How to Improve WordPress Security

Attacks on websites are a daily occurrence. Small businesses are especially vulnerable to cyberattacks because they typically lack dedicated staff to maintain their website -- let alone to harden it through security measures or penetration tests.

Since WordPress sites hold a large market share, automated attacks against them are particularly lucrative. Recently, an automated attack on over 900,000 WordPress sites was partially successful, installing backdoors for further illegal activity.

Fortunately, there are a few straightforward steps you can take to significantly improve your website's security -- even without in-depth knowledge of penetration testing or IT security in general.

The Fundamentals of WordPress Security

Before we dive into specific security tips for your WordPress site, it is worth briefly reviewing some general security best practices. These apply to WordPress as well as other content management systems, even though the terminology may differ.

• Keep your software up to date. The WordPress community keeps a close eye on security threats and generally responds quickly to new vulnerabilities. However, this is of little use if you do not install the updates. Since version 3.7, WordPress performs automatic security updates. If you are still running an older version, you should update as soon as possible. Always create a backup beforehand.
• Disable unused plugins. Plugins can always introduce potential vulnerabilities. This should not deter you from using them -- but if you are not actively using a particular plugin, you should deactivate or remove it entirely.
• Create regular backups. If your website has been compromised and cannot be reliably cleaned, restoring from a backup may be your only option. BackWPup and BackupBuddy are two proven backup solutions for WordPress.

Built-In WordPress Security Tools

If your website has been online for an extended period, it has most likely already been indexed and potentially attacked by automated bots.

Often, the best defense against these automated attacks is to leverage automation yourself. Plugins such as iThemes Security and Wordfence obscure details of your WordPress installation, making attacks more difficult, while also providing tools to detect and respond to potential threats.

By configuring plugin options -- such as limiting login attempts, enforcing strong passwords, or encrypting the admin area -- you create additional barriers that may cause attackers to move on to easier targets.

None of these recommendations require significant effort, yet together they can substantially reduce the risk of a successful attack on your WordPress site. Protecting your website against the most common web attacks works much like the bear principle: your site does not need to be 100% secure -- it just needs to be more secure than the rest. Don't be the low hanging fruit!

Achieve Stronger Security Through a WordPress Pentest

It is therefore no surprise that experienced attackers and script kiddies alike prefer to target WordPress sites. Whether you are a webmaster or a security professional, if you are tasked with assessing the security posture of a WordPress site, you should be aware of the typical security pitfalls lurking in the vast array of available plugins. Most plugins are never subjected to a thorough penetration test -- neither by the WordPress community nor by their developers.