As websites become increasingly easy to create with no developer knowledge, anyone can have their own website. Even your grandparents. If you have a website, it is your responsibility to create a great site that others can safely use and submit information to. Users need to trust that their data is safe and secure.
WordPress is a popular platform, used by 25% of all websites on the internet. That popularity comes at a price: hackers focus many of their attacks on WordPress sites precisely because it is so widely used. Without adequately securing and backing up your website, you run a high risk of it being compromised. One common way attackers break into a WordPress site is through a plugin: they exploit a vulnerability in the plugin to inject their own code and gain access to the backend of your site and all the information stored there.
WordPress Security Tips
Here are some tips to make sure you are keeping your WordPress website safe from attackers:
- Regularly update your WordPress site so that you are always running the latest versions of WordPress itself, your theme and your plugins.
- Avoid using older WordPress themes. Newer themes follow more current security practices and are better hardened against known vulnerabilities.
- Make sure the plugins you use are compatible with your current version of WordPress, and avoid older plugins by checking when they were last updated.
- If you are stuck deciding between two plugins that perform the same function, choose the one with the higher rating and the larger number of downloads.
- Keep the number of plugins you use to a minimum and delete the ones you are not actively using.
- Only download plugins from the official WordPress Plugin repository, which reviews plugins before offering them to users.
- Use WPScan’s Vulnerability Database to monitor plugins with known vulnerabilities, and to learn when they are patched.
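Several of these tips (update what is installed, delete what is inactive) boil down to checks that can be scripted. The shell script below is an added example, not code from the original post or from WordPress; it assumes the column layout of WP-CLI's `wp plugin list --format=csv --fields=name,status,update,version,update_version` output and runs here over a constructed sample inventory rather than a live site.

```shell
#!/bin/sh
# Added example: plugin hygiene checks over a WP-CLI plugin inventory.
# SAMPLE_INVENTORY is constructed sample data in the (assumed) shape of
#   wp plugin list --format=csv --fields=name,status,update,version,update_version
# Plugin names and version numbers below are made up for the demonstration.
SAMPLE_INVENTORY='name,status,update,version,update_version
akismet,active,available,5.2,5.3
hello,inactive,none,1.7.2,
wordfence,active,none,7.11.0,
backupbuddy,active,available,8.8.3,8.8.5
old-gallery,inactive,available,1.0.4,1.1.0'

# Installed but inactive plugins: candidates for deletion (unused code is still attack surface).
inactive_plugins() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Plugins with a pending update, printed as "name current -> new".
plugins_needing_update() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $3 == "available" { printf "%s %s -> %s\n", $1, $4, $5 }'
}

# Succeeds only when no *active* plugin has an update pending, so a cron job
# or deploy step can fail loudly instead of silently running stale code.
active_plugins_current() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $2 == "active" && $3 == "available" { n++ } END { exit (n > 0) }'
}

# Stand-alone run over the constructed sample. On a real site replace SAMPLE_INVENTORY with:
#   INVENTORY=$(wp plugin list --format=csv --fields=name,status,update,version,update_version)
echo "Inactive plugins to consider deleting:"
inactive_plugins "$SAMPLE_INVENTORY"
echo "Plugins with updates available:"
plugins_needing_update "$SAMPLE_INVENTORY"
if active_plugins_current "$SAMPLE_INVENTORY"; then
  echo "All active plugins are current."
else
  echo "WARNING: one or more active plugins are out of date."
fi
```

Run from cron or a deployment pipeline, the non-zero exit of `active_plugins_current` turns "I should check for updates" into a check that actually fires.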
WordPress Security Plugins that I use
Here are a few plugins that I have used on my WordPress website to help avoid security issues:
Wordfence – This plugin currently has a rating of 4.8 out of 5. It has a ton of great security features for free, but you can upgrade to their Premium version for a monthly cost. Included in the free version are these services:
- Web Application Firewall
- Block Brute Force Attacks
- Malware Scanner
- View Blocked Intrusion Attempts
- View Google Crawl Activity
- View Bots and Crawlers
- View Logins and Logouts
- View Human Visitors
- Repair Files
- Monitor Disk Space
- Get Detailed IP Info
Unlike most security plugins, Wordfence runs locally on your server rather than in the cloud, so the firewall sits on the same machine as your site. Because this is a fairly heavy-duty plugin, it can slow your website down, so it’s good practice to pair it with a caching plugin to speed up browser caching. In return, a locally run firewall gives you more control and flexibility over your security.
Backup Buddy – This is a free plugin by iThemes that backs up your WordPress site for an added level of security and protection. It backs up your entire WordPress site including all files and your database. If your website or files become compromised, Backup Buddy has your back. Backup Buddy comes with these free features:
- Scheduled and automated backups
- Customization of the type of backups you want to run
- Ability to store your backups safely offsite, for example on Google Drive or Dropbox
- Ability to restore individual files from a backup instead of having to rebuild the entire site
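To show what the last two features mean in practice, here is an added example (not the post's or iThemes' code) in plain shell: a timestamped archive of the whole site tree, and a restore of a single file from it, exercised on a constructed throw-away directory. All paths are assumptions; the database-dump helper assumes `mysqldump` with credentials in `~/.my.cnf` and is not run in the demonstration, and copying the archive offsite is left to whatever sync tool you use.

```shell
#!/bin/sh
# Added example: timestamped full-site archive plus single-file restore.
# All paths here are assumptions; on a real site "src" is the WordPress document root.

# Archive the whole site tree into DEST/site-<UTC timestamp>.tar.gz and print the archive path.
backup_site() {
  src="$1"; dest="$2"
  archive="$dest/site-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  mkdir -p "$dest"
  # -C "$src" . stores paths relative to the site root, so restores land in the right place
  tar -czf "$archive" -C "$src" .
  printf '%s\n' "$archive"
}

# Database half of the backup. Assumes mysqldump and a database name; credentials come
# from ~/.my.cnf. Not run in the demo below.
dump_database() {
  db="$1"; dest="$2"
  mkdir -p "$dest"
  mysqldump --single-transaction "$db" > "$dest/db-$(date -u +%Y%m%dT%H%M%SZ).sql"
}

# Check that an archive is readable and contains the given site-relative path.
archive_contains() {
  tar -tzf "$1" | grep -qx "./$2"
}

# Put back exactly one file from the archive, leaving the rest of the site untouched.
restore_file() {
  archive="$1"; site_root="$2"; rel_path="$3"
  tar -xzf "$archive" -C "$site_root" "./$rel_path"
}

# Stand-alone demonstration on a constructed throw-away site tree.
demo() {
  work=$(mktemp -d)
  site="$work/site"
  mkdir -p "$site/wp-content/plugins/demo-plugin"
  echo '<?php // constructed sample wp-config.php' > "$site/wp-config.php"
  echo '<?php // constructed sample plugin file' > "$site/wp-content/plugins/demo-plugin/demo.php"

  archive=$(backup_site "$site" "$work/backups")
  echo "Wrote $archive"

  # Stand in for a file that was later modified without authorisation.
  echo '<?php // unexpected modification' > "$site/wp-content/plugins/demo-plugin/demo.php"
  restore_file "$archive" "$site" "wp-content/plugins/demo-plugin/demo.php"
  echo "Restored demo.php now reads:"
  cat "$site/wp-content/plugins/demo-plugin/demo.php"
  rm -rf "$work"
}

demo
```

Schedule `backup_site` and `dump_database` from cron (for example a nightly entry) and copy the resulting archives to off-box storage, so that a compromise of the server does not also take the backups with it; `archive_contains` is the cheap sanity check to run before you ever need `restore_file`.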
Website security is never “set it and forget it”
Hackers are continually becoming more sophisticated in their methods and in their research into discovering vulnerabilities. Your website may have been deemed impenetrable last year, but that doesn’t mean it’s equally safe now. To make matters worse, even outside of WordPress, any data you share over the internet could be compromised, as we’ve seen in the data breaches at Target, Equifax and many others. Most recently there was an attack on Wi-Fi that created a vulnerability in all Wi-Fi devices. I have an Android phone, and as of this posting, a patch and update still haven’t been issued that I’m aware of.
Ok, enough of the scary stuff. The best thing you can do as a responsible WordPress developer is to make sure your plugins and website are updated. I get emails almost every day about plugins that have been updated. It may seem annoying, but at least I know that the developers are working hard to make sure their product and my website stay safe.