In part 1 of our series on increasing your WordPress site security, we explored simple practices for improving the security of WordPress. In today’s post, we’re sharing more recommendations and identifying practices that should be avoided.
It seems like WordPress user has come across a plugin that seemed less than legitimate. As an open source platform, WordPress permits anyone can write software for it. This means anyone can write software for it.
It’s best to stick with the WordPress Repository when it comes to plugins. Every plugin on the Repository shows its last update, rating and latest compatible version of WordPress.
If you venture outside the plugin repository, things can get less reputable. There are well known, premium plugins like Gravity Forms and Event Espresso that have professional websites with include information about pricing, contacts, support and anything else you might need to know. These types of plugins tend to be updated frequently, making them generally secure. You should still, however, use your best judgement when evaluating plugins from sources other than the WordPress Repository.
You mileage can vary widely on third party plugin markets like CodeCanyon. On these types of markets, it’s even more important to check the ratings of plugins. If possible, Google the developer’s name and see what you find.
Most developers are trying to write good software. However, malicious developers will sometimes hide code in their plugins to introduce “back doors” to your site and your site’s data. Be vigilant. Only install plugins you trust and listen to your gut if something seems fishy.
Many users to look to plugins to help them with security. While the two methods we covered already are absolutely essential, a security can be helpful.
There are dozens of very simple plugins on the Repository that limit login attempts for example. These plugins can protect against brute force attacks on your login page. Nearly all of them work the same way: limiting the number of times a user can try to login (and fail) from a single IP address.
The plugin will typically allow you to set the number of times a login can fail and how long that IP will be blocked before allowing the user to try logging in again. Keep in mind that a plugin like this is no replacement for a strong password. Using a limit login attempts plugin in addition to strong passwords will help you secure your WordPress login page.
If you’re looking for a more robust security solution, WordFence is a popular choice. WordFence not only handles login issues like brute-force attacks, it goes much farther by crowdsourcing data from other users. For example, if a site running WordFence is taken down by a malicious network or IP address, all WordFence users will automatically be updated to protect against the attack.
Keep in mind that plugins with this many capabilities are “heavy,” so you’ll need to consider how they may affect the performance of your WordPress site. If the plugin slows your site to a crawl, you may not have enough visitors to make the added security worth your effort.
Questionable Security Practices
Finally, we’ll look at some of the bad ideas of WordPress security. There are a lot of “security measures” on the internet that might sound like great advice but, in actuality, are more harmful than good.
For example, many WordPress users and developers are under the impression that changing the database prefix on your WordPress database tables will make your site more secure. The default database prefix is “wp_”, and you’ll see this in your wp-config.php file. Some developers (most likely utilizing a plugin) will rename this prefix to something like “wp_ldskfj_”. The reasoning behind this practice is that it makes it more difficult for hackers to run commands against your database because they don’t know the prefix of your database tables.
However, this is false security. While you may not necessarily hurt your site, you won’t help it either. If a hacker has already gotten to the point of being able to run queries on your database, they’ll access database prefix in no time.
You may heard that security is only a concern for site that run on cheap WordPress hosts. This is also false security. Whether your WordPress site is hosted on a premium managed host like Pressable or a dirt-cheap host, your host can only do so much for your site’s security. Though our team of WordPress expert can make recommendations for securing you WordPress site, provide free offsite backups and remove malware when necessary, you are the last line of defense for you site. Don’t out your site at risk of being hacked by doing worst practices that are out of your host’s control, such as using very simple passwords.
We hope you enjoyed learning about our recommendations for securing your WordPress site. Let us know what you thought, and share any questions you have for us in the comments below. Press on!