WordPress Security and the #1 Way to Stay Protected
I am not generally a rule-follower in real life, which is why it is super-ironic that I got myself all messed up in computers. Because if there is one thing that computers love, it is rules. So people in this industry talk a lot about rules. A. Lot.
Today’s thoughts are about ‘the rules’ (or let’s say ‘best practices…so much nicer to my ears) that govern security issues around your WordPress website.
Is WordPress Less Secure Than Other Platforms?
This security myth has been around for a long time. WordPress is currently used on more websites than any other open source content management system (CMS). This makes it a bigger target and gives it more users who make more mistakes. If you can use this CMS without a lot of technical knowledge (which you can), it leaves more sites vulnerable to being hacked or compromised. A larger user base leads to more security breaches.
It could also be said that because of its greater ‘ease-of-use’ rep than platforms like Joomla or Drupal, WordPress attracts a less sophisticated or technical user. Each has its own set of pros and cons, with WordPress definitely coming down on the side of out-of-the-box readiness.
There are four ways that your website can be vulnerable:
- hardware (for example, the server – which is a computer – where your website files are stored gets physically damaged)
- software (for example, the program files that are used to execute your website become infected with malware)
- administration (where the person doing the upkeep of the site does not), and/or
- users (ack)
Guess which area is most likely to lead to your site being compromised? (hint: I wrote ‘ack’ beside it)
Yes! Users create the most vulnerabilities for websites. They. Are. The. Worst.
However, without users, your site is nothing, so here’s what you do.
One Rule to Rule Them All: Update
Most hacks are due to poor security management. Vulnerabilities are discovered all the time for WordPress and, once discovered, they are either patched or you are advised to remove the plugin and use something else (which can really suck). If you keep your plugins, theme(s) and WordPress core files updated, you will have decreased the risk without incurring much cost.
When a vulnerability is discovered in a plugin, sites get hacked not because they are specifically being targeted, but because the hacking bots scour the internet searching for that particular vulnerability. When they find it in your site, they do their bad stuff (i.e. insert malicious code or a virus). It was not personal against you. You can rest easy – no one is out to get you; they are out to exploit the holes that you are leaving open.
And while we’re at it, deactivate and delete unused plugins and themes. A vulnerability can still be exploited in a deactivated plugin because the code is still on the site.
Use a Good Great Hosting Service
I have been using SiteGround since 2005 and, although I’ve worked with many other hosting companies, I have yet to find one that is better. Their support is excellent and they are very security-conscious. Because of their attention to security, they have become one of the best WordPress hosting companies in the world. There are also other good ones out there – just make sure you use one of them.
Up Your Password Game
Do you use the same password on multiple sites? (Probably yes…) Has a site where you have an account ever been hacked and had the passwords stolen? (Probably yes…) How long do you think it would take to guess your password? (Probably less time than you think…)
If you are curious, check out an article called Estimating Password-Cracking Times. Just as a little aside, they have a tester where you can enter a password, but I would advise you never to use a real password. There is a disclaimer saying that they don’t collect passwords (and they probably don’t), but it isn’t a good idea. In fact, there is another disclaimer telling you not to use a real password. This is just for testing what ifs, people.
Get this: your super-secure password from 2001 is significantly less super-secure in 2021 because technology has improved. Change your passwords frequently. And because it would take a computer-brain to remember all of your passwords, use a password manager like LastPass. Excellent tool.*
For your WordPress site, make your users at every level use significant passwords. For many tools, this is called ‘forcing strong passwords’. Make sure that option is checked off.
Because the #1 best defense in your WordPress security plan is to train your users to follow best practices, but usually you have to make them.
*Update March 2023 – LastPast breach. In an ironic twist, LastPast has copped to a security breach that was disclosed in December 2022 and happened earlier in the fall of 2022.
Update July 2023 – Another tool to test your password that I was recently made aware of is vpnmentor.com/tools/passwordmeter Any hesitations I have about using these types of tools is that you are actually putting your password out there and possibly into a database. There is a list of good password-making tips on the page.
If your site ever does get into trouble, Sucuri specializes in fixing sites that have been hacked (as well as securing sites before they ARE hacked).