If you run an online business, you will want to need to secure your WordPress website. Even if you are not running a WordPress website, you will still need to secure your website. I have worked with clients over the years that have been the victim of a hack and I can assure it is not something you want. Your business, at best, comes to a stand still but, more likely, it actually regresses. To ensure long term sustainability, you should view online security as a high priority in your business adventure.
In this article, I will cover the following;
- Is WordPress secure?
- Reasons why WordPress could not be secure
- How to secure WordPress without plugins (many of these tips apply to non WordPress sites too)
- How to secure WordPress with plugins
Is WordPress Secure?
Before I can answer the question, I think I better give a little background. WordPress drives over 30% of all the websites on the internet. The data shows that it is by far the most popular way to build a website. If you want to build your WordPress website, I have a tutorial on it here. Being popular is great but it also makes you a target.
According to a Sucuri report in 2018, they showed that WordPress accounted for 90% of the hacked sites that year. Shocking right?
They did highlight that it is important to note that “Sucuri is well established in the WordPress community and offers a free security plugin which likely influenced the results.”
Does this mean that you should not use WordPress for your current (..or next..) website?
Well, when you look at how these WordPress websites were hacked, it does tell a different story. So in this article I am going to dive into some of the reasons of how the sites got hacked and then see if your site is at risk too.
Reasons why WordPress could NOT be secure
Since WordPress is such a simple platform to use, it allows just about anyone to create a website in no time. The trouble is that if you do not understand the fundamentals of website security, you will only concern yourself with how pretty or functional your site is. This leaves often leads to you not keeping your site updated, which leads us to the first reason WordPress sites are not secure.
1. Not updating the Core WordPress files
WordPress is an actively developed system. This means that developers are constantly working on it to add features but also, more importantly, plug an security vulnerabilities that may have come about over the years.
This makes it vital that your WordPress site is always kept up to date with the Core files. Let’s take a look at Sucuri Report from earlier with regards to out of date core files
As per the graph above you can see that 36.7% of clean up requests came from an outdated version. You can see the importance of keeping up to date but the reality is that only 42.8% are using the latest version (5.7 at the time of writing) for their WordPress site.
2. Not updating Themes or Plugins
A great drawcard of using WordPress is how easy it is to extend the functionality of the site by just adding in a theme or a plugin and it automagically transforms your website from a boring site to a dynamic site fulfilling all your dreams.
Like all good things, this unfortunately also has it’s draw backs.
A survey done by WordFence showed that some of the top reasons their sites were hacked was in fact either not updated or poorly coded themes and plugins.
The other point to keep in mind is the difference between using free and premium themes and plugins. WPScan statistics show the difference in vulnerabilities reported between them.
Often times these vulnerabilities were already fixed but the user had not updated the plugin or theme to get the security patch.
Bad Passwords
What was shocking to me is that even with all the advice offered by security specialists over the years, below is the top 10 passwords used in 2021.
Once someone has access to your site through a bruteforce attack, they will have free reign to do as they please.
Poor Hosting
I appreciate that not everyone has the budget to get premium hosting like Kinsta (my top choice of hosting) but it is important to place a priority on your quality of host that you use for your online business. The reason being that if your site is compromised, you want to know that your host will be able to act quickly and isolate the threat before restoring a clean back up for you to continue from.
Sadly this is not the case with most hosts. As shared hosting packs as many hosting accounts on one server to maximize their profits.
Another issue I find with hosting companies is that they often do not upgrade their hosting environments. I have dealt with clients where their hosting was still only offering PHP5 which opens your site up to many vulnerabilities at a fundamental level.
How to Secure WordPress WITHOUT plugins
Use a Proper Hosting Company
Your first line of defence is always to get the best host that your budget can afford. I always recommend my clients to go for Kinsta if their budget allows. Some of the reasons are they keep your core updated at all times, they provide a WAF with DDoS protection, all sites are provided with free https certificates, they provide the latest hosting environment technology and if your site is hacked – they fix it for free!
Use Cloudflare
Cloudflare is a great option to use if you can’t afford Kinsta. You could get a Dreamhost account and place it behind a free cloudflare account until your site is making enough money to move to Kinsta.
Cloudflare is a network which is connected all around the world. They offer a service where instead of a user connecting directly to your site, they instead jump onto the Cloudflare network first. This helps in a number of ways but from a security perspective it adds an extra layer between you and the visitor. This layer comes with protection against DDoS, malicious bots and other nefarious intrusions. On the free plan, you can add up to 3 extra firewall rules – so use them wisely.
Use a Password Manager
With so many things to log into these days, it can become quite burdensome to remember all the passwords. This is likely what leads to all the wonderful passwords we have listed above in the top 10.
I have found the easiest way to mitigate this is to use a password manager.
A password manager is basically an app that stores your passwords for you. It can be installed across devices and, trust me, makes your life far simpler.
I have been using 1password for a number of years but you could easily use any reputable password manager. Examples are lastpass and Zoho Vault.
Don’t use Admin as Your Username
Admin is the default user of WordPress. Using this makes it even easier to perform a bruteforce attack on your site as you have provided 50% of the info required. So best not to use Admin as your username.
It is best to ensure that your admin user has a very difficult username and password (..the longer the better..) and then you can create a user with lower permissions that you will use to login on a daily basis.
Keep Everything Updated
I spoke of the importance of keeping everything updated earlier. So going forward if you are using WordPress as your content management system, do try to keep all your plugins, themes and WordPress core files up to date.
If you partner with a good host, they can offer to keep them all updated for you. I do want to caution you that going this route you must ensure that you are hosting with a WordPress specialist hosting company. Cheaper shared hosting companies may offer the service but all they do is a mass bulk update which often breaks your website and to try to get it fixed again can take quite some time depending on your expertise or support.
How to Secure WordPress WITH plugins
WordPress plugins offer the easiest way to plug many of the vulnerabilities. If you are not proficient in server administration or writing code, simply installing and activating the security plugins is definitely the way to go.
My 5 Best Plugins to Secure WordPress
Wordfence
Wordfence has built up the reputation of being the best security plugin for WordPress over the years. The only issue many have complained about is that it is a bit of a resource hog and can slow your site down at times. So keep this in mind if you go with any budget hosting.
Sucuri
Sucuri is a security company that specializes in ..well …security. They are not specific to WordPress but have definitely become a part of the community which has lead to them developing their own plugin.
If you sign up for their paid plan and your site gets hacked, they will sort it out for you.
Defender
Defender is a product of wpmudev who offer a suite of plugins for small businesses. While it is still a relatively new plugin in comparison to others on this list it is quickly rising in the ranks.
It is very easy to use and does automatic setting up of many of the known vulnerabilities as well as active monitoring of your site.
iThemes Security
iThemes security plugin has a load of features that has made it a trusted partner of many WordPress agencies. It is secure and relatively lightweight which is great for those seeking performance on cheaper hosting but still remaining secure.
JetPack
JetPack is an offering from Automattic, the creators of WordPress. They still actively manage wordpress.com and have taken over the development of JetPack to use there. You can install and use it on your own installation too. It has had issues with performance, which made me stop using it in the past, but i have heard they seem to have sorted that out.
So if you want a product that is maintained by the “original” creators of WordPress, Jetpack would be your option.
And that is all you need to secure your WordPress website
As the heading says, if you follow the best security practices to secure your WordPress website, the likelihood of your site being hacked drops tremendously. So I would encourage you to follow these few steps listed here and thereby sleep easier at night.
