More than 60 million sites depend on WordPress. Unfortunately, WordPress is also popular with hackers. To attack WordPress sites, hackers often exploit vulnerabilities found in the plugins that extend WordPress functionality.
These attacks are becoming ever more common, and frequently end up affecting hundreds of thousands of sites. However, there are ways to minimize the risks involved in running a WordPress site.
Here are six ways to protect your company’s WordPress site:
1. Carefully Choose Plugins
The WordPress plugin directory contains over 37,000 entries. Searching for a specific type of plugin will likely yield a long and confusing list of options. How do you know which one to choose?
To start, you’ll want to do a bit of research on each plugin. Check the plugin’s support forum for any issues that users have been encountering. Also make sure the plugin is frequently updated by it’s developers. Finally, you’ll want to find out if the plugin has had any security issues in the past.
Once you’ve done your technical due diligence, you should make sure that the plugin has a large and active community. The larger the plugin community, the more likely issues will be found and fixed.
2. Uninstall Plugins That Aren’t Actively Used
Given the sheer number of WordPress plugins, the ease of installing them, and the fact that they are mostly free, you may be tempted to add plugins without much discretion. However, every single plugin you install presents an additional security risk. In addition, most plugins impact site performance and some may even interfere with updates.
For these reasons, any plugins that aren’t actively in use, whether deactivated or not, should be uninstalled.
3. Keep Your Site Up-To-Date
If you have a WordPress site, keeping it up-to-date means updating both the core software and plugins. These updates often include patches for the latest known vulnerabilities, along with usability improvements and new features. Updates are available on a near-constant basis and should be regularly addressed in order to fix known security flaws.
If one of your plugins hasn’t received an update in a while, it might be time to look for an alternative, more well-maintained plugin.
4. Install Security Plugins
There are many plugins available to help keep your WordPress site safe. For example, there are plugins that limit the number of times a logon may be attempted, plugins that search the installation for vulnerabilities, and even plugins that enforce a password policy.
Several of these plugins even monitor your WordPress configuration, checking in real-time for vulnerabilities and other problems. If a critical issue is found, you’ll receive an email notification letting you know that you need to take action.
5. Implement a Password Policy
Strong passwords are your first line of defense in protecting your site from a potential intruder. Creating strong passwords is relatively easy and the benefits far outweigh any inconveniences.
The effective use of strong passwords should be laid out in a formal password policy. These policies make sure that all passwords meet a set of criteria to guarantee a minimum level of security. Password policies will usually recommend that all passwords:
- Are at least eight characters long (the longer, the better)
- Include both uppercase and lowercase letters
- Include numbers and symbols
- Don’t include obvious words, names, or phrases
- Are regularly rotated on a schedule
There are plugins that specifically handle the implementation of password policies. Once configured, these plugins automate all enforcement.
6. Back Up Your WordPress Website or Blog
Despite your best efforts, your WordPress website or blog might still be compromised. Having backup copies of your WordPress files and database can help you quickly recover.
WordPress provides information about performing backups on its website. There are also plugins that will automatically create backup copies without manual intervention.