Let’s address the rumors about WordPress security. There are rumors that WordPress is insecure, and then there are guesses as to whose fault that is. There are proposed solutions that range anywhere from free to several hundred dollars a month. But I’m not sure where this is coming from!
The information I’m sharing today comes from my own 10 years’ experience, from Sucuri.net, ProBlogger.net and Copyblogger, and from numerous hosting companies (WPEngine, SiteGround, OrangeGeek, HostGator, GoDaddy and more).
WordPress Security Explained
(this video is several years old, but the explanation of what is happening with security is the same today)
Video Captions for “WordPress Security for Bloggers & How to Secure Your Site in 3 steps”
I get this question a lot: how on earth did I get hacked?
You can tell you’ve been hacked because there are links to other websites or spammy links, or a bunch of odd-looking code, or the whole site goes down and you can’t see anything, or you get redirected to a different page.
We just call it all malware, because “mal” means bad. And I have a few tips for your WordPress security.
Now, contrary to common belief, you do not need a plugin. So let me say that again: you do not need a plugin for WordPress security.
Now, people say WordPress is insecure. That’s not true. Let’s take a step back and look at it. Is WordPress secure? Well, there are people trying to hack it.
And they’re trying to hack it precisely because it’s WordPress, the most widely used software online. One exploitable bug in a popular plugin, or one weak password pattern, can be tried automatically against millions of sites, so the payoff for attacking WordPress is bigger than for anything else. Those are the people doing the hacking.
But the other side of that same coin is that there are thousands of developers that are always fixing problems and making WordPress better.
So because it’s so popular, there are people trying to hack it. That’s true. But because it’s so popular, there are more developers as well: more developers than for any other software out there, and it’s open source, so thousands more are added all the time.
Open source means that we can see the code. I can look in WordPress, see how it’s written, and change it if I want to. With a proprietary piece of software, like Microsoft programs or a lot of programs online, I can’t see it, and I’ll never be a developer for it unless I’m an employee of the company that made it. Make sense?
The best explanation for most of us is just that people are trying to hack it, but there are more people trying to make it better, safer, and more secure.
So, if you follow the best practices we’re going to talk about today, you will have closed off the ways almost every WordPress site actually gets hacked. I have not had anybody in six years who has been on my VIP service get hacked if they followed these rules.
If they’re adding plugins and doing all kinds of things that I have no control over, well, of course that’s a completely different story. But for most of the clients on the retainer service, I do the plugin uploads for them and I do all of their backups, and so they’re secure.
So let’s go through the three best practices that are super important.
And if you do these, you do not need a security plugin. Okay?
Number one: you have to update all of your software.
By update, I mean the WordPress core that’s on your site, all the plugins you’ve added, and your theme.
Then there are all the plugins on your site that you’re not using anymore, the themes you’re not using anymore, and maybe even code in a widget you’re not using anymore. We create a widget, we put in some ad code, we’re done with that ad, and so we move that widget to the inactive widget area. The code is still there: it’s not used, you might have forgotten about it, and it’s not up to date.
So it’s really important that you remove all the plugins you’re not using, remove all the themes you’re not using, and remove all the widgets you’re not using. Make sure every single piece of code that goes into the fabric of your website is sealed tight, with no room for malware to get in. Deactivating is not enough: an inactive plugin or theme still sits on disk, and its PHP files can still be requested directly even though WordPress never loads them, so delete what you don’t use.
The only way to keep the rest sealed is to keep it up to date, because we find out about security issues all the time, or the code gets tightened up: we figure out we could make that bit of code even better and safer than it already is, and so a new version is put out. You get a little red circle on the Plugins tab or the Themes tab letting you know there’s something to update.
So update it: very important.
Now, of course there’s update procedures. You can find those on my blog.
Number two, don’t use plugins that are insecure.
That sounds obvious, but any plugin by its very nature adds a little insecurity. You have this fabric of your website, and every time you add a plugin it’s like adding a patch: you’ve cut a little hole and glued something in. Now that fabric isn’t quite as strong as it was before, and the more you add, the weaker it becomes. Does that make sense?
It’s really important that you use as few plugins as possible. Make sure they are from reputable sources and well maintained: downloaded at least a thousand times, and updated a couple of times a year at least. And make sure you know the plugin author and trust that their coding is up to par.
So update is number one, use good plugins is number two. Oh, and we recommend no more than 14 plugins.
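Here is an added example (not from the video or the blog, written for this page) that turns steps one and two into a check you can run against a copy of a site’s wp-content/plugins directory: it reads each plugin’s header, reports plugins that are installed but not in the active list (delete them), active plugins behind a known newest version (update them), and whether the active count is over the 14-plugin ceiling. The sample directory, the active list and the “newest version” table are all constructed for the example; on a real site you would take the active list from the active_plugins option and the newest versions from the plugin directory.

```python
"""Added example: audit a WordPress plugin directory against the checklist above.

Reports installed-but-inactive plugins (delete), active plugins behind a known
newest version (update), and whether the active count exceeds the ceiling.
Runs on a constructed sample directory, not on a live site.
"""
import os
import re
import tempfile

PLUGIN_CEILING = 14  # the ceiling recommended in the text

# A WordPress plugin header is a comment block at the top of the plugin's main PHP file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_plugin_header(path):
    """Return {'name', 'version'} from a plugin's header comment, or None if the file has none."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)  # WordPress itself only reads the first 8 KiB of the file
    fields = dict(HEADER_RE.findall(head))
    if "Plugin Name" not in fields:
        return None
    return {"name": fields["Plugin Name"], "version": fields.get("Version", "0")}


def version_tuple(version):
    """'5.3.1' -> (5, 3, 1); non-numeric parts compare as 0 (assumption: plain dotted versions)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def find_plugins(plugins_dir):
    """Map each plugin slug, in the 'dir/file.php' form WordPress keeps in active_plugins, to its header."""
    found = {}
    for entry in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, entry)
        if os.path.isdir(full):
            candidates = [os.path.join(full, f) for f in sorted(os.listdir(full)) if f.endswith(".php")]
        elif entry.endswith(".php"):
            candidates = [full]  # single-file plugin such as hello.php
        else:
            continue
        for php in candidates:
            info = parse_plugin_header(php)
            if info:
                found[os.path.relpath(php, plugins_dir)] = info
                break
    return found


def audit(plugins_dir, active_plugins, latest_versions):
    """active_plugins: the array stored in the active_plugins option.
    latest_versions: plugin name -> newest published version (constructed here)."""
    report = {"delete": [], "update": [], "unknown": [],
              "too_many": len(active_plugins) > PLUGIN_CEILING}
    for slug, info in find_plugins(plugins_dir).items():
        if slug not in active_plugins:
            report["delete"].append(slug)  # inactive code is still on disk and still reachable
            continue
        latest = latest_versions.get(info["name"])
        if latest is None:
            report["unknown"].append(slug)  # no version data: check it by hand
        elif version_tuple(info["version"]) < version_tuple(latest):
            report["update"].append((slug, info["version"], latest))
    return report


def build_sample_site():
    """Constructed wp-content/plugins directory with three plugin headers (sample data, not a real install)."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "akismet/akismet.php": ("Akismet Anti-Spam", "5.0"),
        "old-slider/old-slider.php": ("Old Slider", "1.2.3"),
        "hello.php": ("Hello Dolly", "1.7.2"),
    }
    for rel, (name, version) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: {version}\n*/\n")
    return root


# Sample active list and newest-version table, both constructed for this example.
SAMPLE_ACTIVE = ["akismet/akismet.php", "old-slider/old-slider.php"]
SAMPLE_LATEST = {"Akismet Anti-Spam": "5.3.1", "Old Slider": "1.2.3"}

if __name__ == "__main__":
    result = audit(build_sample_site(), SAMPLE_ACTIVE, SAMPLE_LATEST)
    for slug in result["delete"]:
        print(f"DELETE  {slug} (installed but inactive)")
    for slug, have, want in result["update"]:
        print(f"UPDATE  {slug} {have} -> {want}")
    for slug in result["unknown"]:
        print(f"CHECK   {slug} (no version data)")
    print("over the plugin ceiling" if result["too_many"] else "plugin count within the ceiling")
```

On a server where WP-CLI is installed, the same two actions are `wp plugin list --status=inactive --field=name` followed by `wp plugin delete <name>` for each result, and `wp plugin update --all` (with `wp theme update --all` and `wp core update` for the rest of step one); the script above is for the case where you only have a copy of the files and the option value.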
And number three: use tough passwords.
So here’s the thing. People think it’s more sophisticated than this, but it isn’t. A lot of malware gets into your site simply by guessing your password, and they don’t do it by going through your wallet looking for your kids’ names.
They have a dictionary: a list of thousands, often millions, of common and previously leaked passwords. All they have to do is use a robot, a little program that goes around to all the different WordPress websites, hits the login page (wp-login.php), and tries them all. That’s it. They just try one combination of letters after another.
That’s why you need a long password made of letters, numbers, and a special character, and not something built on a word. Length and randomness are what actually defeat a guessing program; a dictionary word with a digit and an exclamation mark on the end is in the dictionary too.
So it’s very important that you use a strong password. Do not use a word from the dictionary, a name, or a date; use a random one if at all possible, and use a password keeper like LastPass to generate and store it.
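The guessing traffic described above is easy to spot in a web server’s access log, and the password rule is easy to check. The following is an added example written for this page (not code from the video or the blog): find_password_guessing() is detection logic run over log lines in the Apache/nginx combined format, and password_is_strong() applies the rule from the text plus a minimum length. The log lines are constructed, the 20-in-60-seconds threshold and the 16-character minimum are assumptions, and the wordlist is a stand-in for the millions of entries a real one holds.

```python
"""Added example: detect password guessing in access logs and check a password
against the text's rule. Log lines and thresholds are constructed/assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Where WordPress accepts credentials: the login form and the XML-RPC endpoint.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Pull ip, timestamp, method, path (query string dropped) and status out of one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_password_guessing(lines, threshold=20, window_seconds=60):
    """Return {ip: total login POSTs} for each IP that sent more than `threshold` POSTs
    to a login endpoint inside any `window_seconds` window (both values are assumptions)."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged


# Stand-in for the attacker's wordlist (constructed; real lists hold millions of entries).
COMMON_WORDS = {"password", "letmein", "welcome", "admin", "wordpress", "qwerty", "123456", "monkey"}


def password_is_strong(pw, min_length=16, wordlist=COMMON_WORDS):
    """The text's rule (letters, numbers and a special character, not a dictionary word)
    plus a minimum length (16 is an assumption). 'Password123!' still counts as 'password'."""
    if len(pw) < min_length:
        return False
    core = re.sub(r"[\d\W_]+$", "", pw).lower()  # strip trailing digits/symbols before the lookup
    if pw.lower() in wordlist or core in wordlist:
        return False
    return all(re.search(p, pw) for p in (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]"))


def sample_log():
    """Constructed log: one host guessing fast, one guessing slowly, one real user."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 4123 "-" "Mozilla/5.0"'

    lines = [line("203.0.113.7", 0, "GET", "/wp-login.php", 200)]
    # 25 guesses in under 30 s; WordPress answers a failed login with 200 (the form again)
    lines += [line("203.0.113.7", i * 1.2, "POST", "/wp-login.php", 200) for i in range(25)]
    # a slow guesser on xmlrpc.php: 12 tries, 10 s apart, never 20 inside one minute
    lines += [line("198.51.100.9", i * 10, "POST", "/xmlrpc.php", 200) for i in range(12)]
    # a real user: one failed try, then a successful login (302 to wp-admin)
    lines.append(line("192.0.2.44", 5, "POST", "/wp-login.php", 200))
    lines.append(line("192.0.2.44", 20, "POST", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 302))
    return lines


if __name__ == "__main__":
    for ip, count in find_password_guessing(sample_log()).items():
        print(f"password guessing from {ip}: {count} login attempts")
    for pw in ("Password123!", "Wordpress2024!!!", "gX7#pT2vLq9mRw4Z"):
        print(f"{pw!r}: {'ok' if password_is_strong(pw) else 'weak'}")
```

The slow guesser in the sample never trips the default window, which is the caveat with any per-window threshold: lower the threshold, lengthen the window, or count only failed attempts (status 200 on the login POST) per IP per day as well.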
So best practices for securing your WordPress site:
- update your site.
- Be careful with your plugins and
- use a strong password.
If you do those three things, you will not need a plugin.
Now there’s one thing I didn’t mention at the very beginning. All of this, all of it, depends on your host. So you need to be on a reputable, strong web host. Your host puts a whole bunch of different website accounts (your account, somebody else’s account, another somebody else’s account) onto one server and separates those accounts. But if they’re a reseller, sometimes those separations aren’t strong enough.
So if someone else in that reseller group gets hacked, you are very likely to get hacked. If you’re a small site, it’s really important to be on a strong, reputable host.
If you are a big site, you probably don’t have to worry about this, because you’re likely on your own server or VPS.
That is how to keep your site secure and you shouldn’t have any problems. You really shouldn’t.
Malware shows up as:
- odd code/characters all over your site, especially in the footer or header
- links that you didn’t put in the text
- links to spammy places
- redirections to other pages
- automatic downloads to your computer
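Most of the symptoms in that list come from code injected into theme or plugin files, and a first pass for them can be automated. The scanner below is an added example written for this page (not code from the video or the blog): it walks a wp-content tree and flags obfuscated eval() calls, hidden or spam-text links, zero-size iframes, and hard-coded redirects to other sites. The indicator list and the sample theme files are constructed for the example; a hit is something to inspect, not a verdict, and a clean result from a short pattern list does not prove the site is clean.

```python
"""Added example: first-pass scan of theme/plugin files for the malware symptoms listed above.
Indicator patterns and the scanned files are constructed for this example."""
import os
import re
import tempfile

# Indicator patterns (constructed for this example; a real scanner carries far more).
INDICATORS = [
    ("obfuscated eval",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
    ("hidden link",
     re.compile(r"<(?:div|span|a)\b[^>]*style\s*=\s*[\"'][^\"']*"
                r"(?:display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px)", re.I)),
    ("spam anchor text", re.compile(r"<a\b[^>]*>[^<]*(?:casino|viagra|cialis|payday loan)", re.I)),
    ("zero-size iframe", re.compile(r"<iframe\b[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I)),
    ("redirect to another site",
     re.compile(r"(?:header\s*\(\s*[\"']Location:\s*|window\.location(?:\.href)?\s*=\s*[\"'])https?://", re.I)),
]
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")


def scan_file(path):
    """Return [(indicator, line_number, snippet)] for every indicator that fires in the file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, text in enumerate(fh, start=1):
            for name, pattern in INDICATORS:
                if pattern.search(text):
                    hits.append((name, lineno, text.strip()[:80]))
    return hits


def scan_tree(root):
    """Walk a wp-content tree and map each file with hits to its hit list (paths relative to root)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if not fname.endswith(SCAN_EXTENSIONS):
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def build_sample_theme():
    """Constructed theme directory: one clean file and two carrying typical injections."""
    root = tempfile.mkdtemp(prefix="wp-theme-")
    files = {
        "header.php": "<?php wp_head(); ?>\n<title>My blog</title>\n",
        "footer.php": (
            "<?php wp_footer(); ?>\n"
            '<div style="position:absolute;left:-9999px"><a href="http://example.com/x">online casino</a></div>\n'
            "</body></html>\n"
        ),
        "functions.php": (
            "<?php\n"
            "/* theme functions */\n"
            "eval(base64_decode('aGVsbG8='));\n"  # decodes to 'hello'; a real payload is far longer
        ),
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, hits in scan_tree(build_sample_theme()).items():
        for name, lineno, snippet in hits:
            print(f"{path}:{lineno}: {name}: {snippet}")
```

When this turns something up, compare the flagged file against a fresh copy of the same plugin or theme version rather than editing it in place; injected code is usually appended or prepended to an otherwise unchanged file, and the pristine copy shows exactly what was added.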