WordPress Security

Website security is an important topic for all site owners. Tens of thousands of websites end up on a blacklist every day. Getting on a blacklist is a quick way to de-rank your site and your work. It’s a headache that can be avoided. With WordPress, it’s easy.
When it comes to WordPress security, security plugins do most of the work for you. If WordPress is kept up to date and you have configured the security plugin, you will have eliminated most of the security problems.
Staying on top of security is a full-time job: there are constantly new threats and solutions. Medieval warfare saw a similar tug of war between attacker and defender, with attackers getting better at sieges and defenders building better fortresses. The open nature of the web makes this happen quickly.
When it comes to security, I find it easier to think backward, or from the attacker’s point of view. Generally, most sites are not directly targeted by someone but are part of a general attack. WordPress is the most used website content management system; at the same time, it’s also the most secure. When done right, security is a minor concern.
The things in the image above can be done in any order. The takeaway is that this process can be stopped at any point. There’s no such thing as perfect security. That’s why we call it “harden”: make the website tougher and less likely to be broken into.

The main security concerns

The most common point of failure I’ve seen is bad users and passwords. With a bad user/pass, there’s no hardening that will prevent intrusion. Well, except for two-factor authentication.

The next biggest problem is a bad host. Your host will only put up some security. Shared hosts have to be open enough to support a lot of software, which is not the best solution for all websites. With hosting, it depends entirely on the quality of the system administrators and the people working on the systems. I don’t know of any hosting company that allows you to interview their system admins. What you can see is the quality of the support. A company that cuts corners will be cheap everywhere else.

The next biggest security threat is plugins and themes. All of this nice software for free sometimes comes at a price. WordPress has been good at preventing plugins from breaking websites. However, security is still another story. When it comes to finding malware or an entry point, it’s usually the plugin or theme. Each plugin can increase your risk.

Oddly enough, the best way to secure your site is with a plugin. There are two main security plugins I would use. I wouldn’t recommend using both of them; pick one and stick to it.

The first one is Wordfence. Wordfence is created by security experts who specialize in WordPress security. The plugin has an intelligent scanner and many common features to harden WordPress. After a few minutes of going through the options, your website will be more difficult to break into.

The second one is Sucuri. They are more general security experts, covering not just WordPress but websites in general. They even have a public scanner option. But like Wordfence, once you go through the options, your site will be a lot more difficult to get into.

Most of these plugins work on the server side of things. If you’re on public shared hosting, you’re likely using software called Apache to host websites. Apache usually has a local configuration file called “.htaccess” that configures core components of the site. This is something that runs even before your site starts to render.

I mention this because it’s a good thing to have a backup of it. The .htaccess file can make or break a website; a mistake in it usually results in 500 errors in the browser.
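
One way to keep that backup and undo a bad change, as an added example that is not part of the original post. The function names, the backup directory outside the web root and the health-check command are assumptions made for illustration.

```shell
# backup_htaccess DOCROOT BACKUP_DIR -> prints the path of the new backup copy.
# BACKUP_DIR should sit outside the web root so the copy is never served.
backup_htaccess() {
    local docroot="$1" backup_dir="$2" src backup
    src="$docroot/.htaccess"
    [ -f "$src" ] || { echo "no .htaccess in $docroot" >&2; return 1; }
    mkdir -p "$backup_dir" || return 1
    # mktemp gives a unique name and creates the file readable by its owner only.
    backup=$(mktemp "$backup_dir/htaccess.$(date +%Y%m%dT%H%M%S).XXXXXX") || return 1
    # Copy, then confirm the backup is byte-for-byte identical to the live file.
    if ! cp "$src" "$backup" || ! cmp -s "$src" "$backup"; then
        echo "backup of $src failed" >&2
        return 1
    fi
    printf '%s\n' "$backup"
}

# site_ok URL: succeeds unless the server is unreachable or answers with a 5xx.
site_ok() {
    local code
    code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "$1") || return 1
    [ "$code" -ge 200 ] && [ "$code" -lt 500 ]
}

# apply_htaccess DOCROOT NEW_FILE BACKUP_DIR CHECK_CMD [ARGS...]
# Backs up the live file, installs NEW_FILE, runs the check, and restores the
# backup if the check fails. Returns 0 on success, 2 after a rollback.
apply_htaccess() {
    local docroot="$1" new="$2" backup_dir="$3" backup
    shift 3
    backup=$(backup_htaccess "$docroot" "$backup_dir") || return 1
    cp "$new" "$docroot/.htaccess" || return 1
    if "$@"; then
        echo "applied; backup kept at $backup"
    else
        cp "$backup" "$docroot/.htaccess"
        echo "check failed; restored $backup" >&2
        return 2
    fi
}

# Example call (paths and URL are placeholders):
# apply_htaccess /var/www/html ./htaccess.new "$HOME/htaccess-backups" site_ok https://example.com/
```

Because the check runs immediately after the new file is installed, a rule that triggers a 500 error is rolled back before visitors see it for long.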

What about the premium options?

You really don’t need them. The base level security is generally good enough for most people. I’ve never had a problem with it, provided you’re on good hosting.

What about hosting?

Hosting seems to be the main issue with security. I’ve had secure sites just fall apart with bad hosting. I’ve transferred the same sites to a good host, and they don’t have any more issues with security. Your hosting company will be the most important decision when creating a website. This is why I prefer to set up my own environment.

If you’re with an insecure hosting company, no amount of work on your part can ever fully secure your website.