Web security has grown into one of the most important issues we face – right up there with design and development. And those of us who use an open source content management system such as WordPress are under even more pressure to tighten up security. The unfortunate fact is that, as time goes on, the task is only going to become more difficult.
WordPress itself is the target of an array of automated attacks. Bots are attempting brute-force logins, script and database injections, along with a multitude of other malicious activities. But, while preventing bot attacks is vital, they’re far from the only threat that needs dealt with.
Indeed, there are other bases we need to cover. Beyond automated threats, changing human behavior may be an even more important step in securing a WordPress site. With that in mind, here are 5 things we can do right now to improve security.
1. Train Users in Best Practices
Part of a designer’s job description often includes training clients. But while we tend to focus on the basics of managing content, this is also a prime opportunity to talk about security. I know, it sounds like a potentially complicated discussion – but it doesn’t have to be.
What users really need to know are the basics of being secure online. This means:
- Using complex passwords that are hard to crack.
- Provide back-end access to only those who need it.
- Keep core software, plugins and themes up-to-date (if it’s their responsibility to do so).
- Don’t install plugins without weighing need against risk.
- Better yet, leave plugin decisions to the professionals.
These items apply to WordPress, but they can also apply more broadly as well. The idea is to make users think about what they’re doing in order to prevent any unnecessary risks.
2. Choose Plugins Carefully and Stay Vigilant
If you spend enough time building WordPress sites, you’ll find that not all plugins are created equally. Because anyone can (conceivably, at least) write a plugin, quality can vary greatly. So it’s important to do a bit of studying before you install a plugin. Take a look at how often it’s updated, look at support forums and, if available, usage numbers. This will give you at least some idea of how well it all works.
But once you’ve decided to use a plugin, that doesn’t guarantee smooth sailing from here on out. Rather, think of each plugin you install as its own ongoing maintenance issue. Plugins can become outdated or abandoned as authors no longer have the time or interest in maintaining them. We’ve also seen where plugins have been unwittingly sold to those with malicious intent.
To help combat these possibilities, it’s worthwhile to stay on top of things. That means knowing which plugins you’re using, staying informed on new versions and generally paying attention to WordPress-related news.
Finally, take some time to routinely audit the sites you maintain. One easy way to reduce risk is to simply delete any plugins that aren’t active or no longer needed. This in itself will help cut down on potential problems.
3. Utilize SSL
It used to be that SSL was only for ecommerce sites or those that handled sensitive information. These days, it’s become the standard. Recently, both browsers and search engines have thought it’s important enough to warn users about sites that still run over http.
The issue we run into as designers is that, while it’s easy enough to add SSL to a WordPress site, we aren’t always the decision-makers when it comes to acquiring a certificate. In those cases, we have to advocate for SSL and educate clients as to why it should no longer be considered optional.
If we’re lucky, our web host provides access to free certificates through a service like Let’s Encrypt. If not, then it’s up to us to campaign for, at the very least, a low-cost alternative.
4. Employ a Helping Hand
We humans can’t monitor our sites every minute of every day. But there are tools available that will keep a watchful eye, 24/7. Security plugins such as Wordfence or iThemes Security are great options, as they look for suspicious code and behavior.
For example, these types of plugins can limit failed login attempts, prevent malicious code from being executed and alert you when you have outdated software. Premium versions add goodies like country-blocking and two-factor authentication.
The value of these plugins is that they handle common threats by both bots and humans. They won’t make your site 100% bulletproof, but they offer an extra layer of protection. More important is that they can provide you with actionable information that can lead to a safer site.
5. Turn Off Unneeded Functionality
A fresh install of WordPress comes with a lot of built-in functionality. But there’s a good chance that you won’t be utilizing every single feature. Therefore, it makes no sense to leave them turned on.
Comments would have to be the biggest culprit here. Not all sites need to have them enabled and those that do should be using some heavy spam protection. If the site you’re building doesn’t need this feature, use the Discussion settings within WordPress to disable it.
A Threat to Our Own Security
Perhaps the biggest threat to a WordPress site’s security is not any particular automated assault, but our own behavior. So by changing our actions, we can make our sites that much more difficult to compromise.
The steps above all seem to have one common thread – being proactive. By sharing knowledge, researching the background of the software we use and implementing secure practices before a problem arises, we are employing a security-first mindset. While that won’t enable us to stop every conceivable threat, it puts us in the best possible position for the fight.