The open nature of software such as WordPress can be both a blessing and a curse. On one hand, it has been nothing short of a game changer, powering millions of websites worldwide. What started out as a humble blogging platform has transformed the way websites are built. Looking for a blogging platform? WordPress is pretty good. Looking to get started with eCommerce? Pair WordPress with WooCommerce and you’re there. What about a social platform? BuddyPress fits the bill, and it too runs on… you get the picture.
However, with that freedom and flexibility comes a price. WordPress itself is open source – its code is freely available to developers – like us – as well as to less savoury characters looking for weaknesses that would give them access to those millions of sites. Fortunately, WordPress core is mature and maintained by seasoned professional developers, so releases are stable and, on the whole, very secure. In practice most compromises come in through outdated plugins or themes and weak or reused passwords rather than through core itself, which is why the steps below concentrate on those.
Whilst it is impossible to eliminate all risks, there are a number of steps that you can take to minimise the chances of your WordPress site being compromised.
A security system is only as strong as its weakest point, and in many cases that is the humble password. Whilst we acknowledge that it has to be memorable – nobody wants to hit the reset password link every time they log in – it also has to be hard to guess, whether by a person or by a program trying millions of candidates per hour. Length matters more than anything else: a long passphrase of several unrelated words beats a short string of symbols. Mixing upper and lowercase characters, numbers and special characters on top of that helps, but not if the result is a dictionary word with predictable substitutions. Never reuse a password you use elsewhere, since credentials leaked from another site are among the first things an attacker will try against your dashboard, and consider a password manager so that memorability stops being a constraint at all.
CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart. No doubt you have come across the (sometimes frustrating) images containing hidden phrases which you have to type out to submit a form – that is a CAPTCHA. Although they can be irritating, they perform a valuable task in stopping automated systems from attempting to log in to your website. Some web hosts enable CAPTCHA on the login page automatically to block the ‘bots’ that run through common username/password combinations, hundreds of times a minute, trying to gain access to the dashboard. Even with a CAPTCHA in place it is worth knowing what such an attack looks like in your web server logs, because that is where the evidence ends up.
WordPress has an excellent user management system built in, allowing different members of your site to have different permissions to perform tasks such as adding posts, editing content, installing plugins and so on. If your website is maintained by multiple people, limit each account to the role it actually needs: someone who only adds or edits content can be an Author or an Editor, for example. Only the Administrator role can install plugins, add users or change settings, so a compromised Administrator account hands over the whole site. Keep as few of them as possible, and remove or downgrade accounts (a former agency, departed staff) that no longer need access.
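To see who actually holds which role you need to look at the database, because WordPress stores a user's roles in the `wp_usermeta` table under the meta key `<prefix>capabilities` as a PHP-serialized array. The script below is an added example, not code from the original post: it reads a CSV export of that table (the rows here are constructed, and the default `wp_` table prefix is assumed) and lists accounts per role, then reports any Administrator that is not on your approved list.

```python
"""Audit which WordPress accounts hold which role.

Added example, not from the original post. Input is a CSV export (constructed
below, 'wp_' prefix assumed) of this query, run with phpMyAdmin or `wp db query`:

    SELECT u.user_login, m.meta_value
      FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
     WHERE m.meta_key = 'wp_capabilities';
"""
import csv
import io
import re
from collections import defaultdict

# Constructed export. Each meta_value is a PHP-serialized array such as
# a:1:{s:13:"administrator";b:1;}; the CSV doubles the embedded quotes.
CSV_EXPORT = """\
user_login,meta_value
alice,"a:1:{s:13:""administrator"";b:1;}"
bob,"a:1:{s:6:""editor"";b:1;}"
carol,"a:1:{s:6:""author"";b:1;}"
old-agency,"a:1:{s:13:""administrator"";b:1;}"
"""

# Matches each 'rolename' => true entry inside the serialized array.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def parse_roles(serialized):
    """Return the role names granted in one wp_capabilities value."""
    return ROLE_RE.findall(serialized)


def users_by_role(csv_text):
    """Map role -> list of user_logins holding it, from the CSV export."""
    by_role = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        for role in parse_roles(row["meta_value"]):
            by_role[role].append(row["user_login"])
    return dict(by_role)


def unexpected_admins(csv_text, approved_admins):
    """Administrators not on the approved list: candidates for demotion."""
    admins = users_by_role(csv_text).get("administrator", [])
    return sorted(set(admins) - set(approved_admins))


if __name__ == "__main__":
    for role, users in sorted(users_by_role(CSV_EXPORT).items()):
        print(f"{role:15} {', '.join(users)}")
    print("review:", unexpected_admins(CSV_EXPORT, approved_admins=["alice"]))
```

In the constructed data `old-agency` still holds Administrator, which is exactly the sort of account this check is meant to surface; with WP-CLI it can be downgraded with `wp user set-role old-agency editor`, or removed entirely if it is no longer needed.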
There are a wide range of plugins which claim to improve the security of your WordPress installation. Their features include notifications when users log in to your dashboard, automated banning of IPs that repeatedly fail to log in, warnings about users with weak passwords, and regular scans of your site’s files against the official WordPress repository to detect file changes, which can be the sign of a compromised site. One that we keep coming back to is the excellent Wordfence, which offers a number of tools straight out of the box, along with more advanced features in the premium version. Do be wary of these, however: they aren’t a guaranteed catch-all, and some plugins, or specific features such as audit logs and scheduled scans, can noticeably affect performance.
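The file-change scan those plugins perform is worth understanding on its own, because it is the check that catches a compromise after the fact. The block below is an added example, not code from the original post or from any plugin: it records a baseline of SHA-256 hashes for every file under the site, compares a later snapshot against it, and separately flags PHP files under `wp-content/uploads/`, a directory that should only ever hold media. The site tree it runs on is constructed in a temporary directory; the file names and contents are illustrative.

```python
"""Detect changed, added or removed files in a WordPress install.

Added example, not the original post's or any plugin's code. Builds a baseline
manifest of SHA-256 hashes, diffs a later snapshot against it, and flags PHP
under wp-content/uploads/. The site tree in demo() is constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(baseline, current):
    """Report what changed between two manifests, sorted for stable output."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious_paths(manifest):
    """PHP under the uploads directory should never exist; list any that does."""
    return sorted(p for p in manifest
                  if p.startswith("wp-content/uploads/") and p.endswith(".php"))


def demo():
    """Constructed site: take a baseline, alter it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-includes").mkdir()
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); // constructed")
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = '6.4'; // constructed")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed")
        baseline = build_manifest(site)

        # Later snapshot: a core file has been altered and a PHP file has
        # appeared in uploads. Both contents are constructed placeholders.
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = '6.4'; // constructed, altered")
        (site / "wp-content" / "uploads" / "cache.php").write_text("<?php // constructed: should not be here")
        current = build_manifest(site)
        return diff_manifests(baseline, current), suspicious_paths(current)


if __name__ == "__main__":
    changes, flagged = demo()
    print(changes)
    print("php in uploads:", flagged)
```

On a real install you would save `build_manifest("/var/www/html")` to a file immediately after a clean update and diff against it on a schedule, treating any change outside `wp-content/uploads/` that you did not make yourself as something to investigate. For core files specifically, WP-CLI's `wp core verify-checksums` does the same comparison against the official checksums published for your WordPress version.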
Staying up to date
Software is updated for many reasons, and whilst it’s always great to see new features, updates often also contain fixes for security problems which have been discovered, and once a fix is public the problem it closes is public too. It is crucial that you keep WordPress itself, plugins and themes up to date, and that you remove plugins and themes you no longer use rather than leaving them installed and unpatched. We recommend that you take a backup of your website before any update. Most of the time it’s plain sailing, but now and again you may find something breaks.
It can be heartbreaking when an update goes wrong and you’re left with a blank screen, or your site is compromised by malware and you’re faced with starting again. Backups give you the safety of being able to ‘roll back’ to a previous copy of your site and minimise any loss of data if the worst should happen. A complete backup means both the files (WordPress core, plugins, themes and your uploads) and a dump of the database, where your posts, pages, settings and user accounts actually live; one without the other will not restore a working site.
Backups should be regular, so that you have a recent copy of your site to hand; they should be stored off-site (downloaded to your own machine or synced to a service such as Dropbox – anywhere that is not on the same hosting account, so that a compromise of the site cannot also destroy its backups); and they should be checked periodically by actually restoring them, since an archive that was never opened may turn out to be truncated or corrupt exactly when you need it. Most web hosts also offer automated backups of your hosting account, but don’t rely on these alone.
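Checking a backup means restoring it somewhere harmless and confirming that every file came back intact. The script below is an added example, not code from the original post or from any backup plugin: it packs a site directory (files plus an already-exported database dump) into a tar.gz with a sidecar manifest of SHA-256 hashes, then verifies a backup by extracting it to scratch space and re-hashing each file against that manifest. The site tree is constructed, and the second half of `demo()` deliberately feeds it a half-downloaded copy to show that a damaged archive is reported rather than passed.

```python
"""Make a WordPress backup and prove it can be restored.

Added example, not code from the original post. The site tree in demo() is
constructed; the database dump is a placeholder for one exported beforehand
(for example with `wp db export`).
"""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def _sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def create_backup(site_dir, archive_path):
    """Tar+gzip site_dir; write a sidecar JSON manifest of per-file hashes.
    Returns the manifest path."""
    site_dir, archive_path = Path(site_dir), Path(archive_path)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(site_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(site_dir).as_posix()
                manifest[rel] = _sha256(p)
                tar.add(p, arcname=rel)
    manifest_path = archive_path.with_name(archive_path.name + ".sha256.json")
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return manifest_path


def verify_backup(archive_path, manifest_path):
    """Restore into scratch space and check every manifest entry.
    Returns (ok, problems); problems is a list of human-readable strings."""
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    try:
        with tarfile.open(archive_path, "r:gz") as tar, \
                tempfile.TemporaryDirectory() as scratch:
            # The 'data' filter (Python 3.12+) refuses absolute paths and
            # path traversal inside the archive; older versions lack it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
            for rel, digest in manifest.items():
                restored = Path(scratch) / rel
                if not restored.is_file():
                    problems.append(f"missing: {rel}")
                elif _sha256(restored) != digest:
                    problems.append(f"corrupt: {rel}")
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        problems.append(f"unreadable archive: {exc}")
    return (not problems), problems


def demo():
    """Back up a constructed site, verify it, then verify a truncated copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        site = tmp / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); // constructed")
        (site / "db.sql").write_text("-- constructed dump\nCREATE TABLE wp_posts (ID bigint);\n")
        (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed")

        archive = tmp / "site-backup.tar.gz"
        manifest = create_backup(site, archive)
        good_ok, _ = verify_backup(archive, manifest)

        # A half-downloaded copy must fail verification, not pass silently.
        data = archive.read_bytes()
        truncated = tmp / "site-backup-truncated.tar.gz"
        truncated.write_bytes(data[: len(data) // 2])
        bad_ok, problems = verify_backup(truncated, manifest)
        return good_ok, bad_ok, problems


if __name__ == "__main__":
    good, bad, problems = demo()
    print("intact archive verifies:", good)
    print("truncated archive verifies:", bad, problems)
```

Keep the manifest with the off-site copy, not only on the server: the point of verifying against it is to catch an archive that was damaged in transit or tampered with after the fact, which a manifest stored alongside the compromised site cannot do.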
You can go further: removing unused FTP accounts, limiting the permissions of your database user to the one database WordPress needs, using .htaccess files to restrict who can reach the dashboard login, and removing authors from the sitemap so that usernames are not advertised, and so on. Most of these steps aren’t practical or necessary for the majority of users, but they are worth the effort for a site that stores customer or other sensitive information.
If you’re worried about the backups and security of your WordPress website, get in touch and we will be more than happy to help.