WordPress Security

Worried that your WordPress website is next in line to be hacked? You should be. Luckily, securing WordPress is not too daunting a task and the following are some of the best ways to do it.

WordPress is the most popular and extensively used content management system (CMS) globally, according to recent market share analyses done by the likes of World Wide Web Technology Surveys. WordPress apparently holds 62.5% market share currently, which far exceeds its closest rival, Joomla, at only 4.5%.

As content management systems go, WordPress’ popularity can be chalked up to three simple benefits: its open-source licensing model, its ease of use and its installable plugins. Unfortunately, it is also the most plagued by spam, cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, DDoS and brute-force attacks, to name but a few. Couple this with software vulnerabilities caused by outdated installations of the WordPress core, PHP versions and plugins, and it presents numerous cyber security challenges.

The following are our own tried-and-tested methods for protecting WordPress websites:

  1. Have strong passwords for admin logins
    The definition of a secure/strong password has changed over the years. It is no longer practical to use a simple 6-character password and/or a pet’s name. The password should also be unique to the site, so that if something else the password is used for is compromised, it won’t affect the security of other sites such as the WordPress website. Passwords also weaken over time and should be changed regularly. A password like ‘security1’ took three years to crack in the year 2000 and only required five months to crack in 2015 using a mid-range Intel Core i5-6600K desktop processor. A strong/secure password by today’s standards is defined as having 13 or more characters with mixed content (letters, numbers, symbols and both upper & lower case). We advise using a trusted password manager to generate and keep track of secure passwords.
  2. Always update
    WordPress, like any other software platform, releases software updates and patches regularly. The same can be said for its plugins. Keeping everything up to date helps prevent the exploitation of vulnerabilities that may exist in the software code. The CVE database shows what vulnerabilities have existed over the last decade or more for a variety of software products, which helps to identify where a particular product is most vulnerable and needs the most attention.
  3. Remove the unnecessary
    If you don’t need it, remove it. Although this sounds simple enough, there are still numerous compromised websites out there with disabled plugins and components. A disabled feature can be re-enabled with the right coding and then misused. Another way of looking at this is that a disabled feature will not be updated, leaving the site with a potentially massive security vulnerability. Instead, create a backup of the site concerned and completely remove the unused features.
  4. Avoid plugins
    Plugins are useful. Instead of learning web design basics and how to write code, you can simply install a plugin and get sorted. In most people’s minds it’s a perfect solution for improving security and handling other mundane website management tasks. In reality, though, from a security point of view using plugins has the potential to be very risky. It’s best to keep plugins to a minimum and make sure that they don’t get outdated, to avoid security vulnerabilities.
  5. Backup regularly
    Backing up regularly is one of the golden rules of effective cybersecurity. Regular backups ensure that your site can always be restored to its former glory should it get corrupted or be compromised.
  6. Store backups in multiple locations
    Never have only one backup. Make sure that you store backup copies in at least three different locations: on a local device (webserver, laptop or PC); detached external storage; cloud storage. If one is compromised, another is still viable. Also ensure that the backup device is disconnected from the source as soon as the backup is completed to prevent any backups being compromised together with the source.
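As an added illustration of item 1 (this is example code, not part of the original article or of WordPress itself), the following must-use plugin enforces the 13-character, mixed-content rule server-side whenever a password is set through a profile edit or a password reset. It assumes a standard WordPress install where files in wp-content/mu-plugins/ are loaded automatically; the `mpp_` function names are my own.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (example)
 * Description: Rejects passwords shorter than 13 characters or lacking mixed character classes.
 * Place this file in wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 */

// Minimum length taken from the guidance above (assumed policy value).
const MPP_MIN_LENGTH = 13;

// Returns a list of unmet requirements; an empty list means the password passes.
function mpp_password_problems(string $password): array {
    $problems = [];
    if (strlen($password) < MPP_MIN_LENGTH) {          // byte length; use mb_strlen() for multibyte input
        $problems[] = sprintf('at least %d characters', MPP_MIN_LENGTH);
    }
    if (!preg_match('/[a-z]/', $password))        { $problems[] = 'a lower-case letter'; }
    if (!preg_match('/[A-Z]/', $password))        { $problems[] = 'an upper-case letter'; }
    if (!preg_match('/[0-9]/', $password))        { $problems[] = 'a digit'; }
    if (!preg_match('/[^a-zA-Z0-9]/', $password)) { $problems[] = 'a symbol'; }
    return $problems;
}

function mpp_add_error(WP_Error $errors, array $problems): void {
    $errors->add('pass', '<strong>Error:</strong> Password must contain ' . implode(', ', $problems) . '.');
}

// Fires when a user is created or edited in wp-admin; $user->user_pass is only set if a new password was entered.
function mpp_check_profile_password(WP_Error $errors, bool $update, $user): void {
    if (empty($user->user_pass)) {
        return; // no password change submitted
    }
    $problems = mpp_password_problems($user->user_pass);
    if ($problems) {
        mpp_add_error($errors, $problems);
    }
}
add_action('user_profile_update_errors', 'mpp_check_profile_password', 10, 3);

// Fires on the reset/set-password screen (wp-login.php?action=rp); the candidate password arrives as pass1.
function mpp_check_reset_password(WP_Error $errors, $user): void {
    if (!isset($_POST['pass1'])) {
        return;
    }
    $problems = mpp_password_problems(wp_unslash($_POST['pass1']));
    if ($problems) {
        mpp_add_error($errors, $problems);
    }
}
add_action('validate_password_reset', 'mpp_check_reset_password', 10, 2);
```

This only enforces length and character mix; uniqueness across sites and periodic rotation still rely on the password manager recommended above.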