WordPress is rated as the most popular blogging platform available today. And for good reason. It’s free. It’s open source, which means you have access to the code and are able to customize or modify it however you want. It has a plugin for virtually anything you need or want it to do and has countless beautiful themes, many of the free.
What’s not to love?
Well, there are a few things, like security issues. Granted, as the platform has evolved over the years—and its developers are constantly updating and improving core WordPress—if you’re not staying on top of things, your site may be far too easy to hack.
Before we go any further, let’s be clear which WordPress we’re considering here.
There are two versions of WordPress. The self-hosted version—which you download and install to whatever host you use, and the version that is hosted online by WordPress themselves. We are talking about the first.
Note, there are some excellent security plugins available for your WordPress site, but installing one of them doesn’t mean your site is now 100% secure.
Let’s start off with a quick overview of some of the issues facing WordPress security and then delve into each of them a little further.
First, at its core, I would say WordPress is extremely secure. The issues start to arise as users begin to add their own themes and plugins, neglect to change their username from admin to something else or use weak passwords. That’s just to name a few. Want a few more? Not using a firewall or not keeping your plugins and themes up to date. If you fail to pay attention to even one of these things, WordPress could end up being a security nightmare for you.
What can you do to Secure Your WordPress Site?
If I were going to suggest one blanket layer of protection—I’m not—I would recommend using a VPN. But this isn’t a cure-all, and it won’t give you blanket protection. It will give you that first strong layer of protection you’re going to need to build upon and then consistently maintain.
There are several VPNs you can choose from, and you can do your own research when choosing one, but I will leave you with one recommendation. One of my favorites is the 9/10 rated NordVPN. They offer double encryption!
Use a Firewall
If you’re using WordPress, you’re likely using some sort of desktop or laptop as well. Any major operating system comes with a firewall, so you should know what they’re all about. You can set one up for your WordPress site, and this is another wall against anyone attempting to hack your site.
Themes and Plugins
WordPress is versatile, with literally thousands of plugins and themes to choose from.
Let’s say you want a new theme. Should you just hit Google and find a theme you like from any website you find? Maybe do the same if you need a plugin? The answer to that is an emphatic no! Only download themes and plugins from reputable sites, first from the WordPress repository itself and then from other reputable WordPress sites. I can’t list all those sites here, but with a bit of work and research, you should be able to figure that out yourself.
Why shouldn’t you download and install plugins and themes from a dodgy source? Because you are adding code to your site. And unless you can read that code you have no idea what its directives are. On the surface, it may be just what you want, but underneath it could be infringing on your privacy.
What about themes and plugins that do come directly from WordPress or a reputable site? Are they set and forget? No, because security holes might be found after they are released. And since the information about those holes is made public, hackers immediately start looking for sites that are still vulnerable.
Always update your themes and plugins immediately.
The Admin Username
When you install WordPress it comes with a default username, which is “admin”. For years, no one changed this, nor was it recommended. But remember how we said WordPress is the # 1 choice for a blogging platform? That means hackers know they have lots of opportunities to do their thing. And if you have a username that hasn’t changed from the default, a hacker is already halfway into your site and your data.
When you install WordPress, make sure you change the username from admin to something unique. Make it complex. Then, within your WordPress settings, set up a nickname. Visitors will see that and not your username.
Weak passwords are mentioned again and again when talking about online security issues because people just can’t seem to get how important a strong password is. Part of that is laziness. Part of it is the fear of forgetting an important password. There are solutions to that, but we aren’t going into them here.
Did you note above where it says that with a password which hasn’t changed from admin, a hacker is already halfway into your site? What if you have a weak password to go along with that admin username? You are pretty much waving your virtual hand in the air and saying, “Pick me! Pick me! I want to get hacked!”
The first line of defence? A VPN. This will help keep hackers who want to implant any kind of malware, worms, or trojans at bay. It will also protect all of your WordPress data and files. And if you run an e-commerce site, you have all kinds of sensitive information stored. Your own and your customer’s. And now, with the inception of GDPR, you need to be able to ensure you’re doing your best to keep your customer’s data private and secure.
Next, be sure to add a firewall. This may be an independent plugin, or part of a larger, full-featured security plugin.
Finally, change your username from default, and use strong passwords.