I recently contributed towards an article on WordPress security and thought I’d write up my advice in full over on my blog. This is particularly relevant in light of recent vulnerabilities in WordPress and a number of high-profile third party plugins.
The most important steps you can take to secure your WordPress site are not necessarily specific to WordPress. Good password practices and keeping your software up-to-date are often overlooked. In my experience, the root cause of a security incident tends to be either a trusted administrator with a bad password or an exploit in an unpatched, third-party plugin.
The basics of security
A strong password doesn’t use dictionary words; it’s made up of a combination of mixed-case letters, numbers and symbols. It’s important to use a unique password for every website, not only because a security breach on another site could give up your password, but because a reused password could also give an attacker access to your email, from which they could request a password reset for your WordPress install.
I’d strongly suggest looking into using a password manager such as 1Password. You’ll be able to generate strong passwords and not have to worry about remembering them all. There are also tools which limit the number of incorrect login attempts, thwarting automated password-guessing attacks. If you already have Jetpack installed, check to see whether Jetpack Protect is enabled; otherwise look into something like Limit Login Attempts.
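To show what a login-attempt limiter actually does inside WordPress, here is a small must-use plugin I have added as an illustration; it is not code from Jetpack Protect or Limit Login Attempts, and the limit of 5 attempts per 15 minutes and the `slt_` prefix are my own choices. It counts failed logins per client IP in a transient and, once the limit is reached, makes the `authenticate` filter return an error instead of a user.

```php
<?php
/*
 * Plugin Name: Simple Login Throttle (illustrative example)
 * Description: Locks out a client IP after repeated failed logins.
 * Copy into wp-content/mu-plugins/ to load it without activation.
 */

// Tunables (assumed values for this example, not from any real plugin).
define( 'SLT_MAX_ATTEMPTS', 5 );                        // failures allowed in the window
define( 'SLT_WINDOW', 15 * MINUTE_IN_SECONDS );         // counting window and lockout length

// Key the counter on the requesting IP. REMOTE_ADDR is only meaningful when
// the site is not behind a proxy or CDN; behind one, resolve the real client
// address from the header that proxy sets, and from nothing else.
function slt_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'slt_fail_' . md5( $ip );
}

// Count each failed login; the transient expires when the window ends.
// Each further failure re-arms the expiry, so hammering the form extends the lockout.
function slt_record_failure( $username ) {
    $key   = slt_transient_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, SLT_WINDOW );
}
add_action( 'wp_login_failed', 'slt_record_failure' );

// Refuse to authenticate a locked-out client, whatever credentials it sent.
// Priority 30 runs after core's own username/password check (priority 20),
// which is the conventional place for a lockout filter to have the last word.
function slt_check_lockout( $user, $username, $password ) {
    if ( '' === $username && '' === $password ) {
        return $user; // login form being displayed, nothing submitted yet
    }
    if ( (int) get_transient( slt_transient_key() ) >= SLT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.', SLT_WINDOW / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'slt_check_lockout', 30, 3 );

// A successful login clears the counter for that client.
function slt_clear_on_success( $user_login, $user ) {
    delete_transient( slt_transient_key() );
}
add_action( 'wp_login', 'slt_clear_on_success', 10, 2 );
```

Two things to keep in mind if you adapt this: the counter lives in the options table (or the object cache), so it is shared across all requests for the site and survives a page load, and because the lockout error itself fires `wp_login_failed`, a client that keeps trying stays locked out until it stops for a full window. Dedicated plugins add per-username counting, whitelisting and notification on top of this same mechanism.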
Keep all your software up-to-date
In terms of keeping software up-to-date, WordPress has a built-in update mechanism to keep itself, its themes and plugins updated. Running the latest version of each means you’ll benefit from new features, bug fixes and, crucially, security patches.
You can access the Updates screen within the WordPress Dashboard to see and install available updates. The WP Updates Notifier plugin can email you when an update is made available for your WordPress site, saving you from having to manually check.
Managing multiple WordPress sites? Use the tools available
If you’re looking after a number of sites, there are some brilliant remote management tools available. Jetpack now includes a Site Management feature which has many of the useful features the more established services such as WP Remote and ManageWP offer. From one interface you can get an overall feel for the status of your websites and remotely install updates.
The threat from premium themes
WordPress itself has a strong security track record and, as outlined in The WordPress Security White Paper, has a dedicated team of professionals responsible for ensuring vulnerabilities are dealt with in a structured and efficient way.
An issue I’ve seen causing pain recently is premium WordPress themes which come bundled with plugins. The idea is to provide additional functionality and value to the end user. However, as the theme author is the licence holder for the bundled plugin, it is their responsibility to update and distribute the patched files. As the site owner, you might not even be aware you’re running out-of-date, exploitable code.
Adding any third-party code to your WordPress installation increases the potential for introducing vulnerabilities. You should source your themes/plugins from the official repositories or from reputable developers who provide a clear update process.
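Because the Updates screen can only tell you about code that has an update channel, a useful check is to list every installed plugin that the WordPress.org repository does not know about: those are the ones whose patches depend on a vendor or on a theme author that bundled them. The following WP-CLI command is an example I have added for this post, not a feature of WordPress, WP-CLI or any named plugin; the command name `plugin-source-audit` and the `psa_` prefix are my own, and it assumes WP-CLI is installed and the site can reach api.wordpress.org.

```php
<?php
/*
 * Plugin Name: Plugin Source Audit (illustrative example)
 * Description: Adds `wp plugin-source-audit`, which lists installed plugins
 * together with whether the WordPress.org repository can update them.
 * Copy into wp-content/mu-plugins/; only does anything under WP-CLI.
 */

if ( ! ( defined( 'WP_CLI' ) && WP_CLI ) ) {
    return; // nothing to do on a normal web request
}

// Derive the repository slug from the plugin's main file path,
// e.g. "akismet/akismet.php" -> "akismet", "hello.php" -> "hello".
function psa_slug_from_file( $plugin_file ) {
    $dir = dirname( $plugin_file );
    return ( '.' === $dir ) ? basename( $plugin_file, '.php' ) : $dir;
}

// Returns one row per installed plugin: name, installed version, latest
// repository version (or '-') and a status the site owner can act on.
function psa_audit_plugins() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';         // get_plugins()
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php'; // plugins_api()

    $rows = array();
    foreach ( get_plugins() as $file => $data ) {
        $info = plugins_api( 'plugin_information', array(
            'slug'   => psa_slug_from_file( $file ),
            'fields' => array( 'sections' => false, 'tags' => false, 'banners' => false ),
        ) );

        if ( is_wp_error( $info ) ) {
            // Unknown to WordPress.org: premium, custom, or bundled with a theme.
            // WordPress cannot patch it for you, so review its update path by hand.
            $status = 'not in wp.org repo';
            $latest = '-';
        } elseif ( version_compare( $data['Version'], $info->version, '<' ) ) {
            $status = 'update available';
            $latest = $info->version;
        } else {
            $status = 'current';
            $latest = $info->version;
        }

        $rows[] = array(
            'plugin'    => $data['Name'],
            'installed' => $data['Version'],
            'latest'    => $latest,
            'status'    => $status,
        );
    }
    return $rows;
}

WP_CLI::add_command( 'plugin-source-audit', function () {
    WP_CLI\Utils\format_items(
        'table',
        psa_audit_plugins(),
        array( 'plugin', 'installed', 'latest', 'status' )
    );
} );
```

Run it with `wp plugin-source-audit` from the site root. The slug lookup is a heuristic: a bundled plugin whose directory name happens to match an unrelated repository plugin will be compared against the wrong version, so treat the "not in wp.org repo" rows as the ones needing a conversation with the theme or plugin vendor, and spot-check the others rather than trusting the table blindly.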