Imagine the safest bank vault ever designed. It’s got 10-foot walls of solid concrete lined with foot-thick steel. The door alone weighs 20 tons, able to withstand everything short of a nuclear blast. The locking mechanism combines face recognition, fingerprinting, retinal scanning, DNA testing, and a randomly generated password that changes every five minutes. It’s the most secure place on earth. Now imagine the door is standing wide open.
Like that hypothetical vault, WordPress is designed with security in mind. It’s core is continually developed to close exploits and stay safe. But without the right implementation, you can leave the door open to attacks. Security by design is meaningless without security through implementation.
In our upcoming Quickstart Guide to WordPress Security we’ll take an in-depth look at how to implement and administer WordPress for maximum protection. In the meantime, here are four quick steps to better WordPress security you can take today.
1. Keep Your Site Updated
The most important thing you need to do to keep WordPress secure is to keep it updated. When security updates come out you need to have a strategy to apply them quickly and confidently. There are a variety of strategies to do so, from the WordPress Background Updater to a professional web development workflow with version control and managed deployments. Add automation and testing for the ultimate setup.
2. Harden Your Login Page
A lot of WordPress exploits get in through the front door—that is, your login page. There are a few ways to throw extra security at the biggest target on your site.
First, change your admin account name. The old default used to be ‘admin’ and it’s not an uncommon choice. Don’t do it! Because it was so common, some brute force attacks assume the admin account is still named “admin.” If you already have an established site, you can manually change the name or use a plugin to change it.
Second, limit the number of login attempts. WordPress does not have a limit by default, which can leave your site vulnerable to brute force attacks. Use a plugin like iThemes Better Security or BulletProof Security to limit the number of unsuccessful tries before the system locks someone out.
3. Practice Good Password Hygiene
There are two components of password management: Technological and human. For the technology side, make sure everyone with a login creates a robust password (this password generator can help). Consider using a service like LastPass or 1Password to securely store passwords behind one robust password.
It’s possible, though, to have the strongest passwords imaginable and still be vulnerable to the human element. Encourage your team not to write down passwords, share them, or stick them all in a shared doc. Simply making your organization aware of security can go a long way to creating a secure environment.
It’s worth considering two-step authentication as well. It does add a little extra hassle to the login process, but definitely increases security.
4. Use Secure Connections
HTTPS used to be a luxury, just for banks and high-security government sites. As the technology becomes easier and cheaper to implement, though, it’s no longer a nice-to-have. Your site should definitely be using HTTPS as the default stance.
If you’re hosted on Pantheon, you’re covered: We just rolled out global CDN and automated HTTPS for every site on our platform.
Make sure to keep your file transfers secure, too - use SFTP or FTPS to keep your server and code safe..
5. Choose Plugins Wisely
The ability to modify WordPress core with plugins is a major factor in its appeal as a CMS. But it’s also an easy way to introduce vulnerabilities. As with any software, it’s important to know it was made by a reputable developer, recommended by trusted peers, and distributed through a trustworthy site.
It’s especially important to avoid sketchy knockoffs of premium plugins. You may save a few bucks, but the end cost could be steep. Many of these have accidental or purposeful security vulnerabilities built-in, and some may even introduce malware into your system.
This beginner’s guide can help you choose plugins that enhance your security, not compromise it.
Security Is an Ongoing Commitment
Despite its status as a high-profile target for attacks, WordPress is remarkably secure. There has never been a major exploit on the most updated core of WordPress. But just like our bank vault in the introduction, security is equal parts design and implementation. Don’t think of it as a one-and-done; make security a part of your organization’s DNA. With the right technology, the right policies, and a commitment to keeping your site safe, you can slam the door on your vault and keep attackers out.
Test drive a hosting platform with security best practices built in. Create a free Pantheon account today.
You may also like: