By Nick Galov, web hosting expert at HostingTribunal.com
WordPress is the most popular site building and content management system in the world. It already powers over a third of all websites in existence and its adoption continues to grow. Such widespread usage also makes it a natural target for hackers and hijackers.
The core WordPress files have received several revisions and massive security updates in the past few years, but the weakest security point remains the end user. Simple passwords, obvious usernames, lack of regular updates, and dodgy plugins are some of the most common security hazards.
Here is what you can do to keep your WordPress site safe.
Update WordPress regularly – New WordPress versions are released regularly. Some updates are aimed mainly at better performance, but almost all of them bring on improved security as well. Keeping the core WordPress installation up to date is a must. Nowadays, many website hosting companies, even some that don’t provide managed WordPress hosting, roll out automatic updates to reduce the security risks. If you plan to run a WordPress site, find a host that will keep your installation updated for you.
Create secure user names and passwords – Running a WordPress site with the default administrator user name “admin” is simply asking for trouble. Brute force attacks test various login combinations to gain access to the backend of a site. Guessing the username is half the game, so giving it away freely is irresponsible. The same goes for password combinations that are easy to guess.
Avoid new plugins – WordPress has well over 50,000 plugins. While awesome, such variety brings along massive risks, as a great many of these plugins are not up to scratch. Anyone can write a WordPress plugin but not everyone knows how to write lean and secure code. Whenever you consider a new plugin for your WordPress site, check reviews and feedback, and examine how good its history is. As a rule of thumb, you should avoid new plugins from unproven creators.
Don’t use unknown themes – In the same vein, avoid using untested themes for your WordPress website. Themes involve a decent amount of coding, which means ample opportunities to mess things up. Generally, it is better to choose an industry-specific theme, preferably a premium one. Pick a theme that does the thing you need and does it well, because general-purpose themes come with a lot of unnecessary functions, bloated code, and more elements that can be exploited. Again, use themes from proven developers with a good security record.
Use security plugins – WordPress has many top-quality security plugins. Wordfence is probably the most popular among them. It can protect a WordPress site in several ways, including IP blocking (prevents access from certain IP addresses), limited login attempts (good against brute force attacks), and 2-factor authentication. The plugin is free and greatly reduces the likelihood of malware injections, hijacking, and defamation.
If you follow these 5 simple tips, your site will stay out of harm’s way. All the same, it is a very good idea to create regular backups of your WordPress installation. Many web hosting providers do that for free, but creating a weekly off-site backup (i.e., stored on your local computer and not on the host’s servers) is also an excellent habit. Digital data gets lost and corrupted even without human intervention; creating regular copies saves a lot of headaches.
WordPress is not the most secure content management system, but with some diligence and good security practices the risks could be all but eliminated.