There are four main points of vulnerability for self-hosted WordPress sites, and between them they account for nearly every successful WordPress hack: security breaches at the web host, out-of-date versions of WordPress, installing or keeping plugins or themes that are out of date, poorly coded or contain malicious code, and brute force attacks. In this article we discuss some of the technical options for securing your site. But if you do not manage these four components well, restricting file permissions and adding extra rules to your .htaccess file will give you nothing more than bloated configuration and a false sense of security. So let's take a closer look at each of these points and see why managing your WordPress site well is the most valuable security tool available to you.
Choosing Secure Web Hosting
Web host security depends more on which host you choose and what services they provide than on any action you can take to harden the server yourself, so we won't spend too much time on it.
Speed, options, services, security, backup solutions, level of control, server type and price point are all features you should weigh when choosing a host. Choosing the right hosting solution for your site is extremely important, which is why we prepared comprehensive reviews of many of the top hosting providers and a complete article series on hosting a WordPress site.
Research your options thoroughly before deciding who should host your site.
Secure Your WordPress CMS
Choosing WordPress as your CMS makes it the foundation of everything on your site. The fact that it is free and open source carries many benefits. It also means that every release is public: once a security release ships, the fix, and therefore the flaw it closes, can be read by anyone, so sites still running the previous version become more susceptible to attack with every update they skip.
A basic security-through-obscurity tactic is to stop WordPress from advertising its version number. You can do this with a few lines of code, or with a plugin such as Ultimate Branding by WPMU DEV, which hides the version number for you. This makes casual reconnaissance a little harder for attackers, but it does not patch any of the holes found in older versions of WordPress.
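The mu-plugin below is an added example, not code from the article or from the Ultimate Branding plugin, showing what "hiding the version" amounts to in WordPress's own API: it removes the generator meta tag from the page head and feeds, and strips the ?ver= query string that core appends to its own scripts and styles while leaving plugin and theme cache-busting versions alone. The function name wpsec_strip_core_version is an arbitrary choice.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (added example, not part of the article)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request and
 * cannot be switched off from the dashboard.
 */

// 1. Remove <meta name="generator" content="WordPress x.y.z" /> from the <head>.
remove_action('wp_head', 'wp_generator');

// 2. The RSS/Atom feeds carry their own <generator> element with the version; blank it.
add_filter('the_generator', '__return_empty_string');

// 3. Core enqueues its scripts and styles as /wp-includes/...?ver=<WordPress version>.
//    Strip the argument only when it equals the core version, so assets from
//    plugins and themes keep the version strings they rely on for cache busting.
function wpsec_strip_core_version($src) {
    if (!is_string($src)) {
        return $src;
    }
    $query = wp_parse_url($src, PHP_URL_QUERY);
    if (!$query) {
        return $src;
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === get_bloginfo('version')) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'wpsec_strip_core_version', 15);
add_filter('style_loader_src',  'wpsec_strip_core_version', 15);
```

Verify it with a look at the page source and the feed (for example `curl -s https://example.com/ | grep -i generator` should print nothing). Be clear about what this does not do: the readme.html file in the web root still states the version unless you delete or block it, and scanners can fingerprint a WordPress version from the hashes of static files under wp-includes regardless. Hiding the version turns away only the laziest scans; patching is the real fix.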
Only updating your WordPress installation as new versions are released actually closes the published holes. Updating the CMS is simple, especially since WordPress 3.7 introduced automatic updates. In earlier versions a banner at the top of the dashboard told you a new version was ready to install; now your site updates itself to new minor versions without you having to lift a finger.
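The default policy (minor core releases only) is configurable. The mu-plugin below is an added example, not code from the article, showing how to opt in to automatic major core releases and to automatic plugin and theme updates while holding back a short list of extensions for manual testing first. The hold-out slug example-plugin and the function name wpsec_auto_update_policy are hypothetical placeholders.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not part of the article)
 * Place in wp-content/mu-plugins/ so the policy cannot be deactivated from the dashboard.
 */

// Core: also take major releases automatically. The default since 3.7 is minor
// (security and maintenance) releases only. Equivalent to
// define('WP_AUTO_UPDATE_CORE', true); in wp-config.php.
add_filter('allow_major_auto_core_updates', '__return_true');

// Plugins and themes: auto-update everything except a short hold-out list that
// you test on a staging copy first. $item is the update record WordPress passes
// to the filter: plugins identify themselves by ->slug, themes by ->theme.
function wpsec_auto_update_policy($update, $item) {
    $hold_for_manual_testing = array('example-plugin'); // hypothetical slug, replace with your own

    $id = '';
    if (isset($item->slug)) {
        $id = $item->slug;
    } elseif (isset($item->theme)) {
        $id = $item->theme;
    }

    if (in_array($id, $hold_for_manual_testing, true)) {
        return $update; // keep WordPress's default decision for these
    }
    return true;        // everything else updates unattended
}
add_filter('auto_update_plugin', 'wpsec_auto_update_policy', 10, 2);
add_filter('auto_update_theme',  'wpsec_auto_update_policy', 10, 2);
```

Automatic updates run from WP-Cron, so a site whose cron never fires (no visitors, or DISABLE_WP_CRON set without a real cron job calling wp-cron.php) silently stays out of date; they are also skipped when WordPress detects a version-control checkout (a .git or .svn directory) in or above the install, or when it cannot write to the filesystem without FTP credentials. Check the Updates screen after enabling this, rather than assuming it works.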
Minor releases are usually security and maintenance releases. You still need to install major releases yourself; on a multisite network, go to Network Admin and select Updates. Backing up your site before updating is highly recommended!
With a trusted host and an up-to-date version of WordPress, your core installation is in good shape. As we said before, the quickest way to compromise a site is by adding poorly coded, maliciously coded or out-of-date themes or plugins from untrusted developers or sites. Because WordPress itself is GPL-licensed, most themes and plugins are distributed under the GPL as well, so it is easy for them to be forked and redistributed on free download sites with hidden malicious code added: code that may simply inject hidden backlinks, redirect your visitors, serve malware or expose your users to identity theft. These attacks can be avoided in five ways:
- First, when you use free plugins or themes, research the author and download the files only from the author's own site, or from the WordPress.org plugin and theme directories if the original developer has listed them there.
- Second, ask a trusted WordPress community or support forum, such as the official WordPress support forums, about the safety of a plugin or theme before you install it.
- Third, before installing a free plugin or theme you trust, check its version compatibility listing and verify that it is still supported and updated. Many free themes and plugins are slow to receive updates or have simply been abandoned.
- Fourth, if you don't use it, lose it! Files from plugins and themes you no longer use can still be requested and exploited even when they are deactivated, so delete anything you are not using.
- Last, and arguably the best protection against weak or malicious code, use paid, supported themes and plugins.
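The third and fourth points can be checked rather than remembered. The mu-plugin below is an added example, not code from the article, that walks every installed plugin and theme and reports the ones that are inactive (candidates for deletion) and the ones with a pending update, exposing the result as a WP-CLI command. The command name wpsec-audit and the function name wpsec_extension_audit are arbitrary choices.

```php
<?php
/**
 * Plugin Name: Extension audit (added example, not part of the article)
 * Usage: wp wpsec-audit
 * Reports inactive plugins/themes (delete them) and extensions with pending updates.
 */
function wpsec_extension_audit() {
    if (!function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    // Refresh WordPress's view of available updates before reading the transients.
    wp_update_plugins();
    wp_update_themes();
    $plugin_updates = get_site_transient('update_plugins');
    $theme_updates  = get_site_transient('update_themes');

    $report = array('inactive' => array(), 'outdated' => array());

    foreach (get_plugins() as $file => $data) {
        // is_plugin_active() covers the current site; network-activated plugins
        // on multisite are caught by is_plugin_active_for_network().
        if (!is_plugin_active($file) && !is_plugin_active_for_network($file)) {
            $report['inactive'][] = "plugin: {$data['Name']} ({$file})";
        }
        if (!empty($plugin_updates->response[$file])) {
            $new = $plugin_updates->response[$file]->new_version;
            $report['outdated'][] = "plugin: {$data['Name']} {$data['Version']} -> {$new}";
        }
    }

    // Keep the active theme and, if it is a child theme, its parent.
    // On multisite this reflects the current site only; check other sites before deleting.
    $active = wp_get_theme();
    $keep   = array($active->get_stylesheet(), $active->get_template());
    foreach (wp_get_themes() as $stylesheet => $theme) {
        if (!in_array($stylesheet, $keep, true)) {
            $report['inactive'][] = "theme: {$theme->get('Name')} ({$stylesheet})";
        }
        if (!empty($theme_updates->response[$stylesheet])) {
            $new = $theme_updates->response[$stylesheet]['new_version'];
            $report['outdated'][] = "theme: {$theme->get('Name')} {$theme->get('Version')} -> {$new}";
        }
    }
    return $report;
}

if (defined('WP_CLI') && WP_CLI) {
    WP_CLI::add_command('wpsec-audit', function () {
        $report = wpsec_extension_audit();
        foreach ($report['inactive'] as $line) {
            WP_CLI::warning("inactive, delete it: {$line}");
        }
        foreach ($report['outdated'] as $line) {
            WP_CLI::warning("update available: {$line}");
        }
        if (!$report['inactive'] && !$report['outdated']) {
            WP_CLI::success('No inactive or outdated plugins or themes.');
        }
    });
}
```

Run it after every deployment or from a scheduled job. Note that it can only flag updates WordPress knows about: a plugin installed from a download site that is not the WordPress.org directory never appears in the update transient, so it will never show as outdated even when it is years behind, which is the first point of the list above in practice.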
Companies and communities that sell themes and plugins provide ongoing, tested support and updates that help keep your site prepared for an attack. Using trusted, well-coded plugins and themes will not defend your site against every attack, but experience shows that nearly all WordPress compromises could have been prevented simply by using safe, up-to-date and trusted plugins and themes.