There’s a good chance you’re using WordPress on your website. Why? Because W3Techs reports that WordPress now powers over 28% of the web. We use it in almost all of our projects, so if you've had a site built here it'll likely be WordPress.
The Problem: popularity breeds vulnerabilities. If you were a hacker, you’d want to cause the most damage for the least work. If you could find a vulnerability that potentially lets you hack 1 in 4 websites on the internet, you’re going to focus on WordPress.
So in essence the problem isn’t that WordPress is insecure and riddled with vulnerabilities, it’s just that with more people trying to hack it, more vulnerabilities are going to come out. In some respects this is actually a good thing, as it leads to a more secure platform overall, so long as the advice below is heeded.
1. Keep It Updated
WordPress core, plugin and theme updates almost always contain security fixes. It is vital that you keep WordPress updated with all the latest plugin, theme and core releases.
It’s very common for a serious vulnerability to be disclosed and, just a few days later, an update appears in your dashboard. That’ll likely be the fix for that vulnerability, which is why it shouldn't sit there unapplied. Staying updated is probably the single most important security measure you can take with WordPress.
2. Lock It Down
There are a lot of security plugins out there, but we find iThemes Security to be the most effective preventative plugin. It’s simple: just install it and run through the recommended settings until the advisories are gone. iThemes Security has a ton of little tweaks like enforcing strong passwords for all users, renaming your admin section and removing the WordPress generator tags from your site. All of these help throw potential hackers off, as your site won't show the tell-tale signs of being a WordPress install that automated scanners look for.
3. Go Easy On The Plugins
Whilst one of the best things about WordPress is the massive selection of plugins available, it’s also a bit of a security weakness. Every plugin you install is extra code that can carry its own bugs, so the more plugins you have installed, the greater the chance you’ll get hacked. Even some of the most popular and most downloaded plugins, like Jetpack and Contact Form 7, have had serious vulnerabilities disclosed pretty recently.
The best advice we can give on that front is: if you can achieve what you want without a plugin, it’s better to do so, even though a plugin is usually more convenient.
It’s always better to download plugins from the official WordPress Plugin Repository or, in the case of premium plugins, a reputable marketplace like CodeCanyon. The same applies to themes.
4. General Security Recommendations
When setting up WordPress it’s always best to avoid the ‘admin’ username: it’s the first one any hacker will try. Password security is also vital; ‘password1’ doesn’t take long to guess! It’s always recommended that you don’t use the same password for anything else. If someone gets hold of it and cracks it, and it’s also your PayPal password, that’s a sitting duck.
An SSL certificate always helps here too. Serving your site over HTTPS encrypts the login form submission (and every other request) in transit, so your username and password can’t be read by anyone sitting between your browser and the server. It goes without saying that if your site has multiple users logging into accounts or submitting payments then HTTPS is definitely required.
If you think your site might already have been hacked then Wordfence is a great plugin to have. It can restore altered core, plugin and theme files to their original versions and it explains why it believes your site is vulnerable. However it’s more of a ‘cleaning up afterwards’ tool than a preventative one.
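To show what the items in sections 1, 2 and 4 look like when applied with standard WordPress hooks, here is an added example of a small must-use plugin. It is not code from the original post, iThemes Security or Wordfence; the file name, the function name and the 12-character password rule are our assumptions.

```php
<?php
/**
 * Plugin Name: Hardening example (added example, not an iThemes/Wordfence file)
 * Save as wp-content/mu-plugins/hardening-example.php; mu-plugins load on every request.
 */

// Section 1: let plugins and themes update themselves so security fixes land
// without waiting for someone to log in to the dashboard. Core minor and
// security releases already auto-update by default.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Section 2: remove the generator tag from <head> and from feeds so the page
// source does not advertise the exact WordPress version to scanners.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Section 4: refuse the 'admin' username (and a few other obvious defaults)
// when an account is created. wp_insert_user() consults this filter.
add_filter( 'illegal_user_logins', function ( array $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator', 'root', 'test' ) );
} );

// Section 4: minimum password strength (assumed rule: 12+ chars with lower
// case, upper case and a digit). Name is ours, not a WordPress function.
function hardening_example_is_strong_password( $password ) {
    return strlen( $password ) >= 12
        && preg_match( '/[a-z]/', $password )
        && preg_match( '/[A-Z]/', $password )
        && preg_match( '/[0-9]/', $password );
}

// Enforce it whenever a password is set or changed from the profile screen.
// $user->user_pass only holds a plaintext value when a new password was
// submitted, so saving a profile without touching the password passes through.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    if ( ! hardening_example_is_strong_password( $user->user_pass ) ) {
        $errors->add( 'weak_password',
            'Passwords must be at least 12 characters and mix upper case, lower case and digits.' );
    }
}, 10, 3 );

// Section 4: send every login and admin request over HTTPS. This constant has
// to be defined before WordPress loads, i.e. in wp-config.php, not here:
//   define( 'FORCE_SSL_ADMIN', true );
```

The `illegal_user_logins` check only applies to accounts created after the file is in place; an existing ‘admin’ user still has to be replaced by hand.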
All of the advice outlined above is included as part of our monthly fee for any website we build here at Kobault. It's in our interest to make sure your website is safe, up to date and secure at all times, which is why we implement iThemes Security on every site we build and handle updates for clients as well.