It seems like every other day now that we hear about another major website hack or data leak.
Just in the past few years, dozens of major companies have had their confidential information exposed: Yahoo, Oracle, Adobe, JP Morgan Chase, Sony, Target…the list could, and does, go on. Even kids’ toys aren’t immune!
With so many high-profile data breaches, it’s no wonder that WordPress users are concerned about the security of their own sites. In my conversations with business owners and IT managers, I am frequently asked, “Is WordPress secure?”
The answer?
Yes . . . and no.
It’s about you
WordPress is an incredibly popular website management system. In fact, according to recent surveys, over 27% of all websites on the internet are powered by WordPress.
That statistic may seem unbelievable, but it’s actually not too surprising. WordPress is a powerful platform that makes websites approachable for people without a technical background. While it’s a myth that it’s “easy,” WordPress is something that anyone can master and use to achieve their business goals.
And because WordPress is so popular, it is a regular target for hackers.
But that doesn’t mean that it’s not secure. In fact, WordPress is just as secure as any other platform as long as you take the correct security measures.
Luckily, these measures aren’t complicated—they’re mostly housekeeping. But if you let these things slide, then yes, your WordPress website is easily hacked. In the end, your website security is about you.
So what measures should you take?
What to do to keep your WordPress website secure
To keep your WordPress website secure from hacking, follow these industry best practices:
Choose a well-known, reliable website hosting company
Website security starts not within WordPress itself, but with your hosting company.
There’s a time and a place for local businesses (I love Small Business Saturday)—but your website hosting is not it. Your choice of hosting company is one of the most important choices you’ll make for your website security.
Go with known names in the website hosting industry. A good indicator of quality is offering 24-hour telephone customer service with a real human being. I personally use and recommend SiteGround and WPEngine.
Stay current on WordPress, theme, and plugin updates
This one is pretty easy—whenever you see the little red-orange flag next to your plugins (or a banner at the top announcing a system update from WordPress), click on it and download the update.
Updates often contain essential security patches and fixes. Studies have shown that the majority of WordPress hacks originate from outdated WordPress installations, themes, or plugins.
Keep your site secure by making sure you’ve always downloaded the latest updates.
Regularly back up your WordPress website
Your WordPress database holds your pages, blog posts, comments, users, and settings, and your site’s files hold your theme, plugins, and uploaded images . . . together, they are everything on your site.
To make sure your website content is secure (and never gets lost), perform regular backups of your database and files. At the very least, you should do a site backup before you update your WordPress installation.
Although it’s possible to do manual backups of your WordPress website, they can be tricky. Many users install plugins to do it automatically. I personally use and recommend the plugin Duplicator Pro.
Only download trustworthy themes and plugins
This is the WordPress version of the classic Nigerian prince email: you wouldn’t wire transfer $10,000 to rescue far-off royalty—so why would you give an unknown plugin from an unknown developer access to your website?
It’s simple: check the trustworthiness of anything you install on your WordPress site.
Do this by looking for recent activity from the plugin’s developers: When was the plugin last updated? You should also thoroughly read the reviews and ratings: Have users had issues with bugs, crashes, or hacks?
Be careful with custom themes and plugins
Now is the perfect time for an important note: Customized themes and plugins make updating WordPress, plugins, and the theme itself risky.
Too often, website owners hear the words, “Whatever you do, don’t update anything!” Companies end up having to depend upon the original theme customizer to make little tweaks to their own code in order to stay compatible with WordPress and plugin updates.
This is a security nightmare.
Do yourself a favor and choose a premium theme that doesn’t require customization. By choosing a theme with good documentation and a wide user base, you’ll get regular updates and won’t have to worry about chasing down a developer to keep your site secure.
Clean out your plugins
Like any room in your home, a website accumulates, over time, tons of stuff you don’t need and probably can’t remember why you ever got in the first place.
It’s a good idea to apply the principles of spring cleaning to your website. If you don’t use a plugin, don’t remember why you have it, or aren’t sure what it even does, remove it.
Deleting unnecessary plugins will increase your site speed, and you won’t have to bother with a million updates to keep your site secure. Simpler is better.
Assign user permissions on an as-needed basis
Chances are, you aren’t the only person who needs to write articles, manage comments, or upload images to your WordPress website. To reduce the chance of accidental or intentional damage, only assign the permissions that are absolutely necessary to each user’s role. If someone is editing your already-published articles, that person can be assigned the editor or author role in WordPress—she won’t need administrator access to your plugins, themes, or site settings.
Use strong passwords, and make sure your other users do, too
By now, you’ve heard this over and over. But it bears repeating, especially given that the most common passwords in the last five years have been password, qwerty, and some sequential combination of 1234567. Not so secure.
WordPress helps you out by providing a strong password as your default—so make sure to choose a strong password when you change it.
The best passwords are a nonsensical combination of letters, numbers, and special characters that use no publicly available information (like your name, birthday, city of birth, or physical address). If you need help, try a tool like Strong Password Generator.
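“Make sure your other users do, too” is easier to enforce than to ask for. The following must-use plugin is an added example (not code from the post or from WordPress) that rejects weak passwords whenever a user is created or changes a password in the dashboard. The minimum length of 12 and the three-of-four character-class rule are thresholds chosen here for illustration; the `user_profile_update_errors` hook and `esc_html()` are WordPress’s own.

```php
<?php
/*
Plugin Name: Example Password Policy (added example, not part of the original post)
Description: Rejects weak passwords when a user is created or changes a password in wp-admin.
*/
// Save as wp-content/mu-plugins/example-password-policy.php; must-use plugins load
// automatically and cannot be deactivated from the Plugins screen.

// Minimum length for this illustration; raise it to suit your own policy.
const EPP_MIN_LENGTH = 12;

/**
 * Return a list of problems with $password for the account $user_login / $user_email,
 * or an empty array when it passes. Pure PHP, so it can be tested outside WordPress.
 */
function epp_password_problems($password, $user_login, $user_email) {
    $problems = array();

    if (strlen($password) < EPP_MIN_LENGTH) {
        $problems[] = sprintf('Password must be at least %d characters long.', EPP_MIN_LENGTH);
    }

    // Count the character classes present: lowercase, uppercase, digits, anything else.
    $classes = 0;
    foreach (array('/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^A-Za-z0-9]/') as $pattern) {
        if (preg_match($pattern, $password)) {
            $classes++;
        }
    }
    if ($classes < 3) {
        $problems[] = 'Password must mix at least three of: lowercase, uppercase, digits, symbols.';
    }

    // "No publicly available information": refuse passwords built from the username
    // or the mailbox part of the e-mail address.
    $lower   = strtolower($password);
    $mailbox = strtolower(strstr($user_email, '@', true) ?: $user_email);
    foreach (array(strtolower($user_login), $mailbox) as $public) {
        if (strlen($public) >= 3 && strpos($lower, $public) !== false) {
            $problems[] = 'Password must not contain your username or e-mail address.';
            break;
        }
    }

    return $problems;
}

// Fires when a profile is saved or a new user is added in wp-admin. $user->user_pass is
// only set when a new password was entered, so unrelated profile edits pass through.
add_action('user_profile_update_errors', function ($errors, $update, $user) {
    if (empty($user->user_pass)) {
        return;
    }
    foreach (epp_password_problems($user->user_pass, $user->user_login, $user->user_email) as $msg) {
        $errors->add('weak_password', '<strong>Error:</strong> ' . esc_html($msg));
    }
}, 10, 3);
```

Because the rules live in `epp_password_problems()`, the same function can also be applied to the password-reset form if you hook it there; this example covers only the dashboard profile and Add New User screens.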
Don’t keep your “admin” username
By default, WordPress gives website administrators the username of “admin,” something that many people never bother changing.
Don’t be one of those people.
If you don’t change the pre-set “admin,” someone trying to hack into your site already knows your username! All they have to do is run a script that tries password after password until one works, and voilà—your WordPress site is hacked. Here’s what you do to fix this:
- Add a new user with a new (and secure) username and password, and give this new account administrator-level access
- Log out of the account that uses “admin” as the username
- Log in to the new account and delete the account that uses “admin” as the username; when WordPress asks what to do with that account’s content, attribute it to your new user so no posts or pages are lost
- Going forward, use the new account to log in to your WordPress dashboard
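The same steps can be done from the command line, which is handy when you manage several sites. This script is an added example (not from the post or from WordPress) meant to be run with WP-CLI as `wp eval-file replace-admin.php` on a single-site install; `NEW_ADMIN_LOGIN` and `NEW_ADMIN_EMAIL` are placeholders to change before running. The log-out/log-in steps above are dashboard steps and have no CLI equivalent, and the content reassignment is done by passing the new user’s ID to `wp_delete_user()`. It closes by listing every remaining administrator, which is the check the “Assign user permissions” section above asks for.

```php
<?php
/*
 * Added example (not part of the original post): replace the default "admin" account.
 * Run from the site root with WP-CLI:  wp eval-file replace-admin.php
 * Assumes a single-site install; NEW_ADMIN_LOGIN and NEW_ADMIN_EMAIL are placeholders.
 */
const OLD_ADMIN_LOGIN = 'admin';
const NEW_ADMIN_LOGIN = 'new-admin-login-placeholder';
const NEW_ADMIN_EMAIL = 'you@example.com';

// Step 1: create the replacement administrator. wp_generate_password() is WordPress's own
// helper; 24 characters with special characters included.
$new_user = get_user_by('login', NEW_ADMIN_LOGIN);
if (!$new_user) {
    $password = wp_generate_password(24, true, true);
    $new_id = wp_insert_user(array(
        'user_login' => NEW_ADMIN_LOGIN,
        'user_email' => NEW_ADMIN_EMAIL,
        'user_pass'  => $password,
        'role'       => 'administrator',
    ));
    if (is_wp_error($new_id)) {
        WP_CLI::error('Could not create new administrator: ' . $new_id->get_error_message());
    }
    WP_CLI::success(sprintf('Created administrator "%s" (ID %d). Password: %s',
        NEW_ADMIN_LOGIN, $new_id, $password));
    WP_CLI::warning('Store that password in your password manager now; it is not shown again.');
} else {
    $new_id = $new_user->ID;
}

// Steps 2 and 3: delete the old "admin" account, reassigning its posts and pages to the new
// user so no content is lost. wp_delete_user() lives in an admin include not loaded by default.
require_once ABSPATH . 'wp-admin/includes/user.php';
$old_user = get_user_by('login', OLD_ADMIN_LOGIN);
if ($old_user) {
    if (!wp_delete_user($old_user->ID, $new_id)) {
        WP_CLI::error('Deleting the old account failed.');
    }
    WP_CLI::success(sprintf('Deleted "%s" (ID %d); its content now belongs to ID %d.',
        OLD_ADMIN_LOGIN, $old_user->ID, $new_id));
} else {
    WP_CLI::log('No account named "' . OLD_ADMIN_LOGIN . '" exists; nothing to delete.');
}

// Verification: who still holds the administrator role? Anyone not on this list by design
// should be moved to editor or author.
foreach (get_users(array('role' => 'administrator')) as $admin) {
    WP_CLI::log(sprintf('administrator: %s <%s>', $admin->user_login, $admin->user_email));
}
```

Take a backup before running it, as the backup section above advises for any change of this kind.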
Limit login attempts
Requiring strong passwords is a good first step, but to prevent the hack described above (often called a “brute force” attack), you should also limit the number of failed login attempts allowed before a visitor is temporarily locked out.
WordPress doesn’t do this automatically, so you’ll need to download a plugin to do it for you. As discussed above, be sure to choose one that’s well reviewed, up to date, and currently active.
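To show what such a plugin actually does, here is a minimal one as an added example (not code from the post or from any plugin the author recommends). It counts failed logins per client address and username in a WordPress transient, refuses further attempts for 15 minutes once 5 have failed, and writes a line to the PHP error log when a lockout begins so the event shows up in your hosting logs. The `wp_login_failed`, `authenticate`, and `wp_login` hooks, transients, and `WP_Error` are WordPress’s own; the thresholds and the `elt_` names are this example’s choices. It assumes the site is not behind a reverse proxy or CDN; if it is, `REMOTE_ADDR` will be the proxy’s address and you would need to read the proxy’s trusted forwarding header instead.

```php
<?php
/*
Plugin Name: Example Login Throttle (added example, not part of the original post)
Description: Temporarily locks out a client address + username pair after repeated failed logins.
*/
// Save as wp-content/mu-plugins/example-login-throttle.php.

define('ELT_MAX_ATTEMPTS', 5);                          // failures allowed before lockout
define('ELT_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);  // lockout length; also the counter's lifetime

// Client address as seen by PHP. Assumes no reverse proxy; behind one, read your proxy's
// trusted forwarding header here instead of REMOTE_ADDR.
function elt_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Keying on address AND username means a flood of guesses against one account cannot lock
// out that account's real owner at a different address.
function elt_key($username) {
    return 'elt_' . md5(elt_client_ip() . '|' . strtolower($username));
}

// Core fires wp_login_failed after every unsuccessful attempt: count it and extend the window.
add_action('wp_login_failed', function ($username) {
    $key      = elt_key($username);
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, ELT_LOCKOUT_SECONDS);
    if ($attempts === ELT_MAX_ATTEMPTS) {
        error_log(sprintf('login throttle: %s locked out for user "%s" after %d failures',
            elt_client_ip(), $username, $attempts));
    }
});

// Priority 30 runs after core's username/password check (priority 20), so a locked-out
// client gets this error whether or not the guess was correct.
add_filter('authenticate', function ($user, $username, $password) {
    if (empty($username)) {
        return $user;
    }
    if ((int) get_transient(elt_key($username)) >= ELT_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts',
            __('Too many failed login attempts. Please wait 15 minutes and try again.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address + username pair.
add_action('wp_login', function ($user_login) {
    delete_transient(elt_key($user_login));
});
```

The lockout message is deliberately the same whether the username exists or not, so the login form does not confirm which accounts are real. A maintained plugin adds what this sketch leaves out: allow-listing your own address, an admin screen showing current lockouts, and protection for XML-RPC and REST logins, which is why the author’s advice to pick a well-reviewed, active plugin still stands.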
Your WordPress website security is about you
Because WordPress is an open-source platform, the responsibility of website security falls on the website owner—probably you.
Not paying attention to updates, usernames, passwords, and backups opens your WordPress website up to potential hackers.
Even if you aren’t managing your website yourself, it’s important to keep these security measures in mind. Ask your website developer or agency what steps are being taken to keep your site secure. A quality developer will be open with this information and will work with you to make sure your site is as secure as possible. (And if they aren’t working with you, it may be time to fire your website designer.)