WordPress is the most powerful and most widely used content management system (CMS) in the world today. It currently has roughly 67% of the market share for all CMSs and is used to power nearly 20% of all websites on the internet.
That’s billions of sites using WordPress, so it definitely pays to keep your website secure, and it’s even more important if you have an ecommerce site. My name’s Seb and I’m a WordPress developer here at FHOKE, so I deal with WordPress and website security every day. Part of my responsibilities includes making sure all our client sites are kept up to date and perform well, but most importantly, that they are secure.
It’s hard to know where to start when it comes to security, especially if you’re not that involved in the tech industry. So over the next few months I’ll be putting together a five-part series of articles on WordPress security. In this first installment I’ll take you through some basic tips you can use right now to help keep your WordPress site safe. If you’re an existing client reading this, we’ve got you covered, but feel free to call: we love a chat and we’d be happy to answer any of your questions.
1.) Don’t Use Plugins with Low Ratings
There are a huge number of plugins available from the WordPress plugins directory, but there’s a small problem: most of them are free. “So why is that a problem?” you might be asking. Well, not everything that comes free gets the same level of care and attention that a good, paid-for product gets. The passion the WordPress development community shows in everything it does is fantastic, but sometimes a few bad apples get through.
We’re not suggesting all free plugins are going to be poor quality; after all, we use many on our own client sites. The best tip we can offer before you even download one is to take your time to look at the reviews and be wary of newer plugins that are yet to be rated. It definitely pays to be cautious in the long run, rather than losing your entire site because you didn’t want to spend five minutes looking at what others had to say.
2.) Don’t Use Admin as Your Username
The default username for WordPress is “admin”, which is an easy target for hackers trying to gain access. If you take into account that around 20% of all websites on the internet (that’s billions!) are hosted on WordPress, it’s not hard to imagine people trying to hack the one account that the majority of sites will have.
Choosing a different username is something we make sure to do on all our website builds, and something you should always do when setting up a new WordPress site. However, there are plugins that can help you change it after your site is already set up.
One of those plugins is called Username Changer and it does exactly what it says on the box.
3.) Use Secure Hosting
Hosting is something that plays a huge role in the security of your website. In fact, a study found that 40% of hacked WordPress sites were down to the hosting company, not WordPress itself.
It doesn’t have to cost you an arm and a leg either as you can get very good web hosting at reasonable prices. Investing in your hosting should always be a top priority, no matter what.
When it comes to finding a good host, try to stick with reputable, well-known companies, as there is a higher level of expectation around their services. We like to suggest Media Temple to host some of our client sites and can say without a doubt their support team is always around and more than happy to help with any questions you might have.
4.) Avoid Using Free Themes
You can download free themes from most places these days, but don’t be sucked in by every offer. Look into the site you’re getting it from and make sure they are reputable. Free themes can come back and bite you in the ass if you don’t.
Firstly, free themes tend to be slapped together pretty quickly and generally lack the good, well-tested code you need for a CMS-powered site. This can lead to security issues, styles not looking right, or the theme just generally not working properly and breaking your site.
Lastly, these “free” themes can on occasion be copies of paid themes, and these are usually a way for hackers to gain access to your site. The idea is that they take a paid theme, inject malicious code into it and give it away for free. The problem here is that people who don’t understand code will grab these free themes because they’re not willing to pay for them. You’re essentially uploading a backdoor so the hacker can access your server.
5.) Use a Strong Password
We’ve lost count of the number of times we’ve been asked to look into the security or functionality of a WordPress site, only to be told the password is barely more secure than “123”. If you’re getting serious about security, updating your password, and especially the passwords of others who have access to your site, is where you should start.
A good password will usually contain a mixture of numbers, letters and symbols. This makes it much harder for anyone trying to guess your password and will eventually lead to them giving up, whereas if your password is easy, like the “123” example above, a few tries and they’ll be logged in to your account.
Rubbish at remembering strange passwords? We definitely recommend you look at 1Password. It’s perfect for storing all your site logins and website hosting details. We use it here at FHOKE and it’s an invaluable tool for our day-to-day work.
6.) Delete Unused Themes and Plugins
When you first install WordPress, it comes with a bunch of pre-made themes and plugins for you to use right off the bat. This is great when you first set up your site, but it can become an issue on some web hosts when another 5 or 6 pre-made themes or plugins are left sitting there.
If you don’t keep on top of those themes and plugins, it can lead to security holes. This isn’t such a problem when you’re only using one or two and don’t activate the others, but if your site gets hacked and one of those themes or plugins is infected, it’s going to stay infected without you knowing.
If you are hacked, you can clean up the ones you’re using and your site will be fine, but you’ll likely forget those 10 or more pre-added themes and the 1 or 2 pre-added plugins that are just sitting there. Fast-forward six months to when you switch themes or activate a different plugin, and your entire site can be completely broken, or worse.
While keeping pre-added themes and plugins on your server isn’t an immediate security problem, it can cause big problems in the long run. In the end it’s all about minimising risk to prevent problems before they happen.
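If you have command-line access to your site, the checks from tips 2 and 6 can be scripted with WP-CLI. The script below is an added example, not something from FHOKE or the WordPress project; it assumes WP-CLI (`wp`) is installed and that it is run from the WordPress root, and its helper functions read WP-CLI output on stdin so they can be tried on sample data first.

```shell
#!/bin/sh
# Added example: audit a WordPress install for the default "admin" login
# and for unused (inactive) themes and plugins, using WP-CLI.
# Assumes `wp` is installed and the script runs from the WordPress root.
set -eu

# Print the names of themes/plugins whose status column is "inactive".
# Expects the CSV produced by `wp <kind> list --fields=name,status --format=csv`.
# WP-CLI labels the parent of an active child theme "parent", not
# "inactive", so the parent theme is never selected for deletion.
inactive_names() {
    awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Exit 0 if the default login "admin" is among the user logins on stdin
# (whole-line match, so "administrator" does not count).
has_admin_login() {
    grep -qx 'admin'
}

# Report findings; pass --delete as the first argument to actually remove
# the unused themes and plugins.
audit() {
    mode=${1:-report}
    if wp user list --field=user_login | has_admin_login; then
        echo "WARNING: an account with the login 'admin' exists;" \
             "rename it (for example with the Username Changer plugin)."
    fi
    for kind in theme plugin; do
        wp "$kind" list --fields=name,status --format=csv \
            | inactive_names \
            | while read -r name; do
                if [ "$mode" = "--delete" ]; then
                    wp "$kind" delete "$name"
                else
                    echo "unused $kind: $name (would be deleted with --delete)"
                fi
            done
    done
}

# Only touch a real site when invoked explicitly:
#   ./wp-audit.sh --run            (report only)
#   ./wp-audit.sh --run --delete   (remove unused themes and plugins)
if [ "${1:-}" = "--run" ]; then
    audit "${2:-report}"
fi
```

Run it in report mode first and check the list against the theme you actually use before running it with --delete.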
After implementing the above tips and techniques, your site should be in a much better place than it was before. There’s more to it than that though: you can protect your files from being searched by hackers, disable file editing, hide your WordPress version number and more, which we’ll be covering in future articles in this series.
If you’d like help with anything from this article or advice on going further with your security, please don’t hesitate to get in touch with us!