As I set out in my previous article The Security Illusion, security can never be absolute.
Make sure your site is kept updated
Most attacks on WordPress are drive-bys: they are carried out by automated bots looking for WordPress installations that are out of date or unpatched, or for outdated plugins or themes.
WordPress is very widely used, and the core application is actively, even intensively, managed by a large team. So long as you ensure it is up to date, WordPress itself will prove very secure. Plugins and themes are also attack vectors, and security issues in them get reported widely both on and offline. For example:
Here is the thing though. The article was published on the 1st March, but the affected plugin had been patched 8 days earlier. Sucuri, who discovered the vulnerability, published their own report on the 27th February saying:
“This is quite a critical issue. If you’re using a vulnerable version of this plugin, update as soon as possible!” Again, that was four days after the patch had been released.
So, by the time hackers had armed their bots with the necessary kit to exploit vulnerable versions of this plugin, site owners had had more than enough time to update their sites. Anyone whose site got hacked as a result of this vulnerability had only themselves to blame.
If your site is hosted on WordPress.com, they will handle updates for you; if your site is self-hosted, it is up to you.
I recommend that you check and update your site every 24 hours.
Choose Plugins And Themes Carefully
As I said above, WordPress itself is actively managed by its large team and quickly updated if a problem is discovered.
This is not necessarily the case with plugins and themes. Of the thousands available only a very few are provided by the WordPress team. The rest are provided by a wide range of third parties.
One of my favourites is Contact Form 7. The interface is simplistic but functional. The dashboards of other form plugins may be more attractive, but in practice CF7 is very easy to use. It has been around since 2007 and has been carefully maintained and updated by its author during that whole period. It is reliable. I always use it.
When you are choosing plugins, check the Last Updated date, look at the star rating – look for 4+ stars with large numbers of reviews – and check out the support forum.
There are a significant number of plugins which have not been updated for a very long time. Unmaintained plugins may a) not be compatible with the latest WordPress release and b) not be secure.
As a rule of thumb, I look for plugins which have been recently updated – in the last couple of months. Something which hasn’t seen any activity for years is probably best avoided. However, there are quite a number of plugins which have not been updated for a long time for the simple reason that they have not needed to be; for example, one I use frequently is Genesis Simple Edits, which at the time of writing has not been updated for a year.
Check out the support forums for plugins and themes. If you find a lot of unanswered cries for help there, or just tumbleweed, don’t add yourself to the list of sufferers: choose something else.
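As an added example (not code from this article), here is a Python script that applies the checks above to the data WordPress.org publishes about each plugin; the thresholds (two months, 80/100 rating, 100 reviews) and the two sample plugin records are assumptions.

```python
"""Apply the plugin rule of thumb above to WordPress.org plugin data:
recently updated, 4+ stars, and a large number of reviews."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
from urllib.request import urlopen

# Public WordPress.org plugin-information endpoint (no key required).
API = "https://api.wordpress.org/plugins/info/1.2/"

# Assumed thresholds: updated within about two months, 4+ stars (the API
# reports "rating" on a 0-100 scale, so 80), and at least 100 reviews.
MAX_AGE = timedelta(days=60)
MIN_RATING = 80
MIN_REVIEWS = 100

def fetch_plugin_info(slug):
    """Live lookup by plugin slug (needs network; the checks below do not)."""
    query = urlencode({"action": "plugin_information", "request[slug]": slug})
    with urlopen(API + "?" + query, timeout=10) as resp:
        return json.load(resp)

def assess_plugin(info, as_of):
    """Return each check as a bool plus an overall verdict.
    `last_updated` arrives as e.g. "2024-02-20 10:05am GMT"; `as_of` is an
    aware datetime so the result is reproducible.
    """
    updated = datetime.strptime(info["last_updated"], "%Y-%m-%d %I:%M%p GMT")
    updated = updated.replace(tzinfo=timezone.utc)
    checks = {
        "recently_updated": as_of - updated <= MAX_AGE,
        "well_rated": info.get("rating", 0) >= MIN_RATING,
        "widely_reviewed": info.get("num_ratings", 0) >= MIN_REVIEWS,
    }
    checks["verdict"] = "ok" if all(checks.values()) else "review manually"
    return checks

# Constructed samples in the shape of the API response (not real figures).
AS_OF = datetime(2024, 3, 1, tzinfo=timezone.utc)
HEALTHY = {"slug": "example-form", "last_updated": "2024-02-20 10:05am GMT",
           "rating": 88, "num_ratings": 1900}
STALE = {"slug": "abandoned-widget", "last_updated": "2019-06-01 3:40pm GMT",
         "rating": 90, "num_ratings": 12}

if __name__ == "__main__":
    for plugin in (HEALTHY, STALE):
        print(plugin["slug"], assess_plugin(plugin, AS_OF))
```

A "review manually" verdict is a prompt to read the support forum, not an automatic rejection: as the text notes, some plugins go a year without an update simply because they do not need one.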
Get A Firewall And More
This is a report from a relatively low-traffic site which I manage:
As you can see, the scale of the threat is massive. The “Attacks” include a wide range of miscreance; for example, from the same site, these are attempts to log in to the site’s dashboard:
There are several very good firewall applications for WordPress. Popular ones include:
- All In One WP Security & Firewall
- BulletProof Security
- iThemes Security (formerly Better WP Security)
- Wordfence Security
Use one. My preference is Wordfence but the others are good too.
I also like:
- Activity Log
The #1 Activity Log plugin helps you monitor & log all changes and activities on your site, so you can run a safer, more organized WordPress site. This is not just useful if your site is hacked, it can give you useful pointers when you have other problems as well.
- Sucuri Security
The Sucuri WordPress Security plugin is a toolset for security integrity monitoring, malware detection, audit logging and security hardening.
- Update your site (WordPress, themes and plugins) every 24 hours.
- Choose plugins and themes with care.
- Get A Firewall
Finally, remember that whatever you do, you cannot guarantee that something won’t go wrong: your site or your server could be hacked, you could suffer a catastrophic hardware failure, a plane could crash on your datacentre, there could be a fire. Whatever happens, make sure that you have backups, lots of them, in locations remote enough that they will not fail at the same time as your site. I back up the sites I manage onto a server leased from a different supplier to my web hosting servers, in a different datacentre, and I download copies of those backups periodically to my local machine. There is no point taking backups if you do not know how to restore them.