WordPress Security: The Bare Essentials

WordPress is the most widely used content management system (CMS) in the world by a wide margin. Its user-friendly interface and cutting edge features, combined with its massive developer and support community make it second to none. Due to this popularity and ubiquity, however, it’s also no surprise WordPress is the most targeted website platform for hackers, spam bots and people who just want to do harm. From data theft, to malicious code injection to spam comments, there’s a variety of ways a site can become severely compromised.

Here at Glantz Design, we’ve made a name for ourselves with our custom WordPress development over the past several years. Our happy client list can attest to it. Along the way, however, we’ve experienced more than our fair share of website security issues and had to adapt at a moment’s notice. We’ve learned a lot, and while we could share a comprehensive list of technical advice, we do understand for some companies and organizations it’s not always possible to find the proper resources to monitor and maintain their website around the clock. You’ve got things to do and places to be, and for this reason, we’d like to share our list of the absolute basic things you need to do to keep your WordPress site secure and functional.

Here are the bare essentials:

Backup Regularly!

The single most important step before doing any maintenance work on your website is to ensure a backup system is in place should you need to restore a previous working version. Backups can be made through your web host or through the use of plugins. They can also be scheduled to run automatically in regular intervals. Our general recommendation is to backup website files at least once a week and the database daily while retaining the 10 most recent backups of each. The following are backup plugins we recommend:

• Updraft Plus
• BackWPUp

The free versions of these plugins should suffice, but you may find some additional features useful in the paid premium versions.

Hosting

The first point of entry for any sort of website traffic is at the server level. If your web host doesn’t have the latest server configurations, software versions in place or follow industry best practices, your website is at a higher risk for attack.

WP Engine Hosting

One of the most secure and highly touted WordPress hosting companies available is WP Engine. Among the many great benefits it offers:

• Purely WordPress-focused hosting with a very simple, intuitive back end.
• Easily create backup restore points, staging sites and cloned website instances with a few simple clicks.

Most importantly, WP Engine implements high security measures including but not limited to:

• Scanning: Provided by Sucuri
• Disk write protection: Disk writing process is limited
• Disallowed plugins: Website scans for and disables vulnerable plugins.
• Script protection: Website is scanned and vulnerable scripts are disallowed or replaced with updated versions.
• Guarantee: If your website gets hacked while on their servers, they will fix it for free.

We’ve worked with tons of hosts and we host sites and many locations. We have come to know the difference between good, and great. That difference is a peace of mind about the security of your site.

Learn more about WP Engine

Other hosting recommendations include: Pagely & Pantheon
Another helpful article from WPMayor

Plugins

All in One WP Security

All in One WP Security is one of the most popular security plugins with close to 1 million downloads and a five-star rating at the time of this writing. It comes with an impressive suite of features that addresses almost every security concern imaginable. Some highlights include:

• Brute force login prevention: Hide your admin page URL from hackers and spam bots by renaming it.
• Firewalls: Creates several security rules to watch for and block unauthorized access.
• Database table prefix renaming: This feature allows you to customize the WordPress database table prefix to something other than the default “wp_”.
• Login lockout: Set the number of times an IP address can attempt to login before it gets locked out. You also have the ability to set the lockout duration among other settings.
• File permissions: If any files or folders are detected to be insecure, you have the option to set them to the recommended security level directly within the plugin settings rather than on the server. (Note: If you’re using WP Engine as the web host, they automatically takes care of file permissions, so make sure not to use this plugin option.)
• File change scanner: An email notification is sent any time a suspicious code change is detected.
• Blacklist / Whitelist IPs: Add IP addresses to be permanently blocked or permanently accepted.

This is just a small list of features available. Learn more about All in One WP Security.

Theme Checker

Often times hackers attempt to gain entry to your website by exploiting security holes within the WordPress theme. This plugin stays on top of the latest theme review standards and scans for script vulnerabilities. A full report of errors and recommendations is provided.
Learn more about Theme Checker.

Monitoring

The latest WordPress vulnerabilities

Stay up to date with the latest security threats by visiting the following informative websites on a regular basis.

• Sucuri Blog
• WPScan Vulnerability Database

Website malware scanner

Although it’s not guaranteed to be 100% accurate, the Sucuri Malware and Security scanner is one of the best free scanning tools on the internet. The scanner searches for:

• Malware
• Website blacklisting
• Injected spam
• Defacements
• Missing firewall
• Vulnerable software

Scan your website here.

Strong Authentication

With the multitude of ways to infiltrate a website and the advancement of hackers and bots, it’s increasingly important to create complex passwords that are impossible to guess. However, if you prefer to stick with a simple password, and worse yet, use it across multiple accounts, then you might as well give away all your private information!
Save yourself the potential headache, lost hours and revenue by using a random password generator. Choose among the many on the internet such as Norton’s Password Generator.

Tips for a strong password:

• Choose at least 16 characters
• Create a mixture of upper and lower case letters, numbers and punctuation

Also consider two-factor authentication.
*Side note: Be sure to keep a separate, organized list for all of these passwords.*

Secure Public Access

For people who travel frequently or don’t work from the office, it’s extremely easy nowadays to find internet access through free Wi-Fi hotspots. Need to make a WordPress update but you’re on the road? Well just find a nearby coffee shop and connect to their hotspot, easy.
But here’s the problem. Whenever you log into an unsecured (not https) site from a public hotspot or any other non-password protected network, you’re exposing your login credentials and other sensitive data to whoever else is on the network. This could mean opening up your personal information, bank details or client information. Don’t risk it. Use a Virtual Private Network (VPN) to encrypt your data and essentially hide yourself from these sneaky thieves.

Here’s a list of the most reputable VPN software on the market today.
(VPNs featured in article: www.getcloak.com, www.tunnelbear.com, https://www.privateinternetaccess.com )

Conclusion

Your website’s security is a serious matter. We at Glantz take every measure possible to ensure that the sites we maintain are protected and kept up to date. If you have any questions, comments, or would just like to further the discussion, feel free to reach out to us here. Hopefully, some of these tips have helped clarify the importance of WordPress maintenance and security.
Want more info? Check out this Guide to WordPress Security blog as well!