{"id":3633,"date":"2017-07-04T15:05:39","date_gmt":"2017-07-04T15:05:39","guid":{"rendered":"http:\/\/wordpress-397385-1251243.cloudwaysapps.com\/?p=3633"},"modified":"2021-01-30T11:51:21","modified_gmt":"2021-01-30T11:51:21","slug":"securing-wordpress-website","status":"publish","type":"post","link":"https:\/\/www.glassmountains.co.uk\/campfire\/securing-wordpress-website\/","title":{"rendered":"Securing your WordPress website"},"content":{"rendered":"

WordPress is everywhere: it powers over 74.6 million websites. The reason WordPress is so prolific is that it offers a free, friendly content management system (so that you can look after your website pages), countless themes so even non-designers can get their website looking halfway decent, and a huge library of third-party plugins which allow you to bolt enhanced functionality onto your site (such as better forms, stronger security, and even a plugin which adds snow falling to your homepage!).

This thriving community is great news. It’s the reason why all our work here at Glass Mountains is based on WordPress: using it stops us having to reinvent the wheel on every project, allowing us to concentrate on the actual core of our client’s problem.

There is no such thing as a free lunch

However, for every upside, there is a downside.

Because WordPress powers so much of the web, it has become a target for hackers. These shady ne’er-do-wells know that, if they can exploit a weakness in WordPress, there are many potential victims out there. WordPress isn’t particularly less secure than any other web platform, but the number of sites involved makes it a very appealing target for hackers.

Note: it’s worth pondering for a second what we mean by a ‘hacker’ here. The media would instantly conjure up a Russian teenage computer expert; however, it’s not necessarily like that. What tends to happen is that, as exploits become known in the community (whether WordPress or something else), enterprising individuals create ‘scripts’ (simple-ish computer programs) which anyone can run to exploit the weakness. These scripts tend to get run en masse against as many websites as the hacker can find out about. So, if your website has ever been infected, it’s highly unlikely that you or your business was specifically targeted out of maliciousness; it’s much more likely that the publishing platform itself put you in the hacker’s crosshairs.

WordPress, like any software, is being added to all the time. New features are included, bugs are squashed, security issues addressed. All of these additions are rolled into a new version of WordPress. If that new version contains security fixes, then what we’ve now got is an arms race between you updating your website and hackers finding your site and discovering that the latest patch has not been installed. It is during that window of opportunity that most exploits occur. Many people never update their WordPress version, which means that, for many sites, the window is left open a very long time!

Bear in mind that not only does WordPress core require updating, but any plugins you have installed, and any themes you use, will also need attention. Oh, and here’s something else to throw into the mix: many folks (including us) don’t update to the latest version of WordPress immediately (unless it contains security fixes), as the latest release, with all the code it adds, may inadvertently introduce new security weaknesses. Sometimes it’s better for a ‘latest release’ to settle down before upgrading. We didn’t say WordPress security was straightforward ;)

So, a simple rule of thumb is to make sure your WordPress website is always up to date in terms of what we’ve discussed above – doing that alone will help reduce your risk profile drastically.

A few ideas

What I’d like to do next is to mention some of the approaches we take in handling security and WordPress:

WPEngine.com

We tend to host all of our WordPress websites with WPEngine (WPE). Why? Because they only deal with WordPress and can handle aspects of patching security flaws etc. for you. Just moving the hosting of your WordPress website to WPE would be a step forward. WPE also offer additional security checks etc. Highly recommended.

iThemes Security Pro

There are some great, heavy-duty plugins out there which extend the security that WordPress offers out of the box. We tend to use iThemes Security Pro, but there are others (e.g. Wordfence is highly rated). Such security plugins take some configuration but, if you know WordPress a little, it won’t be too much trouble. Adding a properly configured security plugin essentially hardens your website against many simple exploits and attack routes.

iThemes Security Pro can be considered a toolkit of security measures including things like: