At the time of this writing, WordPress continues to grow faster than any other competitor, powering 40% of all websites on the internet including those without a content management system or with a custom-coded CMS. Keeping your WordPress website secure is critical to prevent hackers from exploiting it.
Our web development team at GTMA takes web security very seriously and does everything we can to make sure your WordPress website is regularly patched and free of vulnerabilities.
But there’s more that can be done to keep your site protected.
4 TIPS FOR SECURE WORDPRESS SITES.
WordPress itself has a team of developers that are dedicated to security. This means that whenever vulnerabilities are found, they are quickly addressed and patches are put in place to resolve the problem. Also, WordPress can auto-upgrade minor updates so these kinds of fixes can be implemented immediately and without user intervention.
For major WordPress core updates, however, regular maintenance is required. You need an experienced, highly trained team of WordPress professionals to ensure your website is free of core software vulnerabilities. Luckily, GTMA’s in-house web design & developers are WordPress experts, who are ready to help you keep your website up-to-date.
2. UPDATE CORE, THEMES & PLUGINS.
It’s critical to maintain an up-to-date WordPress Core, as well as your themes and plugins. Because any developer can create a plugin, the quality and security threats can wildly vary.
According to the WPScan Vulnerability Database, ≈20% of the known security threats logged are in WordPress themes and plugins. Some are malicious, while others are the result of bad programming, or use third-party libraries that introduce vulnerabilities.
Plugins must be updated along with WordPress core to help make sure your website has the most current and secure versions installed. Not to mention all of the new features and bug fixes that come with the site updates.
At GTMA, we vet plugins from the WordPress developer community carefully and use them sparingly on our custom themes. Plus, we perform and automate regular security checks to scan your site and applications for things like security threats, accessibility, and uptime performance.
Tip: Remove unused plugins. In some shared hosting environments, even inactive code can be accessed from other sites on the server and exploited.
3. MANAGE USERS & PASSWORDS.
Another common vulnerability is weak passwords and exposed usernames. If hackers manage to find the email or username associated with your WordPress account, they could use a variety of password-guessing bots and tools to break their way into the account. Strong passwords and user policies protect websites from a range of attacks.
Minimize Administrator Level Accounts.
Not every user on your site needs to be an administrator. The Editor role gives your team the access they need to add and modify pages and do most of the daily work. Even as the site owner, we recommend using an Editor account for most tasks, and reserving the Administrator role for logging in to perform administrative duties like updating themes, plugins, and core, or managing users.
You’ll ward off many “brute force” attacks by not using admin as a user name, and limiting the number of login attempts a user can make. Admin is the default username, and even WordPress no longer recommends using it.
Tip: Make sure your profile is set to show your display name and not your username. You can do this by going to the Users menu in the WordPress dashboard, and checking that the user’s first and last name is chosen in the “Display name publicly as” dropdown and not the nickname or username.
Strong passwords use symbols, capitals, and a mix of letters and numbers so that guessing the password is difficult if not impossible. Changing them regularly is also a great practice. Of course, most users already have a hard time remembering passwords, and regular changes would need to be enforced, so using a plugin like Wordfence can help make sure this is required. One solution that helps motivate users and is easy to use is a password manager. I currently use LastPass, but there are other great tools out there that all do the same thing.
Tip: Limit the number of login attempts that a user can make. The simplest way is to use the Limit Login Attempts plugin. A more complete and robust approach would be to use the Wordfence plugin that includes limiting login attempts and requiring strong passwords, in addition to several other great security features like a Web Application Firewall (WAF).
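As an added illustration of what a login limiter does (this is example code, not code from this post, GTMA, Wordfence or the Limit Login Attempts plugin), here is a minimal must-use plugin that locks an IP address out after repeated failed logins. It assumes a policy of 5 attempts and a 15-minute lockout, and the `example_ll_` names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example login attempt limiter (illustrative only)
 * Place in wp-content/mu-plugins/ so WordPress loads it automatically.
 */

// Assumed policy: lock an IP out for 15 minutes after 5 failed logins.
const EXAMPLE_LL_MAX_ATTEMPTS    = 5;
const EXAMPLE_LL_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

function example_ll_transient_key(): string {
    // REMOTE_ADDR is only trustworthy when the site is not behind a proxy that
    // rewrites it; behind a reverse proxy, derive the client IP from the
    // forwarded header your host documents instead.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_ll_' . md5( $ip );
}

// Count every failed login (wrong password or unknown username) per IP.
add_action( 'wp_login_failed', function ( string $username ): void {
    $key      = example_ll_transient_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, EXAMPLE_LL_LOCKOUT_SECONDS );
    if ( $attempts >= EXAMPLE_LL_MAX_ATTEMPTS ) {
        // Log the lockout so repeated guessing shows up in server logs.
        error_log( sprintf( 'Login lockout for IP %s after %d failures (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $attempts, $username ) );
    }
} );

// Override the authentication result while an IP is locked out. Priority 30
// runs after WordPress core's own checks (priority 20), so a correct password
// still yields the same generic error during the lockout window.
add_filter( 'authenticate', function ( $user, string $username, string $password ) {
    if ( '' === $username ) {
        return $user; // nothing submitted; let core report the empty form
    }
    if ( (int) get_transient( example_ll_transient_key() ) >= EXAMPLE_LL_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', __( 'Too many failed logins. Please try again later.' ) );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter so legitimate users are not penalised.
add_action( 'wp_login', function (): void {
    delete_transient( example_ll_transient_key() );
} );
```

Transients are stored per site, so on a multi-server setup use a shared object cache, or a plugin that keeps its counters in the database, for the lockout to hold across servers.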
An important part of the security of your site lies within the server the site is hosted on. Not all hosts are created equal! Here are some important things to look out for when considering a new hosting solution:
You need a support team that is ready to take any tech issue off your plate, so you can focus on running your business.
You need proactive security protocols backed by contingency preparations and backups to keep your site online in any situation.
You need performance optimizations, so slow load times don’t cost you leads, sales, or conversions.
You need a host that prioritizes your site’s speed and stability, so you don’t lose customers.
You need a host that makes your online performance feel automatic, so you can focus on what you do best.
Need some hosting recommendations? Contact our GTMA Partnerships team for more information!