5 critical steps to staying on top of WordPress vulnerabilities

As a freelancer, you need to be concerned about the security of your website, especially if you use WordPress.

I’ve met some designers for whom the word ‘security’ is met with either disdain or a long, painful cringe.

The idea, it seems, is that since security isn’t their area of expertise, and their forte is creativity and site layouts, security can be an afterthought.

But it can’t.

As of 2015, 25% of the web runs on WordPress. WordPress is targeted by criminals more frequently than any other platform on the web.

What that means is that if there’s a vulnerability in a plugin or the core WordPress installation, someone will find and exploit it. It’s your job to make sure that doesn’t happen.

Don’t worry. It’s not as hard as you might think, and you don’t even need a great deal of security expertise in order to do so.

Here are five easy steps you can take to stay on top of WordPress vulnerabilities and ensure your site is safe and sound.

Version control

If you only take one step on this list, this one should be it.

Always update the software on your WordPress site – plugins, themes, and your core files – to the latest version.

New releases and security hotfixes exist for a reason, and you’re playing with fire if you fail to make proper use of them.

I’d also advise that you check the news every now and then; when a new WordPress vulnerability surfaces, it doesn’t take long for people to start talking about it, and it doesn’t take long for a hotfix to be released.
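The practical way to act on this step is to know exactly which versions you are running before you read the news. Below is an added example (not code from the original post) that inventories a WordPress tree: it reads `$wp_version` from `wp-includes/version.php`, reads the `Plugin Name:` / `Version:` header block from each plugin's main file, and flags anything older than a reference version. The sample site it builds is constructed, and the `CURRENT` map is an assumption; on a real site you would fill it from WordPress.org's update checks or simply run WP-CLI's `wp core update`, `wp plugin update --all` and `wp theme update --all`.

```python
"""Inventory a WordPress install's core and plugin versions and flag anything
behind a known-current version.  Added example, not from the original post;
the sample files below are constructed and the CURRENT map is an assumption."""
import re
import tempfile
from pathlib import Path

# A plugin's main file opens with a comment block of "Key: value" headers,
# e.g. "Plugin Name: Foo" and "Version: 1.2.3"; lines may start with "*".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)
# wp-includes/version.php declares the core version as $wp_version = '4.3';
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def parse_version(v: str) -> tuple:
    """Turn '4.10.1' into (4, 10, 1) so versions compare numerically, not as text."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def core_version(root: Path) -> str:
    text = (root / "wp-includes" / "version.php").read_text()
    m = WP_VERSION_RE.search(text)
    return m.group(1) if m else "unknown"


def plugin_versions(root: Path) -> dict:
    """Map plugin slug -> declared version by reading each plugin's header block."""
    found = {}
    for plugin_dir in sorted((root / "wp-content" / "plugins").iterdir()):
        for php in plugin_dir.glob("*.php"):
            headers = dict(HEADER_RE.findall(php.read_text()))
            if "Plugin Name" in headers:          # this is the main plugin file
                found[plugin_dir.name] = headers.get("Version", "unknown")
                break
    return found


def outdated(installed: dict, current: dict) -> list:
    """Return (slug, installed, current) for everything older than the reference."""
    out = []
    for slug, ver in installed.items():
        ref = current.get(slug)
        if ref and parse_version(ver) < parse_version(ref):
            out.append((slug, ver, ref))
    return out


def build_sample_site() -> Path:
    """Constructed fixture: a fake WP tree with stale core, one stale plugin, one current."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '4.3';\n")
    plugins = root / "wp-content" / "plugins"
    for slug, ver in [("example-forms", "1.0.2"), ("example-cache", "2.4.0")]:
        (plugins / slug).mkdir(parents=True)
        (plugins / slug / f"{slug}.php").write_text(
            f"<?php\n/*\nPlugin Name: {slug}\nVersion: {ver}\n*/\n")
    return root


# Assumed reference versions (placeholder data); in practice these come from
# WordPress.org's update checks or `wp plugin list`.
CURRENT = {"core": "4.4", "example-forms": "1.1.0", "example-cache": "2.4.0"}


def audit(root: Path) -> list:
    """Combine core and plugin versions and report what needs updating."""
    installed = {"core": core_version(root)}
    installed.update(plugin_versions(root))
    return outdated(installed, CURRENT)


if __name__ == "__main__":
    for slug, have, want in audit(build_sample_site()):
        print(f"UPDATE NEEDED: {slug} {have} -> {want}")
```

Run it against a real document root by replacing `build_sample_site()` with `Path("/var/www/html")` (or wherever WordPress lives); comparing tuples of integers rather than raw strings is what keeps "4.10" from sorting below "4.9".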

Careful plugin and theme selection

Be careful where you access your resources.

There are plenty of third-party sites out there that claim to offer free premium themes and plugins, but those are almost always laden with backdoors and security holes.

Even if you’re installing plugins and themes from reputable sources, be sparing – each plugin or theme could have its own vulnerabilities, meaning you could be putting yourself at risk if you’re installing stuff you don’t need.

Generally, you want to avoid:

  • Plugins/themes that have received an excessive number of poor reviews, as this might be indicative of malware.
  • Abandoned plugins/themes, as the developer is no longer working on eliminating vulnerabilities.
  • Plugins/themes from third-party sites that aren’t professionally developed, for obvious reasons.

Strong passwords

Believe it or not, the majority of hacked WordPress sites weren’t compromised through some complex attack, but simply because their owners didn’t really bother making sure they used decent passwords.

Plugin vulnerabilities aside, brute force attacks remain one of the most common ways for hackers to gain unauthorized access to your installation.

A strong password is paramount – here’s some advice you can put towards creating one:

  • Include numbers, capitals, special characters (@, #, *, etc.).
  • Be long (10 characters minimum; 50 characters ideal). It can include spaces and be a passphrase; just don’t use the same password in multiple places.
  • Change passwords every 120 days, or 4 months.

Defaults and virus scanners

This one’s pretty self-explanatory. Avoid obvious usernames (like administrator, admin, or anything similar to your display name).

It’s also imperative that you disable the default admin account. I can’t tell you how many sites I’ve seen where cracking them was as easy as typing ‘admin’ and ‘password.’
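The password rules above and the username advice in this section are easy to turn into a check you run before an account is created. The following is an added example, not code from the original post: `password_problems` encodes the post's own numbers (10 characters minimum, 50 ideal, spaces allowed for a passphrase), `username_problems` flags default-style names and names that are guessable from the public display name, and `generate_passphrase` builds one from a word list using `secrets` rather than `random`. The special-character set, the four-word passphrase threshold and the 0.8 similarity ratio are my own choices, and the word list in the test is constructed.

```python
"""Account hygiene checks for the two rules in the post: a strong password and a
non-obvious username.  Added example, not from the original post; thresholds
other than the post's 10/50 character figures are assumptions."""
import difflib
import secrets

MIN_LEN, IDEAL_LEN = 10, 50
SPECIALS = set("@#*!$%^&()-_=+[]{};:,.?/")
OBVIOUS_USERNAMES = {"admin", "administrator", "root", "user", "test", "wordpress"}


def password_problems(pw: str) -> list:
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    words = pw.split()
    # A multi-word passphrase gets its strength from length, so it may skip the
    # character-class rules; anything shorter must mix classes.
    is_passphrase = len(words) >= 4 and len(pw) >= 20
    if not is_passphrase:
        if not any(c.isdigit() for c in pw):
            problems.append("no digit")
        if not any(c.isupper() for c in pw):
            problems.append("no capital letter")
        if not any(c in SPECIALS for c in pw):
            problems.append("no special character")
    return problems


def password_score(pw: str) -> str:
    """weak / acceptable / ideal, using the post's 10 and 50 character marks."""
    if password_problems(pw):
        return "weak"
    return "ideal" if len(pw) >= IDEAL_LEN else "acceptable"


def username_problems(username: str, display_name: str) -> list:
    """Flag default-style usernames and ones easily guessed from the display name."""
    problems = []
    u = username.lower()
    if u in OBVIOUS_USERNAMES:
        problems.append("default-style username")
    d = display_name.lower()
    # The display name is public (it appears on posts); a login that equals one
    # of its words or closely resembles it hands the attacker half the credential.
    ratio = difflib.SequenceMatcher(None, u, d.replace(" ", "")).ratio()
    if u in d.split() or ratio >= 0.8:
        problems.append("too similar to display name")
    return problems


def generate_passphrase(words: list, count: int = 5) -> str:
    """Build a spaced passphrase with a CSPRNG (secrets), never the random module."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3x", "correct horse battery staple ok"]:
        print(f"{pw!r}: {password_score(pw)} {password_problems(pw)}")
    for user, shown in [("admin", "Site Admin"), ("johnsmith", "John Smith")]:
        print(f"{user!r} vs {shown!r}: {username_problems(user, shown)}")
```

The same rules belong on the server side too: a small plugin hooked into WordPress's user-creation and profile-update path can reject a weak password or an obvious login before it is ever saved, which is what makes the brute-force attacks mentioned above unproductive.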

And if you’re going to install any plugin, make sure it’s a virus scanner/firewall utility of some kind.

That way, you can keep an eye out for any errant malware that might drift its way onto your site.

A high-quality host

Last but certainly not least – and this is especially true if you have a managed WordPress installation – choose your host with care.

Do your due diligence when selecting them, and make sure there aren’t any nasty reviews floating around.

Ask them questions, as well – What do they do for security? How do they handle patches? What’s their policy on breaches?

Wrapping it up

Security doesn’t have to be difficult. As long as you keep a clear head and do your due diligence, you can make sure your installation is safe and get back to what you love to do: designing.

What advice do you have for keeping your WordPress site secure? Tell us in the comments!

About AJ Morris

AJ Morris is the Managed WordPress Product Manager for Liquid Web, a fully managed hosting company. He has extensive experience both developing WordPress sites and speaking at WordPress events. AJ leads product and go to market strategy for Liquid Web’s Managed WordPress product line. Liquid Web’s Platform as a Service solution for WordPress hosting allows you to seamlessly host multiple sites and access top-quality 24/7 Heroic Support®.

Comments

  1. Well said! Keeping a WordPress website secure is really simple and these are the same tips I give to my clients all the time.

    Having a secure password is very important, I see that same mistake made with the default login all the time, I must have fixed dozens of hacked WP sites this year simply because their password was simple and they used the default ‘admin’ username.

  2. Do you have any recommendations for virus scanning plugins?

  3. Brian Anderson says:

    Good advice with one exception. The recommendation to change your passwords regularly is out of date for several good reasons. See for example: https://www.schneier.com/blog/archives/2016/08/frequent_passwo.html and http://www.speedypassword.com/articles/changing-your-password-on-a-regular-basis-pros-cons/

    • Hey Paul,

      Thanks for the comment. Interesting articles for sure. It’s not the first time I’ve heard or seen them, though.

      You’re right in that there’s a risk by changing your password every X days, but I still disagree with it.

      I might consider a better option would be to continue with a strong password and change it regularly, but to also look at some OTP type plugin. I’ve used the Google Authenticator (https://wordpress.org/plugins/google-authenticator/) plugin in the past.