Are WordPress Websites Secure?

WordPress and PHP often get a bad reputation for not being secure. The truth is that WordPress and PHP security depends entirely on how well they are used. Because WordPress powers so many sites, it presents a large attack surface, meaning there is always someone probing for vulnerable installations. But there are many measures you can take to limit the attack vectors, or exploitable vulnerabilities, on your website.

Website security expert Cal Evans, in a recent webinar with SiteGround, provided a range of security tips to help protect your website. These tips range from things you can do yourself, or with the help of your hosting partner, to more advanced measures that may require a programmer. However, it is always important to remember that you can never guarantee your website's security 100%. What you can do is deter attackers by adding layers of security that make your site difficult to compromise.

Security Layers: 

The following are things you can do to make your WordPress website more secure.  

DIY Security: 

  1. Keep things up to date. Be sure to keep your WordPress core and all plugins on your site updated. A good hosting partner can enable you to automate updates, to make this process as straightforward as possible.  
  2. Use strong passwords. Make sure that as many people with access to your site as possible have strong passwords; for this you may need a password management program. It is especially important that all site administrators have strong passwords. The strongest passwords are usually random ones, because they are hard to guess.
  3. Only download plugins and themes from official sources. Often files downloaded from unofficial sources include additional code that opens backdoors for attackers to access your website. 

Medium Level Security: 

  1. Perform regular backups for your website. Some hosting partners can provide an automatic backup service. Otherwise you can install a plugin for this. It’s best to keep a minimum of 5 days of backup, but most experts recommend 30.  
  2. Change your admin user. This helps keep people from breaking in by guessing who the main website admins are. This can be done three different ways:
    1. Use a plugin. This is a one-off task, meaning once you have used the plugin for this, you should remove it in order to avoid other security risks.
    2. Manually edit the database. This may require help from a programmer, as you need to change the username directly in the database.
    3. Manually change your admin user. To do this, add a new admin user, then log out and log in with the new account. Once you've done this, delete the old account. This is one of the best methods for those without a lot of technical knowledge.
  3. Implement two-factor authentication (2FA). This means requiring two things before accessing the site: something you know, like a password, and something you have, like a one-time code. Text-based (SMS) systems for receiving codes are not the most secure. Instead use something like the WP 2FA plugin.
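The "manually edit the database" option above is what a programmer would typically do for you. The following is an added example, not code from the article or from SiteGround, showing one safe way to do it: a one-off PHP script run through WP-CLI (assumed to be installed) so that WordPress's own database layer handles escaping. The old and new login names are constructed placeholders.

```php
<?php
/**
 * One-off script: rename the guessable "admin" login to something non-obvious.
 * Added illustration, not part of the original article.
 * Assumes WP-CLI is available; run once from the site root:  wp eval-file rename-admin.php
 * Take a database backup first (tip 1 of this section).
 */

// Refuse to run outside a loaded WordPress environment.
if ( ! defined( 'ABSPATH' ) ) {
    exit( "Run this through WP-CLI (wp eval-file) so WordPress is loaded.\n" );
}

global $wpdb;

$old_login = 'admin';            // constructed example: the default, easily guessed login
$new_login = 'site-owner-7k2q';  // constructed example: a replacement nobody would guess

// Sanity checks: the new name must be free and the old account must exist.
if ( username_exists( $new_login ) ) {
    exit( "Login '{$new_login}' already exists; choose another.\n" );
}
$user = get_user_by( 'login', $old_login );
if ( ! $user ) {
    exit( "No user with login '{$old_login}'; nothing to do.\n" );
}

// wp_update_user() deliberately ignores user_login, so the column is written directly.
// $wpdb->update() builds a prepared statement from the format arrays ('%s', '%d'),
// so the values are escaped for us.
$rows = $wpdb->update(
    $wpdb->users,
    array( 'user_login' => $new_login ),
    array( 'ID' => $user->ID ),
    array( '%s' ),
    array( '%d' )
);

if ( false === $rows ) {
    exit( 'Database update failed: ' . $wpdb->last_error . "\n" );
}

// Drop cached copies of the user object so the new login takes effect immediately.
clean_user_cache( $user->ID );

echo "Renamed user ID {$user->ID}: '{$old_login}' -> '{$new_login}'. Log in again with the new name.\n";
```

Two things worth knowing before running it: WordPress auth cookies embed the login name, so the renamed user's existing sessions stop working and they must log in again with the new name; and the rename only touches `user_login`, so if `user_nicename` (the author-archive URL slug) or `display_name` is also "admin", those still reveal the old name and should be changed from the user's profile screen.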

High Level Security that Requires a Programmer:  

  1. Disable XML-RPC. This is an antiquated remote-access interface, and disabling it requires a programmer to change a line of code.
  2. Disable file editing. The built-in file editor is great for designing websites, but it is terrible for maintaining website security.
  3. Enable a web application firewall. This blocks malicious traffic before it reaches your website. There are two levels of application firewall:
    1. A DNS-level website firewall routes your site traffic through the provider's cloud proxy servers, so that only genuine traffic reaches your site.
    2. An application-level firewall is a plugin that examines traffic after it reaches your server, but before the rest of WordPress loads. While not as secure as a DNS-level firewall, the application-level firewall still reduces the server load.
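Items 1 and 2 above are each a one-line change in WordPress terms. The following is an added example, not code from the article or from SiteGround, showing both in a single must-use plugin (a file dropped into `wp-content/mu-plugins/`, which WordPress loads automatically without activation). It uses only documented WordPress hooks: the `DISALLOW_FILE_EDIT` constant, the `xmlrpc_enabled` and `xmlrpc_methods` filters, and the `wp_headers` filter. The file name is an assumption.

```php
<?php
/**
 * Plugin Name: Hardening example (added illustration, not from the article)
 * Description: Disables the theme/plugin file editor and the XML-RPC endpoint.
 * Install as wp-content/mu-plugins/hardening-example.php (assumed file name).
 */

// Block direct HTTP requests to this file; it must only run inside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Disable file editing. DISALLOW_FILE_EDIT removes the Theme Editor and
//    Plugin Editor screens and the edit_plugins/edit_themes capabilities.
//    It is normally placed in wp-config.php; defining it in a must-use plugin
//    works as well because mu-plugins load before the admin screens are built.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// 2. Disable XML-RPC. Returning false from this filter makes every
//    authenticated XML-RPC call fail at the login step.
add_filter( 'xmlrpc_enabled', '__return_false' );

// The pingback methods do not require a login and are the part of XML-RPC
// most often abused, so they are removed from the method table as well.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: WordPress adds an X-Pingback header on
// single posts with pings open, which tells scanners the endpoint exists.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

After installing it, confirm the result from the admin side: the Theme Editor and Plugin Editor entries disappear from the Appearance and Plugins menus, and a POST to `/xmlrpc.php` with any authenticated method returns an "XML-RPC services are disabled on this site" fault. Note that the Jetpack plugin and the WordPress mobile apps rely on XML-RPC, so if you use either, leave it enabled and rely on the web application firewall (item 3) instead.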

Website security is critically important for companies that do business online. And as more and more companies look to move their business online, strong security will be vital to maintaining relationships of trust with your client base. It's not just about protecting your website; it's about protecting your website's users. For help evaluating the security of your website, contact the experts at MIBS, Inc. today.