Is WordPress Safe?
It has probably crossed your mind, or at least I hope it has, whether WordPress is safe or, more particularly, whether your own website is safe. You may also be wondering whether choosing WordPress as your web-publishing application has exposed you to additional vulnerabilities compared with another platform. And what can you do to ensure your website is protected? I’ll answer those questions and more below.
We often hear about sites being attacked, passwords stolen, customers’ personal information leaked, credit card details leaked, and so on. With all this news comes a lot of fear. A simple Google search for WordPress security turns up millions of articles about WordPress being under attack or sites being hacked. I’m not saying these articles are wrong, but I want you to see the bigger picture. WordPress is the most popular web publishing application in the world and, as a result, it is the most obvious target for attackers: a single working exploit can be pointed at millions of sites. The web and its technology are constantly changing, and there will always be vulnerabilities, but WordPress is among the most secure applications on the web, and most successful attacks on WordPress sites go through outdated installs, poorly coded plugins and themes, or weak credentials rather than through flaws in current core code. There are several reasons why this is the case:
Open Source
One of the major reasons WordPress is secure, which at the outset seems almost contradictory, is that it is open source. The open-source model is what allowed WordPress to amass its large user base and community of contributors. The sheer number of experts and users working on the platform, writing code, auditing it for security holes and reporting issues, means there are a lot of eyes available to find and fix problems, and a fix can be reviewed by anyone rather than taken on faith. This open nature is WordPress’ biggest strength security-wise.
Quick Security Patches
WordPress is one of the most rapidly developed applications around. Releases that address security issues and other improvements come out continuously, so problems are patched soon after they are discovered. Security fixes typically ship as minor releases, and since WordPress 3.7 those minor releases install automatically in the background by default, so an unattended site still receives core security patches unless someone has disabled that behaviour. Plugins and themes are a different story: their fixes depend on their own authors, and installing them depends on you unless you turn on auto-updates for them.
How To Protect Yourself
While WordPress is about as secure as it can be out of the box, there are always things you can do to make it more secure. Beyond attacks, you also want to protect your website from accidental breakage and data loss. To reiterate, while WordPress is secure, there are certain actions you must take. For example, if you run an outdated WordPress version or outdated themes and plugins, you are putting yourself at risk even though those problems have already been discovered and fixed, and a published fix tells attackers exactly what to look for on sites that have not applied it. Our lack of proactiveness is the downfall, not the WordPress application itself. There are also many services that can help protect your site. Some are free, some cost a bit of money, but all of them are well worth the investment. I’ll outline a few that I recommend below.
1. ALWAYS Update
The first rule of thumb is to keep WordPress itself, as well as your themes and plugins, up to date. I know people are often hesitant to update because the last time they did, something on their site broke. That does happen occasionally, but you should stick to the rule and always update. It is far less of a headache to fix a small issue caused by an update than to figure out what to do after you have leaked customer credit card data. More often than not, updates run smoothly. In the rare case where a theme or plugin was not coded to WordPress standards, a WordPress update can conflict with it and take the site down completely. Don’t let that scare you; it is more dangerous to leave your WordPress site un-updated. If it happens, something wasn’t coded properly, you get it fixed, and you end up with better standardized code that will withstand future updates anyway. You can’t avoid the inevitable fix; you can only choose whether it happens on your schedule or an attacker’s. Two habits make updating painless: take a backup right before you update so a broken site can be rolled back in minutes, and if the site matters to your business, apply the update on a staging copy first.
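A small script that turns this rule into a check you can schedule, added here as an example; it is not code from the article, from WordPress or from WP-CLI. It wraps three real WP-CLI commands (`wp core check-update`, `wp plugin list --update=available`, `wp theme list --update=available`) and parses their JSON output, exiting non-zero when anything is stale so a cron job or monitoring system will nag you. The install path, the sample JSON and the function names are my assumptions.

```python
"""Fail loudly when a WordPress install has pending core, plugin or theme updates.

Added example: not code from the original article, WordPress or WP-CLI. It wraps
three real WP-CLI commands and parses their --format=json output:
    wp core check-update --format=json
    wp plugin list --update=available --format=json
    wp theme list --update=available --format=json
check_pending() is a pure function so it can be run offline against the
constructed sample output below; main() is what you would schedule on a live site.
"""
import json
import subprocess
import sys

WP_PATH = "/var/www/html"  # assumed install location; adjust for your host

# Constructed sample output in the shape WP-CLI emits (not captured from a real site).
SAMPLE_CORE = (
    '[{"version":"6.4.3","update_type":"minor",'
    '"package_url":"https://downloads.wordpress.org/release/wordpress-6.4.3.zip"}]'
)
SAMPLE_PLUGINS = (
    '[{"name":"akismet","status":"active","update":"available","version":"5.2"},'
    '{"name":"jetpack","status":"inactive","update":"available","version":"12.9"}]'
)
SAMPLE_THEMES = "[]"
# What `wp core check-update` prints instead of JSON when core is current.
UP_TO_DATE = "Success: WordPress is at the latest version."


def parse_list(raw):
    """WP-CLI prints a JSON array, or a plain 'Success: ...' line when there is nothing to report."""
    raw = raw.strip()
    return json.loads(raw) if raw.startswith("[") else []


def check_pending(core_json, plugins_json, themes_json):
    """Summarise pending updates; every list empty means the site is current."""
    return {
        "core": [c["version"] for c in parse_list(core_json)],
        "plugins": sorted(p["name"] for p in parse_list(plugins_json)),
        "themes": sorted(t["name"] for t in parse_list(themes_json)),
    }


def has_pending(report):
    """True when any component has an update waiting."""
    return any(report.values())


def run_wp(*args):
    """Run one WP-CLI command against WP_PATH and return its stdout."""
    cmd = ["wp", *args, f"--path={WP_PATH}", "--format=json"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def main():
    report = check_pending(
        run_wp("core", "check-update"),
        run_wp("plugin", "list", "--update=available"),
        run_wp("theme", "list", "--update=available"),
    )
    print(json.dumps(report, indent=2))
    # A non-zero exit makes cron mail you, or a monitoring job alert, when anything is stale.
    sys.exit(1 if has_pending(report) else 0)


if __name__ == "__main__":
    main()
```

Run it from cron as the web server user so WP-CLI can read wp-config.php. If a misbehaving plugin makes WP-CLI itself fall over, the real WP-CLI flags `--skip-plugins` and `--skip-themes` let the check run without loading them, and `wp core verify-checksums` is worth adding to the same job to catch core files that have been modified in place.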
2. Use a CDN to Filter Malicious Attacks
Using a Content Delivery Network (CDN) can help you filter malicious traffic, with the added benefit of making your site faster because it caches your content. When people visit your site, they are not necessarily getting content from your server; they are getting it from the CDN’s servers, which sit between your server and the browsers requesting your site. Because of that position, a CDN such as Cloudflare can block malicious traffic for you: if a certain computer, or a block of computers, starts hammering your site with requests, it will rate-limit or block them automatically so your site doesn’t go down under the attack. The second benefit, speed, comes from the caching. A burst of traffic that would quickly overload your server is mostly served from the CDN’s cache instead. I recommend something like Cloudflare as it has a free tier and is easy to set up. Two caveats: the CDN only protects traffic that actually passes through it, so your origin server should refuse connections that do not come from the CDN’s address ranges, or an attacker who learns your origin IP simply goes around it; and once the CDN is in front, your server logs show the CDN’s addresses as the client, so any rate-limiting or blocking you do on the server itself must use the real client IP that the CDN passes in a request header (Cloudflare uses CF-Connecting-IP).
3. Back Up Your Site
Regardless of whether your site gets attacked, it is a good idea to have proper backups for your WordPress site. Sometimes things go wrong and you lose content, and after a compromise a clean backup from before the break-in is often the fastest route to recovery. Even if your hosting provider claims to have proper backups, those backups may be two weeks or two months old, and they usually live on the same infrastructure as the site. A service I recommend is VaultPress. It runs scheduled backups and security scans, stores the copies off your server, and lets you restore your site with one click. Whatever you use, test a restore once in a while; a backup you have never restored is a guess, not a plan.
4. Block Spam Comments
You may have seen this one, as Akismet is one of the plugins pre-installed with WordPress. It scans every comment that comes into your site and checks whether it is spam, and it is very good at its job: on average it catches roughly 98 to 99.9% of the spam comments a site receives. Flagged comments go into the spam folder, where you can review them, and spam older than 15 days is deleted automatically. Akismet is free for personal, non-commercial sites; commercial sites need a paid plan.
5. Limit Login Attempts
This helps you protect against brute-force attacks, where an attacker tries thousands of username and password combinations against your login page. You can use the Limit Login Attempts plugin, or just use the Jetpack plugin, whose Protect module does the same job and additionally blocks IP addresses already seen attacking other Jetpack-connected sites. Jetpack is pretty much everything you need bundled into one solution. Whichever you pick, if your site sits behind a CDN make sure the plugin counts attempts by the real client IP rather than the CDN’s address, or a lockout will hit every visitor coming through that edge.
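The logic behind a login limiter, and the real-client-IP caveat raised under the CDN section above, as an added example: this is not code from the article, from WordPress, from Cloudflare, or from the Limit Login Attempts or Jetpack plugins. It runs a per-IP sliding-window lockout over constructed web-server log lines. The one WordPress fact it relies on is real: a failed POST to wp-login.php re-renders the form with HTTP 200, while a successful login answers 302. The log format (combined format plus the CF-Connecting-IP header value appended), the sample traffic, the thresholds and the function names are my assumptions.

```python
"""Per-IP lockout for failed WordPress logins, run over sample web-server log lines.

Added example: not code from the original article, WordPress, Cloudflare, or the
Limit Login Attempts / Jetpack plugins. Detection relies on one real WordPress
behaviour: a failed POST to wp-login.php re-renders the form with HTTP 200, while
a successful login answers with a 302 redirect.

Assumed log format (constructed for this example): the common "combined" format
with one extra field appended, the value of the CF-Connecting-IP request header
that Cloudflare sets, written as "-" when the request did not come via the CDN.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample traffic (documentation address ranges, not real clients).
# 203.0.113.10 plays the CDN edge: two different real clients arrive through it.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0" 198.51.100.7
203.0.113.10 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0" 198.51.100.7
203.0.113.10 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0" 198.51.100.7
203.0.113.10 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0" 198.51.100.7
203.0.113.10 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0" 198.51.100.7
203.0.113.10 - - [10/Mar/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0" 198.51.100.7
203.0.113.10 - - [10/Mar/2024:12:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0" 192.0.2.44
203.0.113.10 - - [10/Mar/2024:12:00:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" 192.0.2.44
192.0.2.99 - - [10/Mar/2024:12:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0" -
192.0.2.99 - - [10/Mar/2024:12:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0" -
192.0.2.99 - - [10/Mar/2024:13:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0" -
"""

LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" (?P<cf_ip>\S+)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(minutes=10)  # failures are counted within this sliding window
MAX_FAILURES = 5                # the sixth failure inside WINDOW triggers a lockout


def client_ip(m, trust_cdn_header):
    """The real client: the CDN-supplied header when present and trusted, else the TCP peer."""
    cf_ip = m.group("cf_ip")
    if trust_cdn_header and cf_ip != "-":
        return cf_ip
    return m.group("peer")


def locked_out_clients(log_text, trust_cdn_header=True):
    """Return {client_ip: time_of_lockout} for clients exceeding MAX_FAILURES within WINDOW.

    A successful login (302) resets that client's failure counter.
    """
    failures = defaultdict(deque)
    locked = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        ip = client_ip(m, trust_cdn_header)
        if ip in locked:
            continue  # already blocked; a live deployment would reject the request here
        if m.group("method") != "POST" or m.group("path").split("?")[0] != "/wp-login.php":
            continue  # only login submissions count
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        window = failures[ip]
        if m.group("status") == "302":
            window.clear()  # successful login wipes the slate
            continue
        if m.group("status") != "200":
            continue  # 4xx/5xx and friends are not failed logins
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()  # forget failures older than the window
        if len(window) > MAX_FAILURES:
            locked[ip] = ts
    return locked


if __name__ == "__main__":
    print("keyed on real client IP:", locked_out_clients(SAMPLE_LOG))
    print("keyed on TCP peer only :", locked_out_clients(SAMPLE_LOG, trust_cdn_header=False))
```

Keyed on the real client IP, only 198.51.100.7 is locked out; 192.0.2.44 fails once and then logs in, and 192.0.2.99’s two failures are an hour apart so the window never fills. Keyed on the TCP peer instead, the CDN edge 203.0.113.10 gets locked out after the attacker’s sixth guess and the legitimate user behind the same edge is blocked along with them, which is exactly the misconfiguration the caveat warns about. Only trust the forwarded header when the request really came from the CDN’s address ranges; anyone connecting to the origin directly can set it to whatever they like.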
6. Use a Secure Username and Password
I think this is a given, but you would be surprised how many people still use extremely weak passwords and then wonder how an attacker got in. A brute-force attack is exactly what it sounds like: the attacker “forces” their way in by trial and error, using automated tools that submit thousands of username and password guesses to your login page, starting with the most common passwords and with credentials leaked from other sites. (An attacker who has already stolen a copy of your database runs the same guessing offline against the stored password hashes, which is why WordPress salts and hashes passwords rather than storing them in readable form.) The harder your password is to guess, the less likely those tools succeed, so use a long, unique password for every administrator account, ideally generated and stored by a password manager. And avoid the default “admin” username; it is the first one tried in almost every brute-force attempt, so a non-obvious username makes the attacker guess both halves of the credential instead of handing them one.
Taking these security measures is quite simple with the help of automatic updates and a few security plugins. It also buys you peace of mind, and I truly believe it takes less time to be proactive than to fix the issue after it arises. Keep your website secure, understand that WordPress is safe, but know how it works, what security measures you must take yourself, and how you can further enhance its security. Sometimes security holes are introduced by poorly coded themes and plugins. Make sure you use themes and plugins that you trust, that have good reviews, and that receive regular updates. I find that professionally developed themes and plugins, while they sometimes come with a small price tag, are fully worth the investment, because there is usually a team of experienced developers keeping up with WordPress releases for you, so you stay current with the security fixes. You also have the peace of mind that the code has been tested and won’t break on you. Lastly, if support is included or you purchase it, you can get your questions answered. As a business owner, or anyone who values their time, I think the decision is a no-brainer.
But again, it is up to you to understand the tools available and how they can help you. I’ve outlined the ones I recommend at the moment, but new plugins and themes are constantly being developed. The best approach is to learn how to properly evaluate a theme or plugin before you install it: look at the rating and read the reviews on WordPress.org, check when it was last updated and which WordPress version it is tested up to, look at the experience the developer or team has with WordPress, check whether support is provided in case an issue does occur, and always back up your site.