How to Maintain a Secure WordPress Website for Your Clients
Web design and development is served by many platforms, but the most popular is WordPress. If you are here, you presumably know this already because you use WordPress for your clients. You are also presumably aware that the popularity of WordPress comes with a reputation for attracting hackers looking to exploit its vulnerabilities. Their goals are to steal valuable information from websites or to shut them down entirely. How can you prepare your WordPress website to be as protected as possible from these threats? Here are some easy steps you can take to keep a secure WordPress website.
Research Themes and Plugins Before Installing
WordPress enjoys the flexibility of having many themes and plugins. Unfortunately, those themes and plugins can also have vulnerabilities that can be exploited by hackers. This is why it is important to review your theme and plugins in advance. Check for any potential threats associated with them. A simple search for any theme or plugin name should reveal past or ongoing issues to be aware of.
It is also essential for plugins to have a reliable support team for help if there are problems. Try to avoid using a plugin that is either old or not compatible with recent WordPress versions. It may not have an active support system. When something goes wrong and you can’t fix it yourself you might be in trouble. Being unable to reach out to the theme or plugin developer for assistance could leave you scrambling to find alternate solutions.
Handle Regular WordPress Updates
WordPress is open-source software that is always changing and evolving. You can just install WordPress, add a few plugins, and send your clients on their way, but that is a recipe for disaster. It is important not to neglect updates to WordPress core and third-party plugins. Plugins, in particular, are a very common vector for attacks on a site. Keeping plugins updated is an easy way to make sure your client’s website stays safe. Updates also frequently introduce general bug fixes and new features that can improve the website and the user experience.
WordPress has a feature that lets you turn on automatic plugin updates. You can do this on a case-by-case basis if you don’t want to be constantly checking your clients’ sites for changes. We recommend you use this feature sparingly though. Plugin updates should be reviewed and not just done blindly most of the time. Unless you really trust the plugin developer, we suggest treading carefully with automatic plugin updates. WordPress core can be automatically updated by most hosting providers. This is common for important security fixes and, in general, can be trusted to go forward without your intervention. Either way, keeping things updated is by far the easiest way to maintain a secure WordPress site.
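The case-by-case approach described above can be enforced in code rather than relied on as a per-plugin toggle in wp-admin. The following must-use plugin is an added example, not code from the original article or from the White Label project: it turns automatic updates on only for an explicit allowlist of plugin slugs, keeps WordPress core’s minor (security and maintenance) auto-updates on, and leaves major core releases and themes for a reviewed, manual update. The allowlist slug is a placeholder; the filter names are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Selective Auto-Updates (added example)
 * Description: Enables automatic updates only for an explicit allowlist of plugins.
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 */

// Hypothetical allowlist of plugin directory slugs you have decided to trust.
// 'example-trusted-plugin' is a placeholder, not a recommendation.
const SAU_TRUSTED_PLUGINS = [
    'example-trusted-plugin',
];

// WordPress asks this filter for every plugin before auto-updating it.
// Returning a boolean here overrides the per-plugin toggle in wp-admin.
add_filter('auto_update_plugin', function ($update, $item) {
    if (!isset($item->slug)) {
        // No slug means we cannot identify the package; never update it blindly.
        return false;
    }
    return in_array($item->slug, SAU_TRUSTED_PLUGINS, true);
}, 10, 2);

// Core: allow minor releases (security/maintenance fixes) automatically,
// but hold major releases for a reviewed update on a staging copy first.
add_filter('allow_minor_auto_core_updates', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_false');

// Themes are reviewed the same way as plugins, so never auto-update them here.
add_filter('auto_update_theme', '__return_false');
```

Because the file lives in mu-plugins it cannot be deactivated from the dashboard, which keeps a client with administrator access from quietly switching every plugin to automatic updates. Anything not on the allowlist still shows up in the Updates screen for you to review.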
Create Durable and Secure WordPress Passwords
A common way hackers try to break into WordPress sites is by figuring out the password to an admin account. Traditionally, hackers try to access WordPress sites via brute-force attacks. In these situations, an individual repeatedly tries different username and password combinations until they hit on one that works. These combinations are usually pulled from large databases of known accounts that have been compromised around the web.
What many people don’t realize is that there is more than one way for hackers to try to access WordPress via logins. Non-technical folks assume a person is manually entering usernames and passwords. Unfortunately, hackers and exploiters are too smart for that. Oftentimes they will use bots to do the login attempts for them. To make things worse, they don’t even need to use the actual WordPress admin login form. With scripting, login attempts can be made against a WordPress site repeatedly without ever loading the login page at all.
Remember, a weak password has a higher chance of being compromised. It is important to use random characters when creating a WordPress password. WordPress’ user creation tool has a password suggestion feature we recommend using. These auto-generated passwords are more secure than what most people come up with off the top of their heads. Creating obscure passwords is a very simple step to maintaining a secure WordPress installation.
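Strong passwords raise the cost of guessing; slowing the guesser down raises it further. The must-use plugin below is an added example, not code from the article or from any plugin it mentions. It counts failed logins per username and client IP in a transient and refuses further attempts for that pair once a threshold is reached. It hooks WordPress’s own authenticate filter, which runs for any entry point that calls wp_authenticate(), not only the wp-login.php form, so the scripted attempts described above are covered too. The thresholds are assumptions to tune per site.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Description: Locks out a username/IP pair after repeated failed logins.
 */

define('LAL_MAX_ATTEMPTS', 5);      // assumed threshold
define('LAL_LOCKOUT_SECONDS', 900); // assumed lockout window: 15 minutes

function lal_client_ip(): string {
    // REMOTE_ADDR is the only address the web server vouches for; do not
    // trust X-Forwarded-For unless a proxy you control sets it.
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lal_transient_key(string $username): string {
    return 'lal_' . md5(strtolower($username) . '|' . lal_client_ip());
}

// Priority 30 runs after the built-in password checks (priority 20), so a
// locked-out pair is refused even if the guess happened to be correct.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '' || $username === null) {
        return $user;
    }
    $attempts = (int) get_transient(lal_transient_key($username));
    if ($attempts >= LAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// Every failure bumps the counter; the transient expires after the window.
// Attempts made during a lockout also fail, which extends the lockout.
add_action('wp_login_failed', function ($username) {
    $key      = lal_transient_key($username);
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, LAL_LOCKOUT_SECONDS);
    error_log(sprintf('[login-limiter] failed login for "%s" from %s (attempt %d)',
        $username, lal_client_ip(), $attempts));
});

// A successful login clears the counter for that user/IP pair.
add_action('wp_login', function ($user_login) {
    delete_transient(lal_transient_key($user_login));
}, 10, 1);
```

The error_log line gives you something to grep for in the PHP error log when you suspect an account is being targeted. Keying on username plus IP means a distributed guessing run against one account is still only slowed, not stopped; blocking the source traffic, as the next section discusses, is the complementary control.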
Eliminate Automated Bot Traffic
One of the main weapons hackers use is bots. When you see bot traffic in your analytics it can be a bad omen. It is important to track the original source of this traffic and block it from reaching your site. This can include the IP address of the traffic as well as the region it is coming from. Your malware detection software can be used to identify the sources of bot traffic and to manage it, including blocking requests from certain IP addresses and regions. We recommend a plugin like Wordfence to handle this effectively.
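Once you have identified the source ranges, a small must-use plugin can refuse them before WordPress renders anything. The code below is an added example, not code from the article or from Wordfence: it matches the client address against a list of IPv4 CIDR ranges and returns a 403. The ranges are constructed sample values from the RFC 5737 documentation blocks, not real attacker addresses, and the helper names are this example’s own.

```php
<?php
/**
 * Plugin Name: IP Denylist (added example)
 * Description: Returns 403 for requests from denylisted IPv4 ranges.
 */

// Constructed sample ranges (RFC 5737 documentation addresses). Replace with
// ranges you identified from your own logs or security plugin.
const IPD_BLOCKED_CIDRS = [
    '192.0.2.0/24',
    '198.51.100.42/32',
];

// True when the dotted-quad $ip falls inside $cidr (IPv4 only).
function ipd_ip_in_cidr(string $ip, string $cidr): bool {
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    $bits       = (int) $bits;
    if ($ipLong === false || $subnetLong === false || $bits < 0 || $bits > 32) {
        return false; // malformed input is never a match
    }
    // Build a 32-bit mask with $bits leading ones; -1 << n is sign-extended,
    // so mask it back down to 32 bits.
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function ipd_is_blocked(string $ip): bool {
    foreach (IPD_BLOCKED_CIDRS as $cidr) {
        if (ipd_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Run as early as possible on every request; priority 0 on init keeps it
// ahead of ordinary plugins and themes.
add_action('init', function () {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '';
    if ($ip !== '' && ipd_is_blocked($ip)) {
        error_log('[ip-denylist] blocked request from ' . $ip);
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
}, 0);
```

Blocking inside PHP still costs a PHP process per request, so for sustained bot traffic the same ranges are better blocked at the web server or in a WAF such as the ModSecurity setup covered later in this article. Region blocking needs a GeoIP lookup, which this example does not include.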
Monitor Additional Users and their Access Roles
It is very common for a WordPress website to be run and managed by multiple people. This is why many clients want user accounts across multiple access levels within their business. This is simple enough to do in WordPress but you must be careful which role each user is assigned. Not everyone should be an administrator, for example. Giving the wrong person admin-level control of a WordPress site can lead to many issues. If they are non-technical, they might accidentally delete or install something they shouldn’t. If they are malicious, they can create all sorts of havoc with administrator privileges.
Review user access levels regularly, as not every team member may have reliable security software set up on their systems. If a team member’s computer is compromised by a virus, disable or limit their user role within the website until their device is cleaned. In addition, if an employee is leaving the company, remove their user account from the system as well.
Finally, try using a plugin like White Label to limit what admins can and can’t do to a WordPress site. The plugin, which we develop and update regularly, lets you modify menus, dashboards, and more to fit your client’s needs.
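Reviewing roles by hand catches drift only when you happen to look. The must-use plugin below is an added example, not code from the article or from the White Label plugin: it hooks the set_user_role action that WordPress fires whenever a user’s role is set and, when the change grants or removes the administrator role, writes a log line and emails the site’s admin address with who made the change and from where.

```php
<?php
/**
 * Plugin Name: Administrator Role Change Alert (added example)
 * Description: Logs and emails when a user is promoted to or removed from the administrator role.
 */

// Returns a human-readable description of the change, or null when the
// administrator role was not involved.
function rca_describe_change(int $user_id, string $new_role, array $old_roles): ?string {
    $was_admin = in_array('administrator', $old_roles, true);
    $is_admin  = ($new_role === 'administrator');
    if ($was_admin === $is_admin) {
        return null;
    }
    $user  = get_userdata($user_id);
    $login = $user ? $user->user_login : "user #{$user_id}";

    // The acting user is whoever is logged in; WP-CLI or cron has no user.
    $actor       = wp_get_current_user();
    $actor_login = ($actor && $actor->ID) ? $actor->user_login : 'system/CLI';
    $source_ip   = isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : 'n/a';

    return sprintf(
        '%s %s administrator by %s (from %s)',
        $login,
        $is_admin ? 'was made' : 'is no longer',
        $actor_login,
        $source_ip
    );
}

// Fires from WP_User::set_role() with the new role and the previous roles.
add_action('set_user_role', function ($user_id, $role, $old_roles) {
    $message = rca_describe_change((int) $user_id, (string) $role, (array) $old_roles);
    if ($message === null) {
        return;
    }
    error_log('[role-change] ' . $message);
    wp_mail(
        get_option('admin_email'),
        '[' . get_bloginfo('name') . '] Administrator role change',
        $message
    );
}, 10, 3);
```

set_user_role covers the role dropdown on the user edit screen and wp_update_user(); a role added alongside existing ones through WP_User::add_role() fires the separate add_user_role action instead, so hook that too if your client’s site uses multi-role plugins. Sending the alert to admin_email means a compromised administrator account cannot silently promote a second account without the site owner being told.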
Use Security Scanners and ModSecurity WordPress Settings
The most popular WordPress security scanner is WPScan. You can find details about the inner workings of WPScan on its official website. In short, it is a command-line tool that checks a site against a large database of known WordPress vulnerabilities. After WPScan runs, it shows you its findings in a simple report. WPScan identifies the current versions of WordPress, your theme, and any installed plugins, then looks up problems recorded for those versions in its database. In addition, WPScan can find and alert you to other problems: weak user passwords, publicly accessible database dumps, exposed error logs, vulnerable files, and a lot more. It is an incredibly useful, though fairly technical, tool for keeping a secure WordPress installation.
ModSecurity is an open-source web application firewall, most commonly referred to as a WAF. It can run on all of the popular web servers, such as Apache and Nginx. Installing and configuring ModSecurity is beyond the scope of this article, but tutorials are available online. Once you have ModSecurity running, you can make it work with WordPress by installing a rule set. Luckily, a WordPress ModSecurity rule set is provided free of charge by a member of the WordPress community.
Want to Learn More About Handling Your Clients’ WordPress Sites?
The key to having a secure WordPress site is a consistent system of security practices. Being proactive in your management of WordPress can go a long way. Adding the strategies above to your security plan can protect against malicious threats.
We appreciate you taking the time to read this article on keeping a secure WordPress site. Check out our blog for more tutorials and articles about using WordPress in your business. We often write posts on how to get the best out of WordPress for your clients. We also have a very popular plugin called White Label that lets you change the WordPress admin experience to better suit your clients.