WordPress Security

Last updated on: Jan 20th, 2020

WordPress is renowned for its usability and ease of access; however, its popularity also makes it an attractive target for bad actors. This WordPress security guide is an introduction to how to protect visitors, mitigate threats, and create a more secure WordPress site.

Recent statistics show that over 28% of website administrators across the web use WordPress. Its popularity comes at a price: it is often targeted by malicious hackers and spammers who seek to leverage insecure websites to their advantage.

WordPress security is about risk reduction, not risk elimination. Because there will always be risk, securing your WordPress site will remain a continuous process, requiring frequent assessment of these attack vectors.


Is WordPress Secure?

The question of whether WordPress is secure or not depends entirely on you, the website owner. Website security is about risk reduction. Follow our WordPress security best practices to harden and protect your website from threats.

How to Secure a WordPress Site

This guide is intended to educate WordPress administrators on basic security techniques and actionable steps that will help to secure your WordPress site and reduce the risk of a compromise.

1 – WordPress Software Vulnerabilities

Keep WordPress, Themes & Plugins Updated

The WordPress security team works diligently to provide important security updates and vulnerability patches. However, the use of third-party plugins and themes exposes users to additional security threats.

By regularly installing the latest versions of core WordPress files and extensions, you can ensure that your website possesses all of the prevailing security patches and your WordPress site is more secure.

1.1 – Regularly Audit WordPress Plugins & Themes

Plugins and themes can become deprecated, obsolete, or include bugs that pose serious security risks to your WordPress website.

To secure your WordPress installation and improve security, we recommend that you audit your plugins and themes on a regular basis.

Assess Your Plugin Security

You can assess the security of WordPress plugins and themes by reviewing a couple of important indicators:

  • Does the plugin or theme have a large install base? Check the number of installs before adding a new plugin to your WordPress site.
  • Are there a lot of user reviews, and is the average rating high? Check WordPress plugin reviews and ratings before adding a new plugin.
  • Are the developers actively supporting their plugin and pushing frequent updates or security patches? If a plugin has not been updated in a long time, it can contain vulnerabilities that malicious users exploit to compromise WordPress websites.
  • Does the vendor list terms of service or a privacy policy? It is important to check if the plugin has a privacy policy or ToS.
  • Does the vendor include a physical contact address in the ToS or on a contact page? Having a physical contact address adds credibility to a WordPress plugin.

Carefully read the Terms of Service – it may include unwanted extras that the authors didn’t advertise on their homepage. If the plugin or theme doesn’t meet any of these requirements or has recently changed owners before the latest update, you may want to look for a more secure solution for your WordPress site.
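The quantitative indicators above (install base, number and average of ratings, time since the last update) can be checked mechanically against the metadata WordPress.org publishes for each plugin. The following script is an added example, not code from the guide or from WordPress; the thresholds are assumptions chosen for illustration, and the sample records are constructed to mirror the fields of the api.wordpress.org plugin information response (`active_installs`, `rating` on a 0-100 scale, `num_ratings`, `last_updated`). The `fetch_plugin_info` helper shows how the same audit would run against the live API when network access is available.

```python
"""Score WordPress.org plugin metadata against the audit indicators above."""
import json
import re
import urllib.parse
import urllib.request
from datetime import date

# Assumed thresholds (the guide gives none); tune them to your own risk appetite.
MIN_ACTIVE_INSTALLS = 1000
MIN_NUM_RATINGS = 20
MIN_RATING_PERCENT = 80          # api.wordpress.org reports rating on a 0-100 scale
MAX_DAYS_SINCE_UPDATE = 365

# Constructed sample records in the shape of the api.wordpress.org
# plugin_information response (only the fields this audit reads).
SAMPLE_PLUGINS = [
    {"slug": "well-kept-forms", "active_installs": 250000, "rating": 94,
     "num_ratings": 1200, "last_updated": "2020-01-12 3:10pm GMT",
     "tested": "5.3.2"},
    {"slug": "abandoned-gallery", "active_installs": 400, "rating": 70,
     "num_ratings": 3, "last_updated": "2016-03-02 9:41am GMT",
     "tested": "4.4.2"},
]


def parse_last_updated(value):
    """Extract the YYYY-MM-DD prefix from the API's last_updated string."""
    m = re.match(r"(\d{4})-(\d{2})-(\d{2})", value or "")
    if not m:
        return None
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def audit_plugin(info, today):
    """Return a list of audit findings; an empty list means no red flags."""
    findings = []

    installs = info.get("active_installs") or 0
    if installs < MIN_ACTIVE_INSTALLS:
        findings.append(f"small install base ({installs} active installs)")

    num_ratings = info.get("num_ratings") or 0
    rating = info.get("rating") or 0
    if num_ratings < MIN_NUM_RATINGS:
        findings.append(f"few reviews ({num_ratings} ratings)")
    elif rating < MIN_RATING_PERCENT:
        findings.append(f"low average rating ({rating}/100)")

    updated = parse_last_updated(info.get("last_updated"))
    if updated is None:
        findings.append("no last_updated date reported")
    else:
        age = (today - updated).days
        if age > MAX_DAYS_SINCE_UPDATE:
            findings.append(f"not updated in {age} days")
    return findings


def audit_all(plugins, today):
    """Map slug -> findings for every plugin record."""
    return {p["slug"]: audit_plugin(p, today) for p in plugins}


def fetch_plugin_info(slug, timeout=10):
    """Live lookup via the WordPress.org plugin information API (needs network)."""
    query = urllib.parse.urlencode(
        {"action": "plugin_information", "request[slug]": slug})
    url = "https://api.wordpress.org/plugins/info/1.2/?" + query
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for slug, findings in audit_all(SAMPLE_PLUGINS, date(2020, 1, 20)).items():
        status = "OK" if not findings else "REVIEW: " + "; ".join(findings)
        print(f"{slug}: {status}")
```

The non-quantitative indicators (terms of service, privacy policy, contact address, recent change of ownership) still need a human reviewer; the script only narrows the list of plugins worth that attention.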

Note

Sometimes bad actors will purchase a plugin to add malicious or unwanted functionality. Exercise caution when installing plugins that have recently changed owners before the latest update.

Remove Unused WordPress Plugins & Themes

When it comes to unused plugins, less is more. Storing unwanted plugins in your WordPress installation increases the chance of a compromise, even if they are disabled and not actively being used in your installation. Removing unused plugins and themes helps improve security and protects WordPress from hacking.

Not using that WordPress plugin? Remove it from your installation.
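Both of the recommendations in this section, keeping installed plugins current and removing the ones you are not using, can be driven from the inventory WP-CLI prints. The script below is an added example, not code from the guide or from WP-CLI; it reads the JSON that `wp plugin list --format=json` produces (the sample is constructed with the command's default fields `name`, `status`, `update` and `version`), schedules an update for every active plugin with one available, and schedules deletion for every inactive plugin rather than updating it. Must-use and drop-in plugins are left alone because they are not managed through the plugin screen.

```python
"""Plan plugin updates and removals from `wp plugin list --format=json` output."""
import json
import sys

# Constructed sample in the shape of `wp plugin list --format=json`.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.3"},
    {"name": "contact-form", "status": "active", "update": "available", "version": "1.8.2"},
    {"name": "old-slider", "status": "inactive", "update": "available", "version": "2.0.0"},
    {"name": "staging-helper", "status": "inactive", "update": "none", "version": "0.9"},
    {"name": "custom-mu-loader", "status": "must-use", "update": "none", "version": "1.0"},
])

# Statuses that are not managed through `wp plugin update` / `wp plugin delete`.
UNMANAGED = {"must-use", "dropin"}


def plan_maintenance(plugin_list_json):
    """Return {'update': [...], 'delete': [...], 'skipped': [...]}.

    Inactive plugins are removed rather than updated (unused code is attack
    surface whether or not it is current); active plugins with an update
    available are updated; must-use and drop-in plugins are only reported.
    """
    rows = json.loads(plugin_list_json)
    to_delete = sorted(r["name"] for r in rows if r.get("status") == "inactive")
    to_update = sorted(
        r["name"] for r in rows
        if r.get("update") == "available"
        and r.get("status") not in UNMANAGED
        and r["name"] not in to_delete
    )
    skipped = sorted(r["name"] for r in rows if r.get("status") in UNMANAGED)
    return {"update": to_update, "delete": to_delete, "skipped": skipped}


def wp_cli_commands(plan):
    """Render the plan as WP-CLI commands to review before running them."""
    cmds = [f"wp plugin update {name}" for name in plan["update"]]
    cmds += [f"wp plugin delete {name}" for name in plan["delete"]]
    return cmds


if __name__ == "__main__":
    # Pipe real output in: wp plugin list --format=json | python3 plan.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    plan = plan_maintenance(raw)
    for cmd in wp_cli_commands(plan):
        print(cmd)
    for name in plan["skipped"]:
        print(f"# {name}: must-use/drop-in, review manually")
```

The same planning logic applies to themes by feeding it `wp theme list --format=json` and substituting `wp theme update` / `wp theme delete`; keep in mind that WordPress needs at least one installed theme (the active one) and, ideally, one default theme as a fallback.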