Best WordPress security practices for the rest of 2019

(Image credit: David M G / Shutterstock)

New content-sharing applications pop up every day, yet WordPress remains the most widely used content management system on the web. What makes it so special? The answer comes down to a combination of reliability and flexibility: individuals and teams that build websites with WordPress can trust that the result will look professional and be easy to use.

One common misconception is that WordPress is only for blogs. In fact, many small and medium-sized businesses run their entire public-facing web presence on it, along with intranets and internal tools. At its core, WordPress is a content management system (CMS) that can publish information of any kind.

But like every web-based platform, WordPress has an attack surface, and because of its global popularity attackers target WordPress installations specifically: a single exploitable flaw in a widely installed plugin or theme can be turned against many thousands of sites at once, so scanning for it is worth an attacker's time. This article covers the practices that matter most for keeping a WordPress site secure.

Control account security

WordPress ships with several built-in roles, not two: Administrator, Editor, Author, Contributor and Subscriber (plus Super Admin on multisite networks). Every account logs in through the same login page (wp-login.php) and lands in the same back-end dashboard (wp-admin); the role determines which capabilities the account has once there. Administrators can change the site's configuration, install or edit plugins and themes, and create other users. Editors, Authors and Contributors can only create or edit content, with decreasing reach, and Subscribers can do little more than manage their own profile.

As a general rule, grant the Administrator role only to the people who genuinely need to change themes, plugins or site-wide settings, and give everyone else the lowest role that still lets them do their job. Every extra administrator account is another set of credentials that, if phished, guessed or reused from some other breached site, hands an attacker full control of your site.

WordPress core has no built-in two-factor authentication, but several well-maintained plugins add it, and the accounts that need it most are the administrators, not just standard users. Prefer a time-based one-time code from an authenticator app (TOTP) or a hardware security key over codes sent by SMS or email, which can be intercepted or redirected. Once it is enabled, a stolen password alone is no longer enough to log in.

As with any website credentials, require strong, unique passwords. WordPress generates a strong random password by default when an account is created and shows a strength meter, but core has no password policy and no expiry mechanism; enforcing a minimum strength needs a plugin. Forcing everyone to change passwords every few months is no longer recommended, because it pushes people toward predictable variations of the old one. Instead require long, unique passwords, reset them immediately on any sign of compromise, and limit login attempts so that guessing is slow.
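The least-privilege review described above can be scripted against WP-CLI output. The following is an added example, not the article's or WordPress's own code: it assumes WP-CLI is installed as `wp` and is run from the WordPress root, and the offline demo at the bottom runs on a constructed sample of `wp user list` output. The login-name list and the limit of two administrators are assumptions to adjust to your own policy.

```bash
#!/usr/bin/env bash
# Added example (not from the article): enumerate administrator accounts with
# WP-CLI and flag the ones a least-privilege review should question. Assumes
# WP-CLI is installed as `wp` and is run from the WordPress root; the offline
# demo below runs on a constructed sample of its output.
set -e

# Login names that password-guessing bots try first. An administrator with one
# of these names hands the attacker half of the credential for free.
GUESSABLE_LOGINS='admin administrator root wordpress wpadmin test'
MAX_ADMINS=2   # assumption: more than this many admins needs a justification

# Constructed sample of:
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv
SAMPLE_ADMINS='ID,user_login,user_email,user_registered
1,admin,owner@example.com,2017-03-02 10:11:12
7,jsmith,jsmith@example.com,2018-11-20 08:00:00
12,agency-temp,contractor@example.net,2019-01-15 16:45:00'

# audit_admins: read that CSV on stdin; print one finding per line as
# "<severity> <user_login> <reason>", then an INFO line with the admin count.
audit_admins() {
    count=0
    while IFS=, read -r id login email registered; do
        [ "$id" = "ID" ] && continue    # header row
        [ -z "$id" ] && continue
        count=$((count + 1))
        for g in $GUESSABLE_LOGINS; do
            if [ "$login" = "$g" ]; then
                # user_login cannot be renamed in place: create a new admin with
                # a non-guessable name, then `wp user delete <id> --reassign=<new id>`
                printf 'HIGH %s guessable administrator login; replace the account\n' "$login"
            fi
        done
        case "$login" in
            *temp*|*test*|*contractor*|*agency*)
                printf 'MEDIUM %s temporary-looking account holds the administrator role; demote it (wp user set-role %s editor) or set an expiry\n' "$login" "$login" ;;
        esac
    done
    if [ "$count" -gt "$MAX_ADMINS" ]; then
        printf 'LOW - %d administrator accounts, more than the %d this policy allows\n' "$count" "$MAX_ADMINS"
    fi
    printf 'INFO - %d administrator accounts reviewed\n' "$count"
}

# live_audit: run the real query. `wp user list` does not report last login,
# so stale accounts must be judged from user_registered and from asking who
# still needs the access.
live_audit() {
    command -v wp >/dev/null 2>&1 || { echo "wp not found in PATH" >&2; return 1; }
    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --format=csv | audit_admins
}

# Offline demo on the constructed sample; call live_audit on a real site.
printf '%s\n' "$SAMPLE_ADMINS" | audit_admins
```

On the sample, `admin` is reported as HIGH, `agency-temp` as MEDIUM, and the total of three administrators trips the policy limit; `jsmith` produces no finding. The severities are labels for triage, not an exploit assessment: a guessable login only matters because it removes one of the two things an attacker has to guess.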

Invest in secure web hosting

In the early days of WordPress, many site owners ran the CMS on a server they hosted themselves. Today most sites run on shared or cloud hosting, where virtualised servers in large data centres are rented by the month. That shifts part of the security work, patching the operating system, the web server, PHP and the database, onto the host, which is exactly why the choice of host matters.

Using a cloud-based hosting provider for a new site or a migration is typically the easiest and most cost-efficient solution. However, not all hosting companies are created equal. You need to balance cost, reliability and performance against the host's security track record: how quickly it patches, whether it isolates customers from one another, and whether it offers backups and HTTPS as standard.

Which brings up the perennial question of whether free web hosting is safe. In general, if you care about security, and you should, stay away from purportedly "free" hosts. There are exceptions, but most present problems that fall into two categories.

First, they do not spend the money to keep their infrastructure current: unpatched operating systems, web servers and PHP versions, with no monitoring behind them, leave the front door open however carefully you configure WordPress itself. Second, they plaster advertisements over your site, sometimes auctioning that space to whoever pays, so you have no control over which third-party scripts run on your pages and what they do to your visitors. It is a shady way to operate. For anything other than a hobby site, invest the few dollars a month that credible hosting costs.

Enable HTTPS with a TLS certificate

As you browse the internet on your computer or mobile device, you will often notice a small padlock icon next to the URL in the address bar. It means the page was delivered over HTTPS: the connection is encrypted with TLS (the successor to SSL, though certificates are still commonly sold as "SSL certificates") and the server presented a certificate for that domain that chains to a certificate authority your browser trusts. The padlock says nothing about whether the site itself is honest or free of malware, and browsers now tend to mark plain-HTTP pages as "Not secure" rather than reward HTTPS with a badge.

TLS protects data in transit. When your browser is connected to an HTTPS site, everything sent in either direction is encrypted and integrity-protected, so someone who controls your Wi-Fi, your router or an upstream network can neither read the traffic nor tamper with it. For a WordPress site, that is what keeps the administrator's password and login cookie from being sniffed when they sign in from a coffee shop. It does not protect data once it is on the server, and it does nothing against a vulnerable plugin or a stolen password; it is one layer, not the whole defence.

If you take credit card payments or handle any other private information, HTTPS is mandatory, but the case is just as strong for a plain blog, because the administrator login itself is private information. Many hosts now include a certificate free of charge, and Let's Encrypt issues free, automatically renewed certificates that any host can support; paid certificates are still sold at widely varying prices, but for a typical site a free one is sufficient. Once the certificate is installed, set both the WordPress Address and the Site Address in the settings to https://, redirect every plain-HTTP request to HTTPS, and add an HTTP Strict Transport Security header so browsers stop trying the unencrypted version at all. Otherwise visitors, search engines and your own login form will keep using HTTP.
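Installing a certificate is the easy half; the part that is usually left undone is the redirect and the HSTS header, so it is worth checking them from outside. The following is an added example, not the article's or WordPress's own code: it reads the raw response headers as `curl -sI` returns them, and the offline demo runs on constructed samples. The hostname, the 180-day minimum `max-age` and the requirement for a 301 or 308 status are assumptions; the usual recommendation once the redirect is known to work is a one-year `max-age`.

```bash
#!/usr/bin/env bash
# Added example (not from the article): verify from the outside that a
# WordPress site forces HTTPS, using nothing but the response headers.
# Offline checks run on the constructed samples below; live_check() uses
# curl against a real host. On the WordPress side the matching settings are
# https:// in both the WordPress Address and Site Address, and
# define('FORCE_SSL_ADMIN', true); in wp-config.php.
set -e

MIN_HSTS_AGE=15552000   # assumption: 180 days; one year is the common target

# Constructed sample: what `curl -sI http://blog.example.com/` should return
# from a site that redirects plain HTTP to HTTPS.
SAMPLE_HTTP_RESPONSE='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://blog.example.com/
Content-Length: 0'

# Constructed sample: the HTTPS response, carrying an HSTS header.
SAMPLE_HTTPS_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html; charset=UTF-8'

# Constructed sample: a site that happily serves the page over plain HTTP.
SAMPLE_BAD_HTTP_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8'

# check_redirect: read the plain-HTTP response headers on stdin; succeed only
# if they are a permanent redirect (301/308) to an https:// URL.
check_redirect() {
    resp=$(tr -d '\r')
    status=$(printf '%s\n' "$resp" | head -n1 | awk '{print $2}')
    location=$(printf '%s\n' "$resp" | awk 'tolower($1)=="location:" {print $2}')
    case "$status" in
        301|308) ;;
        *) echo "FAIL http status $status, expected a 301/308 redirect"; return 1 ;;
    esac
    case "$location" in
        https://*) echo "OK redirects to $location" ;;
        *) echo "FAIL redirect target is not https: ${location:-<none>}"; return 1 ;;
    esac
}

# check_hsts: read the HTTPS response headers on stdin; succeed only if a
# Strict-Transport-Security header is present with max-age >= MIN_HSTS_AGE.
check_hsts() {
    hsts=$(tr -d '\r' | awk 'tolower($1)=="strict-transport-security:" {$1=""; print}')
    [ -n "$hsts" ] || { echo "FAIL no Strict-Transport-Security header"; return 1; }
    max_age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    if [ -z "$max_age" ] || [ "$max_age" -lt "$MIN_HSTS_AGE" ]; then
        echo "FAIL HSTS max-age ${max_age:-missing} is below $MIN_HSTS_AGE"; return 1
    fi
    echo "OK HSTS max-age=$max_age"
}

# live_check HOST: run both checks against a real site.
live_check() {
    curl -sI --max-time 10 "http://$1/" | check_redirect
    curl -sI --max-time 10 "https://$1/" | check_hsts
}

# Offline demo on the constructed samples.
printf '%s\n' "$SAMPLE_HTTP_RESPONSE" | check_redirect
printf '%s\n' "$SAMPLE_HTTPS_RESPONSE" | check_hsts
printf '%s\n' "$SAMPLE_BAD_HTTP_RESPONSE" | check_redirect || true
```

Run `live_check blog.example.com` against your own host after changing the settings. Test the redirect first and enable HSTS only when it works, because a browser that has seen the header will refuse plain HTTP for that site for the whole `max-age`, so a misconfigured redirect plus HSTS locks visitors out rather than letting them fall back.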

Choose security plugins carefully

The best part about WordPress is the amount of customisation the platform allows. After choosing a theme and setting the visual options, you can pick from a very large marketplace of plugins and extensions, including ones focused on security.

For example, some plugins act as a web application firewall, inspecting incoming requests and blocking patterns such as SQL injection attempts, repeated failed logins, or probes for known vulnerable files. Others scan your WordPress files against the known-good checksums of core, themes and plugins to find injected code, and compare installed versions against databases of published vulnerabilities.

But before you install and activate any plugin, security-focused or not, research its history and developer: when it was last updated, whether it is tested against the current WordPress release, how many active installations it has, and whether past security advisories were fixed quickly. Install only from the official plugin directory or directly from a vendor you trust; "nulled" (pirated premium) plugins offered for free are a common delivery vehicle for backdoors, and a plugin abandoned by its developer will never receive a fix. Every plugin runs with the full privileges of the site, so remove the ones you do not use rather than leaving them deactivated on disk.

Keep regular backups

As a website owner, you always need a plan for the worst case: your host suffers an outage, a plugin update breaks the site, or your server is hit with ransomware or defaced. In that situation you need someone ready to act and a recovery procedure they have rehearsed.

And if you do not have a dedicated recovery team, a reliable, tested backup is the next best thing. Even a short period of downtime hurts your company's reputation and frustrates visitors, but with a backup you can restore to a recent point in time and get things running again.

Some hosts offer backups at an additional monthly cost, priced by the storage used. Whatever you use, make sure it captures both halves of a WordPress site: the database (posts, users, settings) and the wp-content directory (uploads, themes, plugins), plus wp-config.php, which holds the database credentials and the authentication keys. Keep copies somewhere other than the server being backed up, since ransomware or a compromised hosting account will take local backups with it, and restore from a backup periodically to prove that it works. A backup that has never been restored is a hope, not a plan.
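For sites without a managed backup service, the whole job fits in a short script. The following is an added example, not the article's or WordPress's own code: it assumes the site root holds wp-config.php and wp-content/, that WP-CLI is installed as `wp` for the database dump (skipped with a warning if it is not), and that backup sets are stored as timestamped directories under a destination you choose. Copying the resulting directory off the server is left to whatever transfer you trust (rsync, object storage), since that depends on your host.

```bash
#!/usr/bin/env bash
# Added example (not the article's code): back up the parts of a WordPress
# site that cannot be re-downloaded, verify the archive, and prune old sets.
# Assumptions: the site root contains wp-config.php and wp-content/, WP-CLI is
# installed as `wp` (the database dump is skipped with a warning otherwise),
# and backup sets are directories named by UTC timestamp under DEST.
set -e

KEEP=7   # assumption: retain the newest seven backup sets

# Portable SHA-256: GNU coreutils has sha256sum, macOS/BSD ship shasum.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# make_backup SITE_ROOT DEST: write DEST/<timestamp>/ containing a wp-content
# tarball, wp-config.php, the database dump, and a SHA256SUMS manifest.
# Prints the path of the new backup set.
make_backup() {
    site_root=$1
    dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)   # sorts chronologically as plain text
    out=$dest/$stamp
    mkdir -p "$out"
    # Uploads, themes, plugins and mu-plugins all live under wp-content.
    tar -czf "$out/wp-content.tar.gz" -C "$site_root" wp-content
    # wp-config.php holds database credentials and the authentication salts,
    # so the backup location must be protected at least as well as the server.
    cp "$site_root/wp-config.php" "$out/wp-config.php"
    if command -v wp >/dev/null 2>&1; then
        wp --path="$site_root" db export "$out/database.sql" --add-drop-table >/dev/null
    else
        echo "warning: wp not found, database not exported" >&2
    fi
    # Glob expansion happens before the redirect creates the temp file, so the
    # manifest does not list itself.
    ( cd "$out" && sha256_tool ./* > SHA256SUMS.tmp && mv SHA256SUMS.tmp SHA256SUMS )
    printf '%s\n' "$out"
}

# verify_backup SET_DIR: re-check every file against the manifest. Run this
# after each backup, and practise a full restore from one regularly.
verify_backup() {
    ( cd "$1" && sha256_tool -c SHA256SUMS >/dev/null )
}

# prune_backups DEST: delete all but the newest $KEEP sets. Timestamped names
# sort chronologically, so the oldest come first.
prune_backups() {
    dest=$1
    total=$(ls -1d "$dest"/*/ 2>/dev/null | wc -l)
    excess=$((total - KEEP))
    [ "$excess" -gt 0 ] || return 0
    ls -1d "$dest"/*/ | sort | head -n "$excess" | while IFS= read -r old; do
        rm -rf -- "$old"
    done
}

# Usage: wp-backup.sh /var/www/html /var/backups/wordpress
# (does nothing when run without a site root, so it is safe to source)
if [ -n "${1:-}" ] && [ -f "$1/wp-config.php" ]; then
    set_dir=$(make_backup "$1" "${2:-./backups}")
    verify_backup "$set_dir"
    echo "backup verified: $set_dir"
    prune_backups "${2:-./backups}"
fi
```

Schedule it from cron, and keep the destination outside the web root and outside the directory the web server user can write to: a backup that an attacker on the server can read gives them the database dump and the salts in one place, and one they can delete is no backup at all.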

The bottom line

Hackers and cybercriminals are always looking to stay one step ahead of their targets. For that reason, you cannot assume that a WordPress environment that is safe today will still be safe tomorrow. WordPress security requires active maintenance and monitoring.

Check the dashboard's Updates screen regularly for core, theme and plugin updates and install them promptly, ideally within days of release: once a fix is published the vulnerability it closes is public too, and automated scanners start looking for sites that have not applied it. WordPress applies minor core releases, which carry the security fixes, automatically by default; leave that enabled. Take a backup before major updates so that you can roll back if a theme or plugin turns out to be incompatible. An unpatched site is the easiest target there is.
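The plugin-hygiene and update advice above is easier to keep up with from the command line than from the dashboard, especially across several sites. The following is an added example, not the article's or WordPress's own code: it assumes WP-CLI is installed as `wp`, runs the offline demo on a constructed sample of `wp plugin list` output, and refuses to apply updates unless it is pointed at a directory containing a backup manifest named SHA256SUMS, which is an assumption about how your backup job lays out its files.

```bash
#!/usr/bin/env bash
# Added example (not from the article): audit installed plugins from WP-CLI
# output and apply updates only once a backup exists. Assumes WP-CLI is
# installed as `wp`; the offline demo runs on the constructed sample below.
set -e

# Constructed sample of:
#   wp plugin list --fields=name,status,update,version,update_version --format=csv
SAMPLE_PLUGINS='name,status,update,version,update_version
akismet,active,none,4.1.2,
contact-form-7,active,available,5.1.3,5.1.4
hello,inactive,none,1.7.2,
old-gallery,inactive,available,2.0.1,2.3.0'

# audit_plugins: read that CSV on stdin and print one finding per line:
#   UPDATE   <name> <installed> -> <available>   a publicly known-outdated plugin
#   INACTIVE <name>                               code still on disk and web-reachable
audit_plugins() {
    while IFS=, read -r name status update version update_version; do
        [ "$name" = "name" ] && continue    # header row
        [ -z "$name" ] && continue
        if [ "$update" = "available" ]; then
            printf 'UPDATE %s %s -> %s\n' "$name" "$version" "$update_version"
        fi
        if [ "$status" = "inactive" ]; then
            # Deactivated plugins are not loaded by WordPress, but their PHP
            # files under wp-content/plugins/ can still be requested directly.
            # Delete what you do not use: wp plugin delete <name>
            printf 'INACTIVE %s\n' "$name"
        fi
    done
}

# live_audit: the real thing. `wp core check-update` reports pending core
# releases; plugins go through the parser above; themes are listed directly.
live_audit() {
    command -v wp >/dev/null 2>&1 || { echo "wp not found in PATH" >&2; return 1; }
    wp core check-update
    wp plugin list --fields=name,status,update,version,update_version --format=csv | audit_plugins
    wp theme list --update=available
}

# apply_updates BACKUP_DIR: update core, plugins and themes, but refuse unless
# BACKUP_DIR holds a backup manifest to roll back to (assumed name: SHA256SUMS).
apply_updates() {
    backup_dir=${1:-}
    if [ -z "$backup_dir" ] || [ ! -f "$backup_dir/SHA256SUMS" ]; then
        echo "refusing to update: no backup manifest in '${backup_dir:-<none>}'" >&2
        return 1
    fi
    wp core update && wp plugin update --all && wp theme update --all
}

# Offline demo on the constructed sample; call live_audit on a real site.
printf '%s\n' "$SAMPLE_PLUGINS" | audit_plugins
```

On the sample, `contact-form-7` and `old-gallery` are reported as outdated and `hello` and `old-gallery` as inactive; the right action for `old-gallery` is deletion, not an update, because a plugin nobody uses is attack surface with no benefit. Run the audit from cron and mail yourself the output, so that "check regularly" does not depend on remembering to log in.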

Sam Bocetta, freelance journalist