Why is it important to improve security on WordPress websites you develop or maintain?
WordPress is currently the biggest platform online for serving websites: at the time of writing, BuiltWith detects it on 54% of the more than 50 million CMS websites it tracks. Like any popular platform, app or service, that popularity creates online communities whose main purpose is to find and exploit vulnerabilities within the WordPress ecosystem, whether in WordPress itself or in the plugins and themes built for it.
So hardening your WordPress security is something you should invest research and development into, whether you’re an individual hosting a personal blog, a small or medium-sized business with an internal web team, or a digital agency providing web services to a large client base. This blog will go through different methods, free and/or paid, for improving the security of the websites you manage, to help protect your credibility and the trust of your customers.
Try to avoid unnecessary/vulnerable plugins and themes
Check a plugin for known vulnerabilities on a site like WPScan before using it, even if it has a lot of active installs; some of the most widely used plugins get exploited, GDPR plugins being one example. Also check its latest reviews, whether it is up to date for the latest version of WordPress, and whether it conflicts with any other plugins or themes in your development environment before you use it on your live site.
We would recommend creating a list of plugins to avoid, with a safer alternative for each where one exists, and sharing the list with your team. In addition, you could set up Google News alerts for terms like ‘WordPress plugin vulnerability’ to keep up to date with the latest news and blogs.
Try to avoid slider plugins; instead, build your own using a jQuery library such as Slick Slider combined with Advanced Custom Fields. Some slider plugins have been exploited through vulnerabilities in the past, mainly because they are code-heavy plugins built to be fully customisable by the end user to fit any possible design, and a quick Google search will indicate which ones to avoid.
Just like slider plugins, page builder plugins are also exploited through vulnerabilities.
Both slider and page builder plugins can easily be avoided. We would recommend against using them and instead designing and building a bespoke theme from scratch using a starter theme such as JointsWP (based on Zurb Foundation) or Understrap (based on Bootstrap), then creating pages within the theme using Advanced Custom Fields. This will not only be more secure than a paid-for theme but will also be lighter, easier to update in the future and better optimised for page load speed.
WordPress and plugin maintenance
One area that often gets overlooked is keeping WordPress, plugins and themes up to date, and not forgetting to disable and/or delete unused plugins. Neglecting this can cause issues in the future as they become outdated, insecure and in some cases abandoned.
WordPress has applied security updates automatically since v3.7, but there is not yet an easy built-in way to have WordPress automatically update plugins and themes. An official plugin in development by WordPress will make this possible in the future.
For now, you could install a WordPress management dashboard plugin to manage updates for WordPress, plugins and themes across your sites; these include InfiniteWP and ManageWP.
Another important part of updating sites is to treat every site the same: if you miss any sites that are old or already vulnerable to attack, they could be the weakest link in the chain. If you do have any troubled sites, you might want to think about moving them to a separate server altogether.
Types of issues you could come across include:
Utilise security plugins and services
Other ways of preventing attacks on your website include using security plugins such as Wordfence and website security tools such as Cloudflare; both offer basic features for free which, combined, will significantly improve your security.
The key Wordfence features include a firewall with settings for brute-force attacks, rate limiting for crawlers and blocking traffic from suspicious users. It also lets you scan your site for malicious files and then remove or repair them, and audit password strength so that weak passwords can be updated.
The key Cloudflare features include setting up SSL, proxying through Cloudflare’s servers (which helps hide your server’s IP address), and creating firewall rules to reduce and/or restrict traffic to your website or to specific pages such as xmlrpc.php and the login/register pages; you can also create rules based on criteria such as threat scores, bots and user agents. The great advantage of Cloudflare is that suspicious users can be blocked before they ever connect to your web server, which reduces unwanted traffic on the server and helps both security and performance.
If you want to research Cloudflare further and how best to implement the firewall rules it offers on your website, here’s a great blog post by Cloudflare explaining how to use firewall rules.
What else is available?
There are always ways to improve your site’s security, some more experimental than others, and implementing them is at your own risk: for example, updating your .htaccess file to stop PHP running within your uploads folder, restricting access to specific folders within WordPress such as wp-includes, or whitelisting the IP addresses that can access your wp-login page. Plenty of blogs can help you implement these if you wish, but test them first before deploying them to a live website.
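As an added example (not from the original post), here are the three .htaccess measures just mentioned, plus the xmlrpc.php restriction discussed under Cloudflare applied at the web server itself. It assumes Apache 2.4 with mod_authz_core and mod_rewrite, .htaccess overrides enabled, and uses RFC 5737 placeholder addresses.

```apache
# --- wp-content/uploads/.htaccess ---
# Uploads hold user-supplied data, never code: refuse to serve or run
# anything PHP-like that ends up written here.
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>

# --- /.htaccess in the WordPress root, placed ABOVE "# BEGIN WordPress" ---
# Block direct requests to include-only files (rule set from the
# WordPress hardening guide). Not suitable for Multisite, which needs
# wp-includes/ms-files.php to stay reachable.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    # Skip the next three rules unless the path starts with wp-includes/
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Only the listed networks may reach the login page (RFC 5737 placeholder
# addresses; replace with your office or VPN ranges).
<Files wp-login.php>
    Require ip 203.0.113.0/24 198.51.100.7
</Files>

# xmlrpc.php is a common brute-force entry point; deny it unless a
# service you rely on genuinely needs it.
<Files xmlrpc.php>
    Require all denied
</Files>
```

Test on a staging copy first: the login allowlist will lock out anyone (including you) who is not on the listed ranges.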
You could also implement a Content Security Policy (CSP) on your website, which helps protect against cross-site scripting (XSS). Take great care to implement it correctly, as it can be tricky if your website relies on a lot of plugins and/or external resources.
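An added example of the staged approach that makes CSP manageable on a plugin-heavy site (not from the original post): ship the policy in Report-Only mode first, keep wp-admin and the login page out of scope, and only switch to enforcing once the violation reports are clean. It assumes Apache 2.4 with mod_headers and mod_setenvif; https://cdn.example.com and /csp-report are placeholders for your own CDN and report collector.

```apache
# /.htaccess (or the site's <VirtualHost>).
# wp-admin and wp-login.php rely heavily on inline scripts and styles, so
# exclude them until the policy has been proven on the public front end.
SetEnvIf Request_URI "^/wp-(admin|login\.php)" skip_csp

# Stage 1: report only. Nothing is blocked; browsers log each violation to
# the console and POST it to /csp-report (placeholder endpoint you provide),
# which tells you exactly which plugins and third parties the policy would
# break. Expect reports from WordPress core's own inline scripts
# (e.g. the emoji loader) until you remove them or allow them by hash/nonce.
Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://cdn.example.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; frame-ancestors 'self'; base-uri 'self'; form-action 'self'; report-uri /csp-report" env=!skip_csp

# Stage 2: once the report log is clean, move the identical value to the
# enforcing header and delete the Report-Only line above.
# Header always set Content-Security-Policy "<same policy as above>" env=!skip_csp
```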
Lastly, check that your server is running with open_basedir (the ‘open base directory’ setting) configured. This PHP setting restricts the directories a website’s scripts can open files in, and therefore write to. It is important if your website runs on a shared server, as it prevents one website from writing to a folder belonging to another; for example, if a website on your server gets infected, open_basedir helps reduce the risk of the infection spreading to the rest of the server.
To summarise, we have gone through some areas where you may be able to improve the security of your WordPress website without doing anything too technical, especially site maintenance and security services/plugins. If you find other parts too technical, such as development, or if you need help implementing anything we have mentioned, please feel free to get in touch.
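An added example of the per-site confinement described above (not from the original post): two sites on one Apache 2.4 server running mod_php, each restricted to its own directory tree. Hostnames and paths are constructed placeholders, and TLS directives are omitted; with PHP-FPM the same settings go in each pool file as php_admin_value[open_basedir] instead.

```apache
# One <VirtualHost> per site; php_admin_value cannot be overridden from
# .htaccess or ini_set(), so a compromised site cannot loosen it.
<VirtualHost *:80>
    ServerName shop.example.com
    DocumentRoot /var/www/shop/public

    # PHP may only open files below this path. The trailing slash matters:
    # "/var/www/shop" without it would also match "/var/www/shopping".
    php_admin_value open_basedir "/var/www/shop/"

    # Paths PHP writes to implicitly must also sit inside open_basedir,
    # otherwise uploads and sessions fail with "open_basedir restriction
    # in effect". Keeping them per site also stops one site reading
    # another's session files.
    php_admin_value upload_tmp_dir    "/var/www/shop/tmp"
    php_admin_value session.save_path "/var/www/shop/tmp"
</VirtualHost>

<VirtualHost *:80>
    ServerName blog.example.com
    DocumentRoot /var/www/blog/public
    php_admin_value open_basedir      "/var/www/blog/"
    php_admin_value upload_tmp_dir    "/var/www/blog/tmp"
    php_admin_value session.save_path "/var/www/blog/tmp"
</VirtualHost>
```

Verify the result per site with a phpinfo() page or `php -i`, then remove the phpinfo() page; malware written into /var/www/shop/ can no longer read or write under /var/www/blog/.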