November 12, 2013
WordPress Security Best Practices
Did you choose the right WordPress developer? Do you know if they have left your website exposed to potential hacking threats? We take a look at some of the most common WordPress security vulnerabilities and the steps to secure your website.
Always run the latest version of WordPress. WordPress is considered one of the most popular content management systems on the web, with over 60 million websites running the software. Because it is so popular, it has been a target for hacking attempts, so it is vitally important to always keep your WordPress software up to date with the latest security patches. This simple step can be overlooked, especially if you do not access the admin area of your site often. Also note that there can be some technical hurdles when upgrading versions. If you are not tech savvy, it may be best to contact a WordPress development company like Thrive to assist you.
Always run the latest version of WordPress plugins. Individual WordPress plugins also release updates. Sometimes the updates are new features and sometimes they are security improvements.
Be careful when updating plugins, as new versions can occasionally break the functionality of your site. It is a good idea to have your WordPress developer test the update in a testing environment prior to implementation on your live site.
Limit the number of login attempts. WordPress allows unlimited login attempts by default. This default functionality opens the door to brute-force password attacks that can crack your password and access your website. There are several WordPress plugins, such as Limit Login Attempts, that will add this security feature to your site. At Thrive we install the latest security plugins on our client sites to prevent such attacks.
Hide the default wp-admin page. There is a default page (/wp-admin/) that WordPress sets up for the site owner to access the admin portion of the site. By changing the default login page URL you will add another layer of security to your site. If the bad guys can’t find the front door, you have a better chance that they move on to someone else’s website.
Using a strong password. Creating a strong password that is at least eight characters long, uses a combination of upper and lower case letters, and includes at least one number or special character can make it difficult for someone to guess or crack. Here are some additional tips from Google to help you create a strong password.
Use a dedicated WordPress hosting company. Using a hosting environment that is specifically optimized for WordPress will help close any loopholes and keep the bad guys out. Some WordPress developers will go for a cheap hosting solution that places your website onto a shared server with hundreds of other sites. If one of those sites gets hacked, this can potentially bring down the server and make your website inaccessible.
At Thrive we host our clients on a bay of dedicated servers that only contain our own clients. Our dedicated servers have been optimized to provide a secure and reliable hosting environment for all of our WordPress sites.
Using a web application firewall. A web application firewall intercepts traffic to the server and prevents hackers from exploiting the site. It is a protection layer between the outside world and your website. Again, a good hosting company will have this implemented.
Not using free WordPress templates. Some WordPress developers offer a low-cost solution by using free WordPress templates or a knockoff of a pro template. These free WordPress templates can contain malicious code or links that could do serious harm to your site, your server and even your business. There are a couple of security plugins, like Theme Authenticity Checker and Exploit Scanner, as well as the Sucuri SiteCheck online tool, that can check whether there is any malicious code hiding in your template files.
As expert WordPress developers, we strive to keep our clients’ sites updated and secure so they can focus on running their business. Let Thrive take care of the bad guys. If you would like our team to perform a security audit for your WordPress website or are interested in learning more about our WordPress services, call 817-642-9686 or contact us online.