Featured article written by Drew Strojny of The Theme Foundry.
WordPress has a less than stellar security reputation. You may have even heard some horror stories from friends or colleagues who’ve had their site hacked. So, is WordPress actually secure?
Yes. Very secure. To understand why, consider the popularity of WordPress. It now powers around 20% of the internet. It’s extremely popular. WordPress is also open source software. This means the underlying code can be reviewed by anyone. WordPress security issues can be uncovered and reported by any of the thousands of developers that use the software, so they tend to be discovered and fixed quickly. If you’re the president, would you rather have fifty secret service agents looking out for you, or just one? More eyeballs and more scrutiny equal better security.
The popularity of WordPress is also a weakness. Imagine those millions of WordPress websites as a roaming herd of buffalo. Now imagine some hungry wolves (malicious hackers) hunting for a meal. The thundering herd is obviously going to attract some attention. But, what buffalo will they target? The stragglers of course. The old, the young, and the weak. Your goal is to not be one of those stragglers. Let’s review some basic WordPress security practices that will help you keep up with the herd.
Always be on the latest version of WordPress. Period.
Using the latest version of WordPress is the single most important thing you can do for the security of your WordPress website. WordPress doesn’t release any security updates for old versions of WordPress. Let’s be clear about what that means: If you use an old version of WordPress and an exploit is announced, you’re vulnerable until you update. To be secure,you need to be using the latest version of WordPress. If you stay up to date, you’re effectively running with the herd.
WordPress introduced automatic security updates in WordPress 3.7. You no longer have to worry about updating WordPress quite as often, but you still have to update WordPress. The new automatic updater only performs minor maintenance and security updates (eg. WordPress 3.8 to WordPress 3.8.1). You still need to update WordPress manually (by clicking a button) when a new major version is released (eg. WordPress 3.7 to WordPress 3.8). This may become automated in the future, but for now, you still have to do it manually.
Another option is to just find a web host that updates WordPress for you. There are quite a few different hosts out there that do this, but I’d recommend WP Engine. They’ll automatically keep WordPress up to date for you. And no, that isn’t an affiliate link. I recommend them because they do a great job and come highly recommended from others. We don’t get any kickbacks or monetary gain for recommending WP Engine.
Stay on the main roads
If you were trying to avoid getting mugged, would you explore dark alleys late at night, or would you walk down busy main street in broad daylight? Consider this advice when you’re choosing a WordPress plugin or theme. Get your themes or plugins from reputable sources and they’re much more likely to be kept up to date and monitored for security issues. Do your best to stick to the official WordPress directory and established theme and plugin providers. Consider our guides on finding the best WordPress themes and finding a WordPress plugin.
Three other WordPress security tips related to themes and plugins:
Keep a list of your active themes and plugins and follow the blogs of the authors. Make sure it’s easy for them to communicate with you. Sure, it might make your inbox a bit noisier, but you’ll be the first to know if there is a security problem.
Sign in to your WordPress dashboard around once a week, even if you don’t have anything to do. If you don’t sign in to your WordPress site very often, consider a plugin like WP Updates notifier. It will send you an email whenever there are available updates for your WordPress site.
Review the lists of disallowed plugins on popular hosts like WP Engine. Some of these are disallowed for speed optimization reasons, but other are related to security.
Secure your login page
Almost every WordPress website has the same URL for signing in. Type/wp-admin/ at the end of the site name and you’ll be taken to the sign in page. This is the front door to your WordPress site. Adding an extra layer of protection is akin to installing an extra deadbolt. You can use some of the basic security built into Apache to require an extra password before someone can even see the sign in page. This will help prevent brute force password attacks. If you want to take things even further, consider a plugin like Wordfence Security. Either way, an additional layer of security around your WordPress login page is a good idea.
A secure WordPress hosting environment
Hosting Quick Tips
- Change to a non-standard SSH port.
- Set up iptables to block unwanted traffic.
- Disable root logins.
- Disable password login (only use SSH keys).
- Disable remote database access if you don’t need it.
- Install an automatic package updater or actively monitor for security updates through a mailing list.
We’ve covered WordPress. We’ve covered your themes and plugins. The only thing left is your hosting environment.
Hosting generally falls under two categories: managed and unmanaged. Managed WordPress web hosts like WP Engine, Laughing Squid, orPressable manage your hosting environment for you. You don’t have to worry about keeping the environment itself secure, you just have to worry about keeping WordPress and your themes and plugins up to date. Some of these hosts (like we mentioned earlier) will actually keep WordPress up to date for you and actively monitor WordPress for security problems. If you just want to focus on writing your blog or building your website, go with a managed web host. The more updating and monitoring they do for you the better.
If you’re going with an unmanaged web host you’re likely looking at a VPS or a dedicated server. If you need a VPS, I’d recommend Linode. We’ve used them for years, and they’ve been cost effective and reliable. I’m not going to get into all the details of securing an unmanaged server, as the topic deserves its own blog post, but here are some quick tips:
This is just a short list. If you’re running your own unmanaged server or VPS, it’s worth doing some more research on hardening your server.
Stick to the basics
WordPress security can be intimidating, but if you get the basics right, you’re unlikely to ever have any issues. Remember, the most important thing is to keep WordPress up to date. If you’re using an old version of WordPress, you’re a straggler, and you’re more of a target for hackers. If you always stay up to date, and use a good managed web host, you won’t have anything to worry about.
If you have any other WordPress security tips, let us know in the comments.