We build WordPress websites. Lots of WordPress websites. WordPress is a good fit for many of our clients’ public-facing web needs, whether for putting up a quick site with a stock theme, customizing WP to match a one-off custom design, or integrating some external legacy system or API through a whole lotta custom code. The number of active installs flying under the Bentley Hoke flag is certainly in the dozens, perhaps hundreds, as of this writing.
Our experience mimics that of the broader web community: as WordPress becomes a better and better tool, and powers more and more of the web, security becomes more and more of a risk. We’ve certainly experienced our share of headaches – especially from older, not-maintained sites – with respect to hacking and other security issues. Here’s a summary of some of the strategies we’ve found most effective.
Choosing a Good Hosting Vendor
Given that more than 80% of our clients utilize some kind of monthly-fee shared hosting, the choice of vendor makes a big difference with respect to security. A good host has automated backups, automated updates of WordPress core files, and blocking of use of known-to-be-risky plugins. With a better host, there’s less of a chance that the hacking of another customer’s site – hosted on the same server as our client – leads to a problem with our client’s site. Unrelated to security, better hosting vendors offer Varnish or some other caching mechanism and, thus, better performance.
Recently, we have used WP Engine with great success: their lowest-end hosting plan is affordable for most of our clients, their service is phenomenal, and SSL is available even for their base offering.
A good backup plan is critical for handling security issues. A good hosting vendor like WP Engine offers automated full backups (of theme files, uploaded content, and database content). Without a hosting-vendor-based backup in place, we use VaultPress: their $5-per-month backup plan offers easy one-click restore, and their security tools are great.
Usernames & Passwords
An easy one, but an important one: bruteforce attacks (repeated guesses at logging in to the WordPress admin area on your site) are made much more difficult by avoiding “admin” as a username (“admin” is the default WP username) and by picking passwords that are long, contain random characters, and are not “password”.
WordPress Security Plugins
We use a number of security plugins to protect against WordPress brute-force attacks, scan for core- or theme-file changes, and block malicious strikes against our clients’ sites. One plugin we have used with great success of late is Simple Security Firewall, which offers a range of useful features:
- The firewall feature blocks GET or POST requests of the site that contain PHP code, WordPress terms, or other dangerous content; optionally, one can block or allow IP addresses (or ranges of IPs).
- The login-protection features include 2-factor authentication (where, for example, users who try to login must next click a link from an email automatically sent on login), renaming of the default /wp-login.php admin URL, and other brute-force-login protections.
- Other useful features include tools to better handle automated updates of WordPress core and plugin files, comment-span protection, and protection of the security plugin itself.
WordPress Core and Plugin Updates
Perhaps the easiest – and most useful – tactic in keeping ahead of potential WordPress security threats is to make sure your site is up to date: whether via automation or regular checking, do be sure that the core WordPress files and all plugins are updated as soon as a new version becomes available, since newer versions address known security vulnerabilities.
Similarly, the very choice of which plugins to use on a given site makes a big difference as regards security for your website. While it’s tempting to throw up a plugin – which seems to address a current need so nicely (for free!) – it’s important to check to make sure the plugin is in wide use and is regularly updated.