Secure your WordPress websites, kids.

I’ve spent the last two weeks putting out fires and restoring/rebuilding WordPress websites for clients due to a recent rash of new WordPress hacks and attacks. Securing and maintaining client WP sites has suddenly jumped to the top of my To-Do list.

WordPress is arguably one of the most popular online blogging and content management platforms and continues to grow. As of February 2015, it is powering more than 60 Million online websites and 23.3% of the top 10 Million blogs are powered by WordPress including sites run by Tech Crunch, Variety, ESPN, The New Yorker, Time and Reuters. While this is great news for most of us, it does mean that hackers now specifically target WordPress and are honing their skills and tools for hacking WordPress sites more and more each day. It is now more important than ever to keep your WordPress site up-to-date to keep it secure, as well as create backups in the instance that something undesirable does happen.

Many of our clients already have hosting when they come to us, but for those that don’t I’ve been referring them to IBS Ltd. for hosting. I’ve developed a good relationship with Gary Nightingale there and he stays on top of security issues pertaining to WordPress and is very proactive with regards to securing WordPress installs and hack prevention. He has taught me a few things as well. An added bonus is that he’s local to me and most of my clients and it’s nice to keep the business in the community.

I’ve only been developing WordPress sites for a few years now and I’m even less familiar with the security side of things, but here’s a few things I’ve learned and/or am doing now to try to stay one step ahead of the game.

  • Core and plugins have to be kept up to date. They don’t issue these updates and security fixes for no reason folks. These developers know a lot better than me what needs fixing and whats vulnerable and if they say I need to update, I update.
  • Back, the hell, up. Make sure your hosting provider is running regular backups and is willing to or has an apparatus whereby you can restore your site easily from a backup. If they want to charge you for this service (some do, some offer it free), pay for it. It’s worth it. If they don’t – take advantage of one of the dedicated WordPress backup plugins out there to do it for you. I’ve taken to using Backup Buddy. It’s easy to set up, and offers live, continuous backups to either your existing server, your local machine or services such as Google Drive, DropBox, etc.
  • Take out the trash. Delete anything you’re not using on your server. Plugins, Themes, data, images, whatever. If you don’t need it, nuke it. Anything extemporaneous is a possible doorway in for someone looking to do no-good. Plugins and themes especially. You can always install/download it again if you think you might want to re-use it.
  • Password is not a password. Shouldn’t need to be said, but for real’s, use a decent password yo. C’mon. There’s a ton of sites on the web that will even generate ’em for ya.
  • Get some help. Take advantage of some reputable plugins to help you secure your site against hackers. There are all kinds out there. The three main ones I’m using are WordFence, Stealth-Login and Limit Login Attempts. They’re all great for their various uses. I discovered WordFence through online research and in addition to providing a great suite of tools for site protection and monitoring (even with only the free version), they have a great blog that is constantly on top of new threats and issues facing WP users. Stealth-Login and Limit Login Attempts are two plugins that were suggested to me by Gary as must-haves and go into every one of my WP installs now. In addition, if you have a WordPress.com account, the Jetpack plugin offers some nice tools for site protection and monitoring as well.
  • Pay attention. You can’t expect to become a security expert, but you can stay informed. Pay attention to WordPress security trends online and take a few minutes once in a while to read up on current issues and best practices. Be informed. Do what you can. Don’t assume that your hosting provider is going to take care of it for you. That said, it doesn’t hurt to develop a good relationship with your provider either so that when you have questions or issues, you know you can count on them to be responsive.

I’m no security expert, but I’m learning. And one thing I’ve learned is that the playing field is ever-evolving so you have to be alert, stay focused and adapt with the changes and challenges. What I’m doing is working for me so far (knock wood), but if you’ve got thoughts, suggestions, or tools you’re using you dig, feel free to leave ’em in the comments. Always good to hear new ideas.