The resources you have available to spend on WordPress security for your website usually vary vastly depending on whether you’re an international corporation or just a hobbyist blogger. But since most attacks are automated by bots looking for vulnerabilities, a lot of the threats are the same. Here are some WordPress security measures that bloggers and small businesses with limited resources can easily take.
1: Managed WordPress hosting
A larger company with a sane setup will avoid shared hosting and use dedicated server resources, with a pretty tight lockdown to take care of WordPress security. This is a hosting situation very far from what most people can get. But if you care about your website, you shouldn’t go for the cheapest web hosts, e.g. those offering hosting for $2/month.
The sysadmins at the cheap web hosting companies have one priority: keep the servers running. This isn’t as swell as it first sounds. It means they have no second thought about shutting down or even removing your website if it causes them issues – like a lot of traffic. Imagine your site goes viral or gets mentioned on Oprah, a thundering herd of potential customers comes running to your website … and the hosting company shuts it down.
Sysadmins of general web hosts are rarely WordPress experts. They don’t know what is regular usage, what folders need to be writable, and they will absolutely not find the cause of some error on your web site.
There is some middle ground between these options: Managed WordPress hosting. It costs a little more than the general, cheap, oversold hosting, but their product isn’t just to provide a space for you to dump your website. Their product is often to make sure your WordPress website runs smoothly without any issues. Some hosts will even sell you WordPress as a SaaS – meaning they sell you a working WordPress web site. If there is an issue with your web site, they consider it as an issue with their product and will fix it accordingly.
Managed hosting will usually have a lot of WordPress security measures in place. They know how WordPress works inside out, and have set up and tuned their systems especially for WordPress. Most serious hosting companies will give you an “SSL” certificate for free, so your site runs on HTTPS. Do not even consider running a website without one.
2: Get a Web Application Firewall
A WAF (Web Application Firewall) sits between the outside world where all the nasty people are and your hosting server. It will filter out all bad traffic, remove traffic from aggressive bots and stop denial of service attacks against your website. WAFs have traditionally come with a pretty high price tag, but there are some affordable options available to help you with your WordPress security.
The cheapest option at Sucuri is $9.99/month, and CloudFlare is $20/month. CloudFlare also has a free plan, which doesn’t give you a WAF, but still some limited protection.
Also, some web hosts come with a WAF included in the hosting price. Often this is just a set of ModSecurity rules that filter out the OWASP top 10 threats. Even if these rules aren’t very tight, they will still be helpful. Some hosts will also offer you DDoS protection.
If you’re on a really tight budget, I recommend you get CloudFlare free, and use NinjaFirewall WP+ ($29.90/year), which is a PHP-based WAF that is auto-included in all requests to your website. Its protection is limited, since all requests will still hit PHP on your server, but it can still be very useful and will filter out a lot of unwanted traffic. I tried it out for a year on a website with ~40k legit visitors/month and it looked OK. You might also want to explore the security features Jetpack by Automattic has to offer. I have limited experience with them myself, but Automattic does know a bit about both WordPress and hosting.
3: Keep everything updated at all times
And by everything, I mean WordPress, plugins, themes, translations, everything. Do not lag behind on a single update. Sometimes authors will not immediately disclose if an update contains a security patch. Keeping everything updated at all times is really important for your WordPress security.
A managed hosting service might take care of updates for you, but not necessarily so. It depends on your contract/service. Sometimes updates to themes or plugins can break things, and the host will not be responsible for that, so they leave it up to you. However, since a plugin or theme with an unpatched, published security issue is far worse than your site breaking, you should have auto-updates enabled. In fact, I would prefer that my site becomes unavailable rather than staying open and inviting hackers in. Cleanups are tedious to do, and it is easy to miss a backdoor installed by hackers.
Here is also a generalization worth thinking about when you consider whether to get a premium theme or plugin or a no-cost alternative: commercial authors are living off a good reputation and need to fix errors quickly. Subscriptions are what keep them alive and, quite importantly, motivated to keep updating their product. You might not want to get a plugin or theme from an author who has basically abandoned it and has lost the motivation to keep it updated.
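One way to switch auto-updates on for everything without a security plugin, as an added example that is not from the original post: a must-use plugin that hooks WordPress’s own background-update filters. The two skip-list entries are placeholder slugs, not real plugin or theme names.

```php
<?php
/**
 * Plugin Name: Force automatic updates
 * Description: Added example (not part of the original post). Turns on
 * background updates for core, plugins, themes and translations, with a
 * small opt-out list for things you have reviewed and update by hand.
 *
 * Put this file in wp-content/mu-plugins/ so it loads on every request and
 * cannot be switched off from the dashboard. It has no effect if
 * wp-config.php defines AUTOMATIC_UPDATER_DISABLED as true.
 */

// Assumption: placeholder slugs, e.g. a theme with local modifications.
const FORCE_UPDATES_SKIP_PLUGINS = [ 'example-custom-plugin' ];
const FORCE_UPDATES_SKIP_THEMES  = [ 'example-child-theme' ];

// Core: minor (security) releases are on by default; also take major ones,
// since a broken site is preferable to an unpatched one.
add_filter( 'auto_update_core', '__return_true' );
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins: $item is the update record from the update_plugins transient;
// its ->slug is the directory name on wordpress.org.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $slug = isset( $item->slug ) ? $item->slug : '';
    return ! in_array( $slug, FORCE_UPDATES_SKIP_PLUGINS, true );
}, 10, 2 );

// Themes: same idea, keyed on the theme directory name in ->theme.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    $theme = isset( $item->theme ) ? $item->theme : '';
    return ! in_array( $theme, FORCE_UPDATES_SKIP_THEMES, true );
}, 10, 2 );

// Translations carry no code, so always take them.
add_filter( 'auto_update_translation', '__return_true' );
```

Anything on the skip lists still shows up as pending in the dashboard, so check it after every update cycle rather than forgetting about it.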
4: Use two factor authentication
This is a no-brainer. Everybody should absolutely use 2FA (two-factor authentication). It’s free and helps WordPress security tremendously. Just use it.
Two factor authentication is made up of the factors “something you know” (your password) and “something you have” e.g. your phone, an OTP device, a smartcard, or a dongle connected to your computer.
It’s not a 100% replacement for strong passwords, but almost. If an attacker has your username and password, they will still not be able to log into your website without e.g. your phone.
There are a lot of options available for free for bloggers and small companies. Taking a look at Two-Factor, which is a “feature project” with the ambition of becoming part of WordPress core, might be a good idea. I also like Duo Two-Factor Authentication by Duo Security a lot. It is free to use if your organization (i.e. web site) has fewer than 10 users.
Whatever 2FA solution you get, make sure you store your recovery codes somewhere safe. Like on a piece of paper you keep wherever you keep your other important papers. This will make life easier for you if you lose your hardware security device, or change your phone if you use a phone app.
5: Regular backups
Do regular backups. How often? At least as often as the longest time span you are OK with losing everything that happened on your website. For some, this is every hour. For others, it may be once every fortnight.
Store the backups somewhere off-site. If you need to restore your backup, it is usually because something bad happened. Like your webhost lost your entire site, or you got hacked. If you got hacked, you can not trust the integrity of anything that was on the site anymore, including backup files.
All good backup plugins let you set a schedule for your backups and a remote destination like Amazon S3 or Dropbox. I really like BackupBuddy, but it costs some money. I know there are good, free alternatives, but I don’t have much experience with them. If you have recommendations, please share them in the comments.
Jetpack from Automattic can take real-time backups of your site, backing up all changes to your website as they happen.
Now that you are taking backups regularly, you should restore them from time to time. You can do this on a different site than your live site if you don’t want the downtime. But make sure you do it. This is necessary to:
- Make sure the backups actually work. There are way too many cases where someone tried to restore a corrupted backup, or the backup didn’t contain everything it was supposed to. Make sure you don’t end up in that situation.
- Practice how to do a restore after a disaster. A backup doesn’t do any good if you don’t know what to do with it. Restoring a backup can be a little technical, so practice to make sure you know you can do it. It’ll help you sleep better.
6: Don’t use a security plugin
There is nothing a WordPress security plugin does that is not done better and more properly in other ways. Security plugins touch areas that should not be touched by a plugin, and they try to do way too much. When a security plugin has an error in a function that touches an otherwise harmless area, the consequences are horrible.
See this chart of the WordPress plugins with the most vulnerabilities? Two of the plugins are very popular WordPress security plugins.
If you have covered the 5 points above, there is not much additional value an “all in one” security plugin will do for you. There might be certain features you want, but dedicated plugins usually do that much better. Instead, learn what a security plugin tries to achieve and research how it is properly done.
Other WordPress security tips?
If you have other WordPress security tips that don’t require many resources, as in money, time, technical expertise etc., please share them in the comment section below.