04 Jun Is WordPress Secure?
You may come across some horror stories online about how this WordPress site or that one was brought down by an attack, virus, or some other form of nastiness. And it’s true, these things can happen. They can happen to any site, any platform, any server.
It’s All in the Numbers
You may hear about it more with WordPress than you with other platforms, but there’s a reason for that.
- Of all the sites using a CMS, WordPress accounts for about 23%
- More than 70 million websites use WordPress
- Large, multi-million dollar businesses use WordPress
- There are tens of thousands of attacks each day on WordPress sites
Number of WordPress ATTACKS PER DAY
Understanding these numbers only represents the tip of the iceberg when it comes to WordPress usage. When you consider these numbers, you should also realize that if any site is attacked, there’s a good chance, statistically speaking, it will be a WordPress site.
So it’s not that WordPress isn’t secure, it’s just that it has far more users, therefore, far more people willing to try to exploit the platform. The greatest chunk of users are layman, not security experts. In an almost embarrassing number of cases, these attacks are possible because people use outdated versions of WordPress, plugins and themes .
The Most Common Forms of WordPress Attacks
Since WordPress is a sprawling platform, different attackers find different means of compromising the system. All platforms have vulnerabilities, and there’s always somebody out there willing to exploit them.
In the case of WordPress, the most common attacks have to do with gaining access to the backend or database. In many cases, the attacker wants access to the server hosting WordPress, not really the WordPress installation itself.
With access to the database or the platform, an attacker can do a lot of things that can ruin your site, business, and even the integrity of your server. With cross-site contamination, they can even gain control of servers beyond the one you’re hosted on.
But don’t let that scare you. WordPress is a very secure platform. The WP team is very open about any vulnerabilities found, and works diligently to patch them up as soon as possible. That’s why it’s important you keep your WP installation up to date.
Secure Your WordPress Installation
There is no way to fully secure anything online. If someone is dedicated to breaching your security, that person will probably succeed. Even Fortune 500 companies, with the best security specialists money can buy, still suffer from occasional, catastrophic breaches.
The aim here is to prevent those hundreds of other would-be attackers. Most of the time, if they can’t break a password or exploit a vulnerability quickly, they’ll move on. Here’s how you can help them on their way.
For the host, server, and database
- Start with a secure host
- Make sure the host doesn’t use outdated versions of PHP or SQL
- Change your table prefix
- Use a strong password on your database
- Add rules to your .htaccess file
- Set strict database permissions
For the WP installation
- Update to the newest version
- Use a strong password
- Do not use the “admin” username
- Manage your users, or turn off user accounts completely
- Add security keys to your wp-config file
For themes and plugins
- Keep your plugins and themes updated
- Discard plugins and themes with known security flaws
- Keep your plugins to a minimum
- Experiment with some of the more popular security plugins
- Experiment with plugins that limit login attempts
Of all the things you can do to help keep WordPress secure, there’s one thing you should do above all others…
Backup your site and database religiously
You can secure your installation until it’s a virtual Fort Knox, but if anything happens and you lose your data or your database, then that’s it, game over. It’s imperative you backup both your site and your database, frequently.
This is something that even old WordPress professionals sometimes skip, and they always lament it later. There are many, many plugins available for backing up your data, just about all of them allow you to do it on a schedule as well. The WordPress system itself has options for backups and restoring from backups.
So yes, WordPress is secure, and the WordPress core team is constantly working to keep it that way. However, you have to do your part as well. Of all the things listed, the three easiest to do are also arguably the most important.
- ALWAYS keep your core WordPress files
- ALWAYS keep your plugins and Themes updated regularly
- ALWAYS backup your installation and database frequently
- ALWAYS make your passwords strong ones, as well as your user’s passwords
Don’t make it easy for attackers, and don’t ignore your installations security. Make sure you take some time out to learn more about WordPress security. A little knowledge goes a long way towards securing your site.