WordPress Security

Why WordPress Security is Important and 6 Ways to Improve It

WordPress is a great Content Management System (CMS) and has become very popular for general website development because of its extensive plugin library, its free license, and its easy-to-use interface. However, WordPress has long been a popular target for hackers due to plugin vulnerabilities, its open-source code base, and frequent lack of management oversight. If your site isn’t managed and there isn’t sufficient security in place, the odds of being hacked go up significantly, which could result in stolen data, site vandalism, and embarrassment for your organization. Without preventive measures, hackers can easily take control of a WordPress website through vulnerabilities in the CMS or plugin software, or by cracking administrative logins. Additionally, hackers can overwhelm a website by repeatedly accessing parts of it, which is known as a denial-of-service attack.

Here are some simple ways to improve WordPress security.

1. Update the WordPress core software and plugins regularly and often

WordPress makes it easy to update most plugins with the click of a button. Since plugins occasionally have compatibility problems and some plugins reach end-of-life without telling you, it’s wise to update plugins on a regular schedule. Vulnerabilities are discovered and revealed to the WordPress community all the time, so keeping plugins up-to-date helps keep your site secure.

2. Hide the administrator login page

Hackers and bots target the WordPress administrator login page, which comes with a default URL out of the box. Not only do they try multiple usernames and passwords to log in, but the attempts alone can use so much processor power that they exhaust the resources allowed by your hosting plan and take the website down for periods of time. You can use a special plugin to hide the administrator login page, thereby reducing the risk and frequency of automated attacks.

3. Use a software firewall

A software firewall puts limits on what kinds of traffic can access your website from where and how often. Managed WordPress hosting packages may include a type of firewall, but budget hosting typically does not. Not all WordPress websites necessarily need firewalls, but the more popular or more full-featured the website is, the more important it is to have a firewall to limit the attack vectors. iThemes Security and Wordfence are two popular software firewalls.

4. Use a captcha for forms

Captchas usually require you to type the characters shown on the screen or click certain photos in order to log in. While slightly annoying to humans, they put obstacles in the way of automated hacking software and spam bots.

5. Use two-factor authentication

Two-factor authentication requires you to enter a code from email, text, or an authenticator app in order to log in, in addition to your normal username and password. This is highly recommended, as it not only provides a bigger obstacle for hackers, but also greatly decreases the odds that someone is lurking in your account without you knowing it.

6. Back up your WordPress site regularly

It’s wise to plan a regular backup, which includes an offsite copy in case the host is compromised. A backup not only allows you to revert to a previous version of your website if there is a problem, but it also gives you a clean version of your website to compare the hacked version against, and is often the fastest way to get your website functional again. We typically recommend a monthly backup routine, but it makes sense to back up more often if content is updated frequently, and before and after a major update to your website. Managed WordPress hosting packages may include automated backups, but budget hosting may not.

Additional measures are available

As a site grows in popularity or adds e-commerce functionality, it’s a good idea to consider more sophisticated measures to improve website security and mitigate risk to your organization. Upgrading to a more suitable hosting subscription or specialized provider will probably be needed at some point. There are hosting providers specialized in e-commerce, for example. We recommend managed WordPress hosting, which usually includes a type of firewall and automated backups. Installing security plugins still makes sense, however, along with testing and vetting any new plugins before widespread deployment. Doing background research on plugin developers takes time, but is usually worth it. If in doubt, hiring a technical consultant or managed service provider to help you manage your site often makes sense.

Have questions? Crown Point Solutions staff are available to answer your WordPress security questions. Feel free to contact us for additional information.
