{"id":3633,"date":"2017-07-04T15:05:39","date_gmt":"2017-07-04T15:05:39","guid":{"rendered":"http:\/\/wordpress-397385-1251243.cloudwaysapps.com\/?p=3633"},"modified":"2021-01-30T11:51:21","modified_gmt":"2021-01-30T11:51:21","slug":"securing-wordpress-website","status":"publish","type":"post","link":"https:\/\/www.glassmountains.co.uk\/campfire\/securing-wordpress-website\/","title":{"rendered":"Securing your WordPress website"},"content":{"rendered":"
WordPress is everywhere,\u00a0it powers over 74.6 million websites<\/a>. The reason WordPress is so prolific\u00a0is that it offers a free, friendly content management system (so that you can look after your website pages), it offers countless themes so even non-designers can get their website looking halfway decent, and there is a huge library of third-party plugins which allow you to bolt enhanced functionality onto your site (such as better forms<\/a>, stronger security<\/a>, and even a plugin which adds snow falling<\/a> to your homepage!).<\/p>\n This thriving community is great news. And it’s the reason why all our work<\/a> here at Glass Mountains is based on WordPress – by using it, we avoid having to reinvent the wheel on every project, allowing us to concentrate on the actual core of our client’s problem.<\/p>\n However, for every upside, there is a downside.<\/p>\n Because\u00a0WordPress powers so much of the web, it has become a target for hackers. These shady ne’er-do-wells\u00a0know that, if<\/em> they can exploit a weakness in WordPress, there are many potential victims out there. WordPress isn’t particularly less secure than any other web platform\u00a0– \u00a0but the number of sites involved makes it a very appealing target for hackers.<\/p>\n Note: it’s worth pondering for a second what we mean by a ‘hacker’ here. The media would instantly conjure up a Russian teenage computer expert – however, it’s not necessarily like that. What tends to happen is that as exploits become known in the community (whether WordPress or something else), enterprising individuals create ‘scripts’ (simple-ish computer programs) which anyone can run to exploit the weakness. 
These scripts tend to get run en masse against as many websites as the hacker can find – so, if your website has ever been infected, it’s highly unlikely that you or your business\u00a0was specifically\u00a0targeted out of malice\u00a0– it’s much more likely that the publishing platform itself put you in the hacker’s crosshairs.<\/em><\/p>\n There is no such thing as a free lunch<\/h2>\n WordPress, like any software, is being added to all the time. New features are included, bugs are squashed, security issues addressed. All of these additions are rolled into a new version of WordPress. If that new version contains security fixes, then what we’ve now got is an arms race between you updating your website and hackers finding your site and discovering that the latest patch\u00a0has not been installed – it is during that window of opportunity that most exploits occur. Many people never<\/em> update their WordPress version, which means that for many sites the window is left open for a very long time!<\/p>\n Bear in mind that not only does WordPress core require\u00a0updating, but any plugins you have installed, and any themes you use, also need attention. Oh, and here’s something else to throw into the mix – many folks (including us) don’t automatically update to the latest version of WordPress immediately (unless it contains security fixes), as this latest release, with all the code it adds, may inadvertently introduce new security holes – sometimes it’s better to let a ‘latest release’ settle down before upgrading. We didn’t say WordPress security was straightforward ;)<\/p>\n So, a simple rule of thumb is to make sure your WordPress website is always up to date in terms of what we’ve discussed above – doing that alone will reduce your risk profile drastically.<\/p>\n A few ideas<\/h2>\n What I’d like to do next is to mention some<\/em> of the approaches we take in handling security and WordPress:<\/p>\n WPEngine.com<\/h3>\n We tend to host all of our WordPress websites with WPEngine (WPE). Why? 
Because they only deal with WordPress, they can handle aspects such as patching security flaws for you. Just moving the\u00a0hosting of your WordPress website to WPE would be a step forward. WPE also offer additional security checks. Highly recommended.<\/p>\n iThemes Security Pro<\/h3>\n There are some great, heavy-duty plugins out there which extend the security WordPress offers out of the box. We tend to use iThemes Security Pro<\/a>, but there are others (e.g. Wordfence<\/a> is highly rated). Such security plugins take some configuration but, if you know WordPress\u00a0a little, it won’t be too much trouble. Adding a properly configured security plugin essentially hardens your website against many simple exploits and attack routes.<\/p>\n iThemes Security Pro can be considered a toolkit of security measures including things like:<\/p>\n Note: If this plugin is too much for you, you can certainly consider the free(ish), excellent Jetpack<\/a> plugin, as that too contains some great security enhancements in its mixed bag of features – best of all, it’s easy to configure.<\/em><\/p>\n CloudFlare WAF<\/h3>\n CloudFlare<\/a> is another layer we like to add into the mix – primarily because it helps make our customers’ sites nice and zippy fast. But there are other benefits as well. For one thing, CloudFlare (CF) makes it super easy to add SSL to your website; whilst that doesn’t really help protect against hackers, it is still a good thing to do. CloudFlare also offer a Web Application Firewall <\/a>(WAF),\u00a0which we love – basically it’s a line of defence which helps keep your WordPress site shielded from some known exploits. 
Using CloudFlare’s WAF is no substitute for keeping your website up to date, but it’s a great weapon to have in the armoury.<\/p>\n ManageWP<\/h3>\n If you have a few WordPress sites to look after, then ManageWP<\/a> can give you excellent, central visibility of which of your sites need updating.<\/p>\n Note: you may wonder why we don’t simply automatically update all sites when there is *any* update (whether core WP, a plugin, or a theme). Whilst this is possible, it’s not always desirable. Performing updates directly on a live site is always a tad dangerous – if something goes wrong (and believe me, it can!), you can all too easily be left with no website. Uh oh! Depending on the circumstances, we may well prefer to create a test version of a client’s website and perform all updates there to ensure there are no issues; whilst this takes longer, it’s better for the risk-averse.<\/em><\/p>\n Final Thoughts<\/h2>\n Hopefully that gives you some food for thought in terms of securing your WordPress website. If you want help with any aspect of WordPress & security, please get in touch<\/a>.<\/p>\n Joel<\/p>\n p.s. there are no referral links etc. in the above; they are being recommended purely on merit.<\/p>\n","protected":false},"excerpt":{"rendered":" WordPress is everywhere,\u00a0it powers over 74.6 million websites. The reason WordPress is so prolific\u00a0is that it offers a free, friendly content management system (so that you can look after your website pages), it offers countless themes […]<\/p>\n","protected":false},"author":2,"featured_media":3634,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[166],"tags":[],"acf":[],"yoast_head":"