Web Security is one of the most challenging, complex, and honestly scary topics that can come up for owners of web businesses. This goes doubly so when it comes to security in the world’s most popular CMS, WordPress. In writing this article, I’ll give you an overview of the topic of web security, and a few pieces of common-sense advice that should allow you to put your security worries for your own web project to rest.
Web Security: An ever-evolving subject
I want to start this article with a disclaimer that Web Security is a topic that is more of an art (or a battle) than a science. New vulnerabilities in sites and software are constantly being exposed by those who wish to exploit them, and constantly being patched up by web security experts. It’s a topic that is evolving quite literally by the day.
I say this to dispel the notion that any site can be 100% secure, something I’ve been asked to achieve several times as a web developer. If someone is telling you they can make your site 100% secure, I would consider that a pretty big red flag that either they don’t understand web security as well as they claim, or that they’re building up their own abilities in order to make a sale.
Even though I can’t promise 100% security, there are easy steps you can follow for any site that will make it secure 98%+ of the time. This is because the vast majority of attacks on sites come from bots looking for easily exploitable, and easily avoidable, vulnerabilities.
But first, a brief aside about WordPress.
Is WordPress secure?
In short, yes it is.
It may be that you’re asking this question because you heard quite the opposite from a friend, a colleague, or a developer: that WordPress is insecure, and that you should instead use whichever platform they heard is better: SquareSpace, Wix, Drupal, Joomla, etc.
Powering an estimated 30% of the web, WordPress is the world’s most-used CMS (which stands for Content Management System). Finding a vulnerability in WordPress is potentially a gold mine for a bad actor, as it could suddenly expose tens to hundreds of thousands of sites. For that reason, WordPress has its fair share of attackers. But for the exact same reason, WordPress also has an enormous community dedicated towards patching any vulnerabilities that come up, as soon as they come up.
It sort of reminds me of the old Windows vs. Mac security debate. Yes, WordPress, like Windows, has more people looking to exploit vulnerabilities, because it has a larger user base. However, that doesn’t mean your Joomla site (or whichever other CMS you use) doesn’t have vulnerabilities itself, and when they do get found, it might take longer for those security flaws to get patched.
Ultimately, if security is the sticking point for you in deciding whether to choose WordPress, I can tell you with confidence to choose WordPress. If you follow good security practices, which I will discuss below, then your site will be safe from almost all attacks, and is highly unlikely to be compromised. If that small chance is still too much for you, perhaps because your site will be storing highly sensitive data, then you may need a more specialized, custom-developed solution than WordPress can provide you, anyway.
Who is trying to attack my site?
The vast majority of attacks are not what you might be picturing: individuals in dark basements staring into screens of code. Instead, most are probes into your site by botnets: automated attacks, controlled by a person but carried out by computers.
If you have a site in WordPress, it’s almost guaranteed that at some point, it will be probed for an attack. But don’t panic. The vast majority of these botnet attacks are looking for really simple, easily exploitable things that should be easy enough for you to prevent if you follow good security practices.
But why are they trying to attack my site?
Most likely not to try to steal your pet photos, your blog posts, or even your site data.
Instead, botnets are scouring the web for sites that they can take over to use to their own benefit. With control of your site, they might be able to accomplish various things, such as:
- Redirect traffic to their own sites
- Take over your SEO rankings to send “Google-juice” to their pages
- Deface your site to broadcast a political or personal message
- Drive-by-downloads — make visitors to your site download malware, etc.
- Create a ‘back-door’ in your site for later use
- Gain access to sensitive site data — user lists, purchase history, etc.
- Send spam — if your site can send email, they can use that sending for their emails too
- Use your site’s server to do useful computation, most likely mining crypto-coins like Bitcoin
So rather than thinking about the value of your site in the content it holds for someone who might be trying to take it over, think about the value it holds as more computing power, and a new way to spread malware. The more sites a bad actor controls, the more power they have to do whatever they’re trying to do.
For this reason, the fact that your site is small—a little site about Boston Terriers, or whatever it may be—doesn’t provide it any protection, and is no excuse for not following best practices for keeping it secure.
5 Simple Practices for Keeping your Site Secure
Luckily, if you follow a few simple steps, it’s quite easy to keep your site protected from almost all possible forms of attack. This advice is written with WordPress users in mind, as that’s our specialty, but all of these are good rules of thumb no matter what framework your site is built in.
Use secure, unique passwords
One of the primary ways that WordPress sites are attacked is by computers making many attempts to guess the login information to gain access to your site. These bots can guess up to 1000 passwords a minute, and it’s not going to take them long to guess yours if you went with pa55w0rd, your site name, or anything else that too many other people use.
Instead, using a secure password is a huge benefit towards keeping a site secure and happy. How to write a secure password is itself a topic for a whole other article, but the general rule of thumb is: the more complex, the better. This complexity could come in the form of using both upper and lower case letters, using longer passwords, and using other characters such as numbers and symbols (!#$%^&*). I often use this helpful and simple web tool to create a secure password that is very unlikely to be guessed by a bot.
The only issue with complex, highly secure passwords is that they are often very difficult to remember. To help with this, password managers like 1Password, KeePass, or LastPass can be lifesavers. You also don’t have to go quite that far: even just creating a password that uses a few words along with a few symbols or numbers is going to be as secure as you need it to be in most cases.
Another important thing is to keep unique passwords for each site you’re using: even if your password is the most secure it could possibly be, if you’re using it on another site and that site gets compromised, it won’t do you much good.
Check your site regularly, and keep WordPress, themes, and plugins updated
This one is simple, but is the Achilles’ heel of many a WordPress site’s security.
Bad actors are constantly searching for vulnerabilities in WordPress software. These vulnerabilities are often patched right away, especially in the core WordPress software and among big, reputable plugin and theme developers, but if you’re not logging in to your site regularly to hit “Update,” your site is potentially exposed to vulnerabilities that could leave you regretting it later.
The most important piece of advice here is: check your site regularly. Make sure it’s up, log in to WordPress to hit update on all the themes and plugins, and make sure you’re running the latest version of WordPress (which is exactly why I believe everyone should update to the latest version of WordPress). If you keep up with this, you’re closing off one of the major avenues for bad guys and gals to get into your site. If you have a hard time remembering to do this yourself, installing a security plugin can also help you keep on top of this.
One addendum I’d like to make is that it’s good to keep an eye on whether the plugins (and to a lesser extent, themes) on your site are being actively updated by their developers. You can do this simply by clicking on the title of the plugin and checking the last time it was updated. A yellow flag is when it’s been several years since the last update, but even that does not mean you “must remove this now,” as fairly simple, well-written plugins can operate for years without any security issues.
Here’s a little flowchart I’ve made to help you decide whether to keep a plugin on a site.
Notes on the flowchart:
How do I know if I’m using a plugin on the site? This is an important question as it may be that the plugin is Active on the site, but not actually doing anything. The best way to know is to disable it and then try using your site like normal. Does something break? Then you were using it. The description of the plugin should give you a clue of what to look for.
How do I check if it’s been updated by the developer? On the Plugins page, hover over the plugin and click the “View” link. This should take you to that plugin’s WordPress.org repository. On the right-hand side, just below the version, there should be a field titled “Last Updated.” If that lists a time of a year or less, then it’s likely that the developer is keeping this plugin updated, and thus patching any security flaws as they come. Note that this isn’t a guarantee that it’s safe (nor is a plugin not updated for over a year necessarily unsafe), but it’s a good rule of thumb.
How do I check if a plugin was created or added by a developer I hired? One easy way is: do you remember adding it? If not, someone else did, whether it was a developer working on your site or another person who has administrator access to the site. Another clue: who is the author of the plugin? If it’s a person or agency that you hired, then they definitely made it.
When to call for help. It’s quite likely that following this flowchart you’ll end up in this category, as many WordPress sites are constructed with plugins that are not frequently updated because they’re either A) abandoned by the developer or B) so simple that they just haven’t needed updates for a long time in order to work. If you want to be really sure, hiring a WordPress developer who understands what is and isn’t secure code to look it over is a sound option. But if you’re budget constrained, a common-sense way to determine whether you’re really going to need help is to Google the plugin name along with “vulnerabilities” or “security issues” and see what pops up. If reading that has left you concerned, then it’s probably time to invest in a developer, or to deactivate the plugin and see if you can find another way to accomplish what it was doing.
Update your site to SSL
This one is important enough that I wrote a whole article about it. SSL won’t keep your site from getting hacked, but it will create a barrier against others listening in on your internet connection and stealing crucial information, like your login, when you’re in situations where your connection might be compromised, like a coffee shop or a park.
Follow the steps in the article above to get your site updated to SSL.
Control access you provide to your site
If you are going to have multiple people editing the site, it’s important to make sure that they’re not accidentally or intentionally providing an easy way in for bad actors. In general, create user accounts for your other users that only have the level of access that they need. If someone’s only creating posts or editing pages, then just give them “Editor” access, rather than the full “Administrator” access that should be reserved only for developers and site owners. Also, make sure that other users are maintaining secure passwords, either by asking them to or by installing a plugin that enforces it.
Install a WordPress security plugin
WordPress security plugins, though optional, are a great way to patch a number of common security holes that are not covered by the other advice in this article. They’ll do a lot of helpful things: block known bad actors, limit login attempts, and send you notifications when your WordPress version, plugins, or themes are out of date. Which one you should use is entirely up to you, but a couple of popular ones are Sucuri and Wordfence.
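To show what “limit login attempts” means in practice, and why it blunts the 1000-guesses-a-minute bots described in the passwords section, here is an added example of a minimal login throttle written as a WordPress must-use plugin. It is not code from this article, from Sucuri, or from Wordfence; the thresholds and the `slt_` names are assumptions, and it assumes `REMOTE_ADDR` is the real client address (behind a proxy or CDN you would need to map the trusted forwarding header instead).

```php
<?php
/*
Plugin Name: Simple Login Throttle (added example)
Description: Locks out a client after too many failed logins in a short window.
*/
// Save as wp-content/mu-plugins/simple-login-throttle.php; mu-plugins load automatically.

// Tunables (assumed values; adjust to taste).
const SLT_MAX_ATTEMPTS = 5;       // failures allowed before a lockout starts
const SLT_WINDOW       = 15 * 60; // seconds the failure counter is remembered
const SLT_LOCKOUT      = 30 * 60; // seconds a locked-out client must wait

// Counters are keyed per client IP (hashed so the key stays short and safe).
function slt_client_key( $prefix ) {
    return $prefix . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count a failed login; once SLT_MAX_ATTEMPTS is reached, start a lockout.
function slt_record_failure( $username ) {
    if ( get_transient( slt_client_key( 'slt_lock_' ) ) ) {
        return; // already locked out; attempts during lockout never succeed anyway
    }
    $key      = slt_client_key( 'slt_fail_' );
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, SLT_WINDOW );
    if ( $failures >= SLT_MAX_ATTEMPTS ) {
        set_transient( slt_client_key( 'slt_lock_' ), time(), SLT_LOCKOUT );
        delete_transient( $key );
        // Log the lockout so you can see attacks in your server's error log.
        error_log( sprintf( 'slt: lockout for %s after %d failed logins (user "%s")',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $failures, $username ) );
    }
}
add_action( 'wp_login_failed', 'slt_record_failure' );

// While a lockout is active, refuse authentication outright. Priority 30 runs
// after WordPress's own username/password checks (priority 20), so this
// WP_Error is the final answer even if the bot finally guesses correctly.
function slt_block_if_locked( $user ) {
    if ( get_transient( slt_client_key( 'slt_lock_' ) ) ) {
        return new WP_Error( 'slt_locked',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'slt_block_if_locked', 30 );

// A successful login clears the counter so ordinary typos do not accumulate.
add_action( 'wp_login', function () {
    delete_transient( slt_client_key( 'slt_fail_' ) );
} );
```

With these settings a single client gets at most five guesses per fifteen minutes before a half-hour lockout, which is a far cry from a thousand a minute; a real security plugin adds things this snippet does not, such as a shared blocklist and per-username limits.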
This is all just the tip of the iceberg of a fast-evolving and enormous subject. If you’re interested in learning more about WordPress security, our very own David Hayes—who is pretty much as knowledgeable about this subject as a human being could be—has written several great articles on our sister site, WPShout. WPShout is written with developers in mind, but still in an approachable way that should be understandable even if you’ve never written a bit of code.
Here are the links:
- David’s Complete Guide to WordPress Security, which heavily influenced this article
- How to Compare the Features of WordPress Security Plugins (and Services)
- WP Security Compared, a nifty little resource to sort out the difference between security plugins
- Principles of Secure WordPress code
- Limit Login Attempts to Prevent Brute Force Attacks
And for those who want to go the deepest, David has created WordPress Security with Confidence, an online course which contains 17 modules and 90+ video tutorials that go into WordPress security at a level of detail that is pretty much unrivaled. If you or your developer want to become an expert on this subject, this course is the way to go.
Web security can be a topic where you might wish you had just remained ignorant, as it can be pretty scary to know the risks that are out there. But if you follow good practices, you’ll be happy you learned the risks, because in my experience, it allows you to relax with confidence that you are in the clear.
If you liked this post, you might like our email series “The Six Things You Absolutely Must Know Before Starting a Web Project.” This free series is full of great advice on how to get any website started, including creating goals for your project, what you’ll need to invest, and what to look for in a web developer. This will come straight to your inbox after signing up to our email list, where we’ll send you updates when new content is posted and occasional extra bits of wisdom.