Kiiff.com takes its security very seriously, and we think our clients should too. We don’t treat security as a burden; we build it into our infrastructure and applications. Since we recently covered how to speed up your WordPress site, today we will share some of our knowledge on how to toughen up and secure your WordPress installation. A note on the title: "hardening" WordPress means making it tougher for hackers to compromise your website; it never means your website is 100% secure.
The Number 1 Security Problem in WordPress Installations
WordPress is not as safe as many people think, even though it powers around 75 million websites. It isn’t necessarily WordPress core that is vulnerable, though: the number one attack vector against WordPress is themes and plugins. This means you must be very careful about the plugins and themes you install on your site. The vulnerabilities are rarely introduced intentionally; they are usually the result of code that was written sloppily or otherwise overlooked. When a vulnerable plugin or theme is running on your site, an attacker can use it to inject malicious code into your website, hijack it, or infect your visitors. That is the last thing you want!
When developers discover a vulnerability, they release a patch or a new version of their software that is safe to use. If a plugin is no longer maintained, it is probably not safe to keep on your site. If you don’t have an inventory of your plugins, go look at them now and update or delete each one.
This one often gets admins into trouble, but it goes without saying: only install updates from https://wordpress.org! WordPress also features automatic updates; use them! Updates don’t just introduce new features, they also occasionally patch vulnerable code from previous versions!
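The inventory step above can be scripted. The following is an added example, not Kiiff.com's code: it takes the JSON that WP-CLI's `wp plugin list --format=json` prints and sorts every plugin into "ok", "update" or "delete", suggesting the matching `wp plugin update` / `wp plugin delete` command. The sample data embedded in `SAMPLE_WP_OUTPUT` is constructed and does not describe a real site; `fetch_plugin_list` assumes the `wp` binary is on PATH and is only called when you point it at a live install.

```python
import json
import subprocess

# Constructed sample of what `wp plugin list --format=json` returns; not taken
# from any real site. Field names follow WP-CLI's plugin list output.
SAMPLE_WP_OUTPUT = json.dumps([
    {"name": "akismet", "status": "active", "update": "none",
     "version": "5.3", "update_version": ""},
    {"name": "contact-form-7", "status": "active", "update": "available",
     "version": "5.7.1", "update_version": "5.9"},
    {"name": "hello", "status": "inactive", "update": "none",
     "version": "1.7.2", "update_version": ""},
    {"name": "old-gallery", "status": "inactive", "update": "available",
     "version": "2.1", "update_version": "2.4"},
])


def fetch_plugin_list(wp_path):
    """Pull the live inventory from a real install (assumes `wp` is on PATH)."""
    proc = subprocess.run(
        ["wp", "plugin", "list", "--format=json", f"--path={wp_path}"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def triage_plugins(plugins):
    """Classify each plugin as ok / update / delete and suggest the WP-CLI fix.

    Inactive plugins are flagged for deletion before anything else: their code
    is still on disk and reachable over the web, so they add attack surface
    without adding any feature.
    """
    findings = []
    for p in plugins:
        name = p.get("name", "<unknown>")
        if p.get("status") == "inactive":
            findings.append({"name": name, "action": "delete",
                             "reason": "inactive plugin still ships code",
                             "fix": f"wp plugin delete {name}"})
        elif p.get("update") == "available":
            findings.append({"name": name, "action": "update",
                             "reason": f"{p.get('version')} -> {p.get('update_version')}",
                             "fix": f"wp plugin update {name}"})
        else:
            findings.append({"name": name, "action": "ok",
                             "reason": "active and current", "fix": None})
    return findings


def summarize(findings):
    """Count findings per action so a cron job can alert when update/delete > 0."""
    counts = {"ok": 0, "update": 0, "delete": 0}
    for f in findings:
        counts[f["action"]] += 1
    return counts


def report(findings):
    """Human-readable table, one plugin per line."""
    lines = []
    for f in findings:
        line = f"{f['name']:<20} {f['action']:<7} {f['reason']}"
        if f["fix"]:
            line += f"   ({f['fix']})"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    # Swap in fetch_plugin_list("/var/www/html") to run against a real install.
    results = triage_plugins(json.loads(SAMPLE_WP_OUTPUT))
    print(report(results))
    print(summarize(results))
```

Run it from cron and mail yourself the output whenever `summarize` reports anything other than zero updates and zero deletions; an inactive plugin that shows up week after week is one you should remove rather than keep "just in case".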
Controlling Access to Your Site
Access controls matter for organizations of two people just as much as for corporations of 100,000. What users are able to do (privilege) and where they can go and what they can see (access) must be kept in check. Your average visitor should not be able to interact with anything but the public front of your site. If you have a developer working on your site, they probably do not need access to certain critical files that must be safeguarded. It isn’t that you don’t trust the developer; it is in case their account is compromised and a criminal uses it to attack your site.
Passwords, passwords, passwords! They are crucial to your environment, and a bad one can ruin your business’s bank account, your reputation, and your own morale. We strongly suggest using a strong password generator such as https://passwordsgenerator.net/ for every account on your website. The main complaint clients have when they must generate many passwords for their website is that they can’t keep track of all of them. The solution is a password manager such as KeePass, which protects all of your passwords behind one strong master password that you will not forget.
Backing Up Your Data
Backups are also an important part of your website’s security, but they are not a substitute for it. Being able to restore your website after it was hacked does not fix the vulnerability that let it be attacked in the first place. That is out of scope for this post, but back up your website regularly and store your backups in a secure location. You don’t need to keep them for a year, or even a week, but you must be able to go back in case something happens. This is a healthy part of any webmaster’s disaster recovery plan.
This is not a comprehensive guide to securing WordPress, but the tips here will leave you in a much better spot than you were before. Look for an Advanced WordPress Hardening post in the coming months, where we go further in depth into access controls, file integrity monitoring, and even firewalls!
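A backup you cannot verify or restore is not a backup. As an added example (not Kiiff.com's tooling), the block below archives a site directory, writes a SHA-256 sidecar so tampering or bit-rot is detected before a restore, refuses to restore an archive whose checksum does not match, and keeps only the newest N archives so the retention the post describes is enforced automatically. It assumes the directory you point it at already contains a database export (e.g. a `mysqldump` file) alongside the WordPress files; producing that dump is outside this example. The `tempfile` site built in `__main__` is constructed for demonstration.

```python
import hashlib
import os
import tarfile
import time


def _sha256(path):
    """Stream a file through SHA-256 so large archives do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir, backup_dir, stamp=None):
    """Write backup_dir/site-<stamp>.tar.gz plus a .sha256 sidecar; return the archive path."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    os.makedirs(backup_dir, exist_ok=True)
    archive = os.path.join(backup_dir, f"site-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")
    with open(archive + ".sha256", "w") as f:
        f.write(_sha256(archive) + "\n")
    return archive


def verify_backup(archive):
    """Recompute the digest and compare with the sidecar; False if either fails."""
    try:
        with open(archive + ".sha256") as f:
            expected = f.read().strip()
    except FileNotFoundError:
        return False
    return expected == _sha256(archive)


def restore_backup(archive, dest):
    """Extract into dest only after the checksum passes. Python 3.12+ (and
    patched 3.8-3.11) supports filter="data", which blocks archive members
    that would write outside dest or set unsafe modes."""
    if not verify_backup(archive):
        raise ValueError(f"checksum mismatch for {archive}; refusing to restore")
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return dest


def list_backups(backup_dir):
    """Archive names sorted oldest to newest (timestamps sort lexicographically)."""
    return sorted(n for n in os.listdir(backup_dir)
                  if n.startswith("site-") and n.endswith(".tar.gz"))


def prune_backups(backup_dir, keep=7):
    """Delete all but the newest `keep` archives and their sidecars; return what was removed."""
    names = list_backups(backup_dir)
    removed = []
    for name in names[:max(0, len(names) - keep)]:
        path = os.path.join(backup_dir, name)
        os.remove(path)
        if os.path.exists(path + ".sha256"):
            os.remove(path + ".sha256")
        removed.append(name)
    return removed


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    site = os.path.join(root, "site")  # constructed stand-in for a WordPress tree
    os.makedirs(site)
    with open(os.path.join(site, "wp-config.php"), "w") as f:
        f.write("<?php // constructed placeholder\n")
    archive = make_backup(site, os.path.join(root, "backups"))
    print("wrote", archive, "verified:", verify_backup(archive))
    print("restored to", restore_backup(archive, os.path.join(root, "restore")))
```

Copy the archive and its `.sha256` file off the web server (a different host or bucket that the web server's own credentials cannot delete from), and run `restore_backup` into a scratch directory on a schedule; a restore that has never been exercised is the one that fails when you need it.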