WordPress is famous for its 5-minute install. You can host WordPress yourself or choose from numerous WordPress hosting providers who will give you a fully working starting point in minutes. This is tremendous for techies and non-techies alike. But now that you have a website, how do you keep it safe?
Start With a Good Foundation
Currently, there are over 36,000 plugins and 2,000 themes available through wordpress.org, not to mention all the premium providers out there. How do you know what’s a worthwhile investment and what’s not? Some evaluation criteria that we use here at Pixo for selecting plugins include:
- Number of downloads. Have a lot of people used this plugin or are you a pioneer?
- How many support requests are open. Is the plugin buggy or hard to use?
- How quickly the plugin authors respond to and resolve issues. The internet does not stand still, and neither should your website. If the plugin is not keeping up with the times, or at the very least striving to get better at what it does, it will hold you back.
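The three criteria above can be checked mechanically. The following is an added example, not Pixo's own tooling: it assumes plugin records shaped like the wordpress.org plugin information API response (`active_installs`, `support_threads`, `support_threads_resolved`, `last_updated`). The thresholds, the `vet_plugin` name and the sample records are constructed for illustration.

```python
from datetime import date

# Thresholds are assumptions for illustration; tune them to your own risk appetite.
MIN_ACTIVE_INSTALLS = 10_000
MIN_RESOLVED_RATIO = 0.5
MAX_DAYS_SINCE_UPDATE = 365


def vet_plugin(info, today):
    """Return a list of concerns for one plugin record (empty list = passes)."""
    concerns = []

    # Criterion 1: adoption. Few installs means few eyes on the code.
    installs = info.get("active_installs", 0)
    if installs < MIN_ACTIVE_INSTALLS:
        concerns.append(f"low adoption: {installs} active installs")

    # Criterion 2: open support requests relative to how many get resolved.
    threads = info.get("support_threads", 0)
    resolved = info.get("support_threads_resolved", 0)
    if threads and resolved / threads < MIN_RESOLVED_RATIO:
        concerns.append(f"support backlog: {resolved}/{threads} threads resolved")

    # Criterion 3: is the author keeping up? Use the date part of last_updated.
    last = info.get("last_updated", "")
    try:
        age = (today - date.fromisoformat(last.split()[0])).days
    except (ValueError, IndexError):
        concerns.append("no parseable last_updated date")
    else:
        if age > MAX_DAYS_SINCE_UPDATE:
            concerns.append(f"stale: last updated {age} days ago")
    return concerns


# Constructed sample records, not real plugins.
SAMPLES = [
    {"slug": "example-maintained", "active_installs": 200_000,
     "support_threads": 40, "support_threads_resolved": 35,
     "last_updated": "2015-05-20 3:42pm GMT"},
    {"slug": "example-abandoned", "active_installs": 800,
     "support_threads": 12, "support_threads_resolved": 1,
     "last_updated": "2012-11-02 9:10am GMT"},
]

if __name__ == "__main__":
    for plugin in SAMPLES:
        issues = vet_plugin(plugin, today=date(2015, 6, 1))
        print(plugin["slug"], "->", issues or "no concerns")
```

A plugin that trips any of these checks is not automatically unsafe, but it deserves a closer look before it goes onto a production site.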
Keep Everything Up to Date
Once you have your themes and plugins selected, it is important to keep them up to date. WordPress makes it easy to see what needs updating from within your site’s dashboard.
At a minimum, you should regularly log into your site to review and perform updates. The more plugins you have, the more frequently you should check for updates. (It never hurts to back up your site before applying updates. More on this later.) A lot of these updates will be minor improvements to these plugins and themes, but occasionally there will be security updates.
At Pixo our goal is to apply all security updates within one business day. Even if your goal is to log in and apply updates weekly, put it on your schedule and don’t skip it.
WordPress releases major versions of its platform roughly every 3-4 months, and it is not uncommon for them to release at least one security or maintenance update in between each major version. Additionally, with tens of thousands of plugins out there, updates become available on a daily basis. Many of our clients utilize a dozen or more plugins, and we frequently find our clients having to update their site at least once a week. Pixo uses several different sources to stay informed on the latest WordPress news.
WordPress.org does a great job of putting out releases for new versions of their platform. They post their release announcements through Twitter and Facebook, and they include security update notices too.
Another good WordPress security news source is Wordfence. They put out excellent security-related articles regarding plugins that have known, published vulnerabilities. You can subscribe to their blog posts by following them on Twitter @wordfence to stay informed on their latest security news. Everyone is bound to have a security issue at some point. The big question is how they handle and respond to it.
Most widely used plugins will have a blog or news feed you can subscribe to. The good ones will even talk about their security issues openly and transparently. For example, SEO plugin provider Yoast recently discussed two back-to-back security releases and their goals for managing threats.
Plugins For The Win
Wordfence also makes a stellar plugin that helps you manage your site. One of its many features is to scan your site for available updates to WordPress or your plugins. It will then send you an email notification when it finds them. In the free version, Wordfence will scan your site once a day with no option to control the schedule. The premium version gives you control over when scans are run.
Wordfence is by no means the only player in the WordPress security landscape. Sucuri is another excellent option. Just remember that whatever plugin you pick, make sure you do your research.
Pick Strong Passwords
While not specific to WordPress, this point is important enough to bear repeating as often as possible. Your site is only as secure as its weakest password. Here are a few guidelines for selecting a strong password, although this is certainly not an exhaustive list:
- Do not use names, pets, or any other personal information easily findable on the web. It should be hard to guess, even by someone who knows you well.
- Use a mix of letters, numbers, and symbols. The more random, the better.
- Longer passwords are better. This means more combinations for an intruder to try.
Here is a more in-depth article discussing what makes passwords weak and strategies for picking strong passwords. For some examples of what not to do, check out these lists of most commonly used passwords published in 2014 and 2013, compiled from publicly available security breaches. Is your password in this list? If so, change it right away.
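To make the guidelines concrete, here is an added example (not part of WordPress or Wordfence) that audits a candidate password against them. The short common-password set is a constructed stand-in for a published list, the 12-character minimum is an assumed policy value, and `audit_password` is a hypothetical name.

```python
import math
import string

# Constructed stand-in for a published common-password list; load a real one in practice.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "12345678"}
MIN_LENGTH = 12  # assumed policy value, not taken from the article

# Character pools an attacker has to cover when guessing.
POOLS = [string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation]
KINDS = {"letters": string.ascii_letters, "numbers": string.digits,
         "symbols": string.punctuation}


def audit_password(password, personal_terms=()):
    """Return (problems, upper_bound_bits) for a candidate password."""
    problems = []
    lowered = password.lower()

    if lowered in COMMON_PASSWORDS:
        problems.append("appears in a common-password list")

    # Guideline 1: no names, pets or other personal information.
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")

    # Guideline 2: a mix of letters, numbers and symbols.
    for kind, chars in KINDS.items():
        if not any(c in chars for c in password):
            problems.append(f"no {kind}")

    # Guideline 3: longer is better.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Search space is pool_size ** length. This is an upper bound that only
    # holds when every character was picked at random, as a manager does.
    pool = sum(len(p) for p in POOLS if any(c in p for c in password))
    bits = len(password) * math.log2(pool) if pool else 0.0
    return problems, round(bits, 1)


if __name__ == "__main__":
    for pw, terms in [("password", ()), ("Rex2015!", ("Rex",))]:
        print(pw, audit_password(pw, terms))
```

The bit count overstates the strength of anything a person made up, which is why the list and personal-term checks come first.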
WordPress offers a basic password checker in the user profile screen to give you feedback on the strength of your password. Building on top of that, the Wordfence plugin has several options to make your admins use strong passwords, lock user records after some number of failed attempts, and make it harder for the bad guys to guess your user records.
If your password is so complicated that you need to write it down on a sticky note at your desk, then consider using a password manager. (Let’s face it, you will never memorize 7j2j7!9Y^&D*#u@bEj7aM#WB^WrX%YAnPE#. I know I won’t.) Most browsers these days offer some level of password management. If you choose this route, make sure you also have the ability to secure your device. An even better option is to use a secure password manager like LastPass or 1Password. Both offer random password generation in addition to securely managing your accounts. Remember, passwords are the keys to your digital house. Keep them safe.
Backup, Backup, Backup
Even if you take measures to safeguard yourself and your site, there is still the chance your site could be compromised or lost. I find it helpful to think of this situation like you would a natural disaster. The chances of you being impacted by a tornado, flood, or other natural disaster may be low, but being prepared for it will allow you to get back on your feet in less time than if you didn’t have a contingency plan in place. Similarly, with your website it’s important to take regular backups of your database and content and be familiar with how to restore this information. This will help you get back online quickly after a disaster, be it a system failure or malicious intrusion.
WordPress offers very basic functionality for making an export of your site. However, it only covers your site’s content. There are plugins like WP-DBManager and Backup Buddy that offer a lot more sophistication in managing your database. This includes control over managing your backups, restoring your site from a backup, and optimizing your database.
Some hosting providers offer database and content backup as one of the services they provide, which means you can manage it through your hosting control panel rather than through WordPress. This can be a nice option if you are not comfortable managing backups and restoration yourself.
There are many facets to securing a WordPress site. It can seem daunting to take on security when you are just starting out. However, with a little bit of effort sustained over time, it can become a manageable process. If you ever wonder about how secure your site is, you can always contact Pixo for a security audit.