WordPress security & hardening, the definitive guide

WordPress is massively popular. Around one in five sites on the Internet uses WordPress in some form, whether to run a humble blog, a multi-site Content Management System (CMS), or an e-commerce site. As a result, it is no surprise that WordPress websites are a very popular target for experienced hackers and script-kiddies alike.

The last thing any webmaster wants is to find out that their website has been hacked; maybe taken hostage and is part of a botnet, spreading malware, or partaking in Denial of Service (DoS) attacks. In this article we’ll be sharing a number of tips and strategies to help you harden your WordPress website.

Is WordPress secure?

This is a question many system administrators ask, and rightfully so. While WordPress is overall well-built and secure, it has a reputation for being prone to security vulnerabilities and not being “enterprise-grade”. That reputation is not exactly fair. More often than not, issues lie in WordPress being an incredibly popular software package which is easy to set up while taking security shortcuts. Which brings us to our first topic — plugins and themes.

Plugins and themes

The number one issue which plagues WordPress security is also what makes it incredibly popular. WordPress plugins and themes vary far and wide in terms of quality and safety. While a lot of work has been done by the WordPress team to help developers build more secure plugins and themes, they still remain a security nightmare. This is most apparent with poorly maintained plugins, or plugins obtained from a sketchy source.

Before we continue discussing WordPress plugins and themes, let’s first understand what a WordPress plugin actually is. Plugins are simply custom PHP code that WordPress runs in order to extend WordPress’s functionality. For a more detailed and technical explanation refer to What are WordPress plugins.

Similarly, WordPress themes allow for the customization of the visual aspects of your WordPress site. From an attacker’s perspective, there is very little difference between the two since both can be abused to run malicious co

Run less software

So how can you tell if a plugin is malicious or not? That’s a complicated question, but fortunately we have an answer for you. We have written about this in detail in how to choose the best WordPress plugin for your WordPress website.

Even if you do all the necessary research, there is still a chance that the plugin is a security threat. So one of the ways to reduce your risk is to only run the software you absolutely need and trust. Before installing a new WordPress plugin, ask yourself if you really need it. Can a small code snippet in a site-specific plugin do the trick, or do you legitimately need a full-blown plugin?

Important — be very vigilant with code snippets you find on the Internet. Never use a piece of code unless you fully understand what it’s doing — just because it’s on StackOverflow, it doesn’t mean it’s safe to use.

If you have a genuine need to run a plugin, make sure it’s actively maintained and regularly updated, as we explain in our guide. As a rule of thumb, a large number of downloads and recent updates indicate that the plugin or theme is in wide use and is being actively maintained by its authors. This does not mean that the plugin will never have a vulnerability. However, if a vulnerability is found, the developer is likely to act quickly and issue a fix.

Try to avoid plugins which don’t have many downloads and critically, do not have an active community and regular updates. If something hasn’t received an update within a year, it’s generally a red flag.
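As an added example (not part of the original article), the following Python script turns the rules of thumb above into a pre-install check: it fetches a plugin's record from the WordPress.org plugin-information API and flags plugins that have not been updated within a year, have few active installs, or declare no tested WordPress version. The API endpoint, its field names (`last_updated`, `active_installs`, `tested`) and the install threshold are assumptions, not something the article states.

```python
"""Screen a WordPress.org plugin for red flags before installing it.

Added example, not the article's own tooling.  Assumes the wordpress.org
plugin-information endpoint and the field names last_updated,
active_installs and tested.
"""
import json
import sys
import urllib.request
from datetime import date

STALE_DAYS = 365            # "no update within a year" rule of thumb from the guide
MIN_ACTIVE_INSTALLS = 1000  # constructed threshold; tune to your own risk appetite


def assess_plugin(info: dict, today_iso: str) -> list[str]:
    """Return a list of human-readable red flags for one plugin record.

    today_iso is the reference date as YYYY-MM-DD so callers (and tests)
    can pin the clock.  last_updated from the API looks like
    "2024-03-12 8:08am GMT"; only the date part is used.
    """
    flags = []
    today = date.fromisoformat(today_iso)
    last = date.fromisoformat(info["last_updated"][:10])
    age_days = (today - last).days
    if age_days > STALE_DAYS:
        flags.append(f"last update {age_days} days ago (more than {STALE_DAYS})")
    installs = int(info.get("active_installs", 0))
    if installs < MIN_ACTIVE_INSTALLS:
        flags.append(f"only {installs} active installs (below {MIN_ACTIVE_INSTALLS})")
    if not info.get("tested"):
        flags.append("no 'tested up to' WordPress version declared")
    return flags


def fetch_info(slug: str) -> dict:
    """Fetch the public plugin-information record for a wordpress.org slug."""
    url = ("https://api.wordpress.org/plugins/info/1.2/"
           f"?action=plugin_information&request[slug]={slug}")
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage: python check_plugin.py akismet some-other-slug
    for slug in sys.argv[1:]:
        flags = assess_plugin(fetch_info(slug), date.today().isoformat())
        verdict = "RED FLAGS" if flags else "ok"
        print(f"{slug}: {verdict}", *flags, sep="\n  ")
```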

Update your WordPress plugins and themes

WordPress plugin and themes updates are important not just to benefit from new functionality and bug fixes, but also to patch security vulnerabilities. Both plugins and themes are easy to update within the WordPress interface.

Some commercial plugins will likely have their own mechanisms to keep plugins up to date, however, in most cases this is transparent to the users. Nonetheless, just make sure that whatever update system is being used, you keep your plugins and themes up to date.

Do not use ‘nulled’ WordPress plugins and themes


WordPress makes use of the GPL. Without going into much detail, the GPL license allows anyone to freely distribute GPL-licensed software. This includes commercial/premium GPL-licensed WordPress themes and plugins. As such, it may not be illegal to download a modified (usually referred to as ‘nulled’) premium theme or plugin and use it for free.

However, as you may have already guessed, aside from not supporting the plugin developer, you are very unlikely to receive updates for nulled plugins. What’s more, you have no way of knowing if the source to this plugin has been modified to do something nefarious.

WordPress Hosting


Where and how you choose to host your WordPress site will highly depend on your requirements. While there is nothing wrong with hosting and managing WordPress yourself, if you are either not as technically savvy, or you want to make sure to meet most of the WordPress security basics without doing a lot of heavy lifting, you may want to opt for a managed WordPress hosting provider such as Kinsta or WP Engine.

Since we have had websites hosted with both hosts, we have written about them. In our customer stories we highlight our experience with them. To learn more about our experience, read our WP Engine and Kinsta customer stories. Managed WordPress hosting abstracts away a lot of the security decisions and configuration you would otherwise need to worry about yourself.

Naturally, managed WordPress hosting may also not be for you. You may opt to host WordPress yourself, especially if you’re budget constrained. Self hosting WordPress also gives you greater control over your WordPress installation. To learn more about all the different WordPress hosting options and what works best for you refer to the guide to choosing WordPress hosting. 




