WordPress security is an important consideration, but often site owners don’t think about it until it is too late. Like most things, the Pareto principle applies: If you can do a few simple things (20%), you can prevent most security issues (80%). In addition to prevention, you can also take a few simple steps that will help ensure you are able to restore your site in the event that it is compromised, corrupted, or even just accidentally deleted.
This article isn’t really targeted at developers, but rather non-technical site owners who want to make sure they have at least done the bare minimum when it comes to security. On that note, here are my quick and dirty recommendations:
- Keep WordPress up to date. – Older versions of WordPress are more likely to be hacked as they don’t include many of the security fixes that newer versions do. Just be sure you update all of your plugins as well as your theme before upgrading WordPress core to avoid potential issues when upgrading.
- Keep your theme and plugins up to date. – Again, older versions are more likely to be hacked as they don’t include many of the security fixes that newer versions do.
- Only use quality themes and plugins. – WordPress core is very secure and most often it is a bad theme or poorly coded plugin that makes your site vulnerable. Make sure that the software you install is of reasonable quality. If you are using a theme or plugins from the WordPress repository, you can do a little checking to see the last time it was updated, what types of reviews its had and how many downloads or active installs its had. For premium themes and plugins, you’ll just have to do more research on the company and ask experienced WordPress developers and/or users if the company and plugin are reputable. As a rule of thumb: Never download free plugins that aren’t listed in the WordPress repository.
- Set a secure password and change it often. – You should change your password about once every one to three months. Hackers have scripts that will try to guess your password. A more secure password will be harder to guess and changing your password occasionally will ensure that they have to start the guessing process over again and aren’t given an unlimited amount of time to discover your password. If an easy to remember password is important to you, then create an admin user with a super-complicated password and then create another user that has the ‘Editor’ role. You can then use that ‘Editor’ role to log in and do your normal content publishing. However, I’d recommend just using a tool like LastPass to help you keep track of your passwords.
- Backup your site regularly. – If your site is ever hacked or otherwise lost, at least you will be able to restore it. Obviously, your backup schedule will depend on how often you update the site and/or perform software upgrades. Be sure that you backup not only the filesystem, but also the database. There are some great tools out there for handling backups, like these:
- Make sure your site backups are stored offsite. – In other words, don’t count on or trust backups from your web host or backups that are stored on your site’s server. Your data needs to be somewhere that a hacker isn’t likely to delete it if they gained access to the server. Ideally, your web host will also provide backups so that you have some built-in redundancy.
If you do these things, you will be well on your way to securing your site and will be able to easily recover if something does happen. This is by no means an exhaustive list, so once you’ve taken care of these things be sure to check out the Next Steps section below.
If you are technical enough to add a line to your
wp-config.php file, you will get bonus points for adding this line to disable the WordPress file editor:
The tips listed here cover just a few things you can do to improve security. Here are a few resources to help you take security to the next level: