Updated June 7, 2024
WordPress security is as strong as you make it. The tools and strategies are readily available, and many are even automated. Yet hackers still succeed, mostly because so many site owners either aren’t aware of best practices or simply don’t follow them.
Basic WordPress Security is Simple.
The most important principle, emphasized by all internet security experts, is limiting access. The first step is to change the locks. If you still have the default “admin” user, change it now. All the bad guys already have this key: because the username is known, a simple automated program only has to guess the password, and eventually it will succeed.
Secondly, take advantage of simple upgrades. WordPress employs developers so you don’t have to, constantly reviewing its code and searching for vulnerabilities. This is why, in its suggested security “Hardening” strategy, the only sentence WordPress presents entirely in bold face is this one: “you should always keep up to date with the latest version of WordPress.”
WordPress makes it even easier with clear notifications. Look for the circling-arrows icon followed by a number. These appear on the navigation bar at the top of your dashboard screen. Click and you will be taken to a list of available updates. Your job is to integrate those updates.
Imagine incredulous faces gathered round the WordPress conference table – “We gave it away and they still didn’t take it…We told them they needed it.” Why do some still reject this advice?
Lastly, changing the admin login but leaving the default table prefix doesn’t make sense either. You want to change every lock; follow these six relatively simple steps to change your table prefix.
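As an added illustration of that prefix change (not the article’s own six steps, which are not reproduced here), the following Python script applies it to a constructed SQLite stand-in for the WordPress database; the new prefix `x7k2_`, the table subset and the rows are assumptions. The point it makes is that the `wp_user_roles` option and the `wp_capabilities` usermeta key carry the prefix as data, so renaming the tables alone leaves every user, including the administrator, without a role:

```python
import re
import sqlite3

# Constructed stand-in for a live WordPress MySQL database, so the example
# runs offline; the same statements apply to MySQL after a full backup.
OLD, NEW = "wp_", "x7k2_"
CORE_TABLES = ["options", "usermeta", "users"]  # demo subset of the core tables

def build_demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        INSERT INTO wp_options VALUES ('wp_user_roles', 'a:5:{...serialized roles...}');
        INSERT INTO wp_users VALUES (1, 'siteowner');
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 1, 'wp_user_level', '10');
        INSERT INTO wp_usermeta VALUES (3, 1, 'nickname', 'siteowner');
    """)
    return db

def change_prefix(db, old, new, tables):
    """Rename the tables AND rewrite the prefixed keys WordPress stores as data.
    Renaming alone strips every user of their role, including the admin."""
    # Table names cannot be bound as parameters, so whitelist the prefix first.
    if not re.fullmatch(r"[A-Za-z0-9_]+", new):
        raise ValueError("prefix may contain only letters, digits and underscore")
    cur = db.cursor()
    for t in tables:
        cur.execute(f"ALTER TABLE {old}{t} RENAME TO {new}{t}")
    # Role definitions live in {prefix}options under '{prefix}user_roles'.
    cur.execute(f"UPDATE {new}options SET option_name = ? WHERE option_name = ?",
                (f"{new}user_roles", f"{old}user_roles"))
    # Per-user keys such as {prefix}capabilities and {prefix}user_level. Filter
    # in Python: in SQL LIKE, '_' is a wildcard, so LIKE 'wp_%' over-matches.
    for umeta_id, key in cur.execute(f"SELECT umeta_id, meta_key FROM {new}usermeta").fetchall():
        if key.startswith(old):
            cur.execute(f"UPDATE {new}usermeta SET meta_key = ? WHERE umeta_id = ?",
                        (new + key[len(old):], umeta_id))
    db.commit()
    # Final step (outside the DB): set $table_prefix = 'x7k2_'; in wp-config.php.

def owner_keeps_role(db, prefix):
    """Post-change check: user 1 must still carry an administrator capability."""
    row = db.execute(f"SELECT meta_value FROM {prefix}usermeta WHERE user_id = 1 AND meta_key = ?",
                     (f"{prefix}capabilities",)).fetchone()
    return row is not None and "administrator" in row[0]
```

Run `owner_keeps_role` before trusting the change; if it returns False, the usermeta keys were not rewritten and you will be locked out of the dashboard.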
Fear of Unintended Consequences.
Aside from just not knowing how important updates are to security, another reason site owners may choose not to download them is fear of interference with customizations. When the core code has been altered to make a site look or function differently, these modifications will not be carried over to the updated code.
For this reason, we strongly recommend not touching the core code. Ever. There are alternatives. The simplest is to restrict your preferences to the options a theme or plugin already offers. Alternatively, use a child theme, or make a copy of a plugin before modifying it, so that updates to the original don’t overwrite your changes. But here’s where it gets more complicated.
As a technical aside, themes control how the site looks and a little of how it behaves; plugins control functionality. You don’t want to mess around with core code, because doing so keeps you from applying updates. Bottom line: if you don’t want to employ a website developer but you do want a secure site, choose themes and plugins that meet most of your needs. Let go of the rest. It cannot be worth compromising your WordPress security.
The Bad Guys are Real.
If you’re not convinced there are bad guys trying to get into your site, then let me provide a very real and recent example. We installed the Limit Login Attempts plugin on our site. Over the last several days it’s notified us of failed login attempts from Russia. This sneaky intruder is obviously using an automated program to break in. Once we blocked the IP properly the attempts stopped. In the context of the attacks from Russian hackers, a strong password stopped him in his tracks. So, the moral of the story… be sure to have security in place, including robust passwords, on your WordPress installation.