WordPress is everywhere. So it's not surprising it grabs so much attention from hackers.
According to the latest estimates, 25 percent of all websites around the globe are run on the content management system. It's also one of the most hacked platforms.
It's in part a numbers game ... and it's in part the fact that WordPress sites can be attacked through many kinds of vulnerabilities. We pinged a number of security experts on the topic of how to close up these vulnerabilities, or in the very least minimize a site's exposure to a hack.
What follows are tasks around which our experts had consensus. Surprisingly, it seems in our informal survey, the simpler, common sense risk management approaches are the ones that we can all most agree on.
Get the Latest Versions for Everything
Always run the latest version of WordPress, plug-ins and themes, and be sure that sites and their underlying systems/applications are fully patched.
"This one step is your best hedge against attacks—not doing so just makes you more of a target since these vulnerabilities that haven’t been patched are basically invitations to attackers," said Vann Abernethy, field CTO at NSFOCUS IB, a leading global provider of network security and advanced analytics.
(There are no guarantees of course. Last month, a cross-site scripting was detected in version 4.4.1, as pointed out by Emily Winand, senior web developer from WebTek.) And there' always the fear that a new update will crash all that custom work done on a WP site.
WordPress can generate a mean unique password if you let it. The way to protect your site is to change that password frequently, whether you're creating it yourself or allowing WordPress to do it.
"I realize this is really obvious, and just good practice in general, but often there are multiple developers, a webmaster, marketing personnel, IT security engineers and others supporting a WordPress installation. It’s easy to overlook this basic rule and permit passwords to become stale in this environment," said Dave Martin, NSFOCUS IB’s security expert and director.
Password security can be taken to the next step by requiring multifactor authentication, as suggested by Brett Dunst, VP of brand and community at web hosting service DreamHost. Plugins exist that allow you to enable Google Authenticator, which requires a password and mobile device verification.
Somewhat related is the frequent recommendation around the username "admin." Don't do it, said the experts. The first usernames a bot will guess will be "admin" or "administrator."
Third-Party or Plug-in Security?
Services like Akismet, Securi and Vaultpress can provide security checks, offer firewall protections and deliver malware removal services. And they can be there for you with backup services and other help when you get hit with a DDOS attack or other hacks.
Don't want to spend for a third-party service? Turn to plugins like Wordfence Security, which Winand recommends for its ability to provide "a deep server-side scan of the source code." Another to look for is All in One WP Security & Firewall, which shuts down brute force attacks and other harmful user actions, as well as automatically backs up your database. Jane Dizon, digital developer and marketer at AvantiHomes.ca, recommended WP Limit Login Attempts. "Simple yet very useful," she said.
In no way are we claiming this are the be-all, end-all methods to harden a WordPress site. But from the dozens of respondents to our inquiry about WP security, they certainly represent a consensus and a great first step forward (or refresher).