About one in every four websites in the world uses WordPress as a website creation platform and content management system. That represents about 76 million websites, so you have likely visited a good number of websites on WordPress. This may convince you that WordPress is probably a good platform for your website, and you would be right. However, one of the biggest drawbacks to WordPress is the issue of security.
WordPress is free, open-source software, dependent on the community for software development. While this ensures the continuous improvement of the features of WordPress, it makes it vulnerable to security breaches. There is no monitoring over the quality or security of plugins and themes available in WordPress. According to this article, almost a third (29%) are hacked because of a WordPress theme, while about 22% is because of a WordPress plugin.
It is important to make sure to maintain the security of your website no matter what platform you use, but especially when using WordPress. This is especially true if you have an ecommerce site, because you are maintaining a database that contains sensitive personal and financial information. A malicious attack can also bring down your website, if nothing else. Here are 10 key points to keep in mind for WordPress security.
1. Choose a good host service
The same report states that 41% of hacked websites is because of security hacks on a hosting platform, so it is also important to choose the right host provider that places a premium on security, and accommodates PHP and MySQL, which is the scripting language used in WordPress. Ask a potential hosting provider has malware scanning and an optimized firewall.
2. Check your settings
The basic WordPress package has built-in security keys starting from the 2.5, 2.6, and 2.7 versions of WordPress. In order to activate the WordPress Security Keys, you have to change the configuration keys in the wp-config.php in the root of the WordPress installation.
3. Regularly update your WordPress version
Updates in WordPress fill up gaps in security of previous versions, so it is important to keep your website updated. You can set up your website to automatically update, a feature introduced with version 3.7. You can also update it manually.
4. Minimize the use of plugins
You can avoid security issues by keeping the use of plugins to a minimum. When you do need to use a plugin, choose one that has been updated recently. You can also check the quality of the plugin.
5. Check the theme
It may be tempting to use any of the numerous free WordPress themes available from different sources, but beware of using themes from unknown sources. Before choosing a theme, make sure it is safe. You can do this using something like Theme-Check.
6. Use the right permissions
You need to make sure that you use the proper permissions. You can change it to prevent third parties from uploading unauthorized and probably malicious files to your website. The recommended parameters are 755 or 750 for all directories, 640 or 644 for all files, and the wp-config.php at 600.
7. Deactivate PHP error reports
You might think that you should be informed when a theme or plugin encounters an error, but this provides hackers on the prowl with your server path information. You should deactivate automatic error reporting.
8. Use the right security plugin
While you should minimize the number of plugins you use on your website, the right security plugin could make your site hard to breach. You can choose WP DB Backup to backup and secure your database, and WP Security Scan to sweep your site for vulnerabilities. You can check other plugins as well.
9. Pay attention to access
A good way to prevent security breaches on your site is to use strong administrative passwords and to change them frequently. You can use a password generator and password manager to make it easier for you. You can also require your users to create strong passwords by using a plugin. It is also important to change your administrative username, and not to use an obvious username such as “admin,” which used to be the default username for administrative access in WordPress. Many hackers use “admin” because they know many website owners continue to use “admin” as a username.
10. Restrict access attempts
Hackers are going to keep trying to force their way into your site if you don’t take some measures to keep them in check. The best way us to limit the login attempts using a feature such as Login LockDown, which you can configure to refuse access after a predetermined repeated attempts at failed logins from a specific IP address for a predetermined period. If you have administrative access, you can manually reactivate any user locked out unwittingly. You can also permanently block out users using any identified IP address indefinitely using the htcaccess technique.
You can also use two-step authentication solutions to make it more difficult for a brute force attack to work. You can use this technique to require anyone that wants to access your site to have the login credentials as well as an authorization code to be sent to a mobile phone or email address.
You need to protect your site from security breaches not only for your own benefit, but for your visitors and customers as well. Using WordPress as a platform for your site is a good move if you remember that you may have to deal with security risks. You can do this in many ways without too much trouble if you make the effort. The 10 key points above are some of the best ways to do this, but they are not the only ways. If you have some suggestions for other key points that might be useful, please leave a comment below.