WordPress is a fantastic Content Management System (CMS) that allows for a highly flexible and functional website. As the most popular website system in the world, it is also a high-value target for hackers looking for sites to compromise.
Many of these security compromises aren’t in WordPress itself but in third-party plugins and themes, where the development process may not have the same level of scrutiny and security design as the WordPress core. This means that for every plugin and third-party theme you install, you must remain vigilant in order to keep your website secure.
Steps to keep your WordPress site secure
Use Managed WordPress hosting
Managed WordPress hosting is a step above normal web hosting, whereby the hosting provider takes care of the updates to WordPress for you. It’s also important to check whether they only update the core, or whether they also update themes and plugins (which is where the real risks are).
Or, manage your own updates
If your site isn’t big enough to justify the costs of a Managed WordPress plan, you will need to manage the updates yourself. The important fact to remember is that hackers don’t care about the size of your website. You have just as high a chance of compromise if you’re running a local bowls club website as you do if you’re running a large eCommerce platform. If your site is visible on the Internet, it’s always going to be a target.
We highly recommend the use of WordFence to assist with keeping your website secure. It features:
- A firewall service
- Malicious file scanner
- Brute force login blocking
- Secure password checks
- Optional two-factor authentication
- And more
We have a guide on installing and configuring WordFence available for you to follow.
Review your backups
Backups of your website are critical, especially when dealing with compromised websites. We strongly recommend that you take (and test) backups of your website regularly, and that you store them away from the website itself (e.g. Dropbox, S3 or other remote storage).
If you need to take a backup, we have a guide on creating a backup with Updraft Plus available.
Review all users
Often we find websites have been compromised through an account the business owner didn’t know still existed. It could be an old developer, or even multiple older developers, whose accounts were created but never removed.
These accounts can potentially be hijacked, especially where the developer’s business no longer exists and someone has grabbed their domain. That would allow the new domain owner to receive the password reset emails and log straight into your website with full administrator rights.
Remove unused plugins
Disabling a plugin isn’t sufficient to protect you against exploits that affect that plugin. As we’ve detailed in a previous blog post on disabled plugins, it’s still possible for the plugin files to be called directly and therefore exploited.
If a plugin is no longer required, you should delete it.
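The "Review all users" and "Remove unused plugins" checks above can be scripted with WP-CLI. The audit below is an added example, not code from the original article or from Wordfence; it assumes WP-CLI is installed as `wp` and is run from the site root, and it falls back to constructed sample data so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original article): audit a WordPress install
# for installed-but-inactive plugins, plugins with pending updates, and
# administrator accounts. Assumes WP-CLI is available as `wp`; when it is
# not, the constructed sample data below is used instead.

# Print names of plugins that are installed but inactive. Their files are
# still on disk and reachable, so they should be deleted if not needed.
inactive_plugins() {            # stdin: name,status,update,version CSV
    awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Print names of plugins for which WP-CLI reports an available update.
outdated_plugins() {            # stdin: name,status,update,version CSV
    awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Print logins of accounts holding the administrator role. The roles column
# may be a quoted, comma-separated list, so match on everything after login.
admin_users() {                 # stdin: user_login,roles CSV
    awk -F, 'NR > 1 { login = $1; sub(/^[^,]*,/, "")
                      if ($0 ~ /administrator/) print login }'
}

# Constructed sample output in the shape WP-CLI produces with --format=csv.
SAMPLE_PLUGINS='name,status,update,version
akismet,active,none,5.3
hello,inactive,none,1.7.2
old-gallery,inactive,available,2.0.1'
SAMPLE_USERS='user_login,roles
owner,administrator
olddev,administrator
editor1,editor'

if command -v wp >/dev/null 2>&1; then
    PLUGINS=$(wp plugin list --fields=name,status,update,version --format=csv)
    USERS=$(wp user list --fields=user_login,roles --format=csv)
else
    PLUGINS=$SAMPLE_PLUGINS
    USERS=$SAMPLE_USERS
fi

echo "Inactive plugins (delete if no longer needed):"
printf '%s\n' "$PLUGINS" | inactive_plugins
echo "Plugins with updates available:"
printf '%s\n' "$PLUGINS" | outdated_plugins
echo "Administrator accounts (confirm each one is still needed):"
printf '%s\n' "$USERS" | admin_users
```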
Check for Nulled plugins
If you’ve found a copy of a WordPress plugin that normally costs money available for free, chances are you’ve installed a nulled plugin. In most instances this means you’ve uploaded an already infected plugin, as the site giving away the “free” plugin is doing so in order to compromise websites.
We recommend reviewing all plugins in use to determine their origin. If a plugin is a paid plugin, you must only download it from the original developer and have a valid licence installed.
Ensure any compromises are cleaned correctly
If you’ve been unfortunate enough to have had a website compromised, there’s significant work required to ensure it’s secured again.
We have a guide on cleaning a compromised website; however, it is aimed at highly skilled developers. For most business owners and general WordPress users, we recommend engaging WordPress security professionals to ensure your site is cleaned correctly.