Securing your WordPress website
WordPress is everywhere, it powers over 74.6 millions websites. The reason WordPress is so prolific is because it offers a free, friendly content management system (so that you can look after your website pages), it offers countless themes so even non-designers can get their website looking half way decent, and there is a huge library of third party plugins which allow you to bolt on enhanced functionality to your site (such as better forms, stronger security, and even a plugin which adds snow falling to your homepage!).
This thriving community is great news. And it’s the reason why all our work here at Glass Mountains is based on WordPress – as, by using it, it stops us having to reinvent the wheel every project, allowing us to concentrate on the actual core of our client’s problem.
There is no such thing as a free lunch
However, for every up side, there is a downside.
Because Wordpress powers so much of the web, it has become a target for hackers. These shady ne’er do wells know that, if they can exploit a weakness in WordPress, there are many potential victims out there.Wordpress isn’t particularly less secure than any other web platform – but the number of sites involved makes it a very appealing target for hackers.
Note: it’s worth pondering for a second what we mean by a ‘hacker’ here. The media would instantly conjure up a Russian teenage computer expert – however, it’s not necessarily like that. What tends to happen is that as exploits become known in community (whether WordPress or something else), enterprising individuals can create ‘scripts’ (simple-ish computer programs) which anyone can run to exploit the weakness. These scripts tend to get run en mass against as many websites as the hacker can find out about – so, if you’re website has even been infected etc – then it’s highly unlikely that you or your business was specifically targeted out of maliciousness – it’s much more likely that that the publishing platform itself put you in the hacker’s crosshairs.
WordPress, like any software, is being added to all the time. New features are included, bugs are squashed, security issues addressed. All of these additions are rolled into a new version of WordPress. If that new version of WordPress contains security fixes then what we’ve now got is an arms race between you updating your website, and hackers finding your site, and discovering that the latest patch has not been installed – it is during that window of opportunity that most exploits occur. Many people never update their WordPress version, which means for many sites, the window is left open a very long time!
Bare in mind that not only does WordPress core require updating, but any plugins you have installed, and any themes you use, also will need attention. Oh, and here’s something else to throw into the mix – many folks (including us), don’t automatically update to the latest version of WordPress immediately (unless it contains security fixes) as this latest release, with all the code it is adding, may inadvertently add new security exploits – sometimes it’s better for a ‘latest release’ to settle down before upgrading. We didn’t say WordPress security was straight forward ;)
So, a simple rule of thumb is to make sure your WordPress website is always up to date in terms of what we’ve discussed above – doing that alone will help reduce your risk profile drastically.
A few ideas
What I’d like to do next is to mention some of the approaches we take in handling security and WordPress:
WPEngine.com
We tend to host all of our WordPress websites with WPEngine (WPE). Why? Because they only deal with WordPress and can handle aspects of updating security flaws etc for you. Just moving your hosting of your WordPress website to WPE, would be a step forward. WPE also offer additional security checks etc. Highly recommended.
iThemes Security Pro
There are some great, heavy duty plugins out there which extend the security which WordPress offers out of the box. We tend to use IThemes Security Pro, but there are others (e.g. Wordfence is highly rated). Such security plugins take some configuration but, if you know WordPress a little, then it won’t be too much trouble. Adding an a properly configured security plugin essentially hardens your website from many simple exploits and attack routes.
iThemes Security Pro can be considered a toolkit of security measures including things like:
- Defence against brute force attacks (where hackers try to simply guess your password)
- Enforcement of strong passwords (no more using ‘password’!)
- Automatic blocking of people/scripts trying to hack
- Integration with Google reCaptcha (great for deterring automated attacks)
- File change warnings (if things change when you weren’t expecting, then you could have a problem)
- and much more….
Note: If this plugin is too much for you, you can certainly consider the free(ish), excellent Jetpack plugin, as that too contains some great security enhancements in its mix bag of features – best of all, it’s easy to configure.
CloudFlare WAF
CloudFlare is another layer we like to add into the mix – primarily because it helps make our customers sites nice and zippy fast. But, there are other benefits as well. For one thing, CloudFlare (CF), makes it super easy to add SSL to your website; whilst that doesn’t really help protect against hackers, it is still a good thing to do. CloudFlare do also offer a Web Application Firewall (WAF), which we love – basically it’s a line of defence which helps keep your WordPress site shielded from some known exploits. Using CloudFlare’s WAF is no substitute for keeping your website up to date, but it’s a great weapon to have in the armoury.
ManageWP
If you have a few WordPress sites to look after, then ManageWP can give you excellent, central visibility of which of your sites need updating.
Note: you may wonder why we don’t simply automatically update all sites when there is *any* update (whether core WP, a plugin, or a theme). Whilst this is possible, it’s not always desirable. Performing updates directly on a live site is always a tad dangerous – if something goes wrong (and believe me, it can!), you can all too easily be left with no website. Uh oh! Depending on the circumstance, we may well prefer to create a test version of a client’s website, and perform all updates there to ensure there are no issues; whilst this takes longer, it’s better for the risk averse.
Final Thoughts
Hopefully that gives you some food for thought in terms of security your WordPress website. If you want help with any aspect of WordPress & security, please get in touch.
Joel
p.s. there are no referrals links etc with the above, they are being recommended purely on merits sake.