At the time of this writing, WordPress makes up over 29% of the sites on the internet, and it’s growing many times faster than any competitor (source: W3Techs, which runs extensive and reliable web technology surveys). Since we make a living on WordPress themes and plugins, this is pretty exciting (yay, job security!). However, keeping it secure is critical because of the huge target on its back for hackers looking to exploit it. The team at Automattic takes this very seriously and is doing its part to make sure WordPress is secure and patched regularly, but there’s more that needs to be done to keep your site protected.
So what do we do about it?
1. Keep WordPress updated
WordPress has a team of developers dedicated to security. Whenever vulnerabilities are found, they are quickly addressed and patches are released to fix the problem. WordPress can now apply minor releases automatically, so these kinds of fixes are installed immediately and without user intervention. Major core releases still require regular maintenance: someone has to apply them.
2. Update themes and plugins
WordPress core updates are critical, and so is keeping your themes and plugins updated. Any developer can create a plugin, so quality and security vary wildly. According to this stat, plugins represent 52% of the security threats. Some are malicious, others are the result of bad programming, and some use third-party libraries that introduce vulnerabilities. At Indevver we vet plugins carefully and use them sparingly in our custom themes.
It’s critical that plugins are updated along with WordPress core to help ensure that you have the most current and secure versions installed, not to mention all of the new features and bug fixes that come with those updates.
Tip: Remove unused plugins. Even inactive plugin code can, in some shared hosting environments, be reached from other sites on the same server and exploited.
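The update policy from the two sections above can be enforced in code rather than left to whoever remembers to click "Update". The following must-use plugin is an added example, not code from the original post or from Indevver: it opts the site in to automatic major core releases and theme updates, and auto-updates only plugins on an allow-list. The `example_` function name and the plugin slugs in the allow-list are assumptions for this example; the filters (`allow_major_auto_core_updates`, `auto_update_theme`, `auto_update_plugin`) are WordPress core filters.

```php
<?php
/**
 * Plugin Name: Update policy (added example, not from the original post)
 * Description: Opts the site in to automatic updates for core, themes and an
 *              allow-list of plugins. Save as wp-content/mu-plugins/update-policy.php
 *              so it loads on every request and cannot be deactivated from the dashboard.
 */

// Minor and security core releases already auto-update by default. This also
// lets major core releases be applied automatically; it is equivalent to
// define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Auto-update every installed theme.
add_filter( 'auto_update_theme', '__return_true' );

/**
 * Auto-update plugins, but only those that have been vetted.
 *
 * $update is the decision WordPress has already made (per-plugin "Enable
 * auto-updates" setting), $item describes the available update and carries
 * the plugin slug. The slugs below are placeholders for this example.
 */
function example_plugin_auto_update( $update, $item ) {
    $vetted = array( 'wordfence', 'example-vetted-plugin' );
    if ( isset( $item->slug ) && in_array( $item->slug, $vetted, true ) ) {
        return true;
    }
    // Leave the decision for everything else unchanged.
    return $update;
}
add_filter( 'auto_update_plugin', 'example_plugin_auto_update', 10, 2 );
```

Two things to keep in mind: files under `wp-content/mu-plugins/` are never updated by WordPress itself, so the policy file is your responsibility, and auto-updates only cover plugins that are installed and reachable through the update API. For the "remove unused plugins" tip, `wp plugin list --status=inactive` (WP-CLI) lists the deactivated plugins that are still on disk and should be deleted rather than left inactive.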
3. Manage users and passwords
Another common vulnerability is weak passwords and exposed usernames.
Tip: Make sure your profile is set to show your display name and not your username. You can do this by going to the Users menu in the WordPress dashboard and checking that the user’s first and last name is chosen in the “Display name publicly as” dropdown, not the nickname or username.
Tip: Limit the number of login attempts a user can make. The simplest way is to use the Limit Login Attempts plugin. A more complete and robust approach is the Wordfence plugin, which limits login attempts and requires strong passwords, in addition to a number of other great security features such as a Web Application Firewall (WAF).
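To show what "limiting login attempts" actually does under the hood, here is a minimal login throttle as an added example; it is not code from the original post, from Limit Login Attempts or from Wordfence. It counts failed logins per client address in a transient and, once the threshold is reached, rejects authentication for a cooling-off period even when the password is correct. The `EXAMPLE_` constants, the `example_` function names and the threshold values are assumptions for this example; `wp_login_failed`, `authenticate`, `wp_login` and the transient functions are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Login throttle (added example, not from the original post)
 * Description: Counts failed logins per client address and refuses further
 *              attempts for a cooling-off period. Save in wp-content/mu-plugins/.
 *              The thresholds below are illustrative, not recommendations.
 */

const EXAMPLE_LOGIN_MAX_FAILURES    = 5;    // failures before lockout
const EXAMPLE_LOGIN_LOCKOUT_SECONDS = 900;  // 15 minutes

// Transient key for the current client. Behind a reverse proxy or CDN,
// REMOTE_ADDR is the proxy's address and every visitor would share one
// counter; in that case derive the key from the header your proxy sets.
function example_login_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_login_fail_' . md5( $ip );
}

function example_login_failure_count() {
    return (int) get_transient( example_login_client_key() );
}

// Fires after any failed authentication (login form, XML-RPC, REST, application passwords).
add_action( 'wp_login_failed', function ( $username ) {
    $count = example_login_failure_count() + 1;
    // Each failure restarts the expiry, so hammering during a lockout extends it.
    set_transient( example_login_client_key(), $count, EXAMPLE_LOGIN_LOCKOUT_SECONDS );
    error_log( sprintf(
        'login failure %d for "%s" from %s',
        $count,
        $username,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
} );

// Core's own username/password and cookie checks run on 'authenticate' at
// priorities 20 and 30. Hooking later lets this filter override their result,
// so a correct password is still rejected while the client is locked out.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( example_login_failure_count() >= EXAMPLE_LOGIN_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts from your address. Please try again later.' )
        );
    }
    return $user;
}, 40, 3 );

// A successful login clears the counter for this client.
add_action( 'wp_login', function () {
    delete_transient( example_login_client_key() );
} );
```

The transient lives in the options table (or the object cache), so lockouts survive across requests but are reset if the cache is flushed. Like any per-address counter it slows a single source down; a distributed attack spread across many addresses is where the per-username limits and the WAF that the plugins above add start to matter. The `error_log` line is there so failed attempts show up in the PHP error log where they can be picked up by monitoring.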
Minimize Administrator Level Accounts
Not every user on your site needs to be an administrator. The Editor role gives you the access you need to add and modify pages and do most of the daily work. Even as the site owner, we recommend using an Editor account for most things and logging in as an administrator only for admin duties such as updating themes, plugins and core, or managing users.
“admin” as a username
You’ll ward off many “brute force” attacks by not using admin as a username and by limiting login attempts. Admin is the default username, and even WordPress no longer recommends using it.
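The three user-management tips above (display name, minimal administrator accounts, no "admin" user) are easy to check in one pass. The following WP-CLI command is an added example, not code from the original post or from Indevver: it flags accounts whose public display name or author-archive slug equals the login name, reports whether an "admin" account exists, and lists every administrator. The command name and the `example_` function are assumptions for this example; `WP_CLI::add_command`, `get_users` and the user fields are WordPress/WP-CLI APIs.

```php
<?php
/**
 * Plugin Name: User audit command (added example, not from the original post)
 * Description: Adds `wp example-user-audit`, which reports accounts that expose
 *              their login name, use the default "admin" name, or hold the
 *              Administrator role. Save in wp-content/mu-plugins/.
 */

// Only register the command when running under WP-CLI.
if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    return;
}

function example_user_audit() {
    $findings = 0;

    foreach ( get_users() as $user ) {
        // "Display name publicly as": if it still equals the login, every byline
        // and author page reveals a valid username.
        if ( $user->display_name === $user->user_login ) {
            WP_CLI::warning( sprintf( '%s displays the login name publicly', $user->user_login ) );
            $findings++;
        }
        // The author archive URL (/author/<nicename>/) uses user_nicename, which
        // WordPress derives from the login at registration unless it is changed.
        if ( $user->user_nicename === $user->user_login ) {
            WP_CLI::warning( sprintf( '%s has an author URL slug equal to the login', $user->user_login ) );
            $findings++;
        }
        if ( 'admin' === strtolower( $user->user_login ) ) {
            WP_CLI::warning( 'the default "admin" account name is in use' );
            $findings++;
        }
    }

    // Every administrator is a full-control account; keep this list short.
    $admins = get_users( array( 'role' => 'administrator', 'fields' => array( 'user_login' ) ) );
    WP_CLI::log( sprintf(
        '%d administrator account(s): %s',
        count( $admins ),
        implode( ', ', wp_list_pluck( $admins, 'user_login' ) )
    ) );

    if ( 0 === $findings ) {
        WP_CLI::success( 'No username exposure issues found.' );
    }
}
WP_CLI::add_command( 'example-user-audit', 'example_user_audit' );
```

Run it with `wp example-user-audit` from the site root. The nicename check is included because changing the display name alone does not change the author archive URL; that slug is edited through the user’s profile or with `wp user update <id> --user_nicename=<slug>`.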
Mind Your Passwords
Strong passwords use symbols, capitals and a combination of letters and numbers so that guessing the password is difficult if not impossible. Changing them regularly is also a great practice. Of course, we all know that users are going to have to be forced to do either of these things, so a plugin like Wordfence can help make sure it is required. One thing that helps soften the blow to users is recommending a password manager. I use LastPass, but there are other great ones out there that all do basically the same thing.
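Requiring strong passwords, as the paragraph above says a plugin can do, comes down to validating the new password at the two places WordPress lets a user set one: the profile / Add New User screen and the lost-password reset form. The following must-use plugin is an added example, not code from the original post or from Wordfence; it enforces a minimum length, rejects passwords containing the username, and refuses a small constructed list of very common passwords. The `EXAMPLE_` constant, the `example_` function and the minimum length are assumptions for this example; `user_profile_update_errors` and `validate_password_reset` are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Password policy (added example, not from the original post)
 * Description: Rejects short passwords, passwords containing the username and a
 *              few very common passwords when a user sets or resets a password.
 *              Save in wp-content/mu-plugins/.
 */

const EXAMPLE_PASSWORD_MIN_LENGTH = 12; // illustrative value

// Returns a human-readable problem description, or null if the password is acceptable.
function example_password_problem( $password, $username ) {
    if ( strlen( $password ) < EXAMPLE_PASSWORD_MIN_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', EXAMPLE_PASSWORD_MIN_LENGTH );
    }
    if ( '' !== $username && false !== stripos( $password, $username ) ) {
        return 'The password must not contain the username.';
    }
    // Constructed sample of common passwords; a real policy would check a much
    // larger breached-password list.
    $common = array( 'password', 'password1', 'qwerty123', 'letmein', 'welcome1', 'admin123' );
    if ( in_array( strtolower( $password ), $common, true ) ) {
        return 'That password is too common.';
    }
    return null;
}

// Profile screen and Add New User: the new password arrives as $user->user_pass
// (it is only set when the form submitted a password change).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $login   = isset( $user->user_login ) ? $user->user_login : '';
    $problem = example_password_problem( $user->user_pass, $login );
    if ( null !== $problem ) {
        $errors->add( 'weak_password', $problem );
    }
}, 10, 3 );

// Lost-password reset form: the password is posted as pass1, $user is the
// WP_User whose reset key was validated.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    $login   = $user instanceof WP_User ? $user->user_login : '';
    $problem = example_password_problem( wp_unslash( $_POST['pass1'] ), $login );
    if ( null !== $problem ) {
        $errors->add( 'weak_password', $problem );
    }
}, 10, 2 );
```

Adding an entry to `$errors` is enough: WordPress refuses to save the profile or complete the reset while the error object is non-empty and shows the message to the user. The policy only applies from the moment it is installed; existing weak passwords stay until their owners change them, which is where the password-manager recommendation makes the change easier to ask for.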
4. Quality WordPress-tuned hosting
An important part of your site’s security lies with the server the site is hosted on. Not all hosts are created equal!
Tools we use
Hosting with Flywheel