Is WordPress secure or insecure?
Well it all depends on you the end user and the steps you take regarding your site’s security whether the answer to the above is yes or no.
On the internet nothing can really be 100% secure as long as you have a page or site which is open or accessible in some way to the general public. However there are certain actions and things you can do to your WordPress site which will mitigate the various security risks which most websites face.
Therefore your real aim is to minimize the risk because the security threat itself can never really be totally eradicated when it comes to Internet security.
Security maximization is something which you should be considering at the very beginning of your WordPress site’s life. After all your site and its data might be your livelihood and a hacked site filled with malware can spell disaster to your business.
I recently listened to a talk by Dre Armeda from WordPress who is an expert in security and I’ve summarized some of his points here and added my own too.
So below is a list of some common-sense and not so common-sense things you can do to mitigate security risk to your WordPress site.
Regularly update your computer’s software
Windows PCs in particular have the automatic updates which quite often contain security fixes. Other operating systems have something similar.
Always make sure to keep your machine up to date with its software and patches.
Use anti-virus software on your machine
Installing anti-virus on your computer is something which everyone should do. There are some great free and paid solutions out there, most of which of which automatically update their virus definitions.
Ensure you securely connect to your WordPress site
- Use SFTP/SSH or explicit FTP over TLS instead of FTP
During the day to day maintenance and operation of your site you will no doubt be using FTP to connect to your site.
A lot of people are unaware that when using a plain ole FTP connection, their username and password are actually transmitted unencrypted. Thus if somebody was listening or snooping your connection they can quite easily get your credentials – this is especially apt in public WI-FI connections etc.
- Try to use SSL (HTTPS) if possible
A lot of host providers offer the ability to have SSL certificates for your site for increased security. Note that this usually costs a little more to buy the certificates but well worth the money for those people running business-sensitive sites.
Use Stringent Password Management
Statistics show that over 15 percent of passwords used by people are made up of someobody’s name – either their own name or somebody that they know.
Also, the top password used in the internet today is apparently “123456”.
Second most popular password is the word “password”.
All of the above password practices are an example of what NOT to do when setting your password.
When creating a password try making it over 8 characters long at the very minimum and if possible use phrases instead of single words mixed in with symbols, numbers, caps and lowercase.
Choose a Hosting Provider Not Prone to Security Compromises
Not all hosting providers are created equal and quite often you get what you pay for.
You are probably aware that there are a slew of providers out there which are “free” or extremely cheap compared to their competition.
Well guess what? If you want free or very cheap hosting, then that’s what you’ll get……and don’t complain when your site has been hacked or is infected with malicious software.
It is very important to choose a stable and reputable hosting provider especially if you are running a business online.
Before buying a hosting plan don’t be afraid to ask your prospective provider questions about their security policies and if you feel that something doesn’t add up move on to another provider.
There is also a useful “Safe Browsing” tool provided by google which you can use to check the integrity of a hosting provider’s site.
Simply use the following URL and type the address of the site at the end after the equals sign:
The above will display the last 90 days assessment of the site’s security diagnostics and it will tell you if there were any malicious infections and how many and on which sites.
Not all hosting providers actively mitigate potential security holes, but there are a lot of good ones which do. So make sure that you do your research and choose the right provider.
Always keep your WordPress version up to date
As for your computer’s OS, quite often many of the WordPress updates will contain security updates and fixes.
This is especially true for many of the minor releases which follow the major releases etc.
I know a few people who like to wait a short time after a major release because a lot of the time there are still some bugs which need ironing out. But always make sure that you eventually update your version and don’t wait till the next major release which might be more than a year later. Remember that minor WP releases will never contain new features but will mainly contain bug fixes and security patches.
Another tip is that if you have the capability, try testing the update (especially a major release) on a test site first before plonking it on the live site just to be sure that it doesn’t break your main site.
At the very least, take a backup of your site’s DB and filesystem before you do any (major) update.
Always keep your plugin versions up to date
As for the core WordPress files you should always try to keep your plugins up to date too because the same applies to these regarding security fixes. Also, make sure that you look at the changelogs of a plugin to see what has been changed.
Use child themes when possible
Child themes are a great way to do your customizations to a theme without messing with their code.
Therefore you are encouraged to always try to create your own child theme whenever you want to customize a theme.
This means that you are also not going to lose any changes if you have to update your theme version (especially if there is some kind of security fix).
Change your default DB table prefix
The default table prefix for WordPress is “wp_”.
It is always a good idea to change this to another value to mitigate DB security holes.
Typically it is easiest to do this before you actually install WordPress on your site because the installer allows you to specify a new prefix.
You can also do this at a later stage too but it is a bit more complicated. There are various plugins which will enable you to change the prefix after installation so you might want to check those out too.
Use Secret Keys
Adding secret keys makes your site harder to hack because they add random elements to your passwords.
Along with the secret key there is an element called a “salt” which further enhances the encryption of the passwords.
You can specify secret key and salt values in your wp-config.php file.
To read more please see this link:
wordpress secret keys and salts
Lock down your WordPress login
Just like the title above there is a handy plugin called “Login Lockdown” which can enforce limitations to the number of login attempts to your site or even IP range restrictions. This is simple yet effective little plugin which adds tremendous piece of mind regarding the security of your site’s backend.
Also as mentioned earlier, you can force the use of SSL upon login to your WP admin panel by adding a line to your wp-confi.php such as:
See the wordpress codex which explains administration over SSL in more detail.
Note that in order for SSL to work you will need to have your host configured properly with the required certificates to be able to use SSL (talk to your host provider for more info).
Do regular full backups of your site
Doing scheduled backups of not only your WordPress DB but also your complete file system is a must. Depending on how often you produce content you should tailor a backup schedule based on your needs. Also after backing up your site you should transfer the backup zip file to a safe offboard location (eg, your computer AND a backup drive).
This way you will always have a reasonably up to date backup of your site and should things really go pear-shaped, you can at least restore your site with minimal data loss.
The best WordPress plugin out there which does backups is BackupBuddy. This plugin will do scheduled automatic full backups and it will even automtaically FTP your files offboard. Also if you ever need to restore your site BackupBuddy will also perform the restoration.
Limit access to your site
You can restrict access to your WordPress site based on IP address by setting up whitelists in your .htacces file.
For example you could put the following code in a .htaccess file which you would place in your /wp-admin directory:
AuthName “Access Control”
deny from all
# whitelist home IP address
allow from 126.96.36.199
# whitelist work IP address
allow from 188.8.131.52
allow from 184.108.40.206
The above will only allow the IP addresses specified to access your WP admin environment.
If you’d like to use IP ranges you can also use CIDR notation to specify IP ranges instead of individual addresses.
Only install software from reputable/trusted sources
There are a lot of free themes and plugins out there and not all are good or trustworthy. SO do your due diligence and make sure you research well before you commit to using any piece of software on your site.
Change the default username “admin” to something unique
Doing a simple thing such as changing the username of your WP login from “admin” to something else goes a long way in adding an extra bit of security to your site. You’ll be amazed at how many people still continue to use the default “admin” username, which makes half the job of cracking your site easier because the hackers don’t have to guess the username.
Remember that if you already have a site with admin user you can change it by creating another user account with a unique name which has administrator privileges (very important!). Then you can delete your “admin” user account.
Use correct file and folder permission on your host’s filesystem
Do not tamper with the file permissions of your WP installation.
The standard and secure setup is usually the following:
Folder permissions should be 755
File permissions should be 644
If you can afford to tighten up the above to be even more restrictive then by all mean do so.
You can change your permissions via FileZilla or cpanel.
Never use 777 as a permission setting!