As with everything in life, being secure comes down to being cautious, reasonable and thinking logically. Security is a serious business and security and WordPress is always a big issue.
Although WordPress.org development team is quick to release security patches and updates, the same cannot be said about WordPress themes and plugins made by independent developers.
WordPress best practices keep WordPress websites secure.
There are lots of WordPress security plugins, but it’s not enough to just leave it to some 3rd party plugin to take care of your business. It’s up to you to keep WordPress safe and get all angles covered.
1. Choose Wisely and Update Regularly
WordPress updates don’t always bring just cool new features and options, but patch security vulnerabilities and fix bugs.
When installing themes and plugins, make sure they’re being updated regularly and that the author is responding to support questions. Often a premium WordPress product gets you a premium service, as well. Whatever you choose, see whether it’s a product made with best practices in mind and this will ensure there are no compatibility or security issues.
Always use trusted sources and for free stuff this means the official WordPress theme or plugin repositories. If you want to use commercial themes or plugins, do your research and get informed on quality of the author.
2. Don’t Go With the Defaults
This one’s a tip from our developer Slobodan: codex.wordpress.org is a large knowledge base, so whenever you have doubts about anything WordPress, try to find your answers there first. There’s a whole section on security and I would like to point out security through obscurity part:
- Don’t ever use the default administrator username – “admin”
- Default WordPress database prefix is – “wp_” and by changing this prefix you’ll repel some SQL injection attacks
3. Backup Your WordPress
Backups keep you safe not only from server failures and incompatible software updates, but also from hackers. For WordPress backup I think you should try BackWPup, free WordPress plugin.
I’ve written a review of the backup plugin and I suggest you take a look at it. You’ll have it set and configured on your websites in no-time.
4. Reduce Credentials
People need only credentials that are enough for them to do their job. It basically means you should practice proper management and use of roles and capabilities. Nobody who’s only writing articles or editing posts needs administrative rights.
Your admin account should only be used when you’re performing administrative tasks, updating your WordPress installation, installing or deinstalling themes and plugins or for other major changes.
5. Use Strong Passwords
This one is simple. Use long pass-phrases, special characters and numbers for every single password. Don’t use same passwords for different accounts.
6. Security Plugins
There are several security plugins for WordPress, but only two worth mentioning. They are:
Most plugins give a false sense of security, but these two will get you covered for just about any eventuality. You should’t think twice when enabling “limit login attempts feature” and for everything else there’s an explanation in the documentation. You can also try hardening WordPress security through .htaccess configuration file.
WordPress is growing at an unimaginable rate and so is the number of malicious WordPress attacks. Use and install only those products which are absolutely necessary to run your website. This applies to both themes and plugins. The more stuff you add the more stuff you need to maintain. If you need
Themes that have lots of features have a lot more stuff that can break and are generally more susceptible to hacker attack. Free things are not always good. Take a look at this post about Why You Should Never Search For Free WordPress Themes.
If you’re maintaining and updating WordPress regularly, limiting credentials, using strong passwords and scheduled backups, you’re pretty much protected from anything malicious out there.
If you suspect you’ve been under attack or infected, try this free website malware scanner by Sucuri. These guys specialize in website security and offer professional service in maintaining and disinfecting websites.
If you have any more recommendations, share it with us in the comments section below. One can never be too secure.