After working with WordPress for almost a decade, I have some strong observations over its security structure, process and etc.
I like to share some of these with you, hope it will help you…
- WordPress, itself as a software or a script is actually quite secure. The team at WordPress take security very seriously and have a well-defined process for managing potential vulnerabilities.
- Experience matters – Yes, in most of the cases, there are many security mistakes an inexperience developer or client made or can make. No doubt WordPress is the easiest CMS to install, setup and overall use, but it does not mean that it is easy to maintain properly in long term! Few basic examples are like
- Use weak or too weak usernames and passwords combination.
- Fail to stay up to date on software (WordPress core, plugins, themes, the web server itself, or the malicious software on their own pc).
- Install plugins and themes without doing any basic research about the author, previous reviews, bugs notes etc.
- They, I mean clients do share username/passwords (ftp/sftp/cpanel) to many freelance developers or friends while they have some work in their site, after the task done in most even forget to change those! Here, I do not mean freelancer’s will hack or make some damage you- No! they will never do such thing! even if you did not pay them well! I am also a freelancer, so I am very sure they are 100% loyal to his/her clients, small or big both. What I am trying to say it is very likely that some of their own PC, computers are infected with malware, trojans or some low level viruses, truly without their own knowledge, as I strongly doubt most of them are not using any antivirus program in their original or pirated Windows versions PCS,
- Choosing a cheap hosting is another reason for it! Yes, it is fact that Kinsta or WPENGINE has less chance of being hacked over bluehost or hostgator etc, I even read some techcrunch news of how to hack them! – found it here – https://techcrunch.com/2019/01/14/web-hosting-account-hacks/
Ok, so now it is time to make it secure,
I have a small checklist for you,
1. Pick a Solid WordPress Host
Try a premium one or a managed service, it is far better option for you in long term, even you are on small business owner with a small budget? try Amazon Lightsail, it is relatively cheap if you can not afford wpengine or kinsta, After signup at lightshail make sure you hire a good linux server admin to harden it, do the set-up of a web server, and migrate your website properly.
( Note – you can hire me for that! 😉 )
2. Back-up Your Website – ( Choose cloud backup option )
I can bet on it, every developer will agree me, this is one of the most important and live saving habit!
While doing backup try to use cloud option, perhaps daily backup is best, or at-least file backup in a week and daily database backup. It is ideal for small business websites which does not change daily, and perhaps they blog or change content in weeks.
3. Choose Themes and Plugins from Reliable Source
Theme and plugin choosing is a vital part for better security. Strictly, do not install any plugin or theme from a less trusted provider or not only because it is free! unless you are very much sure about it’s author reputation, like Autometic.com (the author company of WordPress),ElegantThemes, StudioPress, iThemes, EngineThemes etc.
However, I do strongly believe there are plenty of good or great theme is present to serve different purposes, but you should not choose a theme with bloated options,
You should focus on you actual need of your website, and choose accordingly, like I prefer to suggest two themes for simple small business or small shop,
(Note – These above links are not referral links! it is a stupid simple suggestion :))
4. Install a SSL Certificate
Now a days, SSL is a must thing, as Google already showing insecure notification in chrome browser along with other major browsers. Also, a non SSL will hamper SEO too, Google already disclose it few years back – https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html or you can read full blog post by the great Neil Patel –
So, Please install a SSL certificate from a authorised store or you can try to use Let’s Encrypt . As per I know, most of the hosting providers are now supporting Let’s Encrypt into thier system. You just need to a do a few click to install in your site, if your host support it.
Here is a short tutorial on how you install Let’s Encrypt on various web hosting panel, like cPanel, Plesk Panel, VestaCP etc.
5. Prevent Brute Force Protection
- Change your wp-login URL,
- Use to have a force strong passwords for all user level( subscribers to administrator)
- Set up a firewall
- Block Fake Google Crawlers
- Remove or add filter to reduce Comment Spam
- Use IP Blocking (manual and automatic both)
- Use 2-Factor Authentication
all these can be achieved via a plugin like Wordfence (strongly recommended), or iTheme’s Security plugin.
Or you can try to use Cloudflare, incapsula.com etc or similar cloud service which actually help you to block, prevent DDoS attack and other brute force attacks.