Getting Started with WordPress Security

 WordPress Security Tips for a Safer Website

As a new WordPress user, how can I make sure my WordPress Site is safe?

In general, security issues for most WordPress users can be broadly divided into two categories: user-related vulnerabilities and external threats. The bad news is that there is no such thing as being completely secure, but the good news is that even following the basic WordPress security steps will prevent the vast majority of security risks that most users face.
Today, we’re going to focus on user-related vulnerabilities:

  • Passwords
  • Operating Systems and Browsers
  • Configuring WordPress

Passwords

As the list above suggests, the easiest and most common user vulnerability is a poorly chosen password. This may seem obvious, but according to the official WordPress website, poor password use remains one of the biggest vulnerabilities for many users. You might think of yourself as savvy about password best practice, but even if you aren’t, here’s a simple list of things you should avoid:

  1. Reusing passwords from other places – a breach of one account cascades into every other account that shares the password, and makes it much harder for you to protect valuable information.
  2. Using personal information as part of your password, such as a name or place with a personal connection – this has the double weakness of being potentially easier to guess and of revealing personal information should it be compromised. (Note: this applies to usernames as well!)
  3. A generic or weak password – anything drawn from a common or previously published password list will be among the first things a hostile actor tries.
  4. Storing passwords in an insecure browser keychain – storing passwords in Internet Explorer (which you shouldn’t be using as a browser anyway) opens up yet another area of vulnerability.

Operating Systems and Browsers

Both operating systems and browsers share a familiar weakness that we will see repeated many times: being out of date. If you don’t keep your software up to date, you run the very real risk of being exposed to known vulnerabilities that current patches have already fixed. The easiest fix is to enable automatic updates for both your browser and your operating system, and to install updates promptly whenever you are offered them.

As a secondary weakness, it goes without saying that a system compromised by malware, spyware, or any other virus naturally makes your WordPress data vulnerable as well. Fortunately, there are many accessible anti-virus options out there even if you aren’t safekeeping thousands of dollars’ worth of information – we recommend Malwarebytes; it’s proven, effective, and has a quite passable free version if you want a demo (or simply don’t want to buy the upgrade, though you should strongly consider it.)

WordPress App Vulnerabilities

At last, we arrive at the main event. The fact that WordPress makes up approximately one-third of the biggest websites online (https://w3techs.com/technologies/overview/content_management) is good news for WordPress security; that kind of adoption means quite literally billions of dollars go into keeping WordPress safe to use. Most of the time, this means that WordPress’s biggest vulnerability is, once again, the users. Let’s review the biggest threats to the WordPress app itself, according to the WordPress documentation (https://wordpress.org/about/security/):

  • WordPress out of date
  • User Permissions
  • No/poorly configured Security Themes

Sound familiar? Here we have yet another reminder of the value of automatically updating our software. As for User Permissions, this is more straightforward than you might think. The worst thing you can do is simply hand over administrative privileges to other users, since this is just asking for abuse, but you also don’t necessarily need a complex hierarchy of who can do what. The rule of thumb is to give each role the minimum amount of power possible: if they don’t need it to do their job, don’t give it to them.

A note on Monitors and Logs

As an additional protection against bad actors or privilege-abusing users, monitoring logs is worth discussing as its own topic. Many security add-ons such as the Sucuri Auditing Tool keep logs of what users do, and some even let you require sign-off on certain actions that other users may want to take, such as deleting a post. Approval requirements like these can nip hostile activity in the bud, and keeping logs of user activity is an excellent way to pinpoint the source of a problem.
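As an added example (not code from the original post, nor from Sucuri or any other plugin it mentions), here is a small WordPress plugin that applies both points above: a deliberately minimal role, and an audit line whenever a post is deleted or a user’s role is changed. The role name, its capability set and the log format are my assumptions; the hooks and functions used (add_role, before_delete_post, set_user_role) are WordPress core.

```php
<?php
/**
 * Plugin Name: Minimal Role and Audit Log (added example)
 * Assumes a standard WordPress install: place in wp-content/plugins/ and activate.
 */

// Least privilege: a role that can draft and edit its own posts but cannot publish,
// delete, upload media, manage plugins or touch other users. Roles are persisted
// in the database, so they are created once, on plugin activation.
register_activation_hook( __FILE__, function () {
    // Drop any stale copy first; add_role() is a no-op if the role already exists.
    remove_role( 'contributor_limited' );
    add_role( 'contributor_limited', 'Limited Contributor', array(
        'read'          => true,   // can see the dashboard
        'edit_posts'    => true,   // can create drafts and edit own posts
        'upload_files'  => false,  // no media uploads
        'publish_posts' => false,  // an editor must approve publication
        'delete_posts'  => false,  // cannot delete, even own posts
    ) );
} );

// Audit log: record who deleted which post, from which address, before it is gone.
// error_log() writes to PHP's error log; with WP_DEBUG_LOG that is wp-content/debug.log.
add_action( 'before_delete_post', function ( $post_id ) {
    $user = wp_get_current_user();
    $post = get_post( $post_id );
    error_log( sprintf(
        '[audit] user=%s (id=%d) deleted post=%d "%s" ip=%s',
        $user->user_login,
        $user->ID,
        $post_id,
        $post ? $post->post_title : '',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli'
    ) );
}, 10, 1 );

// A role change is the privilege-abuse case from the text, so log who did it and to whom.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    $actor = wp_get_current_user();
    error_log( sprintf(
        '[audit] user=%s (id=%d) changed role of user_id=%d from [%s] to %s',
        $actor->user_login, $actor->ID, $user_id, implode( ',', $old_roles ), $role
    ) );
}, 10, 3 );
```

Reviewing the resulting log lines periodically, or shipping debug.log to wherever you keep your other logs, is what turns the recorded events into the "pinpoint the source" capability described above.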

And there you have it! It might be counterintuitive to think that simply updating your password puts you out of the majority of harm’s way, but it’s worth remembering that cybersecurity threats come from the lowest common denominator. Once you’ve followed through with these beginner steps, you can move on to securing your site from more sophisticated threats such as cross-site scripting, bad code injection, and brute force attacks.
