WordPress Security
The main security concerns
The most common point of failure I’ve seen is bad users and passwords. With a bad user/pass, there’s no hardening that will prevent intrusion. Well, except for two-factor authentication.
The next biggest security threat is plugins and themes. All of this nice software for free sometimes comes at a price. WordPress has been good at preventing plugins from breaking websites. However, security is still another story. When it comes to finding malware or an entry point, it’s usually the plugin or theme. Each plugin can increase your risk.
Oddly enough, the best way to secure your site is with a plugin. There are two main security plugins I would use. I wouldn’t recommend using both of them, but rather picking one and sticking to it.
The second one is Sucuri. They are more general security experts, not just WordPress but websites in general. They even have a public scanner option. But like Wordfence, once you go through the options, your site will be a lot more difficult to get into.
Most of these plugins work on the server side. If you’re on public shared hosting, you’re likely using software called Apache to host websites. Apache usually has a local configuration file called “.htaccess” that configures core components of the site. It is processed even before your site starts to render.
I mention this because it’s a good thing to have a backup of it. The .htaccess file can make or break a website; a broken one usually results in 500 errors in the browser.
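One way to keep that backup, as an added example that is not part of the original post: shell functions that snapshot .htaccess only when it has changed (for instance after a security plugin rewrites it) and roll back to the newest snapshot. The function names, the backup directory and the snapshot file naming are assumptions made for illustration.

```bash
# Added example, not from the original post. Function names, the backup
# directory and the snapshot naming scheme are assumptions for illustration.
# Keep the backup directory outside the web root.

# Print the newest snapshot in backup dir $1; return 1 if there is none.
htaccess_latest() {
    local latest
    latest=$(ls -1 "$1"/htaccess.*.bak 2>/dev/null | sort | tail -n 1)
    [ -n "$latest" ] && printf '%s\n' "$latest"
}

# Snapshot $1/.htaccess into $2 unless it matches the newest snapshot.
# Prints "saved <path>" or "unchanged".
htaccess_backup() {
    local src="$1/.htaccess" dir="$2" latest count dest
    [ -f "$src" ] || { echo "no .htaccess in $1" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    if latest=$(htaccess_latest "$dir") && cmp -s "$src" "$latest"; then
        echo "unchanged"
        return 0
    fi
    # A sequence number keeps snapshots ordered even within one second.
    count=$(ls -1 "$dir"/htaccess.*.bak 2>/dev/null | wc -l)
    dest=$(printf '%s/htaccess.%04d.%s.bak' "$dir" "$((count + 1))" \
        "$(date +%Y%m%dT%H%M%S)")
    cp -p "$src" "$dest" && echo "saved $dest"
}

# Put the newest snapshot back after a bad edit (for example, the site now
# returns 500 errors). The broken file is kept in $2 for later inspection.
htaccess_restore() {
    local src="$1/.htaccess" dir="$2" latest
    latest=$(htaccess_latest "$dir") || { echo "no snapshot in $dir" >&2; return 1; }
    if [ -f "$src" ]; then cp -p "$src" "$dir/htaccess.broken" || return 1; fi
    cp -p "$latest" "$src" && echo "restored $latest"
}
```

Run `htaccess_backup <site_dir> <backup_dir>` before installing or reconfiguring a plugin, and `htaccess_restore` with the same arguments if the site breaks afterwards.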
What about the premium options?
You really don’t need them. The base level security is generally good enough for most people. I’ve never had a problem with it, provided you’re on good hosting.
What about hosting?
Hosting seems to be the main issue with security. I’ve had secure sites just fall apart with bad hosting. I’ve transferred the same sites to a good host, and it doesn’t have any more issues with security. Your hosting company will be the most important decision when creating a website. This is why I prefer to set up my own environment.
If you’re on an insecure hosting company, no amount of work on your part can ever fully secure your website.