WordPress Security Fundamentals, Best Practices and the Arms Race

It seems like every week there’s a new story about Internet security, whether it’s the breach of a major corporation like Yahoo or Target, or a political hack like those reported to have come from Russia during the 2016 Presidential Election.

These breaches happen so often that IBM made a commercial where the news was that a hack didn’t happen.

The reality is that, if you own a website, you are open to being targeted or hacked by someone looking to breach your site and cause chaos. And if your site runs WordPress — more than 1 in every 4 websites online — then your security holes could be publicly known.

However, that doesn’t mean you should avoid WordPress; it just means you need to protect yourself. Think of it this way: hackers are going to go after the software that has the most users, since that gives the biggest chance of finding someone who has done a poor job of securing their system.

Just like viruses tend to target Microsoft Windows PCs because there are more of them, it’s the same with WordPress.

In almost every instance where we’ve helped fix a hacked site, the site wasn’t specifically targeted for what its owners do or who they are. It was targeted because it had a known vulnerability that hackers were scanning for and could easily exploit.

So how can you protect yourself? Here are a few tips for improving your website security, specifically for WordPress as well as fundamentals for any website.

WordPress Security Best Practices

If you’re running a WordPress-powered website, here are a few best practices to keep your site secure.

  • Ensure your plugins and software are always updated. The easiest way to get hacked is to run an old version of WordPress or outdated plugins. They almost always have vulnerabilities that are well-known, and hackers look for them to get in.
  • Delete inactive plugins and themes. If you’re not using a plugin or a theme, get rid of it. It serves no purpose if it’s not being used, and could have a security hole.
  • Use a trusted security plugin. We recommend iThemes Security Pro, which offers both a “one-click” secure option that implements best practices and the ability to dive deeper with custom security settings.
  • Limit access to your dashboard. The fewer users with permissions to modify the website, the better. If you need to set up users to write content, don’t make them administrators where they can also install or edit plugins. Only give users the access they need.
  • Enforce strong passwords. Thankfully, WordPress does a decent job of password generation, but make sure that users are required to have a complex password to access the dashboard. A hacker running the right brute force script can easily figure out simple passwords, especially if they can determine usernames.

Security Fundamentals for Every Website

Whether you’re running WordPress or not, there are a number of fundamentals you should implement to ensure your website is secure.

  • Work with a trustworthy web host. Don’t use cheap web hosting — it’s cheap for a reason. Make sure that your host is transparent about the security on their servers and implements security best practices.
  • Install an SSL certificate. If you switch to HTTPS, it’s clear to your users that their connection to your site is secure. More and more browsers are calling out sites that aren’t using an SSL certificate, so making the switch is becoming crucial.
  • Ensure you have proper file permissions. Secure file permissions mean that only the right users can read, write or execute files on the server.
  • Allow only SFTP access. Most web servers allow FTP accounts; make sure your host allows secure SFTP access only. When you connect via SFTP, the data is encrypted in transit; with FTP, it is not.
  • Regularly scan for malware. Using a tool like Sucuri, you can scan your website for possible malware infections and see if your site is listed on any blacklists. This should be done on a regular basis.
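As an added example (not part of the original article), here is a small POSIX shell audit that checks a WordPress install tree against the permissions the WordPress hardening guidance commonly recommends: directories 755, files 644, and wp-config.php (which holds the database credentials) no wider than 640. The sample tree it builds is constructed for the demo; the install path and the exact target modes are assumptions, not something this article specifies.

```shell
#!/bin/sh
# Added example, not from the original article: audit a WordPress tree against
# the commonly recommended permissions (directories 755, files 644,
# wp-config.php 640 or tighter). Needs POSIX sh plus GNU or BSD stat/find.

# Octal mode of a path (low three digits), portable across GNU and BSD stat.
wp_mode() {
  m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
  printf '%s\n' "${m#"${m%???}"}"
}

# Recommended mode for a path: wp-config.php is the sensitive file (DB
# credentials, salts); everything else follows the directory/file defaults.
wp_want() {
  case $1 in
    */wp-config.php) echo 640 ;;
    *) if [ -d "$1" ]; then echo 755; else echo 644; fi ;;
  esac
}

# Print one "path expected actual" line for every entry that grants any
# permission bit beyond the recommendation (tighter than recommended is fine).
wp_audit_perms() {
  find "$1" \( -type d -o -type f \) | while IFS= read -r p; do
    have=$(wp_mode "$p"); want=$(wp_want "$p")
    if [ $(( 0$have & ~0$want )) -ne 0 ]; then
      printf '%s %s %s\n' "$p" "$want" "$have"
    fi
  done
}

# Number of offending entries, so the scan can serve as a pass/fail check.
wp_audit_count() {
  wp_audit_perms "$1" | wc -l | tr -d ' '
}

# Constructed sample tree (stand-in for a real install such as /var/www/html).
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
touch "$demo/wp-config.php" "$demo/index.php" "$demo/wp-content/uploads/a.jpg"
chmod 755 "$demo" "$demo/wp-content"
chmod 777 "$demo/wp-content/uploads"      # world-writable upload dir: flagged
chmod 644 "$demo/index.php" "$demo/wp-content/uploads/a.jpg"
chmod 666 "$demo/wp-config.php"           # world-readable credentials: flagged
wp_audit_perms "$demo"
echo "offending entries: $(wp_audit_count "$demo")"
rm -rf "$demo"
```

Run it against the real document root (as a user allowed to stat every file) and treat any output as a finding to fix with chmod; an empty result means the tree matches the recommended modes.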

The Arms Race and the Reality of Securing a Website

When I talk to clients about website security, I’m brutally honest about the reality that if someone really wants to hack your site, they can find a way.

It’s not that safeguards can’t be set – they can. But hackers are always working to find new ways to break through encryption and security, and you need to be steadfast in implementing best practices to make it as difficult as possible for them to break in.

Most hackers (especially ones targeting WordPress websites) look for the easiest targets — outdated software, poorly generated passwords and a general lack of security.

If you’ve invested the time in making your website difficult to hack, you’ll be in good shape and hackers will most likely move on.

About Jason Unger
Jason Unger is the Founder of Digital Ink, the creative and digital team that builds brands and helps companies grow. Based outside of Washington, D.C., Jason has done it all, from website strategy, design, development, troubleshooting and maintenance to content and marketing.