WordPress is a fantastic CMS that is used by about 75 million websites around the world. It has a huge ecosystem, which means that whatever you want to do with it you can probably find a pre-built plugin to make it happen.
This popularity does have a downside though. As with any platform that is used by a lot of people, it attracts attention from people that want to steal your data, or use your website for other nefarious purposes.
A breach of security on a WordPress website can be devastating for a business. It can cause you to lose data, customer confidence, and potentially money. Around 30 000 sites are hacked daily, and up to 73% of WordPress sites have some kind of vulnerability.
So, what steps can be taken to improve the security of your site?
Does your admin panel look like this? If so, then this section particularly applies to you!
The single most important step to better WordPress security is to keep it up to date. This applies to plugins, themes, and the WordPress core itself. Any one of these routes can introduce vulnerabilities into your site, so they are all equally essential to keep up to date.
The best way of keeping your site up to date is to schedule a specific day each week to run through updates, as there is a small chance that any given update may cause issues for your site through incompatibility. It's important to back your site up before any update, then properly test all functionality after the update. Patch notes from updates can also give an indication of any potential breaking changes.
Sometimes themes and plugins can be abandoned by their creators, or include coding mistakes that open up vulnerabilities. The more that you have installed on your site, the more exposed you are.
Any plugins that enable functionality that is no longer needed on your site should be deleted, not just disabled. Before adding a plugin, consider carefully whether it is really needed, or whether you can get the functionality without adding something new.
An excess of plugins and themes can also have negative impacts on site speed, so having a plugin bonfire can pay dividends in many ways!
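The weekly update routine above and the plugin bonfire both come down to knowing, on the scheduled day, what is pending and what is dead weight. The following must-use plugin is an added example written for this article, not code from its author: every week it emails the site's admin address a list of pending core, plugin and theme updates plus every inactive plugin and theme (the deletion candidates), prefaced with the backup-first reminder. All WordPress functions and hooks used are real; the `wpsec_` function and hook names are my own.

```php
<?php
/**
 * Plugin Name: Weekly Maintenance Digest (added example)
 * Description: Emails a weekly list of pending updates and of inactive
 *              plugins/themes that are candidates for deletion.
 * Install:     drop into wp-content/mu-plugins/ (loaded on every request).
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Schedule once. WP-Cron is triggered by visitors, so on a quiet site point a
// real cron job at wp-cron.php so the digest actually goes out on time.
add_action( 'init', function () {
	if ( ! wp_next_scheduled( 'wpsec_weekly_digest' ) ) {
		wp_schedule_event( time(), 'weekly', 'wpsec_weekly_digest' ); // 'weekly' exists since WP 5.4
	}
} );
add_action( 'wpsec_weekly_digest', 'wpsec_send_digest' );

/** Builds the report lines; returns an empty array when there is nothing to do. */
function wpsec_build_digest() {
	require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active()
	require_once ABSPATH . 'wp-admin/includes/update.php'; // get_core_updates(), get_*_updates()

	// Refresh the update transients so the report is not stale.
	wp_version_check();
	wp_update_plugins();
	wp_update_themes();

	$lines = array();

	$core = get_core_updates();
	if ( is_array( $core ) ) {
		foreach ( $core as $offer ) {
			if ( 'upgrade' === $offer->response ) {
				$lines[] = sprintf( 'CORE UPDATE: %s -> %s', get_bloginfo( 'version' ), $offer->current );
			}
		}
	}

	foreach ( get_plugin_updates() as $file => $plugin ) {
		$lines[] = sprintf( 'PLUGIN UPDATE: %s %s -> %s (%s)',
			$plugin->Name, $plugin->Version, $plugin->update->new_version, $file );
	}

	foreach ( get_theme_updates() as $slug => $theme ) {
		$lines[] = sprintf( 'THEME UPDATE: %s %s -> %s (%s)',
			$theme->get( 'Name' ), $theme->get( 'Version' ), $theme->update['new_version'], $slug );
	}

	// Disabled code is still code on disk that can carry a vulnerability: delete it.
	foreach ( get_plugins() as $file => $plugin ) {
		if ( ! is_plugin_active( $file ) ) {
			$lines[] = sprintf( 'INACTIVE PLUGIN, delete?: %s (%s)', $plugin['Name'], $file );
		}
	}

	// Keep the active theme and its parent (a child theme needs both); flag the rest.
	$active = wp_get_theme();
	$keep   = array( $active->get_stylesheet(), $active->get_template() );
	foreach ( wp_get_themes() as $slug => $theme ) {
		if ( ! in_array( $slug, $keep, true ) ) {
			$lines[] = sprintf( 'INACTIVE THEME, delete?: %s (%s)', $theme->get( 'Name' ), $slug );
		}
	}

	return $lines;
}

/** Sends the digest to the address in Settings > General. */
function wpsec_send_digest() {
	$lines = wpsec_build_digest();
	if ( empty( $lines ) ) {
		$lines[] = 'Nothing pending this week.';
	}
	array_unshift( $lines,
		'Take a full backup (files AND database) BEFORE applying any update, then test the site afterwards.',
		'' );
	wp_mail( get_option( 'admin_email' ), 'Weekly WordPress maintenance digest', implode( "\n", $lines ) );
}
```

The report deliberately lists rather than applies: the point of the weekly routine is that a person backs up, updates, and tests in that order. Note that inactive themes are listed with their directory slug, which is what you delete under Appearance > Themes or from wp-content/themes.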
The most common WordPress attacks use stolen passwords and details. You can make this difficult by using strong and unique passwords, not just for your Admin area, but for any associated accounts such as hosting, associated emails etc.
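WordPress's own password strength meter runs in the browser, so a user who wants a short password can simply ignore it. The plugin below is an added example for this article (not the author's code) that enforces a minimum rule on the server wherever a password is set: the profile and "add user" screens in wp-admin and the lost-password reset form. The two hooks and the `pass1` field name are WordPress's own; the `wpsec_` names and the length of 14 are my choices.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (added example)
 * Description: Rejects short passwords and passwords that contain the
 *              username, email address or site name, server-side.
 * Install:     drop into wp-content/mu-plugins/.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

const WPSEC_MIN_PASSWORD_LENGTH = 14; // policy value chosen for this example

/**
 * Returns an error message if $password breaks policy, or '' if it is acceptable.
 * $context holds strings (username, email, site name) that must not appear in it.
 */
function wpsec_password_problem( $password, array $context = array() ) {
	if ( strlen( $password ) < WPSEC_MIN_PASSWORD_LENGTH ) {
		return sprintf( 'Passwords must be at least %d characters long.', WPSEC_MIN_PASSWORD_LENGTH );
	}
	$lower = strtolower( $password );
	foreach ( $context as $word ) {
		$word = strtolower( trim( (string) $word ) );
		// Ignore very short fragments so a two-letter site name does not block everything.
		if ( strlen( $word ) >= 4 && false !== strpos( $lower, $word ) ) {
			return 'Passwords must not contain your username, email address or the site name.';
		}
	}
	return '';
}

/** Shared check: adds an error to $errors if the submitted pass1 is unacceptable. */
function wpsec_check_submitted_password( WP_Error $errors, $login, $email ) {
	if ( empty( $_POST['pass1'] ) ) {
		return; // form shown, or password left unchanged
	}
	$problem = wpsec_password_problem(
		wp_unslash( $_POST['pass1'] ),
		array( $login, $email, get_bloginfo( 'name' ) )
	);
	if ( '' !== $problem ) {
		$errors->add( 'wpsec_weak_password', $problem );
	}
}

// Profile edit and Users > Add New in wp-admin. $user is a stdClass built from the form.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
	wpsec_check_submitted_password( $errors, $user->user_login ?? '', $user->user_email ?? '' );
}, 10, 3 );

// "Lost your password?" reset form on wp-login.php. $user is a WP_User.
add_action( 'validate_password_reset', function ( $errors, $user ) {
	if ( $user instanceof WP_User ) {
		wpsec_check_submitted_password( $errors, $user->user_login, $user->user_email );
	}
}, 10, 2 );
```

Adding an entry to the `WP_Error` object is enough: WordPress refuses to save the user or complete the reset while that object has any errors, and shows the message on the form. Length is the rule worth enforcing; a long unique passphrase from a password manager satisfies it, and the "unique" half of the advice in the paragraph above is what a manager gives you.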
It's also incredibly important to only give people access to what they need in the WordPress admin area. Someone who has full admin rights effectively has the 'keys to the kingdom', and you rely on them keeping their passwords etc. up to date as well. WordPress has a hugely powerful and customisable permissions and roles system, which allows you to keep fine-grained control over who has access to what. Never give someone access to your website by handing out your account details.
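As an added example of that roles system (my code, not the article's), the plugin below registers a "Content Contributor" role for an outside writer with exactly the capabilities they need and nothing more, and shows how to put an existing account into it instead of sharing a login. `add_role`, `get_role`, `set_role`, `has_cap` and the capability names are WordPress's own; the role slug and the `wpsec_` functions are mine.

```php
<?php
/**
 * Plugin Name: Least-Privilege Contributor Role (added example)
 * Description: Registers a role for outside writers: draft, edit and upload
 *              for their own posts; no publishing, no users, no plugins.
 * Install:     a normal plugin under wp-content/plugins/ (it uses activation hooks).
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/** The complete capability set for the role. Anything not listed is denied. */
function wpsec_contributor_caps() {
	return array(
		'read'          => true,  // can open the dashboard
		'edit_posts'    => true,  // write and edit their own posts
		'delete_posts'  => true,  // delete their own drafts
		'upload_files'  => true,  // add images to those posts
		'publish_posts' => false, // an Editor reviews and publishes; explicit deny documents intent
		// deliberately absent: edit_others_posts, edit_users, install_plugins,
		// edit_plugins, edit_themes, manage_options
	);
}

/**
 * Roles live in the database (the wp_user_roles option), so register once on
 * activation rather than on every request.
 */
function wpsec_register_role() {
	if ( null === get_role( 'content_contributor' ) ) {
		add_role( 'content_contributor', 'Content Contributor', wpsec_contributor_caps() );
	}
}
register_activation_hook( __FILE__, 'wpsec_register_role' );

/** Remove the role again on deactivation; users left in it fall back to no role. */
function wpsec_unregister_role() {
	remove_role( 'content_contributor' );
}
register_deactivation_hook( __FILE__, 'wpsec_unregister_role' );

/**
 * Put an existing user into the role. set_role() replaces whatever role they had,
 * so a contractor who was once handed Administrator is demoted, not stacked.
 * Returns true when the resulting account can write but cannot touch plugins.
 */
function wpsec_assign_contributor( $user_id ) {
	$user = get_user_by( 'id', $user_id );
	if ( ! $user ) {
		return false;
	}
	$user->set_role( 'content_contributor' );
	return $user->has_cap( 'edit_posts' ) && ! $user->has_cap( 'install_plugins' );
}
```

Capability checks are cheap to audit: open Users, filter by the role, and every account listed has exactly the set above. For the administrator accounts that remain, the standard extra step is `define( 'DISALLOW_FILE_EDIT', true );` in wp-config.php, which removes the in-dashboard theme and plugin file editor so that a stolen admin password cannot be turned into arbitrary PHP on the server through the UI.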
Alongside these simple steps, there are many more steps that can be taken to lock down a WordPress site to make it even less likely to be compromised. Many of these require more in-depth changes but are definitely worth it for business sites where reputation is important.
If you have a WordPress site that is looking a bit worse for wear and don't know where to start, please get in touch. I'd be happy to talk through any issues which you have encountered.