A Guide to WordPress Security

Over 90,000 hacking attacks per minute strike WordPress sites and WordPress hosting around the world, hitting not only large corporate websites packed with sensitive data, but also sites belonging to small businesses, independent entrepreneurs, and individuals running personal blogs. Security of WordPress sites typically tops the list of concerns for new and experienced website owners alike. For owners of WordPress sites, a statistic like that one raises particular worries about the security not just of individual WordPress sites, but of WordPress itself. No platform is ever completely safe from malware, hacking, and other kinds of cyber attacks — but WordPress security includes protections on the source code itself, as well as precautions taken by both a hosting provider and site owners themselves.

Is WordPress Secure?

As you read this blog post, you may be wondering, “Is WordPress secure?” The number of cyber attacks striking WordPress websites of all kinds may seem extreme, suggesting that WordPress itself is inherently prone to dangerous security lapses. The fact that WordPress is a free and open source software package that anyone can not only download but also modify and share makes it appear especially vulnerable to any skilled hacker who can insert a snippet of malicious code into the WordPress core.

But, although WordPress is a product of developers and designers around the globe working to keep it updated and stable, security is the work of a team of dedicated developers who monitor WordPress for security vulnerabilities and install patches as soon as a vulnerability becomes known. Between its launch in 2003 and early 2018, nearly 2,500 security vulnerabilities were patched. WordPress releases frequent updates to the software, which include those patches, so it’s important for users to install updates whenever they become available.

WordPress developers working to keep the platform as secure as possible are the first line of defense for your website, but they aren’t the only one. Both hosting providers and site owners have jobs to do in keeping up their WordPress site security.

Website Hosting and WordPress Security

Trusted, quality website hosting providers also have protocols in place to protect WordPress and other sites they host. It’s the hosting provider’s job to maintain the security of servers used in hosting and to implement essential security monitoring features. Shared hosting poses more risks than dedicated or VPS (Virtual Private Server) hosting simply due to the number of sites sharing space on a given server. 

In situations like that, security measures must apply to all sites being hosted, regardless of the platform being used, so those measures may not be equally effective for all sites. Dedicated hosting designed for WordPress sites can add more useful security features aimed at WordPress-specific vulnerabilities.

DIY Security for WordPress Sites

Along with efforts by WordPress itself and responsible web hosting providers, owners of WordPress sites can also take many steps to tighten security and thwart cyberattacks of all kinds. Below are some WordPress security best practices:

Keep WordPress Updated

Many cyberattacks on WordPress sites strike smaller ones or those running older versions of WordPress that haven’t received the latest patches and other updates. Owners of these sites might not expect their sites to be targets, but they may be even more vulnerable than larger sites containing stores of sensitive data. Installing all of the frequent updates released by WordPress is a key step in keeping a site secure — and that includes updates not only to WordPress itself, but also to its themes and plugins installed from WordPress and from third-party developers.

Keep Devices Secure

WordPress security won’t help if the devices used to manage the site are compromised. Security experts recommend making sure that all computers and mobile devices used for accessing and managing a WordPress site be regularly monitored and updated with effective firewalls and malware scans. 

Secure Passwords and Permissions

Hackers often attempt to get access to a site by “brute-force attack” — entering usernames and passwords again and again until one works. Because the default username for a WordPress website is “Admin,” which is an easy one to guess, it’s wise to change that to something unique as soon as possible.

Restricting permission to access the site and its directories and disabling file editing can also help, since WordPress code can easily be edited by anyone who can open it. Likewise, limit login attempts and set notifications for excessive logins — a sign of login attempts to hack into a site using brute force tactics.
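
An added example (not from the original article) that audits the measures described above on a WordPress tree: whether `wp-config.php` sets the WordPress `DISALLOW_FILE_EDIT` constant, which paths are world-writable, and which client IPs exceed a threshold of `POST` requests to `wp-login.php`. The sample site, the log lines, the combined access-log format and the threshold of 5 are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: audit file editing, permissions and login attempts.
# The site layout and the combined access-log format are assumptions.

# Print "ok" if wp-config.php sets DISALLOW_FILE_EDIT to true, else "missing".
check_file_edit() {
  if grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1/wp-config.php"; then
    echo ok
  else
    echo missing
  fi
}

# List files and directories under the site root that any local user can write to.
world_writable() {
  find "$1" -perm -0002 ! -type l -print | sort
}

# Print "IP count" for every client with more than $2 POSTs to wp-login.php in log $1.
excessive_logins() {
  awk -v max="$2" '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
       END { for (ip in n) if (n[ip] > max) print ip, n[ip] }' "$1" | sort
}

# Build a constructed sample site and access log so the script runs offline.
make_sample() {
  umask 022
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads"
  printf "<?php\ndefine( 'DB_NAME', 'example' );\n" > "$d/wp-config.php"
  chmod 777 "$d/wp-content/uploads"   # deliberately too permissive
  i=0
  while [ "$i" -lt 6 ]; do            # six login POSTs from one address
    echo '203.0.113.7 - - [01/Jan/2024:10:00:0'"$i"' +0000] "POST /wp-login.php HTTP/1.1" 200 1500' >> "$d/access.log"
    i=$((i + 1))
  done
  echo '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0' >> "$d/access.log"
  echo "$d"
}

site=$(make_sample)
echo "file editing disabled: $(check_file_edit "$site")"
echo "world-writable paths:"; world_writable "$site"
echo "clients with more than 5 login POSTs:"; excessive_logins "$site/access.log" 5
rm -rf "$site"
```

On a real site, point the three functions at the WordPress root and the web server's access log; the output of `excessive_logins` is what a notification job would alert on.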

Install WordPress Security Plugins

A long list of plugins for security and site monitoring is available from WordPress and from numerous third-party designers and developers worldwide. These can be installed on any compatible WordPress website for added security that’s specific to a site’s unique functions. Any security plugins that are installed to protect your site will need to be updated as recommended, independent of updates made to WordPress itself.

Back Up Your WordPress Site

Backing up your WordPress website at least once, and preferably multiple times, is always a good idea in case of accidental loss or errors when editing WordPress, but it makes good sense from a security standpoint, too. If a site is compromised with malicious code or viruses, a clean backup can be restored at any time, or the site can be moved to a new host if necessary using the backup versions.

Stay on Top of Spam

New WordPress sites and those that aren’t regularly maintained are prime targets for spam — and that can easily infect a site with malware. Set tight spam filters and keep them updated with the latest version, monitor commenting carefully, and block questionable comments from your site’s Admin WordPress dashboard.

By its very nature and its massive popularity, WordPress can appear especially vulnerable to hacking and other kinds of cyber attacks for its users. But WordPress sites can be secured on every level from WordPress itself to hosting and site owners themselves — and regular updates and practical steps can keep WordPress sites of all kinds secure.

Desiree Johnson | Content Specialist
Desiree Johnson is a Content Specialist at Bluehost where she writes helpful guides and articles, teaches webinars and assists with other marketing and WordPress community work.
