfall. Even if you are diligent in the beginning, sooner or later you will forget or miss a backup.
What’s more, if you store the backups on the same server your WordPress site is hosted on, in the event that your site is hacked your backups can be compromised or destroyed also.
Keeping Your Passwords Written Down Both Physically & Digitally
Not keeping your password secure can be a great way to have your website hacked. And a common way that your password will be leaked is having it written down either in person or in a document online or on your computer.
Often times when hackers or malicious actors are breaking into computers or online accounts, passwords and logins are what they are looking for.
Using An Easy To Guess Password
The easier the password, the easier it will be for hackers or malicious actors to use software programs to guess it. A brute force attack is the most common way a site will be hacked or compromised.
What is a brute force attack? It’s when someone uses a software program to try hundreds or thousands of passwords that are the most commonly used around the world. So that means if your password is something simple like “banana,” the software program will be able to guess it very easily.
Installing Themes and Plugins from Untrustworthy Sources
When you install a theme or plugin from an untrusted source, you have no way of knowing if there is a backdoor pre-installed or if the plugin or theme is secure. So a great way to avoid this is ensuring that whatever themes or plugins you are using are from a trusted source like the default WordPress plugin and theme directory.
When plugins or themes are added to the WordPress directory, they undergo mandatory checks to ensure they are secure. So if you rely on the WordPress directory, you can almost guarantee the plugin will have at least go through some basic security checks
This is a guest post by Samuel Bocetta. He is a retired cybersecurity analyst, currently reporting on trends in cryptography and cybercrime.