WordPress is one of the most popular platforms out there, whether you are using it for just a blog or a full-fledged website.
Along with this popularity comes the potential for security attacks against it. WordPress does a good job of pushing out updates to help combat these security attacks, but it can’t do it alone.
In this article, I am going to talk about WordPress security, and give you some ways to help keep your site as secure as possible.
Why Would WordPress Get Hacked?
When I started my website, I didn’t know anything about website security. My site had never been “hacked” or at least, I wasn’t aware if it had been.
I didn’t learn until later, after I had installed a security plugin, how many times and how constant the attacks are.
WordPress is one of the world’s most user-friendly and widely used website platforms, but just from the point of a new installation, it is very vulnerable to attacks.
According to WP White Security, over 70% of WordPress sites are vulnerable to hacker attacks.
Why would anyone attack your site? Well, it’s not for what you may think. You may say to yourself, “I don’t have that much traffic and I am an unknown. Nobody would want to hack my site.”
Well, it’s not that they want your data; they want to use your server to send spam emails. Hackers can upload a script that will send spam directly from your server.
This is a big issue, especially if you are sharing your server with someone else’s websites. If they hack one of the sites on your server and send out these spam emails, then your site and others could be compromised as well.
This can cause your IP address to get blacklisted by ISPs and email services, which can cost a lot of money to get corrected.
The WordPress software, in itself, is usually very secure, but it is an extensible platform, which can be extended with themes as well as plugins.
We all love our WordPress plugins, as they can add a lot of neat functionality to your site. But herein lies where a possible security breach can occur. Questionable plugins are easy prey for security breaches, so it is always important to make sure you are using the most popular ones, and that they are updated on a regular basis.
Good plugin developers are always coming out with updates to maintain the security and integrity of their plugins. So, by keeping yours updated, you give them the best chance of staying secure.
What Can You Do?
Even though WordPress is generally secure, you can make it even more secure by following best practices and hardening WordPress.
You should always keep the software updated. WordPress.org is always coming out with security updates to the software. Don’t hesitate to use these updates. If you don’t use the latest version of WordPress, you will always be vulnerable, whatever you do.
Choose your hosting well. Find out what security measures they have in place. You may even go so far as to use managed hosting, if it’s available, as all of the security measures will be taken for you. Of course, this will cost more, but it may be worth it if you’re worried about being hacked.
Keep your plugins updated. Good plugin developers are always quick to update their plugins with any security updates. Take advantage of this.
Back up your site on a regular basis. Choose a good backup method and use it. There are a lot of good backup plugins out there, some free and some premium. These plugins will let you back up your site weekly, daily, and in some cases hourly. It is up to you to choose how often this should be.
Choose a good security method. This usually comes in the form of a plugin as well, again some free and some premium. I am going to talk about these plugins next.
Choose A Good Security Plugin For Your Site
Of course, there are plugins for securing your site. Here are some of the ones that I am going to talk about:
- WordFence
- BulletProof Security
- Sucuri Security
- iThemes Security
WordFence is a very popular security plugin. It starts out by checking to see if your site is already infected. It scans your source code and compares it to the original WordPress repository for core, themes, and plugins.
If there are any changes, it prompts you to correct them right away. Then it secures your site.
It constantly keeps checking your website for malware infection. It scans all of your WordPress files, themes, and plugins. If it finds any kind of infection, it will notify you, usually by email.
It claims to make your WordPress website secure and 50 times faster. It uses something called Falcon caching to speed up your website.
This plugin also protects against “brute force attacks.” Without going into a lot of other technical details about this plugin here, let me tell you that you can download it here, and all of the other technical jargon is there, if you want to read about it.
WordPress Security is 100% free and open-source, but you can get a premium API key that gives you premium support. It does have some really neat premium features that I won’t talk about here.
This plugin has over 1 million active installs.
I will say that this is the security plugin that I use, and it works great for me. I use it on all the sites I develop and manage.
BulletProof Security is another popular security plugin for WordPress. It adds firewall security, database security, login security and more. You can just activate this plugin and relax.
It does a lot more technical stuff and I will just let you read about all that yourself by telling you where to download it.
This plugin does have a lot of tutorials that go along with it if you are having trouble setting it up. There is also a premium version of this plugin. This plugin has 100,000 active installs.
Sucuri Security is yet another popular security plugin for WordPress. This one is well known, as it is developed by the popular website security and auditing company, Sucuri.
This plugin offers many security features, such as security activity auditing, file integrity monitoring, malware scanning and blacklist monitoring.
This plugin has a lot more features than the two previous plugins, but can be complicated to use. There is also a premium version of this plugin. You can’t go wrong with Sucuri, as they are a well-known website security company, but you pay a premium price for their services. This plugin has 200,000+ active installs.
iThemes Security is a well-known plugin that claims to offer you 30+ ways to secure and protect your WordPress website. And it does it all with a one-click installation.
