As part of our new series of blogs designed to answer commonly asked questions (so we don’t pull our hair out), Blak Ink Media’s Co-Director and Head of Development, Joe Ogden, destroys a few myths regarding the security vulnerabilities of WordPress.
The essential guide to WordPress security
WordPress has a bad reputation due to horror stories about websites being hacked, and a few clients have even experienced this themselves. We hope to dispel this myth since WordPress is completely secure and reliable when set up right, which is what we do for our web development clients.
It is true that somewhere in the world, a WordPress site is getting hacked right now, but this is usually due to a combination of two factors: its massive market share and abandoned installs. Premeditated or personal attacks are rare, as are attacks on fully updated active websites.
Most attacks are just automated bots looking for common exploits so they can commandeer the website for their own nefarious purposes, such as sending spam emails. Generally, if you keep a good eye on your website and implement some basic security precautions, you shouldn’t have much trouble.
So how should I secure my WordPress website?
Security is best implemented in layers, from the underlying server configuration, through the WordPress application layer, to an additional firewall and request-filtering where required. We’ve compiled some of our top WordPress security tips below.
1. Don’t neglect your software updates
Almost all WordPress attacks are due to people not keeping their installation or plugins up to date. There is a new version of WordPress released every 4 months or so. For major version releases you will have to manually click the update button, but minor release updates are installed automatically these days.
Your theme and plugins also need to be updated regularly since developers are always fixing bugs. Having updates to do is a good sign; it means the software or plugin hasn’t been abandoned. Be wary of any plugins that never have an update, since they could be years out of date.
2. Use legit software – never “nulled” themes and plugins
Nulled themes and plugins are premium products where the licensing code has been removed by an unscrupulous individual. There’s a good chance that while they were bypassing the licensing they were also inserting backdoors for bots to take over your site and use it for sending spam. Pay for your licences – being cheap isn’t worth the risk.
3. Install and configure security plugins
Just installing security plugins isn’t enough. You need to configure them too. Our favourites are Sucuri for hardening and alerts, Login LockDown for brute-force attacks, and Malware by Eli for automatic scanning. These three plugins form a key part of your multi-layer security. We configure Sucuri to alert us by email on every post change, plugin update or installation – this way you’ll be the first to know if there is suspect activity on your website.
4. Be picky when choosing plugins to use
One of the best things about WordPress is that it is easy to use without the website owner knowing how to code. It has a huge community of contributors and there are plugins available for almost all eventualities. But this benefit also has a downside: it means insecure code can easily make its way into the WordPress plugin repository due to negligence or simple lack of understanding from users and inexperienced developers.
Choosing the best plugins for your website is a skill in itself. When browsing the plugin repository you should check to see when they were last updated, how many sites they are used on, and if the developer has authored other plugins. Last but not least, always read the comments, as the community will often report incompatibilities and bugs.
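To make the vetting criteria in tip 4 (and tip 1’s warning about plugins that never see an update) mechanical, here is an added example in Python, not code from the original post or from Blak Ink Media: it applies those checks to plugin metadata shaped like the WordPress.org plugin-information API response. The field names last_updated, active_installs and tested, and the timestamp format, are assumptions about that API; the sample record is constructed, not a real plugin.

```python
# Added example (not from the original post): the post's plugin-vetting checks
# (last update date, active installs, "tested up to" version) applied to plugin
# metadata in the shape of the WordPress.org plugin-information API. Field names
# and timestamp format are assumptions; the sample record below is constructed.
import json
from datetime import datetime, timedelta, timezone

SAMPLE_PLUGIN_JSON = json.dumps({          # constructed sample, not a real plugin
    "name": "Example Gallery",
    "author": "Example Dev",
    "last_updated": "2019-03-02 9:15am GMT",
    "active_installs": 800,
    "tested": "5.1",
})

def parse_last_updated(value: str) -> datetime:
    """Parse a 'YYYY-MM-DD h:mmam GMT' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)

def major_minor(version: str) -> tuple:
    """'6.5.2' -> (6, 5); patch level is ignored when comparing 'tested up to'."""
    return tuple(int(p) for p in version.split(".")[:2])

def vet_plugin(meta: dict, now: datetime, current_wp: str,
               max_age_days: int = 365, min_installs: int = 1000) -> list:
    """Return the concerns the post's checks raise for one plugin (empty = none)."""
    concerns = []
    age = now - parse_last_updated(meta["last_updated"])
    if age > timedelta(days=max_age_days):
        concerns.append(f"last updated {age.days} days ago; may be abandoned")
    installs = meta.get("active_installs", 0)
    if installs < min_installs:
        concerns.append(f"only {installs} active installs; little community scrutiny")
    if major_minor(meta.get("tested", "0")) < major_minor(current_wp):
        concerns.append(f"tested only up to WordPress {meta.get('tested', 'unknown')}, "
                        f"current is {current_wp}")
    return concerns

def vet_plugin_json(raw: str, now: datetime, current_wp: str) -> list:
    """Same check, starting from raw API-style JSON text."""
    return vet_plugin(json.loads(raw), now, current_wp)

if __name__ == "__main__":
    for concern in vet_plugin_json(SAMPLE_PLUGIN_JSON, datetime.now(timezone.utc), "6.5"):
        print("WARNING:", concern)
```

The thresholds (one year since the last update, 1,000 active installs) are starting points; the post’s remaining advice, checking the author’s other plugins and reading the support comments, still needs a human.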
5. Keep it simple
Your visitors won’t thank you for adding a ton of nonessential plugins or visual effects, especially buggy ones. By keeping your WordPress slim, you cut down on the potential weaknesses and points of entry for hackers. It’s also much easier to manage and perform the essential updates when you don’t have a load of conflicting plugins.
6. Choose a host that knows WordPress
Much of the essential security is done at the server level, through the firewall configuration and system hardening performed by the elusive system administrator who lurks in a nearby data centre. A good sys admin also helps prevent one of the main attack vectors – that of being affected by a compromised site that just happens to be hosted on the same server as you.
When choosing a host, you ideally want one that genuinely cares about your website and doesn’t just treat you as a number in their billing system. At Blak Ink Media we work with HostAsean.com, who are the first provider of Cambodia-based website hosting servers. Not only is this invaluable for making your website fast for your Cambodia-based audience, they also specialise in WordPress hosting and make security a priority.
So can WordPress be trusted for my business website?
The answer is a resounding yes, if your site is professionally managed and hosted.
While it started as a blogging platform over ten years ago, WordPress has evolved into one of the most flexible full-blown content management systems for websites today. WordPress is used and trusted by top worldwide brands like the BBC, Microsoft, Facebook, Mercedes-Benz, MTV, Sony, Walt Disney, and many more. They wouldn’t be using it if it was insecure or unstable.
Here at Blak Ink Media, our team has developed WordPress based websites for some of the biggest brands in Cambodia, and our security measures are proving to be robust. The bottom line: good processes, shrewd choices when adding plugins, and persistent vigilance.