
Here's something you need to know if you want a WordPress website

When WordPress first launched in 2003 as a successor to b2/cafelog, it was a simple blogging system, but it has since evolved into a full-fledged content management system responsible for powering approximately 23% of all websites live on the web today. It is also by far the most popular CMS, miles ahead of competing systems like Joomla and Drupal.

[Graph] WordPress powers 60.4% of the websites that run on some kind of CMS; 23.9% of the total.

WordPress itself comes with numerous benefits and features, which make it well worth considering whether you are building a new website or replacing your old one. Unfortunately its popularity comes at a price – given the large number of websites running on WordPress, the platform has become a natural target for hackers and online criminals. Worse, a lot of website owners make compromising their sites far easier than it needs to be.

If you find yourself thinking of building – or taking possession of – a shiny new website, there is one very important thing you need to keep in mind:

WordPress has a maintenance overhead

Many of the vulnerabilities that detractors like to complain about tend to get patched quite quickly, which makes WordPress just as safe as any other CMS you are likely to use, provided you make the effort to keep your installation up to date. The same applies to every plugin and theme you have installed. A vulnerable plugin that is merely deactivated is still sitting on disk, so delete the ones you do not use rather than leaving them switched off.

This is one area where a great many WordPress website owners fail abysmally, leaving vulnerabilities intact that can be used to compromise their websites. Exact numbers are hard to come by, but a development house based in the Czech Republic did a survey of about 65,000 WordPress sites based in the country. The results were rather shocking: fewer than half of the sites were up to date at the time the article was written.

Source: © lynt.cz

The reasons for these lapses are numerous. People lose interest in running their personal sites, or websites are abandoned. Owners don’t know that their websites need to be kept up to date. Or they do know, but they lack either the skills or the confidence to do so themselves.

We can’t do much about the first reason, but we can work with the other two.

WordPress websites are, on their own, no less secure than websites run on any other platform, as long as you take some relatively basic steps to secure your website and, as mentioned above, take due care to keep all the bits and pieces up to date.

If you happen to be one of those owners who lack the time and/or confidence to keep things up to date yourself, check with your developer whether they offer some form of maintenance contract, which would usually include regularly checking the website to make sure everything stays up to date.

If paying a monthly fee doesn’t appeal to you, get someone to train you. Keeping your site, plugins and themes up to date is a relatively simple exercise, although you might need to call in assistance if something breaks (take a backup before you update so that you can roll back if it does). In my personal experience, however, this is a very rare occurrence.

Here are a few other things you can do to keep your website safe:

  • Install a security plugin (for example Wordfence, Sucuri or iThemes Security).
  • Don’t use the default admin account. The username “admin” is the first one automated login attempts try, so create a new administrative account with a different username and delete the default account.
  • Use a strong password. Silly and easy-to-guess passwords are still used extremely often, and combined with a default admin account they represent one of the easiest ways to compromise a website.
  • Perform regular backups. Many – if not most – hosting providers will do this, but check with them if you’re not certain, and make sure you know how to restore from a backup before you need to. If your host doesn’t do it, plugins exist that will take care of this task for you (for example BackupBuddy).
  • Finally – while it may not seem self-evident at first – make sure the machine you’re using when working on or updating your site is completely free of malware and viruses. A keylogger on your own PC hands over your admin password no matter how strong it is.
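The maintenance routine the two previous sections describe (back up, update core, plugins and themes, replace the default admin account), written out as an added example that is not part of the original post. It uses WP-CLI (the `wp` command), which the post does not mention; WP-CLI itself, the install path, the backup directory and the replacement login name are all assumptions. The two small parsing helpers work on WP-CLI's plain-text output and can be exercised without a live site; the functions that touch the site only run when the script is invoked with `run`.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes WP-CLI ("wp") is
# installed and that this runs as the site's file owner. Every path and name
# below is an assumption; override them through the environment.

WP_PATH="${WP_PATH:-/var/www/html}"                  # assumed install location
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"          # assumed backup location
NEW_ADMIN="${NEW_ADMIN:-siteowner}"                   # assumed replacement login
NEW_ADMIN_EMAIL="${NEW_ADMIN_EMAIL:-owner@example.com}"

# Count the rows in WP-CLI CSV output: "wp plugin list --update=available
# --format=csv" prints a header line plus one row per item with an update.
# Always exits 0 so the count can be captured under "set -e".
count_pending() {
    tail -n +2 | grep -c . || true
}

# Exit 0 when a login called exactly "admin" is among the logins on stdin
# (one per line, as printed by "wp user list --field=user_login").
has_default_admin() {
    grep -qx 'admin'
}

# Every wp call goes through here so the path is set once.
wp_() { wp --path="$WP_PATH" "$@"; }

# Report what is out of date and whether the default account still exists,
# without changing anything.
audit() {
    plugins=$(wp_ plugin list --update=available --format=csv | count_pending)
    themes=$(wp_ theme list --update=available --format=csv | count_pending)
    echo "pending updates: plugins=$plugins themes=$themes"
    wp_ core check-update
    if wp_ user list --role=administrator --field=user_login | has_default_admin; then
        echo "WARNING: default 'admin' account still exists"
    fi
}

# Take a database dump first so a broken update can be rolled back.
backup() {
    mkdir -p "$BACKUP_DIR"
    wp_ db export "$BACKUP_DIR/db-$(date +%Y%m%d-%H%M%S).sql"
}

# Update core, run any pending database migration, then plugins and themes.
update_all() {
    wp_ core update
    wp_ core update-db
    wp_ plugin update --all
    wp_ theme update --all
}

# Compare installed files with the official release checksums; a mismatch
# means a core or plugin file has been modified and should be looked at.
verify() {
    wp_ core verify-checksums
    wp_ plugin verify-checksums --all
}

# Replace the default "admin" login: create a new administrator (WP-CLI
# generates and prints a random password when --user_pass is omitted), then
# delete "admin", reassigning its content to the new account.
replace_default_admin() {
    wp_ user create "$NEW_ADMIN" "$NEW_ADMIN_EMAIL" --role=administrator
    new_id=$(wp_ user get "$NEW_ADMIN" --field=ID)
    wp_ user delete admin --reassign="$new_id" --yes
}

# Only touch a live site when invoked as "./wp-maint.sh run"; the
# replacement of the admin account is a one-off, so call it explicitly.
case "${1:-}" in
    run)           backup && update_all && verify && audit ;;
    replace-admin) replace_default_admin ;;
esac
```

Run `./wp-maint.sh run` from a cron job or before each editing session; the audit output tells you whether anything is still pending. `replace-admin` is deliberately separate because it prints the new password once and deletes the old account, which you want to do by hand the first time.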

I’ll add some additional links at the bottom that will provide more insight as well as steps you can take to secure your site. Following those and the few tips above might not make your site completely invulnerable, but most attackers are unlikely to put in the extra effort needed to get in; they tend to go for the quick wins.

Now, if only we could come up with a workable solution to referrer bot spam.

Additional resources:

WordPress Security: Tried and True Tips to Secure WordPress
Hardening WordPress
10 Tips for Keeping Your WordPress Site Secure