It also claims to fix common security holes in your website. It covers user activity tracking, password expiration, malware scanning and other technical stuff.
This plugin is also very technical to set up, and certain features could break your site. So, it is very important, if you use this plugin, to read all of the setup instructions and activate it correctly.
I will say that this plugin is probably more well-known for WordPress security than any other plugin, and has over 700,000+ active installs. It does a really good job of securing your site; you just have to ensure it’s set up correctly for your site.
Backing Up Your WordPress Site
Backing up your website on a regular basis is, by far, the most important thing you can do to help with the security of your site.
You can take all of the necessary steps to secure your site, and then it could still get hacked or broken. Sometimes the only way to fix this is by restoring your website from your most recent backup copy.
Most hosts that I have worked with make weekly backups of your site, but restoring from one will cost you, and you could lose a week’s worth of data.
Here are some backup plugins that I recommend:
- VaultPress
- BackupBuddy
- BackUpWordPress
- BackWPup
VaultPress is a product of Matt Mullenweg and his team at Automattic, the creators of the WordPress platform. It is a subscription-based service and is highly recommended. It has about 20,000 active installs.
BackupBuddy is a creation from iThemes. It is a premium plugin that is really popular as well. This one is also a subscription-based service and runs around $80 a year. I am not sure of their number of active installs, as this plugin is not out on the WordPress plugin repository. But, if you have ever been an iThemes user, I am sure you are already aware of this plugin.
BackUpWordPress is a free plugin you can use to back up your site. It is very easy to use and set up, and you can schedule weekly, daily, or hourly backups of your site. You can have the backups emailed to you. The premium version allows the backup to be sent to the cloud via Dropbox, Google Drive, or Amazon S3. It has about 200,000+ active downloads.
BackWPup is another free plugin you can use to back up your site. It is also very easy to use and set up, and it offers you the ability to send your backups to the cloud (Dropbox, Amazon S3, RackSpace, etc.) without the extra charge. Maybe that’s why this plugin has over 400,000 active installs.
My Methods For Keeping My Site Secure
I have to say that until I installed my security plugin, I had no idea of the type of attacks that a WordPress site could be under. My main security methods are a good security plugin and daily backups of my site with a backup plugin.
I had always felt that it was very important to back up your site. You just never know when your site can go down, and sometimes the only way to fix it is with a backup.
Now this is great if you do regular backups of your site, not so great if you don’t. Not to be alarmed, most hosts do regular weekly backups of your site, but there will be a cost for this, not to mention, you could lose a week’s worth of data.
I know this happened to me once with a site I volunteered to manage. Somehow I broke the site, and was only able to recover from a backup that the host provided. This came at a charge of $36, and it was only a weekly backup, so I lost about 3 days of data.
I was able to quickly recover the data and update the site, but as you see, this could have been a major issue.
So now I use BackUpWordPress to run daily backups of my site. This is a very easy backup plugin that, once set up, will email me a daily backup of my site.
This is a free plugin to use, but it will cost you $24 a year if you want to back up your site to a cloud service, like Google Drive, Dropbox, or even Amazon S3. To me, this is a worthy investment to protect my site.
As I have already mentioned, I use WordFence as my WordPress security solution. I just love this plugin and I highly recommend it for your security solution as well.
This is a widely used security plugin, and the most popular, with over 1 million active installs. This has to say something about the reliability and security protection this plugin offers.
There are really good video tutorials out there that will show you how to set it up properly and once you do, you will just be amazed at the protection you are getting.
I get notified almost daily of failed login attempts to my site. Probably more than I like, but it is comforting to know that my site is being protected from these hacks.
What I really think is amazing about this plugin is that it has all of the core files, theme, and plugins that are in the WordPress.org repository, and it can compare those files to ones on your site, to make sure none have been modified. If they have, you can change them back to the original. This is what really sold me on the plugin.
What Security Measures Do You Use?
We all know website security is important. Apart from having your WordPress managed for you, the tools I mentioned above should give you some peace of mind about the security of your website. Let me recap a little:
- Keep your version of WordPress up-to-date
- Update your plugins to the most current version
- Back up your site daily
- Use a good security plugin to protect your site from hackers
Well that’s it. If you follow the 4 steps above you should feel pretty confident about the security of your site.
If you have any questions about the use of these plugins or the security of your site, then feel free to contact me about them. I would be glad to help you, as there is no worse feeling than having your site hacked or even broken.
What security plugins do you use? How often do you back up your site? Do you update WordPress? Do you update your plugins? These are all really good questions I would like to hear about. Please share them in the comments.