WordPress (WP) is an actively maintained product, supported both by its developers and by a large user community. When a security flaw is found by the developers or reported by users, effort goes into fixing it, and the fix ships as a security release; several such releases appear each year.
But that’s not the end of it. WordPress users (ie, you) have to do their part too to keep their WP installations secure. For example, when a new security release is available it’s up to you to make sure the WP version on your site is updated promptly. Why? Because a security release tells attackers exactly what was fixed, and as soon as it is published they start scanning for sites that haven’t applied it.
You can make your life easier by making sure your WP installation auto-updates. This includes plugins and themes, each of which can be set to self-update. But make sure your hosting account has enough free space for an update to run: typically you need around 80MB of spare quota, because the new version is downloaded and unpacked before the old files are replaced.
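The following is an added example, not code from the original article or from WordPress itself: a small must-use plugin (a file placed in wp-content/mu-plugins/, which WordPress loads on every request) that turns on automatic core, plugin and theme updates, and refuses to start a plugin or theme update when the free space falls below the 80MB figure mentioned above. The constant `WP_AUTO_UPDATE_CORE` and the `auto_update_plugin` / `auto_update_theme` filters are real WordPress hooks; the `example_` names and the 80MB threshold are assumptions for this illustration.

```php
<?php
/**
 * Plugin Name: Auto-update policy (example)
 *
 * Added example for this article; not code from WordPress or any plugin.
 * Save as wp-content/mu-plugins/auto-update-policy.php.
 */

// Core: allow minor AND major releases to install automatically.
// (Equivalent to putting this define in wp-config.php.)
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
	define( 'WP_AUTO_UPDATE_CORE', true );
}

// Assumed threshold: the article's "around 80MB" rule of thumb.
const EXAMPLE_MIN_FREE_BYTES = 80 * 1024 * 1024;

/**
 * Decide whether an automatic plugin/theme update may proceed.
 *
 * WordPress passes its current decision ($update) and the update item.
 * Returning true forces the update on for every plugin/theme regardless of
 * the per-item toggle in the admin screen; return $update instead if you
 * want that toggle respected.
 */
function example_allow_auto_update( $update, $item ) {
	$free = disk_free_space( WP_CONTENT_DIR );
	if ( false === $free || $free < EXAMPLE_MIN_FREE_BYTES ) {
		// Not enough room to download and unpack the package: skip this run
		// rather than risk a half-written plugin directory.
		error_log( sprintf(
			'Auto-update of %s skipped: %s bytes free, %d required',
			$item->slug ?? $item->theme ?? 'unknown',
			false === $free ? 'unknown' : (string) $free,
			EXAMPLE_MIN_FREE_BYTES
		) );
		return false;
	}
	return true;
}

add_filter( 'auto_update_plugin', 'example_allow_auto_update', 10, 2 );
add_filter( 'auto_update_theme',  'example_allow_auto_update', 10, 2 );
```

The check runs when WP-Cron performs the scheduled update, so it only works if cron actually fires on the site (either through page visits or a real system cron calling wp-cron.php). Skipped updates are written to the PHP error log; check it occasionally, because a site that silently never updates is exactly the situation this is meant to avoid.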
WordPress offers a rich variety of plugins and themes, giving you a wide choice of look, feel and functionality for your site. But be cautious: every plugin or theme you install is code running on your server. Check that what you are installing is actively supported. When was it last updated? Is it compatible with the latest WP version? Are there any reported problems with it? And remove anything you no longer use: an inactive plugin is still code sitting on your server that has to be kept patched.
The first plugins you should consider are security plugins. We recommend the WordFence and iThemes Security plugins. Between them they give a combination of active measures (watching for and blocking malicious activity) and passive ones (recommending changes to your settings) that raise the security of your WordPress installation.
Our ‘Top Tips’ for settings changes you can make are:
- Disable directory browsing – don’t let attackers list the files and folders on your site, which tells them exactly what you’ve installed
- Disable XML-RPC – this is a remote API into WordPress used by some publishing tools, but it is also a favourite route for automated password guessing, so block it if you don’t need it (which is the case for most users)
- Don’t use ‘admin’ as your administrator username – it is the first name every password-guessing tool tries
- Use unique and strong passwords – don’t reuse the same password everywhere, because once it is compromised on one site all your other logins are exposed too
- Limit failed login attempts – lock out an address after, say, three failed attempts, so that guessing passwords becomes impractically slow
- Block web access to important files, eg wp-config.php (which holds your database password) and .htaccess, by adding rules to your .htaccess file
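As an added illustration of the "limit failed login attempts" tip (this is example code written for this article, not the implementation used by WordFence or iThemes Security), here is a must-use plugin that counts failed logins per client IP address in a WordPress transient and refuses further attempts once the limit is reached. `wp_login_failed`, `authenticate`, `wp_login` and the transient functions are real WordPress APIs; the `example_` names, the three-attempt limit and the 15-minute window are assumptions.

```php
<?php
/**
 * Plugin Name: Limit failed logins (example)
 *
 * Added example for this article; not code from WordPress or any plugin.
 * Save as wp-content/mu-plugins/limit-logins.php.
 */

const EXAMPLE_LOGIN_LIMIT  = 3;                      // attempts allowed (the article's suggestion)
const EXAMPLE_LOGIN_WINDOW = 15 * MINUTE_IN_SECONDS; // lockout length; assumed value

function example_client_ip() {
	// REMOTE_ADDR is filled in by the web server, so the client cannot forge it.
	// Behind a reverse proxy or CDN, use the proxy's trusted header instead,
	// otherwise every visitor shares the proxy's address and gets locked out together.
	return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function example_lockout_key( $ip ) {
	return 'example_failed_login_' . md5( $ip );
}

// Count every failed attempt. set_transient() resets the expiry each time,
// so the lockout clock restarts on each new failure.
add_action( 'wp_login_failed', function ( $username ) {
	$key   = example_lockout_key( example_client_ip() );
	$count = (int) get_transient( $key );
	set_transient( $key, $count + 1, EXAMPLE_LOGIN_WINDOW );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so even a correct password is refused while the address is locked out.
// XML-RPC and REST logins pass through this same filter, so they are covered too.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( '' === $username ) {
		return $user; // the login form is merely being displayed, not submitted
	}
	$count = (int) get_transient( example_lockout_key( example_client_ip() ) );
	if ( $count >= EXAMPLE_LOGIN_LIMIT ) {
		return new WP_Error(
			'example_too_many_attempts',
			sprintf( 'Too many failed login attempts. Try again in %d minutes.',
				EXAMPLE_LOGIN_WINDOW / MINUTE_IN_SECONDS )
		);
	}
	return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $username, $user ) {
	delete_transient( example_lockout_key( example_client_ip() ) );
}, 10, 2 );
```

Two caveats a practitioner would want: because the lockout is keyed by IP, users behind one shared office or mobile-carrier address can lock each other out, which is why the window is short; and transients live in the database (or object cache), so on a busy site a dedicated plugin with its own table and admin view is the better long-term choice.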
So far we’ve considered someone trying to break into your site. But what about someone trying to use your site maliciously?
For example, a badly written contact or comments form lets a visitor type a message, fill in an email address, and have a copy of the form contents sent to that address when Submit is pressed. Spammers can abuse this by entering forged addresses and submitting the form thousands of times, turning your site into a relay that delivers their spam for them (and gets your server blacklisted by mail providers). So validate the address on the server, and use some sort of human verification, eg a CAPTCHA, whenever you allow visitors to submit information to your site.
Similarly, you should moderate all user-submitted content before it is displayed on your site, to stop spammers taking over your site content or planting their links on it.
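To make the contact-form point concrete, here is an added example (written for this article, not code from the original page or from any form plugin) showing the relay-prone handler beside a hardened one. The hardened version checks a WordPress nonce, a honeypot field and a server-side CAPTCHA, validates the visitor's address, and never echoes the visitor's own text back to an address they supplied. The reCAPTCHA `siteverify` endpoint is real; `EXAMPLE_RECAPTCHA_SECRET`, the `example_` function names and the form field names are assumptions, and `wp_mail`, `wp_verify_nonce`, `wp_remote_post` and `sanitize_textarea_field` are real WordPress functions.

```php
<?php
/**
 * Contact-form handlers: the relay-prone version beside a hardened one.
 * Added example for this article; assumes it runs inside WordPress.
 */

// --- VULNERABLE: mails the visitor's text to whatever address the visitor typed ---
function example_contact_vulnerable( array $post ) {
	// Anyone can submit this thousands of times with forged "email" values,
	// turning the site into a spam relay. Nothing checks that a human sent it.
	wp_mail( $post['email'], 'Copy of your message', $post['message'] );
	wp_mail( get_option( 'admin_email' ), 'Contact form', $post['message'] );
	return true;
}

// --- HARDENED -----------------------------------------------------------------
const EXAMPLE_RECAPTCHA_SECRET = 'assumed-secret-key'; // assumption: your CAPTCHA provider's secret

// Server-side CAPTCHA check. Verifying on the server matters: a client-side
// widget alone is skipped trivially by a script that posts straight to the handler.
function example_captcha_ok( $token, $ip ) {
	if ( '' === $token ) {
		return false;
	}
	$resp = wp_remote_post( 'https://www.google.com/recaptcha/api/siteverify', array(
		'body' => array(
			'secret'   => EXAMPLE_RECAPTCHA_SECRET,
			'response' => $token,
			'remoteip' => $ip,
		),
	) );
	if ( is_wp_error( $resp ) ) {
		return false; // fail closed if the verification service is unreachable
	}
	$data = json_decode( wp_remote_retrieve_body( $resp ), true );
	return ! empty( $data['success'] );
}

// Returns 'ok' on success, otherwise a short reason code the caller can log.
function example_contact_hardened( array $post, $ip ) {
	// 1. Anti-CSRF token: the form must carry wp_nonce_field( 'example_contact' ).
	if ( ! wp_verify_nonce( $post['_wpnonce'] ?? '', 'example_contact' ) ) {
		return 'bad_nonce';
	}
	// 2. Honeypot: a field hidden by CSS that humans leave empty and bots fill in.
	if ( ! empty( $post['website'] ) ) {
		return 'honeypot';
	}
	// 3. Human verification.
	if ( ! example_captcha_ok( $post['g-recaptcha-response'] ?? '', $ip ) ) {
		return 'captcha';
	}
	// 4. Validate the address. FILTER_VALIDATE_EMAIL rejects embedded newlines,
	//    which also blocks attempts to inject extra mail headers.
	$email = filter_var( trim( $post['email'] ?? '' ), FILTER_VALIDATE_EMAIL );
	if ( false === $email ) {
		return 'bad_email';
	}
	$message = sanitize_textarea_field( $post['message'] ?? '' );
	if ( '' === $message ) {
		return 'empty';
	}
	// 5. Only the site owner receives the visitor's text. The visitor gets a fixed
	//    acknowledgement, so the form cannot deliver arbitrary content to third parties.
	wp_mail( get_option( 'admin_email' ), 'Contact form from ' . $email,
		$message . "\n\nSubmitted from IP: " . $ip );
	wp_mail( $email, 'We received your message', 'Thanks, we will reply shortly.' );
	return 'ok';
}
```

The reason codes let you count rejections per source address; a sudden run of `captcha` or `honeypot` results from one IP is a clear signal that the form is being scripted against.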
Of course, your partner in keeping your site secure is your hosting company. Choose one that takes the security of its platforms seriously and provides several layers of security software to detect and block malicious access attempts. We would also recommend a host that provides regular (daily) site backups as standard, so you don’t have to look after this yourself; a recent, known-good backup is what gets you back online quickly if a site is compromised. (Obviously we would suggest our own Supercali Linux services for this.)
Finally, give your visitors a secure browsing experience by installing an SSL/TLS certificate. This allows https browsing instead of plain http, so traffic between your site and your visitors is encrypted and authenticated, preventing eavesdropping on and hijacking of the connection. That protection is essential whenever logins, personal details or payment information pass between the two of you. Once the certificate is in place, redirect all http requests to https so nobody lands on the unencrypted version by accident.
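The ‘Top Tips’ list above (directory browsing, XML-RPC, hiding wp-config.php and .htaccess) and the https point just made all come down to a few lines in the site's top-level .htaccess file. The following is an added example for this article, not the rules WordPress generates itself; it uses Apache 2.4 syntax (`Require all denied`), and assumes `mod_rewrite` is enabled and that your host's `AllowOverride` setting permits `Options` and `FileInfo` directives.

```apache
# WordPress hardening snippets for the site's top-level .htaccess (Apache 2.4).
# Added example for this article. Place these ABOVE the "# BEGIN WordPress"
# block, because WordPress rewrites that block whenever permalinks change.

# 1. Disable directory browsing: folders without an index file no longer
#    return a listing of their contents.
Options -Indexes

# 2. Block XML-RPC entirely. Remove this if you rely on a remote-publishing
#    tool or service that needs it.
<Files "xmlrpc.php">
    Require all denied
</Files>

# 3. Hide wp-config.php (database password) and every .ht* file, including
#    this one, from web requests.
<Files "wp-config.php">
    Require all denied
</Files>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# 4. Force https so logins and form data never travel in clear text.
#    Only enable this once the certificate is installed and working,
#    otherwise every visitor is redirected to an error.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

Two practical checks after saving the file: request `https://yoursite/wp-config.php` and `https://yoursite/xmlrpc.php` in a browser and confirm both return a 403, and load a plugin directory such as `/wp-content/plugins/` to confirm you no longer get a listing. If the whole site instead returns a 500 error, your host does not allow `Options` in .htaccess; remove the `Options -Indexes` line and ask them to disable directory listings on their side.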
Do you want to try WordPress?
Calico UK offers WordPress support on our Supercali Linux hosting services. You can dive right in with a new website, or if you’d like to try before you buy, we can offer free developmental hosting. With the trial WordPress hosting we can set you up with a test address so that you can work on the site without it being live to the public.