WordPress security is an important part of running a WordPress site. While WordPress is currently the most popular CMS (content management system) in the world, running a WordPress site means regular maintenance and proper website security, as a compromised site can affect your site’s SEO, the personal data of your customers and more. But how do you secure your WordPress site, and is it even possible to keep it secure?
In short, securing your WordPress site is attainable, very often with affordable tools and methods. While these tools might cost a bit every month, that is far cheaper than cleaning up a malware-infected site and absorbing the downtime that comes with a compromise. Not only will you lose business, you might even lose some clients for good.
But as this article will take some time to read, let us sum up what you need for your WordPress security.
As web developers who run a WordPress website maintenance business, these are some of the things we do for our clients to keep their sites running smoothly.
We will work through the bullet points above as actionable steps to get you a secure WordPress site.
WordPress Security: Steps to Secure Your Website
WordPress is a powerful self-hosted content management system (CMS) that gives you the flexibility to purchase or develop the features you need. Unlike hosted CMS solutions such as Squarespace or Wix, WordPress’s open-ended nature also means that security can be an issue, and very often it is an issue overlooked by first-time bloggers and website owners.
But WordPress security isn’t rocket science. All you need to do is secure every component that could be an entry point for hackers and malicious software. Your WordPress website security is only as strong as its weakest link.
Here are some simple and practical steps to secure your website:
1) Move to a managed VPS Hosting Solution
Yes, managed Virtual Private Server (VPS) hosting costs more than a shared server, especially when compared with popular shared hosts such as Bluehost, SiteGround and A2 Hosting. There is no way a VPS can be cheaper than a shared hosting plan. Plus, shared hosting gives you everything, including email, so why move to a VPS hosting solution?
The truth is, your choice of hosting provider matters a lot to your security. If you are on a shared server, your site can be compromised even if you have the most advanced cloud firewall. All it takes is an outdated plugin or theme on a neighbour’s site (another site on the same server as yours), after which the attacker can gain access to the root directory and target every site on the server.
In comparison, you are on your own on a VPS. No bad neighbours can affect you. Can you still be hacked? Yes, but not via the managed VPS hosting that you are on.
Oh yes, please don’t go for IaaS (infrastructure-as-a-service) platforms such as Linode, DigitalOcean, AWS and Google Cloud unless you have an experienced sysadmin on your team. While it is relatively cheap to provision a VPS on these IaaS platforms, someone needs to manage the security patches, updates and the server-level firewall.
2) Automate Your Backups with Incremental Cloud Backups to Amazon S3 or equivalent
We recommend that you get your site onto a cloud backup solution. Better still, put it on an incremental cloud backup solution, as the risk of a backup failing because it times out is far lower.
If you’re not on a WordPress website maintenance service or managed WordPress hosting (e.g. WP Engine, Kinsta, Synthesis and Pressable), check with your hosting provider where your automatic backups go, and whether you have both server and site backups.
We’ve received SOS messages from people whose websites were compromised but who were unable to restore, because the local backups were either corrupted or infected as well. Some hosting companies send backups to the cloud, but because they compress the site before backing it up, the backup can fail if the site is too big or if it sits on shared hosting with limited resources.
3) Subscribe to a Cloud Web Application Firewall with Virtual Patching
A Cloud Web Application Firewall (Cloud WAF for short) with virtual patching ensures that your site is patched virtually when a vulnerability is found. Statistics show that plugin vulnerabilities represent 55.9% of the known entry points for hackers, and a survey by Wordfence showed that 60% of website owners who knew how the malware got in attributed it to an outdated plugin or theme.
Virtual patching is a set of rules to mitigate vulnerabilities that the site might have from outdated software, namely an outdated core, themes or plugins. While it is best to update them, virtual patching helps keep the site safe while developers of vulnerable plugins and themes issue security updates.
Furthermore, if you somehow neglect to update your site after the patches are issued, virtual patching will keep your site safe from malicious attacks.
On our end, we recommend PatchStack (formerly known as WebARX) for their Cloud WAF that comes with virtual patching. When compared to Sucuri Security and other well-known WordPress security software, PatchStack’s focus on plugin vulnerabilities and their community of ethical hackers, the PatchStack Red Team, gives them the edge over the competition.
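To make the idea of a virtual patch concrete, here is an added example (not PatchStack’s, Sucuri’s or any vendor’s code) of the kind of rule a cloud WAF applies in front of the site: each rule is scoped to one endpoint, inspects one parameter, and drops only the request shape that exploits one known weakness, so an outdated plugin is shielded until its real update lands. The plugin path, the AJAX action name and the rule ids are constructed placeholders, as is the sample traffic.

```python
"""Minimal virtual-patching request filter.

Added example, not PatchStack's, Sucuri's or any vendor's code. A virtual patch
is a narrow rule applied in front of the site: it recognises the request shape
that exploits one known vulnerability and drops it, so an outdated plugin is
shielded until its real update is installed. The plugin path, the AJAX action
and the rule ids below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    url: str                                     # path plus optional query string
    body: dict = field(default_factory=dict)     # decoded POST form fields


@dataclass
class Rule:
    rule_id: str
    description: str
    path_pattern: re.Pattern     # endpoint the vulnerability lives in
    param: str                   # parameter the exploit abuses
    value_pattern: re.Pattern    # payload shape to block

    def matches(self, req: Request) -> bool:
        parts = urlsplit(req.url)
        if not self.path_pattern.search(parts.path):
            return False                         # rule is scoped to one endpoint only
        values = list(parse_qs(parts.query).get(self.param, []))
        if self.param in req.body:
            values.append(str(req.body[self.param]))
        return any(self.value_pattern.search(v) for v in values)


# Constructed rules for a hypothetical "example-plugin" (placeholder names).
RULES = [
    Rule("VP-0001",
         "directory traversal in the 'file' parameter of example-plugin's download endpoint",
         re.compile(r"^/wp-content/plugins/example-plugin/download\.php$"),
         "file", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    Rule("VP-0002",
         "unauthenticated AJAX action 'example_export' exposed by example-plugin",
         re.compile(r"^/wp-admin/admin-ajax\.php$"),
         "action", re.compile(r"^example_export$")),
]


def evaluate(req: Request, rules=RULES):
    """Return ('block', rule_id) for the first matching rule, else ('allow', None)."""
    for rule in rules:
        if rule.matches(req):
            return "block", rule.rule_id
    return "allow", None


def demo():
    """Constructed sample traffic: legitimate requests pass, exploit shapes are dropped."""
    traffic = [
        Request("GET", "/wp-content/plugins/example-plugin/download.php?file=report.pdf"),
        Request("GET", "/wp-content/plugins/example-plugin/download.php?file=../../wp-config.php"),
        Request("POST", "/wp-admin/admin-ajax.php", {"action": "example_export"}),
        Request("POST", "/wp-admin/admin-ajax.php", {"action": "heartbeat"}),
        Request("GET", "/index.php?file=../../x"),   # same payload, unrelated endpoint: not this rule's job
    ]
    return [evaluate(r) for r in traffic]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point of the last sample request is the design choice behind virtual patching: a rule is deliberately narrow, tied to the endpoint and parameter of one vulnerability, so that it can be shipped quickly without breaking legitimate traffic elsewhere on the site. That narrowness is also why a virtual patch is a stopgap until the real update is installed, not a replacement for it.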
4) Regularly update your WordPress Core files, Themes and Plugins
Updating your WordPress core files, themes and plugins regularly will ensure that your site stays safe from vulnerabilities. However, we sometimes get clients coming to us with sites that have not been updated for years, probably because updating the site could break some layout or feature on the site, or worse, the site itself.
But leaving your site un-updated out of fear of things breaking isn’t the right call. Parts of the site will eventually stop working when your server moves to the latest PHP version, and believe me, you’ll want to keep your server on a supported PHP version.
A better alternative is to engage a company specializing in WordPress care plans, better known as a WordPress website maintenance service. Just like a car, your site needs maintenance in order to perform well and avoid costly repairs.
A word of caution if you are considering automatic updates: they will most probably break your site. We run a backup before every update so that we can roll back if the site breaks.
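The backup-before-update routine described above, as an added example that is not the authors’ tooling and not WP-CLI: the site is modelled as a directory tree, the update as any callable that changes it, and the health check as a callable that must return True for the update to be kept; otherwise the snapshot is restored. The sample site, the stand-in health check and both updates are constructed. In a real run the snapshot would also include a database dump and the health check would fetch the live home page; neither is shown here.

```python
"""Backup, update, health-check, roll back.

Added example of the 'backup before every update' rule; not the authors'
tooling and not WP-CLI. The site is a directory tree, the update is a callable
that changes it, and the health check is a callable that decides whether the
update is kept. A real snapshot would also dump the database and a real health
check would request the live home page; both are out of scope here.
"""
import shutil
import tempfile
from pathlib import Path
from typing import Callable


def snapshot(site_dir: Path) -> Path:
    """Copy the whole site tree to a fresh temp directory and return that path."""
    dest = Path(tempfile.mkdtemp(prefix="pre-update-")) / "site"
    shutil.copytree(site_dir, dest)
    return dest


def restore(site_dir: Path, snap: Path) -> None:
    """Replace the live tree with the snapshot (destructive on purpose)."""
    shutil.rmtree(site_dir)
    shutil.copytree(snap, site_dir)


def safe_update(site_dir: Path,
                apply_update: Callable[[Path], None],
                health_check: Callable[[Path], bool]) -> str:
    """Run apply_update; keep it only if health_check passes, otherwise roll back."""
    snap = snapshot(site_dir)
    try:
        apply_update(site_dir)
        healthy = health_check(site_dir)
    except Exception:            # an update that crashes counts as a failed update
        healthy = False
    if not healthy:
        restore(site_dir, snap)
    shutil.rmtree(snap.parent)   # snapshot no longer needed either way
    return "updated" if healthy else "rolled-back"


def php_files_look_sane(root: Path) -> bool:
    """Stand-in health check: every .php file must still start with an open tag."""
    return all(p.read_text().startswith("<?php") for p in Path(root).rglob("*.php"))


def demo():
    """Constructed site: one clean plugin release, then one that breaks the plugin."""
    site = Path(tempfile.mkdtemp(prefix="site-"))
    plugin = site / "wp-content" / "plugins" / "example" / "example.php"
    plugin.parent.mkdir(parents=True)
    plugin.write_text("<?php\n// Version: 1.0\n")

    def good_update(root: Path) -> None:      # a clean release bump
        (root / "wp-content/plugins/example/example.php").write_text("<?php\n// Version: 1.1\n")

    def bad_update(root: Path) -> None:       # a release that ships a broken file
        (root / "wp-content/plugins/example/example.php").write_text("Parse error\n")

    first = safe_update(site, good_update, php_files_look_sane)
    second = safe_update(site, bad_update, php_files_look_sane)
    version_now = plugin.read_text().splitlines()[1]   # 1.1 survives the rollback of the bad update
    shutil.rmtree(site)
    return first, second, version_now


if __name__ == "__main__":
    print(demo())
```

The health check is the part that turns a backup into a safety net: without an automated check after every update, a broken site is only discovered when a visitor reports it, by which point the pre-update snapshot may already have been rotated out.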
5) Subscribe to a WordPress Security Plugin with Malware Scans and Removal
A WordPress Security plugin will go a long way in ensuring your site stays safe. Together with a cloud WAF, cloud backups and regularly updated WordPress core files, plugins and themes, the WordPress security plugin plays an important role in keeping your site safe.
However, not all security plugins are the same. Many times, we’ve seen people trying to save some money by subscribing to a security plugin that doesn’t really do much, like the iThemes Security plugin. iThemes Security Pro is affordable, with the Gold tier costing you only $199/year for unlimited sites. This makes iThemes Security the choice of many WordPress webmasters and maintenance agencies, as the cost becomes negligible when you have more sites.
It also comes with some interesting features, such as file integrity monitoring, brute-force attack protection, reCAPTCHA to keep out bad bots, enforcement of strong passwords, and lockouts after failed login attempts. Honestly, it seems like a great deal.
But choosing a plugin like iThemes Security (or something similar) can quickly become a costly affair, and it is a security risk. While iThemes Security does run malware scans, it only does so via Sucuri’s surface-level scanner. This means it will not detect whether your files or your WordPress database have been compromised. Malicious files will be left on your server. You will want a Wo
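Two points above come down to the same file-level check: the backup section warns of backups that turn out corrupted or infected only at restore time, and this section notes that a surface-level scanner cannot tell whether files on the server have been altered. The following added example (not the scanner of iThemes Security, Sucuri or any plugin) builds a manifest of SHA-256 hashes for a site tree and reports files added, removed or modified since the baseline; pointed at a backup copy instead of the live tree, the same comparison verifies the backup against the known-good site before you need it. Busy directories (uploads, cache) are skipped, except that .php files inside them are always hashed, since code has no business appearing there. The sample tree and the tampering are constructed.

```python
"""File-integrity baseline and comparison for a WordPress tree.

Added example; not the scanner of iThemes Security, Sucuri or any plugin.
Hashes every file under the site root into a manifest, then reports what was
added, removed or modified since the baseline. Run against a backup copy, the
same comparison tells you whether the backup still matches the known-good
site. Busy directories are skipped, except for .php files inside them.
"""
import hashlib
import json
import tempfile
from pathlib import Path

SKIP_DIRS = ("wp-content/uploads", "wp-content/cache")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, skip_dirs=SKIP_DIRS) -> dict:
    """Map of relative path -> sha256 for every file worth watching."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        in_skipped = any(rel.startswith(d + "/") for d in skip_dirs)
        if in_skipped and p.suffix.lower() != ".php":   # code in uploads/cache is always watched
            continue
        manifest[rel] = sha256_of(p)
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Which files appeared, disappeared or changed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed site: baseline it, tamper with it, then compare."""
    site = Path(tempfile.mkdtemp(prefix="site-"))
    files = {
        "wp-config.php": "<?php\ndefine('DB_NAME', 'example');\n",
        "wp-content/plugins/example/example.php": "<?php\n// Version: 1.0\n",
        "wp-content/uploads/2024/photo.txt": "jpeg bytes stand-in\n",
    }
    for rel, text in files.items():
        (site / rel).parent.mkdir(parents=True, exist_ok=True)
        (site / rel).write_text(text)
    baseline_file = Path(tempfile.mkdtemp(prefix="fim-")) / "baseline.json"
    save_manifest(build_manifest(site), baseline_file)

    # Simulated changes: plugin code altered, a .php dropped into uploads, and an
    # ordinary upload replaced (only the first two should be reported).
    (site / "wp-content/plugins/example/example.php").write_text("<?php\n// Version: 1.0\n// modified\n")
    (site / "wp-content/uploads/2024/dropped.php").write_text("<?php echo 'unexpected';\n")
    (site / "wp-content/uploads/2024/photo.txt").write_text("new jpeg bytes stand-in\n")

    return diff_manifests(load_manifest(baseline_file), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the baseline manifest somewhere the web server cannot write to, and rebuild it immediately after each legitimate update; otherwise every plugin update shows up as a wall of “modified” entries and real changes get lost in the noise.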