Is WordPress Secure?

Despite the fact that it runs over 25% of the ten million largest websites in the world, some IT professionals treat WordPress like something they just wiped off their shoe.  Just in the last couple of months there have been two major security updates, and 100,000 WordPress sites were apparently hacked, so is it secure?  Like most “Is product [x] secure?” questions, the answer is “It can be”; read on to find out how.

Scope

I’ll be clear here, I’m assuming you’re reading this because you’re using a self-hosted WordPress instance, not WordPress.com.  I’m also assuming you’re only in control of the WordPress installation, and not responsible for the operating system, web server and database server software.  If you are responsible for the whole stack, you shouldn’t be reading this article (at least not on its own!)

In self-hosted WordPress on a managed hosting provider like Tsohost you typically get access to some kind of control panel, where you can access backups of your files and databases, set up SSL certificates, change PHP versions etc.  This, and the WordPress dashboard, is where you do your work.  No need to understand HTML, PHP, UNIX shell commands or Apache config files.

Master the fundamentals

The legendary football coach Vince Lombardi is credited with the quote “Excellence is achieved by mastery of the fundamentals”, and this is as applicable in security as it is anywhere else.  In WordPress there are a number of simple steps you can take, none of which require any more technical skill than it takes to use the WordPress dashboard.

Passwords
  • Make sure every account on your WordPress site has a good password, especially any account with administrative privileges.
  • Change the username of the default ‘admin’ account to something random (which some hosting providers, like Krystal hosting, will do during the WordPress installation process), or at least to something you can remember which isn’t ‘admin’.

These two simple steps protect you against ‘brute force’ attacks: automated attacks on WordPress sites which try the default username (admin) against a list of commonly used passwords (like the attack found last week by Wordfence).  A random username means the attacker has to guess two things instead of one, and a good password means the second guess won’t be on any list.

  • If you can, install a two-factor authentication plugin and require that for all administrative accounts (more on that once I find a replacement for Clef!)
  • Don’t reuse the password for your WordPress account (especially one with administrative privileges) on any other service (like LinkedIn, Yahoo or Tumblr, all of which have been breached in the last five years); leaked passwords from those breaches are exactly what gets tried against your site.
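As an added example (not part of the original article) of what the brute-force attack described above looks like from the server side: most hosting control panels let you download the raw web server access log, and a short PHP script can count login attempts per client address from it.  WordPress answers a failed login by re-rendering the form with HTTP 200, and a successful one with a 302 redirect to the dashboard, so the status code tells the two apart.  The log lines, the threshold and the function names below are my own, constructed for the example.

```php
<?php
// Added example: spot a password-guessing run against wp-login.php in a web
// server access log in the common "combined" format. The seven log lines
// below are constructed for this example (documentation IP ranges).

const SAMPLE_ACCESS_LOG = <<<'LOG'
203.0.113.10 - - [12/Mar/2017:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2017:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2017:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2017:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2017:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2017:10:05:00 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2017:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

/**
 * Count POSTs to wp-login.php per client IP, split by outcome.
 * 200 = the login form was re-rendered (failed attempt),
 * 302 = redirect after a successful login, anything else = 'other'
 * (for example a 403 or 503 from a host-side firewall).
 */
function count_login_posts(string $log): array
{
    $counts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client IP, identd, user, [timestamp], "METHOD PATH PROTOCOL", status
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue; // not a combined-format line; ignore it
        }
        $ip = $m[1];
        $method = $m[2];
        $path = $m[3];
        $status = $m[4];
        if ($method !== 'POST' || strtok($path, '?') !== '/wp-login.php') {
            continue; // only login form submissions are interesting here
        }
        if (!isset($counts[$ip])) {
            $counts[$ip] = ['failed' => 0, 'succeeded' => 0, 'other' => 0];
        }
        if ($status === '200') {
            $counts[$ip]['failed']++;
        } elseif ($status === '302') {
            $counts[$ip]['succeeded']++;
        } else {
            $counts[$ip]['other']++;
        }
    }
    return $counts;
}

/**
 * Client IPs whose failed-login count reaches the threshold, worst first.
 * The threshold is a guess for this example; tune it to your own traffic.
 */
function guessing_ips(array $counts, int $threshold = 5): array
{
    $hits = array_filter($counts, function ($c) use ($threshold) {
        return $c['failed'] >= $threshold;
    });
    uasort($hits, function ($a, $b) {
        return $b['failed'] <=> $a['failed'];
    });
    return $hits;
}

foreach (guessing_ips(count_login_posts(SAMPLE_ACCESS_LOG)) as $ip => $c) {
    printf("%s: %d failed logins, %d successful\n", $ip, $c['failed'], $c['succeeded']);
}
```

On the constructed log this reports only 203.0.113.10 with five failures.  The case worth worrying about is an address that shows up with a long run of failures followed by a success: that is a password guess that worked, and the account it logged in as needs its password changed and its recent activity checked.
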

Clean House

Leaving stuff lying around in your WordPress site is a bad idea.  Remove any unused themes or plugins, and make sure all the plugins you do use are updated.  Depending on the complexity of the plugin, if it’s not being updated consider whether it should be replaced by something that is actively maintained.  Un-maintained plugins are a common cause of security breaches (and I speak from painful experience).  Note that a deactivated plugin is still code on your server and can still be exploited, so deactivating is not a substitute for deleting.

Backup

Make sure you’ve got backups!  Any hosting provider worth their salt should be backing up the files and database which make up your WordPress installation every day, and giving you the option to restore one or both of those via the control panel.

In the unfortunate event that your site is compromised (and it’s better to assume it might be, and have measures in place to deal with that, than to hope it never will), take a backup of the compromised site first to help any investigation, then restore a ‘clean’ version of your site to get your website back online.

If your site is particularly valuable, you’ll probably want a hosting provider who will keep several days or weeks of backups.  That means if there’s a delay between your site being hacked and you knowing about it (which is quite common) you can go back to before the site was hacked and restore part or all of your site.  You can also add another layer of protection by downloading your site backups once a week or month and keeping those offline, where an attacker who gets into your hosting account can’t delete them too.

Update

If you do only one thing, please update your WordPress installation.  Fortunately most hosting providers now support automatic updating of WordPress, and you can choose whether to automatically update just minor releases (maintenance and security updates) or major core releases as well (which you might want to test first); you can also auto-update plugins (check whether your plugins support auto-update).
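For readers whose host gives them file access as well as the control panel, here is the same set of choices expressed as WordPress configuration.  This is an added example, not code from the article, and it goes beyond the article’s dashboard-only assumption: it uses the `WP_AUTO_UPDATE_CORE` constant and the `auto_update_plugin` / `auto_update_theme` filters that WordPress itself provides.  The file name and the list of plugin slugs are my own choices for the example.

```php
<?php
/**
 * Added example, not part of the original article: making WordPress apply
 * updates unattended. Assumes your host lets you edit files under the
 * WordPress root.
 *
 * Part 1 belongs in wp-config.php, above the line that requires wp-settings.php:
 *
 *   // true    = auto-apply every core release, major and minor
 *   // 'minor' = maintenance and security releases only (the behaviour when
 *   //           the constant is not set at all)
 *   // false   = never auto-update core
 *   define( 'WP_AUTO_UPDATE_CORE', 'minor' );
 *
 * Part 2 is the rest of this file. Save it as
 * wp-content/mu-plugins/auto-updates.php (the file name is this example's
 * choice). Must-use plugins load on every request and cannot be switched off
 * from the dashboard, which is what you want for a security control.
 */

// Plugins you have tested and are happy to update unattended. The two slugs
// are real ones used only as examples; substitute the folder names from your
// own wp-content/plugins directory.
const AUTO_UPDATE_PLUGIN_SLUGS = array( 'akismet', 'wordfence' );

// WordPress runs this filter for each plugin with an update available.
// Signature: auto_update_plugin( bool $update, object $item ), where
// $item->slug is the plugin's slug.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	if ( in_array( $item->slug, AUTO_UPDATE_PLUGIN_SLUGS, true ) ) {
		return true;
	}
	return $update; // leave everything else to the dashboard's own setting
}, 10, 2 );

// Themes have the matching auto_update_theme filter. Here every installed
// theme is updated unattended; delete the unused ones first, as the article
// advises, so there is less to update.
add_filter( 'auto_update_theme', '__return_true' );
```

Keep the list of unattended plugins to the ones a broken update would not take your site down with; for anything complex, leave it off the list and apply the update by hand after testing, as the article suggests.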

Even if you don’t automatically update (which may be wise for more complex sites where updates risk breaking the system) you should monitor your dashboard at least weekly, check for updates, and test and apply them as soon as possible.  Subscribing to the WPScan Vulnerability Database alerts will ensure you know if there’s a vulnerability in WordPress or in a plugin or theme you use, and you can then stay on the lookout for a patch.

Trusted sources

Some people may be tempted to install plugins of dubious provenance, or even to go looking for free versions of commercial plugins to save money.  Don’t do that, because you risk installing malware onto your own site: ‘nulled’ copies of paid plugins are a well-known way of delivering backdoors.  Only install plugins from trusted sources, check reviews and the frequency of updates, and make an informed decision about the reputation of that developer as far as possible.

Conclusion

None of the steps I’ve outlined above require anything more complex than a web browser to complete, and they’ll significantly reduce the risk of your site being compromised.  As I was once told by a member of the local police Cyber Crime unit, 80% of cyber crime is trivially preventable.  Don’t be part of that 80%: master the fundamentals.

This article was based on my own experience, and Hardening WordPress, which you can read for more detail on all of these steps and more.

Richard Bartlett
