This post was originally published on April 22, 2016, and while much of the information is still relevant, it has been updated with new information to reflect the ever-changing security landscape.
I often get asked, “How secure is WordPress?”
I hear statements like ‘Our IT department advised us that WordPress isn’t secure. Should we be using it?’ or ‘I read an article about WordPress sites getting hacked. Will my site be secure?’ are common. Online security is more important than ever, and therefore these are very valid questions. Let’s take a look and discuss these concerns.
Think of your new WordPress site like a new house. Your builders will put a front door on your house with a strong lock. That adds some basic security, but we know that this house could be broken into by using a crowbar on the door, smashing a window, etc. WordPress is similar in that the basic install provides some essential security, but if you hope to keep out the bad guys, you need to do a little extra work.
What does Visceral do to keep my WordPress site secure?
We take significant steps to make sure that the websites we build are secure. We view these steps as best practices for creating websites, so they’re just part of our overall process, not something we charge extra for.
Note that we’re about to enter the tech realm here, so if nerd jargon isn’t your thing, feel free to skim this next section or forward it to your IT staff if they have concerns.
Every website Viscearl builds includes:
Malware scans: Sites that we manage are routinely scanned for malware and viruses and reported to us if anything comes up. Generally, these scans occur 2-3 times a month but the frequency can be customized based on your site’s needs or during periods of increased threats.
Brute force protection: Users (most likely “bots”, automated scripts run by hackers) that fail to log in several times in a row with false credentials are locked out.
404 detection: If a user (or bot) is hitting a large number of non-existent pages, they are usually scanning for something, presumably a vulnerability, and they get locked out.
Blocklists: We automatically block traffic from IP addresses and user agents known to be used by hackers and spambots.
Disabled directory browsing: Prevents users from seeing a list of files in a directory when no index file is present.
Unique database prefixes: We change the default WordPress database prefix to something other than “wp_”. This helps guard against bots looking for the default setup.
Unique administrator login: WordPress’ default administrator account is named “admin” which will be the first thing hackers will try. We rename this to something specific to your site.
Site backups: We do daily site database backups, weekly full site backups, and continuous backups of the server itself for sites that we manage. All backups are stored off-site for maximum protection. For most of our projects, we also like to use two different services to create backups to have some redundancy as well since you can never be too safe.
SSL certificates: SSL is the technology used to encrypt data that’s sent over the web. You’ve mostly seen this in action whenever you’ve purchased something online. This used to be primarily for e-commerce sites but it’s now essential for any website. Google will show insecure warnings for all non-SSL sites in Chrome and since late 2014 it has used it as a ranking signal in your search rankings.
Uptime monitoring: If a website goes offline for any reason (or if specific content changes), our team gets an alert to investigate which can help mitigate both server issues as well as malicious attacks.
What can I do to help keep my site secure?
Glad you asked! Security isn’t just a one-time thing during development. It’s an ongoing process that we need your help with. Here are a couple of things that you can do while managing your site.
Set strong passwords: Many Internet users still choose passwords that are extremely simple and easy to guess. For five years running the web’s most popular passwords have been ‘123456’ and, wait for it… ‘password’. This is the digital equivalent of just leaving the front door wide open. Using strong passwords ensures that hackers will have a much harder time getting into your site. They can however be difficult to remember so we recommend a password manager application such as 1Password or LastPass, especially if you have several passwords to keep track of.
Don’t share passwords via email: We recommend that each site user has their own account and password, but if you absolutely must share a password with someone, avoid doing it via email as it’s likely insecure and could be intercepted. If you need to send someone a password consider using an encrypted message service like NoteShred.
Site updates: Any piece of software occasionally needs updates to keep it secure. You’ve likely experienced this yourself if you’ve used a Windows PC anytime in the last decade. WordPress is maintained by a massive community of developers so if security issues are found they’re generally patched very quickly. Keeping everything up-to-date ensures that the site stays secure long after it’s built. Visceral often handles this for our clients as part of our ongoing success plans but it’s likely something your IT staff could take over if they like.
And if I want to go above and beyond?
All of the above items will definitely help but we can go further still depending on how important security is to your organization. Additionally, some of the options below have additional costs as they involve 3rd-party services and/or purchasing hardware.
Firewalls: Firewalls are security devices that live in front of your website to block malicious traffic. You can think of them as a giant brick wall around your house. They can be actual physical hardware or they can be software-based, often called web application firewalls.
Content Delivery Networks (CDNs): Services like CloudFlare offer both optimizations for optimal load times and security features like protection against distributed denial-of-service (DDoS) attacks.
Two-factor Authentication (2FA): Logging into the administrative side of your site to make updates requires a username and password. Two-factor authentication takes this further by requiring an additional step, such as a temporary passcode emailed to the email address on file or integration with a third-party service like Authy or Google Authenticator. You’ve likely used 2FA on your online banking website.
Additional Restrictions: There are several other “behind-the-scenes” changes we can make such as restricting the WordPress administration backend to only a limited set of IP addresses, making the WordPress administration backend available only during specific times of the day, or enforcing password expiration guidelines so that users have to change their passwords every few weeks.
Let’s wrap up
What it all boils down to is that WordPress is just a tool like any other. With the right setup, it can be powerful, flexible, and secure. It’s the most popular CMS on the planet and secure enough to be used by the world’s leading brands, from The Walt Disney Company to Bloomberg and Variety. The Biden Administration is even using WordPress to power The White House website.
Security is a multi-faceted topic, the scope of which far exceeds this short blog post. We’ve tried to highlight just a few of the things we can do and illustrate the seriousness of the topic itself, but of course, each website will have its own individual security requirements. Contact us to discuss the unique security needs of your site.