Most internet users know the basics of internet security: they run antivirus software, don’t open spammy emails, and steer clear of dubious-looking websites. But many general users and website builders are less aware of the practices for building a website with security in mind, and of the tips and tricks that keep out bots, spammers, and hackers.
Improving the security of a WordPress website is usually just called “hardening” it, in large part because WordPress ships with many native features a site owner can use to strengthen its defenses. Sure, there are hundreds of security plugins for WordPress, but many of them come with their own can of worms: compatibility with future WordPress versions, the trustworthiness of the plugin author, and the need for frequent plugin updates to keep up with new threats, to name just a few. So we largely won’t be covering plugins, but instead the options native to WordPress and the user habits that contribute to your website’s security.
That matters because WordPress vulnerability surveys have put the share of insecure, attackable WordPress sites as high as three quarters. Worse, some of the most vulnerable plugins are also popular ones sold commercially.
Understand Your Risk
How risky is your WordPress website going to be? Keeping that in mind is a good way to gauge how much extra effort you should put into it. Luckily, a few simple rules of thumb tell you where your site sits: the fewer users a website has, the safer it is. The less widely used its theme, the less likely attackers already hold a ready-made exploit for it (custom code is only safer if someone has actually reviewed it). The fewer places for visitor interaction (comments, posting capabilities, and so on), the safer it is. The fewer plugins you use, and the better maintained they are, the safer your WordPress website will be. In general, sites with many users, a common free theme, and dozens of risky, unvetted plugins are among the riskiest to operate and deserve extra attention to security.
Basic WordPress Security
The most basic measure in WordPress security is updating. When WordPress prompts you to install an update, do so: core updates are often security related and usually fix real weaknesses. The same frequently applies to theme and plugin updates. You may not realize it, but plugins often represent quiet ‘back doors’ into a site’s admin, and it is not unusual for security researchers to find and publicly disclose critical flaws in specific plugins, partly to push their authors to ship a fix.
Sure, there’s always the worry that an update will break a theme or plugin, but you can take a backup of your site (database and files) just before updating so you can revert the change if you need to.
Keep Things Streamlined
Delete any plugins or themes you aren’t using to reduce the chance that your website gets hacked; sitting unused, they can still serve as back doors into your website. Contrary to popular opinion, deactivating a plugin is not enough: its files stay on the server, and any of them that can be requested directly (rather than only through WordPress’s hooks) remains exploitable. If you think you might want a plugin or theme later and don’t want to delete it, always install its updates, active or not.
Use Reputable Sources
Did you know that some plugin writers build plugins specifically to make it easier to break into the websites that install them? WordPress does a good job of weeding these out, but it still happens from time to time. So only download plugins from WordPress.org, where the plugin directory team reviews new submissions (later updates are not individually checked), and avoid buying and uploading themes from random other websites. Even when you’re downloading from WordPress.org, check when the plugin was last updated, which WordPress version it is tested with, how many active installs it has and what its reviews say; a plugin that hasn’t been touched in years is a liability whatever its download count.
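The three habits above (back up, then update everything including deactivated extensions; prune what you don’t use; make sure what is installed is really what WordPress.org ships) can be scripted. The following is an added example, not code from the original article: a hypothetical maintenance script that assumes WP-CLI (https://wp-cli.org) is installed as `wp` and is run from the WordPress root. The `WP` and `BACKUP_DIR` variables and the subcommand names (`backup`, `update`, `prune`, `audit`) are this script’s own conventions.

```shell
#!/bin/sh
# wp-maintain.sh: hypothetical maintenance script (not from the article).
# Assumes WP-CLI is installed as "wp" and that the script is run from the
# WordPress root. Set WP to point at a different binary.
set -eu

WP="${WP:-wp}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"

# Snapshot the database and wp-content before touching anything, so an
# update that breaks the theme or a plugin can be rolled back.
backup_site() {
    dest="$BACKUP_DIR/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    $WP db export "$dest/db.sql"
    tar -czf "$dest/wp-content.tgz" wp-content
    echo "$dest"
}

# Update core, then every installed plugin and theme. --all includes the
# deactivated ones: their files stay on disk and stay reachable.
update_all() {
    $WP core update
    $WP core update-db
    $WP plugin update --all
    $WP theme update --all
}

# Installed-but-inactive plugins and themes: the removal candidates.
# (WP-CLI reports the parent of an active child theme with status
# "parent", not "inactive", so it is not listed here.)
inactive_plugins() { $WP plugin list --status=inactive --field=name; }
inactive_themes()  { $WP theme list --status=inactive --field=name; }

# Delete everything inactive. Only the literal argument "yes" deletes;
# anything else is a dry run that reports what would go.
prune_inactive() {
    confirm="${1:-no}"
    plugins=$(inactive_plugins)   # slugs never contain spaces
    themes=$(inactive_themes)
    for name in $plugins; do
        if [ "$confirm" = "yes" ]; then $WP plugin delete "$name"
        else echo "would delete plugin: $name"; fi
    done
    for name in $themes; do
        if [ "$confirm" = "yes" ]; then $WP theme delete "$name"
        else echo "would delete theme: $name"; fi
    done
}

# Compare the installed core and plugin files against the checksums that
# WordPress.org publishes; a modified or injected file shows up here.
# Only works for plugins hosted on WordPress.org.
audit_checksums() {
    $WP core verify-checksums
    $WP plugin verify-checksums --all
}

case "${1:-}" in
    backup) backup_site ;;
    update) backup_site; update_all ;;
    prune)  prune_inactive "${2:-no}" ;;
    audit)  audit_checksums ;;
    *)      echo "usage: $0 backup | update | prune [yes] | audit" ;;
esac
```

Run `sh wp-maintain.sh prune` first to see what would be removed, then `sh wp-maintain.sh prune yes` to actually delete; `update` always takes a backup before it changes anything. Commercial plugins that are not in the WordPress.org directory cannot be checked by `audit`, which is one more reason to keep their number small.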
Keep Your Login Information Secure
Here’s a pro tip: don’t use ‘admin’ or ‘webmaster’ as your WordPress username. Bear in mind that a username is not a secret (WordPress exposes it through author archives and the REST API), so this only removes the easiest guess from a brute-force list. Similarly, use a long, unique password. Rotating it once or twice a year does no harm, but the moment to change it is immediately after any suspected compromise or leak. If you’re stuck, WordPress has a built-in strong password generator to make recommendations for you.
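WordPress won’t let you rename a user from the dashboard, so getting rid of an ‘admin’ login means creating a replacement administrator, moving the old account’s content across, and deleting the old account. The following is an added example, not code from the original article: a hypothetical helper script that assumes WP-CLI is installed as `wp` and is run from the WordPress root. The `GUESSABLE` list and the subcommands `check`, `replace` and `rotate` are this script’s own.

```shell
#!/bin/sh
# wp-admin-login.sh: hypothetical helper (not from the article) for the
# username and password advice above. Assumes WP-CLI as "wp", run from
# the WordPress root; set WP to override.
set -eu

WP="${WP:-wp}"

# Logins that brute-force tools try first. Extend as you see fit.
GUESSABLE="admin administrator webmaster root test demo"

# Print every existing login that appears on the GUESSABLE list.
guessable_logins() {
    existing=$($WP user list --field=user_login)
    for login in $GUESSABLE; do
        if printf '%s\n' "$existing" | grep -qx "$login"; then
            echo "$login"
        fi
    done
}

# 24 characters from a 64-symbol alphabet (about 144 bits) read from
# the kernel RNG; never contains whitespace, so it is safe to pass around.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9_-' < /dev/urandom | head -c 24
    echo
}

# replace_admin OLD NEW EMAIL
# Create NEW as an administrator with a fresh password, hand OLD's posts
# to NEW, then delete OLD. The password is printed exactly once.
replace_admin() {
    old="$1"; new="$2"; email="$3"
    pass=$(gen_password)
    $WP user create "$new" "$email" --role=administrator --user_pass="$pass" >/dev/null
    new_id=$($WP user get "$new" --field=ID)
    $WP user delete "$old" --reassign="$new_id" --yes
    echo "replaced '$old' with administrator '$new'; password: $pass"
}

# Rotate a password without replacing the account (e.g. after a
# suspected leak).
rotate_password() {
    pass=$(gen_password)
    $WP user update "$1" --user_pass="$pass" >/dev/null
    echo "new password for '$1': $pass"
}

case "${1:-}" in
    check)   guessable_logins ;;
    replace) replace_admin "$2" "$3" "$4" ;;
    rotate)  rotate_password "$2" ;;
    *)       echo "usage: $0 check | replace OLD NEW EMAIL | rotate LOGIN" ;;
esac
```

`sh wp-admin-login.sh check` lists the guessable logins that actually exist; `sh wp-admin-login.sh replace admin ops ops@example.com` retires ‘admin’ while keeping its posts. Store the printed password in a password manager straight away; the script does not keep it anywhere.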