Sometimes, the very conventional wisdom that’s supposed to solve a problem can make it worse. Spreading butter on a burn can trap in the heat. Blowing on a skinned knee can introduce infection. In so many cases, what we think we know keeps us from doing what will actually help.
The internet is full of conventional wisdom about WordPress security. Too often, these myths not only fail to help, they can create a false sense of security that leaves your site vulnerable. The most serious security concerns may be what you don’t know you don’t know.
To help bust the myths and get at the truth, we asked a panel of experts to share their wisdom. Each of these WordPress wizards has years of experience coding, developing, and administering WordPress sites.
Read on for eye-opening truth bombs from our esteemed panel:
David Bisset, Freelance WordPress/PHP Developer
Aaron Campbell, WordPress Security Team Lead, WordPress
Patrick Rauland, eCommerce Educator & Entrepreneur
Three WordPress Security Myths Busted
Myth 1: It’s Easy to Tell Which Plugins Are Hackable
David Bisset: I’ve sadly seen clients being hacked from unsafe plugins. Sometimes it’s been a plugin bundled with a theme purchased, or just a plugin that they found on a random website. Even if the plugin is updated, there may still be unsafe “hackable” entries in that plugin. Often you can't quickly tell if an unknown plugin is safe or not.
Myth 2: Hiding Usernames Boosts Security
Aaron Campbell: I think the top one is that usernames should be secret, that if someone knows your username they're "halfway" to hacking your account. This just isn't the case.
Usernames are for making a claim—"I'm aaroncampbell"—and passwords are for securing things so only the right people can successfully make that claim. Many services, such as Twitter, make your username completely public. Many more, including WordPress, let you log in with your email address, which you give to people all the time.
Instead of trying to keep your username a secret, focus that energy on choosing a good password. A good password is three things: long, random, and unique. Make it at least twenty characters, let a password manager randomly generate it for you, and only use that password for one thing. Then breathe a little easier and don't fret about your username.
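The three criteria above (long, random, unique) are easy to turn into code. What follows is an added example, not code from the article, from WordPress, or from Aaron Campbell: the twenty-character minimum comes from his answer, while the 94-character alphabet, the `already_used` set (a constructed stand-in for passwords the person has used on other accounts), and the distinct-character heuristic are assumptions of this example.

```python
# Added example (not from the article): generate and check passwords that meet
# the three criteria from the text: long, random, unique.
import math
import secrets
import string

# Assumed alphabet: letters, digits and punctuation, 94 symbols in total.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 20  # the "at least twenty characters" from the article


def generate_password(length: int = MIN_LENGTH) -> str:
    """Return `length` characters drawn uniformly from ALPHABET using the
    OS CSPRNG (the secrets module), which is what a password manager does."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy, in bits, of a uniformly random password of this length.
    A 20-character password over 94 symbols is about 131 bits."""
    return len(password) * math.log2(alphabet_size)


def check_password(password: str, already_used: set[str]) -> list[str]:
    """Return the list of policy violations; an empty list means the password
    satisfies all three criteria. `already_used` stands in for the passwords
    the person already uses elsewhere (the 'unique' criterion)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH} characters")
    if password in already_used:
        problems.append("reused: already used for another account")
    # Assumed heuristic: a human-chosen string tends to repeat characters;
    # a CSPRNG-generated 20-character string essentially never has < 8 distinct.
    if len(set(password)) < 8:
        problems.append("not random enough: fewer than 8 distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed sample of passwords already in use on other accounts.
    used_elsewhere = {"password1", "Summer2019!"}
    new_pw = generate_password()
    print(new_pw, f"({entropy_bits(new_pw):.0f} bits)", check_password(new_pw, used_elsewhere))
    print("password1", check_password("password1", used_elsewhere))
```

The point the example makes concrete: the search space of a generated password is the same whether or not the attacker knows the username, so the effort belongs in `generate_password`, not in hiding who you are.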
Myth 3: WordPress Isn’t Secure Enough for eCommerce
Patrick Rauland: I'm surprised how many people think WordPress can't handle ecommerce because it's "made for blogs." Some of the largest ecommerce websites on the web use WordPress and it's incredibly secure. With free SSL certificates from Let's Encrypt (and awesome hosts that install it automatically for you) and payment gateways like Stripe that tokenize credit cards, you have very little to worry about. The payment information is sent directly to the gateway. Your site never touches it, which is fantastic for security.
Don’t be Myth-Informed
WordPress security is too important to let myths inform your approach. Whether you’re a developer, agency lead, or system administrator, security is everyone’s responsibility. That’s why we created the Quickstart Guide to WordPress Security, a comprehensive resource for anyone at any level of security sophistication. Check it out now to fill in the security gaps in your technology, best practices, and even your company’s culture.