According to Pandalabs, 18 million new malware samples were captured in Q3 2016 alone; roughly 200,000 per day. By all accounts, cyber threats are expected to continue to rise in 2017, with cybersecurity spending hitting more than $1 trillion from 2017 to 2021.
The kinds of massive data breaches and ransomware attacks affecting companies like HP, Verizon and Yahoo might not seem relevant to your small WordPress blog. But given that the cost of recovering from a cyber attack can hit $1 million or more, it’s clear that web security must be a priority for every business.
Making your WordPress website more secure requires an understanding of what security options are available to you from within the platform and from third-party tools.
WordPress is an open source content management system (CMS), which means that its founders have made its source code available to those who want to study it, change it, distribute it or develop supporting technologies that work with the platform. Because of this open source nature, WordPress users are able to access the platform’s vast selection of free and paid themes and plugins that work seamlessly with the CMS.
Understandably, this extensibility has made WordPress popular with users who can customize the look and feel of their sites, without much manual coding. Indeed, the WordPress team reports that the CMS is used by 27% of the world’s top 10 million websites.
Keeping WordPress Secure
In an effort to protect WordPress users, the platform’s developers have built in a number of features intended to support site security. Taking advantage of these settings, introducing third-party security plugins and following WordPress security best practices offer the best odds of keeping your site safe.
Built-In Security Features
A few of the options built into WordPress for the purposes of security include:
- Automatic WordPress version updates
- Theme and plugin notification updates
- User roles that allow you to control access to different capabilities within your site
- Complex password generation
Behind the scenes, WordPress provides developers with a set of functions and APIs that can be used to protect data and to limit hackers’ ability to penetrate WordPress installations. These and similar efforts were instituted as part of WordPress’s compliance with the 2013 recommendations of the Open Web Application Security Project (OWASP).
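To make that concrete, here is an added example (written for this article, not code from WordPress or any plugin mentioned here) of the kind of data-protection APIs the paragraph refers to. The plugin name, the `example_` function names and the `example_lookup` nonce action are placeholders; `current_user_can()`, `check_admin_referer()`, `sanitize_text_field()`, `$wpdb->prepare()`, `$wpdb->esc_like()` and `esc_html()` are real WordPress functions. The first function shows the unsafe pattern so the contrast is clear; the second shows the same title search done properly, including the role-based capability check from the built-in features list above.

```php
<?php
/**
 * Plugin Name: Example Secure Lookup (added example, not part of the article)
 * Description: Contrasts an unsafe post-title search with one built on WordPress's own APIs.
 */

// UNSAFE (for contrast only): raw request data goes straight into SQL and straight
// back out into HTML. This is the classic pair of SQL injection and reflected XSS.
function example_lookup_unsafe() {
    global $wpdb;
    $term = $_GET['term'];                                            // untrusted input
    $rows = $wpdb->get_results(
        "SELECT post_title FROM {$wpdb->posts} WHERE post_title LIKE '%$term%'"
    );
    foreach ( $rows as $row ) {
        echo '<li>' . $row->post_title . '</li>';                     // unescaped output
    }
}

// HARDENED: the same search using the protections WordPress ships with.
function example_lookup_safe() {
    // 1. Role/capability check: only users allowed to edit posts may run this.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'example' ), '', array( 'response' => 403 ) );
    }

    // 2. CSRF protection: the request must carry a valid nonce for this action.
    check_admin_referer( 'example_lookup' );

    // 3. Input sanitization: strip slashes WordPress adds, then reduce to plain text.
    $term = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
    if ( '' === $term ) {
        return;
    }

    // 4. Parameterised query. esc_like() keeps user-supplied % and _ from acting as wildcards.
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT post_title FROM {$wpdb->posts} WHERE post_title LIKE %s AND post_status = 'publish'",
            $like
        )
    );

    // 5. Output escaping: titles are rendered as text, never as markup.
    echo '<ul>';
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    echo '</ul>';
}

// Register the hardened search as an admin page. The capability given here is what
// the menu and the function above both enforce; the nonce is attached to the link.
add_action( 'admin_menu', function () {
    add_menu_page( 'Title Lookup', 'Title Lookup', 'edit_posts', 'example-lookup', 'example_lookup_safe' );
} );

function example_lookup_link( $term ) {
    $url = add_query_arg( array( 'page' => 'example-lookup', 'term' => $term ), admin_url( 'admin.php' ) );
    return wp_nonce_url( $url, 'example_lookup' );
}
```

The point of the pairing is that none of the protections in the safe version require a plugin: capabilities, nonces, sanitization, prepared statements and escaping are all part of the platform, and a plugin that skips them is exactly the kind of "weak link" the third-party plugin section below warns about.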
Third-Party Security Plugins
Despite the steps taken by WordPress, many users take the additional step of installing a third-party security plugin. These security plugins can be broadly categorized into two groups: full security suites and single-issue security plugins.
Full security suites encompass multiple security needs within a single plugin. Both plugins that can be installed within the WordPress dashboard and ongoing monitoring services that watch WordPress activity remotely for security risks can be included in this group. Popular options include:
These tools address everything from bot-driven brute-force attacks to blocking malware injection attempts and other hacks. They may be available on a free or paid basis, and represent a good choice for new WordPress site owners who want one solution to cover multiple needs.
Beyond these security suites, more targeted security plugins exist that remedy specific weaknesses within the WordPress platform. Some of the most commonly used include:
The specific plugins you’ll want to install will depend on your own assessment of your security needs. Whichever you choose, practice good WordPress hygiene by not installing more plugins than is necessary and by monitoring the plugins you do choose for ongoing security issues.
Further, don’t assume that you’re safe just because you’ve purchased a paid security plugin – either a full security suite or an individual-need plugin. In 2013, of the top 10 most vulnerable plugins, five were commercial plugins available for purchase, according to wpmudev.
WordPress Security Best Practices
Finally, all the built-in security features or third-party plugins in the world won’t protect you if you don’t actively manage your site’s security.
While the list below is by no means complete, it represents a good starting point for beginning webmasters who are learning to keep their sites safe.
- Regularly update your passwords
- Regularly update your WordPress installation, theme and plugins (if you don’t have these set to update automatically)
- Limit the people who have access to your website, and remember to revoke access from those who no longer need it
- Avoid using WordPress’s default usernames, as hackers are familiar with these common options
- Keep your personal computer updated, as hackers who have gained access to your personal information may be able to use this to access your website
- Choose a WordPress host that prioritizes WordPress website security and takes the steps necessary to keep their clients’ websites safe
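Several of the practices above can be enforced from inside the site rather than left to memory. The following is an added example (not code from the article or from WordPress itself) of a must-use plugin that keeps core, plugins and themes on automatic updates, removes the dashboard file editor so a hijacked account cannot edit PHP, and flags default usernames and the current administrator list for review. The file and function names are placeholders; the filters `allow_major_auto_core_updates`, `auto_update_plugin` and `auto_update_theme`, the `DISALLOW_FILE_EDIT` constant, and `username_exists()` / `get_users()` are real WordPress APIs.

```php
<?php
/**
 * Plugin Name: Example Hardening (added example, not part of the article)
 * Description: Drop into wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Practice: keep WordPress, themes and plugins updated. These filters opt the site
// into automatic updates for all three (minor core updates are already automatic).
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Practice: limit what a compromised account can do. Without the built-in file
// editor, an attacker who lands an admin password cannot write PHP from the dashboard.
// This constant is normally placed in wp-config.php; defining it here also works
// because must-use plugins load before the admin screens check it.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Practices: avoid default usernames, and limit/revoke access. Returns a list of
// human-readable findings so the same check can be reused from WP-CLI or a cron job.
function example_hardening_findings() {
    $findings = array();

    // Default usernames that attackers try first.
    foreach ( array( 'admin', 'administrator' ) as $name ) {
        if ( username_exists( $name ) ) {
            $findings[] = sprintf( 'Default username "%s" exists; create a new administrator and delete it.', $name );
        }
    }

    // Every administrator account, so the list can be reviewed and stale access revoked.
    $admins = get_users( array( 'role' => 'administrator', 'fields' => 'user_login' ) );
    if ( count( $admins ) > 1 ) {
        $findings[] = sprintf(
            '%d administrator accounts: %s. Remove any that are no longer needed.',
            count( $admins ),
            implode( ', ', $admins )
        );
    }

    return $findings;
}

// Surface the findings to administrators on every dashboard visit so they are not forgotten.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( example_hardening_findings() as $finding ) {
        echo '<div class="notice notice-warning"><p>' . esc_html( $finding ) . '</p></div>';
    }
} );
```

Because it lives in `mu-plugins`, this file cannot be deactivated from the dashboard, which is the behaviour you want for settings that should survive a careless or compromised administrator.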
Ultimately, WordPress security isn’t about turning on or off a few options. It isn’t about adding a security plugin to your site and calling it a day.
Instead, it’s about being proactive regarding your site’s security. It’s about regularly checking in on your website to ensure the options you’ve chosen are functioning appropriately, as well as continually familiarizing yourself with new vulnerabilities that have been discovered.
Security is everyone’s responsibility. While taking the steps described above won’t guarantee your site will never be put at risk, they’ll go a long way towards making you a less-appealing target to hackers.
What other steps are you taking to protect your WordPress website? As this article is only intended to give a surface overview of WordPress security, there’s still plenty of additional ground that can be covered. Leave us a note on your experiences in the comments below.