How To Keep Your WordPress Website Secure
April 13th 2015
No matter what your website needs, WordPress provides an attractive and easy-to-use option for building it. There are many things to keep in mind when starting a WordPress site, and security should top the list. Many solutions exist to help keep your site secure. Some are easily implemented; others take a bit more work. SilverServers would like to cover some of the simple tips for how to keep your site secure and as protected against hackers and malicious code as possible.
One of the biggest sources of security problems for WordPress, if not the biggest, is the multitude of plugins available on the web. Plugins can enrich your site, add features, and provide many ways for you to control how your website is presented. Some of them make management easier, some of them add visual flair. It can be demanding and frustrating to search through all the available plugins to find one that will solve your problem, but research and comparison can be worth their weight in gold.
Here are a few simple guidelines to help protect your site when using plugins:
Only use plugins from long-standing trusted sources
Check the developer's history and read as much information from other users as you can. Very often, even upstanding, widely used plugins like MailPoet or Slider Revolution can be compromised long after they are widely used. Anytime a plugin has an update, the update can contain new malicious code used to get past your site's basic security. This is a recurring theme throughout the WordPress community, with the above-mentioned plugins being great examples of once-secure plugins being hijacked for nefarious purposes. (MailPoet: http://www.pcworld.com/article/2458080/thousands-of-sites-compromised-through-wordpress-plugin-vulnerability.html, Slider Revolution: http://www.fudzilla.com/36560-thousands-of-wordpress-sites-infected).
Audit Before Hitting Update
Before using or updating a plugin, have a security expert do an audit of the code. While time-consuming and possibly expensive, this could be the only place you can catch a malicious piece of code in an otherwise trustworthy update. WordPress requires constant updates to function properly, both core code and any plugins you use. Hackers and other shady characters ride the coattails of this culture, knowing that knowledgeable WordPress users keep on top of their updates. Without security experience and direct viewing of the code you are using, there is no way to know that the update you are downloading is free of problems.
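As a first pass for the audit described above, the following added example (not SilverServers' code) compares the installed copy of a plugin with the unpacked update and lists risky PHP calls that appear only in the update. The list of calls, the function names and the "gallery" plugin files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic list (an assumption of this example, not from the article): PHP
# calls that deserve a human look when they newly appear in an update.
RISKY = re.compile(r"\b(eval|assert|create_function|base64_decode|gzinflate|"
                   r"system|exec|shell_exec|passthru|proc_open|popen)\s*\(")

def php_files(root):
    """Map relative path -> source text for every .php file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*.php")}

def risky_lines(text):
    """Return the set of stripped lines that contain a risky call."""
    return {ln.strip() for ln in text.splitlines() if RISKY.search(ln)}

def review_update(installed_dir, update_dir):
    """List risky lines that the update adds relative to the installed copy."""
    old, new = php_files(installed_dir), php_files(update_dir)
    findings = []
    for rel in sorted(new):
        status = "changed" if rel in old else "new file"
        added = risky_lines(new[rel]) - risky_lines(old.get(rel, ""))
        findings += [(rel, status, line) for line in sorted(added)]
    return findings

def demo():
    """Review two constructed versions of a hypothetical 'gallery' plugin."""
    with tempfile.TemporaryDirectory() as tmp:
        v1, v2 = Path(tmp, "gallery-1.0"), Path(tmp, "gallery-1.1")
        for d in (v1, v2):
            (d / "inc").mkdir(parents=True)
            # Unchanged in both versions: already-known calls are not re-flagged.
            (d / "inc" / "zip.php").write_text("<?php\nexec('zip -r out.zip .');\n")
        (v1 / "gallery.php").write_text("<?php\necho esc_html($title);\n")
        (v2 / "gallery.php").write_text(
            "<?php\necho esc_html($title);\neval(base64_decode($blob));\n")
        (v2 / "inc" / "cache.php").write_text("<?php\n$x = gzinflate($raw);\n")
        return review_update(v1, v2)

if __name__ == "__main__":
    for rel, status, line in demo():
        print(f"{rel} [{status}]: {line}")
```

The output only tells the reviewer where to look first; an update that comes back clean still needs the manual read the article recommends, since a line-based pattern match will not catch obfuscated or logic-level changes.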
Keep Your Website Login-Free, if possible
Any plugins that manage a user login system are targeted substantially more than plugins that simply manage photo galleries and the like. As of October last year, sites with user login/management plugins suffered 59% of all directed attacks, also representing 63% of all SQL injection attacks. The more numbers we find, the more obvious it is that WordPress user login plugins are the largest target for would-be WordPress hackers (http://www.itproportal.com/2014/10/10/why-wordpress-is-hacked-more-than-all-its-competitors-combined).
Avoid 3rd-Party Plugins
The only way to be sure that your site is safe from possibly dangerous WordPress plugins is to only use official plugins from WordPress. While these plugins are still open-source and can have their existing security holes exposed, they at least have their code supported by WordPress staff and developers. If a third-party plugin becomes compromised, there often is no recourse and no solution other than to remove the plugin and (hopefully) revert to a previously clean version of your site (you are backing up, right?). Official WordPress plugins do offer more support and defense against harmful outcomes.
In short, WordPress security is a growing whirlpool of information and is an integral part of starting/running a WordPress site. Doing your research, making good choices, and keeping on top of your site's security situation will go a long way to helping your WordPress site stay up and running.