WordPress is software. WordPress is also software that is exposed to the Internet.
That means your website is exposed to malicious attacks that take advantage of software vulnerabilities.
That doesn’t mean WordPress is a bad choice for a site’s infrastructure. Quite the opposite.
WordPress is still the best website platform available as it makes your life easy as an end user.
There are things you can do, simple things, to protect your website against attacks.
We’ve talked about backups and security in the past, but we feel it’s important enough to bring up again.
First and foremost, you can keep your sites updated. There are multiple updatable items within WordPress that should definitely stay updated.
Let’s discuss those.
- WordPress – The core system behind your website. Up until 2014, WordPress was updated maybe once or twice a year with major updates, and a few minor updates in between. As of 2014, WordPress is updated much more often with both minor and major updates, many of which include security fixes for things you would never expect to be vulnerable.
- Themes – Just like the WordPress core, most themes get updated with new features, bug fixes and security patches. You should see more updates with premium themes than free themes, however. Premium theme developers are typically more proactive when it comes to addressing security issues, and because you are paying, are more likely to add features.
- Plugins – Like themes, plugins are often updated with new features, bug fixes and security patches. So keeping up to date means you’re keeping your website as safe as you can.
There are, of course, additional layers of protection you can add to your site. Let’s go over some of those, starting with security plugins.
There are many security plugins available for WordPress. Generally we do not recommend plugins that hard-code changes to your filesystem. While in theory that approach could add a higher level of security than the other options, it has a tendency to break themes and plugins.
So instead we recommend using lighter, but effective security plugins that will monitor your site for odd behavior. For example, Limit Login Attempts will monitor the login for hack attempts, and will block the IP based on the severity you designate.
WordFence is a very popular solution. It does not hard-code changes, but does have the ability to monitor your site in real time or on a schedule. The plugin is free and also has premium features. But even the free version can serve you very well.
Sucuri is a WordPress security company that also provides a free plugin which can scan your site and log changes. They also have a premium service which adds automated scheduling and additional vulnerability scanning. Sucuri services also come with hack response, to fix your site in case the worst happens.
We have already mentioned Sucuri’s premium service. But we thought we’d share another option as well.
VaultPress is a plugin and service made by Automattic, the company responsible for WordPress.com. They have plans which can back up your site to their system and also scan your site for hacks.
There are a variety of similar services, but not all come with security scanning like VaultPress.
Last, but definitely not least, another layer of protection is a good hosting company. Many shared hosting providers offer security scanning, like SiteGround. But there are also WordPress Managed Hosts that work with 3rd party security companies to do regular scanning, like WP Engine and Synthesis.
The key to host security is to make sure you understand exactly what security is being done and how it’s handled. For example:
- Are they just scanning for hacks?
- Are they proactively protecting against hacks?
- Are they responding to hacks by restoring to the latest backup?
- Are they using the latest MySQL and PHP versions?
Questions like that can help guide you in the right host direction. You can read more about hosting with WordPress here.
Even with keeping everything up to date, using security plugins and proper hosting, there is still no 100% guarantee against your site being hacked. It’s impossible to guarantee protection. However, by doing everything you can to protect yourself, you’re bringing the hack possibility down drastically.
As always, if you have questions please comment or send us an email. We are happy to help.