Do’s and Don’ts of WordPress Security

With a great WordPress site comes great responsibility. WordPress offers journalists a distinguished platform to publish and distribute their content, but keeping your site safe and secure can seem like an overwhelming and daunting task. Luckily, keeping your WordPress site in tip-top shape isn’t as difficult as it seems. We’ve put together a list of a few basic do’s and don’ts to follow in order to keep your site running smoothly and securely, along with the basics of WordPress vulnerabilities and how to understand why some WordPress websites end up getting exploited.

Common WordPress Vulnerabilities

Before we discuss what you should and should not do with your WordPress site, it will be helpful for you to understand the two main ways that WordPress sites can end up becoming vulnerable to attackers. 

  1. Outdated Plugins
    The most common way for attackers to exploit WordPress sites is through outdated plugins, which account for nearly 60% of all WordPress breaches. Outdated plugins can leave doors open to unwelcome visitors through insecure coding practices, improperly sanitized text fields, or any number of other flaws that a newer version has already fixed. Keep your plugins updated.
  2. User Accounts
    Another common way WordPress sites are exploited is through user accounts. Keeping track of who has access to user accounts on your website, and what permission levels each account has, is a great way to prevent unwanted users from coming in and making unwelcome changes to your site. 

Basic Do’s and Don’ts of WordPress Security

Now that we’ve gone over what some of the most commonly exploited WordPress vulnerabilities look like, we can explore a basic list of some do’s and don’ts when it comes to keeping up with your WordPress site. 

Do:

You can find available plugin and WordPress updates by logging into your WordPress admin panel and navigating to plugins -> installed plugins -> updates available.
  • Keep WordPress, plugins and themes up to date
    • Keeping your plugins and themes up to date will not only allow you to use the newest features and tools added, but it will also ensure that any bugs and vulnerabilities in the previous versions won’t be running on your WordPress site.
  • Remove unused users and plugins
    • Removing unused user accounts and plugins from your site will not only help keep your website running smoothly, but it will also limit the number of things that need to be maintained on your WordPress site and reduce the number of ways unauthorized users and vulnerable code can get into your site.
  • Set up a backup solution
    • If the unthinkable happens and your site is the unfortunate target of a successful attack, having a backup solution in place will save you a lot of time and headaches. With a backup in place, you can usually have your site back up and functioning with a couple of clicks and in a matter of minutes. Taking a few hours to get a solid backup solution in place is a lot better than losing your entire site and having to rebuild it from the ground up if it is compromised.
  • Install an SSL certificate
    • Installing an SSL certificate on your website is a pretty painless process, and it can usually be done for free. An SSL certificate adds an extra layer of security between your WordPress site and its visitors by encrypting the connection between the two. It is also a great way to instill trust in readers and let them know that you run a legitimate and safe website. Along with the added trust factor, your site will also see a boost in search engine ranking, since Google’s algorithms prefer HTTPS-enabled websites.
  • Find a stable host who specializes in WordPress
    • Finding a stable and trustworthy web host that specializes in hosting WordPress sites, such as Flywheel or WPEngine, is one of the most important steps you can take toward ensuring the security of your WordPress site. A good web host will work with you to help maintain your WordPress site and even help improve your site speed and performance.

Don’t:

Changing the default WordPress admin username to something more complex is an easy and simple way to deter some would-be attackers.
  • Don't reuse the same password for multiple accounts
    • This is more of a basic internet security rule than a WordPress-specific one, but never use the same password for multiple internet accounts. Instead, find an easy-to-use password manager to keep your passwords safe and secure. Make sure that your WordPress password is a secure mix of capital letters, symbols, and numbers; a strong password is a simple preventative step that stops an account from becoming compromised.
  • Don't use the default `admin` username
    • Unwanted visitors who try to gain access to WordPress accounts almost always try the default admin username first. Consider changing the admin username to something different as a simple preventative step.
  • Don't install questionable themes or plugins
    • The beauty of WordPress is that it gives you the freedom to install thousands of free themes and plugins, almost all of which are legitimate. However, it’s easy to get caught up in the endless number of free plugins and themes that you can install, and some themes and plugins out there are made with malevolent intent. Always read reviews and download plugins and themes from reliable sources, like the WordPress plugin and theme directories.
  • Don't give away admin access
    • Only give out admin access to users you fully trust. Admin accounts come with lots of responsibility. Instead of granting full admin privileges to users, try giving them specific privileges to only certain tools and areas they need access to. When the user no longer needs that access, revoke their permissions.
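The update, unused-plugin, default-username and admin-access items above can be checked automatically. As an added example (not code from the original article), here is a small must-use plugin written against WordPress's standard plugin and user functions; it assumes it is saved as a file in wp-content/mu-plugins/ and that WordPress's own background update check has already run.

```php
<?php
/**
 * Plugin Name: Site Hygiene Audit (added example, not from the original article)
 */

// Gather the items the do's and don'ts above ask you to review.
function hygiene_audit_collect() {
    // get_plugins() and is_plugin_active() live in wp-admin; load them if needed.
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $all_plugins = get_plugins();                          // plugin file => header data
    $updates     = get_site_transient( 'update_plugins' ); // filled by WP's update check
    $pending     = isset( $updates->response ) ? array_keys( $updates->response ) : array();

    $inactive = array();
    foreach ( $all_plugins as $file => $data ) {
        if ( ! is_plugin_active( $file ) ) {
            $inactive[] = $data['Name'];
        }
    }

    $admins = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        $admins[] = $user->user_login;
    }

    return array(
        'updates'       => $pending,  // newer version available: update these
        'inactive'      => $inactive, // installed but unused: candidates for removal
        'admins'        => $admins,   // accounts with full control: keep this list short
        'default_admin' => in_array( 'admin', $admins, true ), // the username to avoid
    );
}

// Show the summary only to users who are allowed to manage plugins.
function hygiene_audit_notice() {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $a   = hygiene_audit_collect();
    $msg = sprintf(
        'Plugins needing updates: %d | Inactive plugins: %d | Administrators: %s%s',
        count( $a['updates'] ),
        count( $a['inactive'] ),
        implode( ', ', $a['admins'] ),
        $a['default_admin'] ? ' (rename the default "admin" account)' : ''
    );
    echo '<div class="notice notice-warning"><p>' . esc_html( $msg ) . '</p></div>';
}
add_action( 'admin_notices', 'hygiene_audit_notice' );
```

The notice appears on every admin page for plugin managers; anything it lists is something to update, delete, rename or demote.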

Security and Speed Go Hand-In-Hand

An additional benefit of following these steps is that most of them will also speed up your WordPress site. For example, reducing the number of plugins you have will help control what we call “plugin bloat”: having too many plugins may result in slow page load times, because all of their assets and functions have to load on the page at once.

Another area to keep an eye on if you’re looking to increase your site speed is your theme. Many themes bundle a lot of unnecessary tools and functions that may occasionally be useful but most of the time just end up increasing page load times. Verify that the theme you’re installing has been thoroughly tested so you know the effect it will have on your page speed.

What to Do if Your Site is Compromised

If your site is the unfortunate victim of a successful attack, knowing what to do will save you from a lot of headaches. First off, don’t panic! Panicking will only make the situation worse, and you will need a level head to successfully recover your website. The first step you’ll want to take is finding out what exactly happened and locating the vulnerability that was exploited. Ask yourself these questions:

  • Are you able to log in to your admin panel? 
  • Is your website being redirected to another website? 
  • Is your website not responding at all?

Once you figure out what exactly happened, you can continue to recover your website. At this point, you should contact your hosting provider. Your host has dealt with this before and will know how to help with these next steps:

Having an automated backup solution in place can really come in handy in the unfortunate event of a successful attack. This image shows Flywheel's backups panel and several nightly backups.
  1. Restore a backup of your site
    • Hopefully, you backed up your site before this attack happened – you should be backing up your site every day! If you have, you will restore your website from the latest one. Unfortunately, you will lose any content updates you’ve made between the time of that backup and now, but that is a small price to pay to get your site back up and running. 
  2. Fix the vulnerability to prevent future attacks
    • After you and/or your host have restored your site to a previous backup, it’s important to remember that the site is still vulnerable to attack. Now is the time to fix whatever vulnerability was exploited, whether it was an outdated plugin or a compromised user account, so that this can’t happen again.
  3. Change your passwords
    • Once you have your site restored from a previous backup, make sure to change all of the passwords relating to your WordPress site, including your WordPress admin account, MySQL database, SFTP users, and all others that allow access to your website. WordPress.org has also put together a useful FAQ guide on what to do if your site has been hacked and how to get it back up and running.

In Conclusion

WordPress is a great tool for publishers when used properly and maintained often. However, if you ignore maintaining your WordPress themes and plugins, you could potentially welcome unwanted threats to your site. Keeping your WordPress site secure seems daunting at first, but it’s not that big of a hurdle to overcome. Now that we’ve explored the basics of how the majority of WordPress sites are exploited, you can keep an eye out and know what to look for and what best practices to use on your website.

Questions? Get in touch.

Have a question for our team or need help with WordPress design and/or development? Check out INN Labs' full services here, join us for one of our weekly Office Hours, or get in touch!