When it comes to WordPress security everyone has an opinion – either it’s great or it’s awful. I’ll be honest – I’m in the ‘it’s great’ camp. But that comes with some caveats! WordPress itself is not inherently insecure, but it is very popular, which opens up a few risks:
- desire for the notoriety of having hacked WordPress
- many ‘cooks’ in that ‘kitchen’
Plus there are security risks inherent in any software:
- poorly secured hosting account
- outdated versions create higher risk
- poor or shared passwords
- custom (but insecure) code
How to deal with WordPress Security Risks (inherent or otherwise)
- Use a reliable host.
- If on shared hosting, use a reputable host and use one website per account. Remove old or test installations and keep your account ‘clean’.
- Upgrade all software to its most recent version.
This includes WordPress, themes and plugins.
- Remove all unused themes and plugins.
- Remove duplicate or unnecessary plugins.
Never have more than 15(ish) plugins.
- Use a secure and random password for all administrators.
Remove unnecessary admins. Reduce permissions on everyone else to minimums.
- Use customized admin usernames.
If you follow these best practices you do not need a security plugin. I’ve never had a client hacked in over 10 years who has followed this advice.
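Several items in the checklist above can be checked mechanically. The following is an added example, not code from the original post: a Python audit over JSON in the shape WP-CLI prints for `wp plugin list`, `wp theme list` and `wp user list --role=administrator` with `--format=json`. The sample data is constructed, and the set of predictable usernames is an assumption.

```python
import json

# Constructed sample data in the shape WP-CLI prints with --format=json.
PLUGINS = json.loads('''[
  {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
  {"name": "hello", "status": "inactive", "update": "none", "version": "1.7"},
  {"name": "contact-form-7", "status": "active", "update": "available", "version": "5.8"}
]''')
THEMES = json.loads('''[
  {"name": "site-child", "status": "active", "update": "none", "version": "1.0"},
  {"name": "twentytwentyfour", "status": "parent", "update": "available", "version": "1.0"},
  {"name": "twentytwentyone", "status": "inactive", "update": "none", "version": "1.9"}
]''')
ADMINS = json.loads('''[
  {"ID": 1, "user_login": "admin", "roles": "administrator"},
  {"ID": 7, "user_login": "jo_k4r9", "roles": "administrator"}
]''')

MAX_PLUGINS = 15  # the post's "15(ish)" ceiling
PREDICTABLE_LOGINS = {"admin", "administrator", "root", "webmaster"}  # assumption

def audit(plugins, themes, admins):
    """Return a list of findings for the checklist items that can be automated."""
    findings = []
    for kind, items in (("plugin", plugins), ("theme", themes)):
        for item in items:
            if item["update"] == "available":
                findings.append(f"{kind} {item['name']}: update available")
            # Only "inactive" means unused: a "parent" theme backs the active
            # child theme, and must-use/drop-in plugins are always loaded.
            if item["status"] == "inactive":
                findings.append(f"{kind} {item['name']}: unused, remove it")
    if len(plugins) > MAX_PLUGINS:
        findings.append(f"{len(plugins)} plugins installed, over {MAX_PLUGINS}")
    for user in admins:
        if user["user_login"].lower() in PREDICTABLE_LOGINS:
            findings.append(f"admin {user['user_login']}: predictable username")
    if len(admins) > 1:
        findings.append(f"{len(admins)} administrators: confirm each is needed")
    return findings

if __name__ == "__main__":
    for line in audit(PLUGINS, THEMES, ADMINS):
        print(line)
```

To audit a real site, replace the three constants with the output of the WP-CLI commands named above; password strength and hosting hygiene still need a manual review.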