When it comes to Content Management Systems, WordPress is the King of the Hill. WordPress powers almost 30% of all websites, from personal blogs to government websites with huge traffic. It’s not difficult to see why: WordPress websites are highly customizable, thanks to its 50,000+ plugins, while being pretty easy to handle.
The popularity of WordPress makes it an obvious target for hackers too. Here are some ways we protect our WordPress deployments at protracked:
Up to date. Always!
The WordPress development team works vigorously to find security flaws and fix them. Such fixes are released to users as regular core version updates. Minor updates happen automatically, but major updates, like migrating to the recent WordPress 5.0, have to be performed manually. Most users ignore these core version updates because they can sometimes affect website elements, which then need to be fixed in a hurry. Skipping core updates makes a hacker’s job easy, and they love it.
Plugin and theme updates are even more critical than WordPress core updates. 63% of reported WordPress security problems are caused by incompatible plugins or themes, while just 37% are due to the lack of core updates. So be attentive when using questionable plugins/themes from third parties.
Installing a security plugin like Wordfence Security alerts us via email whenever there is an update.
Secure the Web Host
The web host you pick has an impact on your WordPress website’s security. Shared servers may be cheaper, but they pose a likely WordPress security issue: hackers can find their way into your website by first going through other vulnerable websites on the same shared server.
A fix for these WordPress security issues is choosing managed WordPress hosting. Many of these web hosts automatically update and back up your WordPress website.
We do not host websites on shared servers, for both security and performance reasons. Closing back-end access to the server from all IPs other than our office’s static IP address has been a really effective way for us to secure our servers.
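One way to close back-end access to everything except an office address, as an added example and not the post’s own configuration: on an nginx front end, the login endpoint and the dashboard get an allow/deny rule while the rest of the site stays public. The office IP 203.0.113.10 is a placeholder, and the php-fpm socket path is an assumption that must match the existing PHP handler.

```nginx
# Added example, not the post's own config. Restricts the WordPress back end
# to one office address. 203.0.113.10 is a placeholder for the office's
# static IP; the php-fpm socket path is an assumption.

# Login page: only the office may even load it.
location = /wp-login.php {
    allow 203.0.113.10;
    deny  all;
    include        fastcgi_params;
    fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass   unix:/run/php/php-fpm.sock;
}

# Dashboard: the same rule for everything under /wp-admin/ ...
location ^~ /wp-admin/ {
    allow 203.0.113.10;
    deny  all;

    # ... except admin-ajax.php, which themes and plugins call for logged-out
    # visitors too (contact forms, lazy loading); blocking it breaks the site.
    location = /wp-admin/admin-ajax.php {
        allow all;
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   unix:/run/php/php-fpm.sock;
    }

    # PHP under /wp-admin/ inherits the allow/deny rule of the outer block.
    location ~ \.php$ {
        include        fastcgi_params;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass   unix:/run/php/php-fpm.sock;
    }
}
```

Two checks before relying on this: if the site sits behind a CDN or reverse proxy, nginx sees the proxy’s address, so the real client IP has to be restored (ngx_http_realip_module) or the allow rule matches nothing useful; and if the office address is not truly static, the rule locks the team out the day it changes, so keep a second path in (VPN or a bastion host) and test it.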
Rename default WordPress login
Another easy way to protect your WordPress website is renaming your WordPress login page, making it inaccessible unless you have the direct URL. If you’re not a developer, use the Rename wp-login.php plugin to do it. Don’t forget to bookmark the changed URL.
This WordPress security method works as long as your website only has a few administrator accounts. If your WordPress website has many users, make sure admins and users use different login pages (just hide the admin login).
This is a WordPress website. Try logging in :p
Utilize WordPress Security Plugins
Even though WordPress does a neat job protecting itself, you can still increase its security by installing security plugins. These plugins handle all manner of tasks, including scanning, preventing threats, adding firewalls, tracking logins, and more.
Wordfence is our personal favorite and one of the more popular WordPress security plugins. It’s a freemium plugin that includes a firewall and malware scanner created especially for WordPress.
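The login tracking such plugins do can also be approximated from the web server’s own access log. The following Python script is an added example, not code from the post or from Wordfence: it parses combined-format log lines, counts failed logins per source address (WordPress answers a failed login with a 200 re-render of the form and a successful one with a 302 redirect, so only POSTs with status 200 are counted) and flags any address that exceeds a threshold inside a sliding one-minute window. The sample log lines, the threshold and the window are constructed assumptions.

```python
"""Flag brute-force bursts against wp-login.php in a web server access log.
Added example, not code from the post or from Wordfence. The sample log
lines, threshold and window below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one address hammers the login form, while a real user
# mistypes once and then logs in (302 redirect).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2019:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2019:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2019:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2019:12:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 1943 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2019:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2019:12:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2019:12:00:16 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2019:12:00:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2019:12:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    """A failed login is a POST to wp-login.php answered with a 200 re-render
    of the form; a successful login redirects (302), so it is not counted."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == 200)


def find_login_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for addresses with at least `threshold`
    failed logins inside any `window`-long span (sliding window per IP)."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins within 60s")
```

Run against a real log, the flagged addresses are what a firewall rule or a fail2ban jail would act on; if the login page has been renamed as described above, change the path check to the new URL, otherwise the script counts nothing.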
Backup! Automated Backups!
Just like the tweaks above, it is also important to have backups, and automated ones at that. They protect you not just from hackers but also from the occasional screw-up caused by updates or mistakes. Use any of the popular WordPress backup plugins, and don’t store all your backups on the host itself; store them in the cloud on an independent account.
As a standard practice, we keep one month of automated snapshots for all our servers. They have come in handy not just for recovery, but also for testing, migrations and identifying builds broken by updates.
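One way to implement the automated, one-month snapshots described here, as an added example and not the post’s own tooling: the Python script below dumps the database, archives wp-content and wp-config.php into a dated tar.gz, writes a SHA-256 sidecar so a snapshot can be verified before anyone restores from it, and prunes snapshots older than 30 days. The site and backup directories, the database name and the mysqldump option file path are assumptions; copying the archives to an independent off-host account is left to whatever runs the script from cron.

```python
"""Dated WordPress snapshots with an integrity check and 30-day retention.
Added example, not the post's own tooling. Paths, the database name and
the mysqldump option file are assumptions for illustration."""
import hashlib
import hmac
import subprocess
import tarfile
import time
from datetime import datetime, timezone
from pathlib import Path

RETENTION_DAYS = 30            # the post keeps one month of snapshots
PREFIX = "wp-snapshot-"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def dump_database(db_name, out_path, defaults_file="/root/.my.cnf"):
    """Consistent mysqldump of the WordPress database. Assumption: credentials
    live in a MySQL option file, so they never appear on the command line."""
    with open(out_path, "wb") as f:
        subprocess.run(
            ["mysqldump", f"--defaults-file={defaults_file}",
             "--single-transaction", "--quick", db_name],
            stdout=f, check=True)


def sidecar_for(archive):
    """Path of the .sha256 file that accompanies an archive."""
    return archive.parent / (archive.name + ".sha256")


def make_snapshot(site_dir, backup_dir, db_dump=None, when=None):
    """Archive wp-content and wp-config.php (plus an optional DB dump) into a
    dated .tar.gz, write a .sha256 sidecar, and return (archive, digest)."""
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = (when or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_dir / f"{PREFIX}{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for name in ("wp-content", "wp-config.php"):
            if (site_dir / name).exists():
                tar.add(site_dir / name, arcname=name)
        if db_dump:
            tar.add(db_dump, arcname="database.sql")
    digest = sha256_file(archive)
    sidecar_for(archive).write_text(f"{digest}  {archive.name}\n")
    return archive, digest


def verify_snapshot(archive):
    """Recompute the hash and compare it with the sidecar. Restore only from a
    snapshot that verifies; a mismatch means corruption or tampering."""
    archive = Path(archive)
    sidecar = sidecar_for(archive)
    if not sidecar.exists():
        return False
    expected = sidecar.read_text().split()[0]
    return hmac.compare_digest(expected, sha256_file(archive))


def prune_snapshots(backup_dir, retention_days=RETENTION_DAYS, now=None):
    """Delete archives (and sidecars) older than retention_days; return names."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    removed = []
    for archive in sorted(Path(backup_dir).glob(f"{PREFIX}*.tar.gz")):
        if archive.stat().st_mtime < cutoff:
            sidecar = sidecar_for(archive)
            if sidecar.exists():
                sidecar.unlink()
            archive.unlink()
            removed.append(archive.name)
    return removed


if __name__ == "__main__":
    # Assumed paths; run from cron, then sync backup_dir to an off-host account.
    site, backups = Path("/var/www/example"), Path("/var/backups/wp")
    backups.mkdir(parents=True, exist_ok=True)
    dump = backups / "database.sql"
    dump_database("wordpress", dump)
    archive, digest = make_snapshot(site, backups, db_dump=dump)
    dump.unlink()                       # the dump now lives inside the archive
    print(archive.name, digest, "pruned:", prune_snapshots(backups))
```

The sidecar is what makes the snapshot worth trusting after it has travelled to cloud storage: verify it on the remote copy, not only on the host, because a compromised host can corrupt both the archive and the local hash together.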