You’re sitting in a meeting with business stakeholders to discuss a new website. Either you are on WordPress now and plan to rebuild the new site on the same framework, you have a non-WordPress website and plan to move to WordPress, or the choice of content management system is up for debate. Inevitably someone throws out the comment “WordPress is known for getting hacked” or “WordPress is not very secure”. The comment usually comes from a non-technical person in the room who has a developer friend.
This is a common misconception about WordPress security. Many people believe that WordPress is insecure and easily compromised, but as with any content management system, the security of your website depends on the effort you put into locking it down. WP White Security wrote an article last year with statistics about hacked WordPress websites. Here are some of the stats it brought up.
- 41% were hacked through a security vulnerability on their hosting platform
- 29% were hacked via a security issue in the WordPress theme they were using
- 22% were hacked via a security issue in the WordPress plugins they were using
- 8% were hacked because they had a weak password
As you can tell, none of these statistics point to a vulnerability in WordPress core itself; they are about the environment around it. The largest share of compromises came from a vulnerability in the hosting platform, and the best way to combat that is choosing a good hosting company. We always recommend Media Temple to our new clients. The next largest shares are due to insecure third-party WordPress themes and plugins. Every website we create comes with a pre-approved list of plugins that we have vetted and that are actively maintained. Many plugins out there are not updated frequently enough to stay ahead of known vulnerabilities.
The foundation of WordPress security, then, is knowing how to properly install and harden the WordPress framework and working with the best hosting companies. Beyond those foundations, there are features we use on every website to increase the security of our clients’ sites. Below are the features we add to each site we create.
- File Change Detection – If an attacker manages to get inside your website, this measure notifies the administrator that a file has been added, edited or deleted, which is how most backdoors show up. That gives the administrator the chance to rotate the site’s credentials and restore the changed files from a known-good copy.
- Admin username change – Simple but necessary. Older WordPress installs (and many one-click installers) created the first administrator as ‘admin’, so that is the first username every password guesser tries; since WordPress 3.0 the installer lets you choose the name, but plenty of existing sites still have it. WordPress does not let you edit a username in place, so create a second administrator account with a non-obvious name, log in as it, then delete the ‘admin’ account and attribute its posts to the new user when prompted. Keep in mind that the login name is only half of it: the author archive URL (/?author=1, which redirects to /author/<slug>/) exposes the user’s nicename, so change that too if it still reads ‘admin’.
- 404 Bot Detection – When a bot scans the internet for WordPress sites, it works from a predetermined list of paths (plugin, theme and backup files) and requests each one on every host it finds. On your site most of those requests come back as 404 errors for pages that do not exist. This feature recognizes a burst of 404s from one IP address and locks that address out. Set the threshold high enough that a visitor following a few dead links is not caught.
- Keep up with updates – It is really important to keep WordPress core, your theme and your plugins up to date. Updates are how known vulnerabilities get fixed, and a site running old versions is an easy target.
- Away Mode – You can make the admin area of WordPress inaccessible during specific hours of the day. This is useful for making sure no one logs into the admin area at night, when nobody should be editing the site. The administrator account is of course immune to this mode.
- Housekeeping – Clean your site like you clean your house: regularly. Remove unused themes, plugins and leftover files; an inactive plugin can still be exploited if its files are reachable on the server.
- Brute Force Protection – We harden the WordPress login by giving it stricter rules: we limit the number of failed attempts before the guessing IP address is locked out, and we whitelist IP addresses so that specific people are exempt from these rules.
- Strong Password Enforcement – You can require users to choose a strong password whenever they set or change it. This is one of the simplest and most effective ways to improve your site’s security; weak passwords were behind 8% of the hacks in the statistics above.
- Choose Better Hosting – Go VPS. Don’t get lumped in with hundreds of other websites on a shared hosting plan, where one neighbour’s compromised site can expose yours. VPS stands for Virtual Private Server; it gives your website its own isolated environment and the resources and attention it needs.
- Backup Often – Recent backups let you restore fast. We use ManageWP for automated WordPress backups and recommend incremental backups daily and a full backup every 7 days. Your hosting company may also provide backups, but they can be dated, and when you are in a hurry a restore through the host can take hours or days. Keep a copy off the server so that whoever compromises the site cannot also delete your backups, and test a restore now and then.
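To make the File Change Detection item concrete, here is an added example (not code from this page, from the plugin we use, or from WordPress itself) of what such a feature does underneath: take a baseline of SHA-256 hashes for every file in the site tree, take another later, and report what was added, modified or deleted. The `DEFAULT_EXCLUDES` paths, the `demo()` site layout and the “injected” edits are all constructed for the illustration and are assumptions, not findings about any real site.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Directories that change legitimately all the time; hashing them would bury the
# real signal in noise. Assumed typical WordPress layout; adjust per site.
DEFAULT_EXCLUDES = ("wp-content/uploads", "wp-content/cache")


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large media files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, excludes=DEFAULT_EXCLUDES):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        rel_dir = "" if rel_dir == "." else rel_dir
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if (f"{rel_dir}/{d}" if rel_dir else d) not in excludes]
        for name in filenames:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            manifest[rel] = sha256_file(Path(dirpath) / name)
    return manifest


def diff_manifests(baseline, current):
    """Compare two manifests; the three lists are what the admin gets notified about."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def demo():
    """Constructed scenario: snapshot a toy site tree, then simulate a compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        theme = site / "wp-content/themes/mytheme"
        theme.mkdir(parents=True)
        (site / "wp-content/uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
        (theme / "old.php").write_text("<?php // unused template\n")
        baseline = build_manifest(site)

        # Simulated attacker activity: a line appended to a theme file, a new
        # file dropped into the theme, a file removed. A legitimate media upload
        # lands in uploads/, which the exclude list keeps out of the report.
        with (theme / "footer.php").open("a") as f:
            f.write("/* injected */\n")
        (theme / "dropped.php").write_text("<?php // not part of the theme\n")
        (theme / "old.php").unlink()
        (site / "wp-content/uploads/photo.jpg").write_bytes(b"\xff\xd8\xff")

        return diff_manifests(baseline, build_manifest(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline manifest is stored somewhere the web server’s user cannot write (otherwise whoever edits the theme file can also edit the manifest), the comparison runs on a schedule, and any non-empty diff that does not coincide with a deployment or update is the alert.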
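The 404 Bot Detection and Brute Force Protection items share one mechanism: count events per source IP inside a sliding time window, lock the address out when it crosses a threshold, and exempt whitelisted addresses. The following added example (written for this page, not the plugin’s or WordPress’s own code) implements that over web-server access-log lines in combined format. One detail worth knowing: WordPress answers a wrong password by re-rendering wp-login.php with HTTP 200, while a successful login is a 302 redirect into wp-admin, so a POST to wp-login.php that returns 200 is the failed-login signal in the log. The thresholds, the five-minute window, the whitelist range and every IP address and path in `demo()` are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Combined access-log line: client IP, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class LockoutPolicy:
    """Sliding-window lockout per source IP; whitelisted networks are never locked."""

    def __init__(self, max_404=10, max_login_fail=5,
                 window=timedelta(minutes=5), whitelist=()):
        self.limits = {"404": max_404, "login": max_login_fail}  # assumed thresholds
        self.window = window
        self.whitelist = [ip_network(w) for w in whitelist]
        self.events = defaultdict(lambda: defaultdict(deque))   # ip -> trigger -> times
        self.locked = {}                                         # ip -> (trigger, when)

    def is_whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def feed(self, line):
        """Process one log line; return (ip, trigger) if it causes a lockout."""
        m = LOG_RE.match(line)
        if not m:
            return None
        ip, status = m["ip"], int(m["status"])
        ts = datetime.strptime(m["ts"], TS_FMT)
        if ip in self.locked or self.is_whitelisted(ip):
            return None
        if status == 404:
            trigger = "404"          # scanner probing for files that do not exist here
        elif (m["method"] == "POST" and m["path"].startswith("/wp-login.php")
              and status == 200):
            trigger = "login"        # login form re-rendered: wrong password
        else:
            return None
        q = self.events[ip][trigger]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget events older than the window
            q.popleft()
        if len(q) >= self.limits[trigger]:
            self.locked[ip] = (trigger, ts)
            return ip, trigger
        return None


def _line(ip, when, method, path, status):
    """Constructed sample log line (not a real capture)."""
    return (f'{ip} - - [{when.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "-"')


def demo():
    """Run the policy over constructed traffic; return {ip: trigger} for lockouts."""
    t0 = datetime(2024, 1, 15, 3, 0, 0, tzinfo=timezone.utc)
    policy = LockoutPolicy(whitelist=["192.0.2.0/24"])     # assumed office range
    lines = []
    # Scanner walking a list of plugin paths that do not exist on this site.
    for i in range(12):
        lines.append(_line("203.0.113.7", t0 + timedelta(seconds=i), "GET",
                           f"/wp-content/plugins/plugin-{i}/readme.txt", 404))
    # Password guesser: six failures (200), then a would-be success (302).
    for i in range(6):
        lines.append(_line("198.51.100.9", t0 + timedelta(seconds=30 + i),
                           "POST", "/wp-login.php", 200))
    lines.append(_line("198.51.100.9", t0 + timedelta(seconds=40),
                       "POST", "/wp-login.php", 302))
    # Whitelisted office address crawling dead links: many 404s, never locked.
    for i in range(20):
        lines.append(_line("192.0.2.10", t0 + timedelta(seconds=60 + i),
                           "GET", f"/old-page-{i}", 404))
    # Ordinary visitor with one successful login: no events recorded.
    lines.append(_line("198.51.100.20", t0 + timedelta(seconds=90), "GET", "/", 200))
    lines.append(_line("198.51.100.20", t0 + timedelta(seconds=91),
                       "POST", "/wp-login.php", 302))
    for line in lines:
        policy.feed(line)
    return {ip: trigger for ip, (trigger, _) in policy.locked.items()}


if __name__ == "__main__":
    print(demo())
```

The whitelist check happens before any counting, which is what lets you exempt your own office even when someone there trips the 404 rule with a broken-link crawl. Whatever enforces the lockout (a firewall rule, a deny list read by the web server, or the plugin itself) should also expire entries after a while, since many attackers come from shared or rotating addresses and a permanent block eventually hits a real visitor.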
Now that you understand WordPress security a little better, you can see that it is a misconception that WordPress itself is inherently vulnerable. Compromises usually come from other variables: the hosting platform you are on, the theme you are using, the plugins installed on the site, and weak passwords. There are ways to harden WordPress, and it is smart to have a professional help you with it.