As you can read in David’s post this week, WordPress is a great tool for small businesses, and is a significant player in the world of internet publishing. Here are a few stats to illustrate my point:
WordPress currently powers:
- 60% of all CMS powered websites
- 14.7% of the world’s top websites
- 22% of the world’s top 1 million eCommerce sites
Finally, there have been over 1.25 billion plugin downloads on WordPress.org.
Add to this the fact that the code is public domain, so it can be analysed to identify potential vulnerabilities.
Put all this together and it is no surprise that it has a reputation for being susceptible to hacking.
But how valid is this reputation? Below, I look at the reality of WordPress security and set out 4 top tips for keeping your site safe.
The reality of WordPress security
There is a flip side. Its ubiquity on the web, and the open nature of its code, are also key to it remaining secure.
Because it is so widely used, there are a lot of developers interested in keeping it secure and thwarting hackers. As a result there is an army of people communicating about and fixing vulnerabilities as they are identified. There are also great tools for keeping up to date and being alerted whenever a vulnerability is identified, and for finding out what fixes are available. The result of this is that the window for hackers between a vulnerability being identified and fixed is usually narrow.
Another consequence of the wide use of WordPress is that it means the economics of creating world class security plugins for the system are attractive, and as a result there are a number available at either no or low cost. The plugin we use is Wordfence. Wordfence is available as a free or paid-for premium plugin. In our experience, the free version does an excellent job of protecting and monitoring the health of your WordPress site.
Keeping your site secure
With all of this in mind, here are my 3 top tips for keeping your site secure:
Keep your site up to date
This is the number one way to keep your site secure. In our experience, security issues usually occur where sites are running out of date code, and this is backed up by the stats, which suggest that over 60% of compromised sites are out of date.
One of the great features of WordPress is the ease of keeping it up to date. Updating plugins, themes and core can be done at the click of a button. What’s more, if you use a backup plugin like UpdraftPlus, you will be prompted to perform a backup before you do the update. As a result, if you experience any issue with the update, rolling back is again a click of a button. Just one footnote on plugins. The need for reliable updates means you should always consider the support available when you install a plugin. If you are installing a mission critical plugin, it is always worth considering the paid version, as this will usually come with enhanced support. Furthermore, the fact that the developers are earning an income will give them an incentive to keep it updated.
Use a good security plugin
We use Wordfence on all our WordPress sites. Wordfence performs 3 useful tasks:
- Brute force protection – Wordfence will monitor attempts to log in to your site, and restrict or lock out visitors whose login activity is seen as suspicious. It will also monitor visitors generating a lot of “Page not found” errors, as this can often be an indication of a hacker trying to find vulnerabilities on a site.
- It provides an application firewall. This is a set of rules that monitors all attempts to run code on the site and passes them through an algorithm to identify suspicious activity. Again, any activity deemed to be a threat to the site is blocked before it is run. Furthermore, the algorithm is constantly updated by Wordfence based on what it learns from the thousands of sites running the plugin. The speed with which this is updated is one of the benefits of the paid version of Wordfence. However, in our experience the free version does a respectable job in this area.
- It will scan your site for anomalies. Most compromises of sites involve adding or changing the code running your website. To protect against this, Wordfence will scan the site for suspicious files. It does this by comparing the code on your site to the original code published by WordPress and plugin developers. Where it identifies unexpected code, it will send you an alert. In circumstances where your site has in fact been compromised, fixing it is usually simply a case of restoring a recent, clean backup. This brings me to my third tip.
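To make the first and third of those tasks concrete, here is an added example (my own illustration, not Wordfence’s code) of how a monitor can flag brute force and “page not found” probing from an access log, and how an anomaly scan spots files that differ from the published originals. The log lines, file contents, thresholds and names are all constructed for the example.

```python
"""Added example (not Wordfence's code): simplified versions of two of the
checks described above, run over constructed input.

  suspicious_ips   - counts failed logins and "page not found" hits per client
                     address, the signals behind brute-force and probe detection.
  scan_for_changes - compares files found on the server against hashes of the
                     published originals, the basis of an anomaly scan.

Thresholds, file names and log lines are assumptions made for this example.
"""
import hashlib
import re
from collections import defaultdict

# Constructed web server access log (combined log format).  A failed WordPress
# login re-renders the form with HTTP 200; a successful one redirects with 302.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.5 - - [10/Mar/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.5 - - [10/Mar/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.5 - - [10/Mar/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.5 - - [10/Mar/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.7 - - [10/Mar/2014:10:01:00 +0000] "GET /wp-content/plugins/a/readme.txt HTTP/1.1" 404 209
198.51.100.7 - - [10/Mar/2014:10:01:01 +0000] "GET /wp-content/plugins/b/readme.txt HTTP/1.1" 404 209
198.51.100.7 - - [10/Mar/2014:10:01:02 +0000] "GET /wp-content/plugins/c/readme.txt HTTP/1.1" 404 209
198.51.100.7 - - [10/Mar/2014:10:01:03 +0000] "GET /wp-content/plugins/d/readme.txt HTTP/1.1" 404 209
198.51.100.7 - - [10/Mar/2014:10:01:04 +0000] "GET /wp-content/plugins/e/readme.txt HTTP/1.1" 404 209
192.0.2.9 - - [10/Mar/2014:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 8812
192.0.2.9 - - [10/Mar/2014:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+'
)


def suspicious_ips(log_text, login_threshold=5, notfound_threshold=5):
    """Return {ip: [reasons]} for addresses exceeding either threshold."""
    failed_logins = defaultdict(int)
    not_found = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.group("ip", "method", "path", "status")
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            failed_logins[ip] += 1  # form re-rendered: credentials rejected
        elif status == "404":
            not_found[ip] += 1
    flagged = defaultdict(list)
    for ip, n in failed_logins.items():
        if n >= login_threshold:
            flagged[ip].append(f"{n} failed logins")
    for ip, n in not_found.items():
        if n >= notfound_threshold:
            flagged[ip].append(f"{n} page-not-found hits")
    return dict(flagged)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def scan_for_changes(known_good, site_files):
    """known_good: {path: sha256 of the published file}; site_files: {path: bytes
    as found on the server}.  Reports files that were added, modified or removed."""
    added = sorted(p for p in site_files if p not in known_good)
    modified = sorted(p for p in site_files
                      if p in known_good and sha256_hex(site_files[p]) != known_good[p])
    missing = sorted(p for p in known_good if p not in site_files)
    return {"added": added, "modified": modified, "missing": missing}


# Constructed stand-in for a published release and for what is found on a server.
ORIGINAL = {
    "wp-includes/version.php": b"<?php $wp_version = '3.8.1';\n",
    "wp-config-sample.php": b"<?php /* sample config */\n",
}
KNOWN_GOOD = {path: sha256_hex(body) for path, body in ORIGINAL.items()}
ON_SERVER = dict(ORIGINAL)
ON_SERVER["wp-includes/version.php"] += b"// line not present in the release\n"
ON_SERVER["wp-content/uploads/cache.php"] = b"<?php // file not part of any release\n"

if __name__ == "__main__":
    for ip, reasons in suspicious_ips(SAMPLE_LOG).items():
        print(f"flag {ip}: {', '.join(reasons)}")
    for kind, paths in scan_for_changes(KNOWN_GOOD, ON_SERVER).items():
        print(f"{kind}: {paths}")
```

Both checks are deliberately simple: a real scanner fetches the reference hashes from the published release of each plugin and theme, and a real brute force monitor also tracks user names and time windows, but the shape of the logic is the same.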
Implement a backup routine
Make sure your site files and database are regularly backed up. By doing this, you ensure that even if your site does get compromised, you can make repairs without too much disruption.
For this task we use the UpdraftPlus plugin. This will automatically take backups of your site on the schedule you set. It will also automatically copy backups to a cloud storage system like Google Drive or Dropbox, so that even if your web server is irrecoverably compromised, you should still have the necessary data and files to get up and running on a different server. We recommend backing up the database daily and the site files weekly. We then keep a minimum of 30 days’ worth of backups, in case it takes you a few days to identify an issue.
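The schedule above (database daily, files weekly, keep at least 30 days) is easy to state but worth checking mechanically, so here is an added example of my own, not UpdraftPlus code, that applies it to a constructed list of backup file names. The naming scheme, the date used as “today” and the rule of never deleting the newest backup of a kind, even when it is older than the retention period, are assumptions made for the example.

```python
"""Added example (not UpdraftPlus code): the backup schedule and retention policy
described above, applied to a constructed list of backup file names.

Assumed naming scheme: <kind>-YYYYMMDD.tar.gz with kind 'db' or 'files'.
"""
import re
from datetime import date, timedelta

BACKUP_RE = re.compile(r"^(?P<kind>db|files)-(?P<ymd>\d{8})\.tar\.gz$")

# Schedule and retention from the post: database daily, files weekly, keep 30 days.
SCHEDULE = {"db": timedelta(days=1), "files": timedelta(days=7)}
KEEP = timedelta(days=30)


def parse_backup_name(name):
    """Return (kind, date) for a well-formed name, or None for anything else."""
    m = BACKUP_RE.match(name)
    if not m:
        return None
    ymd = m.group("ymd")
    return m.group("kind"), date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:]))


def latest_by_kind(names):
    """Map each kind to the date of its most recent backup."""
    latest = {}
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is None:
            continue
        kind, when = parsed
        if kind not in latest or when > latest[kind]:
            latest[kind] = when
    return latest


def backups_due(names, today):
    """Kinds whose most recent backup is absent or at least one interval old."""
    latest = latest_by_kind(names)
    return sorted(kind for kind, interval in SCHEDULE.items()
                  if kind not in latest or today - latest[kind] >= interval)


def backups_to_prune(names, today, keep=KEEP):
    """Names older than the retention period.  Assumption for this example: the
    newest backup of each kind is always retained, so a stale schedule never
    leaves you with nothing to restore from."""
    latest = latest_by_kind(names)
    prune = []
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is None:
            continue
        kind, when = parsed
        if today - when > keep and when != latest[kind]:
            prune.append(name)
    return sorted(prune)


# Constructed listing of a backup folder, as seen on 10 March 2014.
TODAY = date(2014, 3, 10)
LISTING = [
    "db-20140310.tar.gz",     # today's database backup
    "db-20140309.tar.gz",
    "db-20140205.tar.gz",     # 33 days old
    "files-20140302.tar.gz",  # 8 days old: weekly backup is due
    "files-20140201.tar.gz",  # 37 days old
    "files-20140105.tar.gz",  # 64 days old
    "notes.txt",              # not a backup, ignored
]

if __name__ == "__main__":
    print("due today:", backups_due(LISTING, TODAY))
    print("prune:", backups_to_prune(LISTING, TODAY))
```

Run against the listing it reports that only the weekly files backup is due, and that the three backups older than 30 days can be removed, while a folder holding a single very old backup keeps it rather than deleting your last copy.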
Harden your login
The final tip is around login credentials. Be sure to use secure passwords on your site (WordPress will check these as you set up users). It’s also a good idea not to use “admin” as your default username, as this is the first one a hacker will try when attempting to get in by brute force. You can select your admin username when you set up WordPress, and if you are using admin, Wordfence will help you to change it easily. Wordfence also offers the facility to implement two-factor authentication (2FA) should this be deemed appropriate.
Be vigilant, Stay Secure
In our experience, if you follow the tips above, then in the real world WordPress is a great and secure website development tool. Add this to the benefits outlined in David’s post, and you have a fantastic and flexible tool for promoting your business.