WordPress is the most widely used CMS in the world, now powering over 20% of the internet. This popularity unfortunately draws its fair share of attention from malicious code, making WordPress the most commonly targeted CMS by hackers. WordPress itself is actually very secure; the risk of having your site exploited arises as you add 3rd party plugins, use insecure passwords and let WordPress and your themes/plugins get out of date.
We’ve put together a few simple tips to ensure your site has the lowest risk of being exploited:
Keep WordPress up to date
It only takes a few minutes every week to log into your WordPress dashboard, check for available updates and run the updater. These days it's very unlikely that updates will break your site, provided you're using reputable plugins. Just add this as a weekly task to complete on your to-do list/calendar and you won't fall behind.
NOTE: Always have a backup available in case of an update failure. There are plenty of free backup plugins available that you can run manually or even set to a schedule.
Use a security plugin
Security plugins can help you quickly patch many potentially vulnerable areas of your website, such as limiting the number of login attempts to your WordPress admin and removing the default "admin" user account, which is commonly used to try and brute force a site. There are many different plugins available, both free and paid, so I'll just go ahead and list some known reputable options. Feel free to do your own research and pick the one that best suits you.
- iThemes Security
- Wordfence Security
- BulletProof Security
- Sucuri Security
- All In One WP Security & Firewall
Remove unused plugins/themes
Remove any themes you are not using and remove (rather than just disable) any plugins you are not using on your site. We commonly see new plugins or themes installed when a site is exploited, giving attackers another way into your site once you’ve updated.
Use secure passwords
The most common way services in general (not just WordPress) are hacked is through a weak password that was guessed using a dictionary-based attack. Put simply, a hacker has a big list of commonly used passwords that are tested against a list of usernames, hoping for a match. Most people's objection to using a strong password and separate passwords for different services is trying to remember them all. To get around this challenge there are now password management tools like LastPass and KeePass which provide an encrypted vault to store all your passwords in safely, ready to pull them out as required. These tools also help with the generation of strong passwords.
By just following these three tips your WordPress site will be protected against the vast majority of the everyday attacks on WordPress sites. If you want to take things a step further, there are additional things you can do to WordPress, like using a 2-factor authentication plugin, locking down wp-admin to particular IP addresses, or using a 3rd party detection/prevention service like Sucuri.
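Locking down wp-admin to particular IP addresses, as an added configuration example that is not part of the original post: two Apache 2.4 .htaccess fragments, one for the site's document root and one placed inside wp-admin/. It assumes Apache 2.4 with mod_authz_core and an AllowOverride setting that permits these directives; the IP addresses are placeholders from documentation ranges and must be replaced with your own.

```apache
# --- Fragment 1: <document root>/.htaccess ---
# Only the allow-listed addresses may reach the login page.
# 203.0.113.0/24 and 198.51.100.7 are placeholder (documentation) addresses.
<Files "wp-login.php">
    Require ip 203.0.113.0/24 198.51.100.7
</Files>

# --- Fragment 2: <document root>/wp-admin/.htaccess ---
# admin-ajax.php is called by plugins and themes on the public site too
# (including for anonymous visitors), so it must stay reachable or the
# front end breaks. Its own <Files> rule overrides the directory rule below.
<Files "admin-ajax.php">
    Require all granted
</Files>

# Everything else under wp-admin/ is allow-list only.
Require ip 203.0.113.0/24 198.51.100.7

# Caveat: behind a CDN or reverse proxy, Apache sees the proxy's address as
# the client IP, so these rules would block everyone. In that setup configure
# mod_remoteip (RemoteIPHeader / RemoteIPInternalProxy) first so that
# "Require ip" evaluates the real visitor address.
```

Test the rules from an address outside the allow-list before relying on them; a 403 on /wp-login.php and /wp-admin/ with /wp-admin/admin-ajax.php still answering is the expected result.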