Almost one in every three websites you visit is powered by WordPress. WordPress is generally a secure platform, but if anyone is able to exploit its weaknesses, a third of the internet might be in trouble. Not to mention those websites' users.
As the founder of a web design agency, I've built and managed many websites—including six of my own—using WordPress. And as a consumer, I understand the value of security when I provide personal information online.
In order to keep your WordPress site secure, you'll want to go the extra mile: Keep your site updated, use plugins to prevent attacks, and back up your site consistently. There are services that will do all this for you, but there are also ways to keep your site secure without spending a dime.
For more tips on building and maintaining a WordPress website, see our article "40+ Essential Tips, Tools and Resources to Start a WordPress Blog." There, we include some suggestions for premium options to have someone take care of the security for you.
Keep Your Site Updated
WordPress itself consistently releases new versions, as do most WordPress plugins and themes. While some updates are released to fix a bug or add a new feature, others address potential security risks. If your site isn't updated, it becomes more vulnerable to an attack.
WordPress releases updates sporadically—there were 22 total updates in 2017—and the frequency of plugin and theme updates will vary based on the developer. Regardless, it's best practice to check for updates regularly.
How to update your site, themes, and plugins
WordPress will automatically update your site for minor security releases, but unless you use a plugin, there's some code involved in making sure your whole site—themes and plugins included—is always up to date.
Easy Updates Manager is the top-rated automatic update plugin, and over 100,000 websites are actively using it as a set-it-and-forget-it way of ensuring that their site is updated. Here's how it works:
Once Easy Updates Manager is installed, click Update Options in the WordPress left-hand navigation menu.
There, you can enable updates on your website.
If you'd rather have control over which updates you receive, you can also do the process manually.
Log in to your site and click Updates in the left-hand navigation menu.
On the Updates page, select which themes and plugins to update. You can also update WordPress itself if there's an update available.
Note: If there's a bug in the latest release of one of your plugins, an update might cause something to break on your website. After each update, click through your site to be sure everything is in working order.
How to check the changelogs for your site, themes, and plugins
You'll also want to check the changelogs for each release to get information on what was included in the update—specifically, whether the update was released to address a security issue. Details on the latest WordPress releases can be found on the WordPress news site, but finding the changelogs for your plugins and themes is more difficult. Sometimes it's not available at all: It will depend on the specific plugins and themes your site uses and if the developers have decided to publish this information.
Here's how to check for details on your plugins' updates:
Go to the Plugins page and click View details next to the plugin you want to check.
From there, an information box will pop up with details about that plugin. Often, developers will include a Changelog tab that you can click to view details on the plugin's past releases.
If this box doesn't include a specific tab for the plugin's changelog, check the plugin description. Some developers will include a link to the changelog there.
A similar process can be used to check the changelogs for your themes. Go to the Themes page and hover over the theme you'd like to check. Click Theme Details.
In most cases, you'll need to navigate to the theme developer's website to find the changelog.
When it comes down to it, clicking update and then moving right along isn't the end of the world. But really understanding the updates you're installing will give you a better sense of how secure your site is.
Use Plugins to Prevent Attacks
Any website is vulnerable to an attack, but there are common types of attacks on WordPress sites that we'll run through before suggesting some plugins to help prevent these attacks.
For even more, you can read this guide to WordPress attacks. It can seem alarming, but if you follow best practices in terms of security, your risk decreases significantly.
Brute force attacks
Even when your site is up-to-date, there are still back doors for hackers. In fact, there are sometimes even front doors: your log in information. Brute force attacks—where someone logs in using your information—are more common than you'd think: Sometimes there are tens of thousands of attacks a day.
These types of attacks generally occur when a hacker uses an input field on your site to input harm-causing SQL (a database language). The hacker can then access your database, messing with your site and users' information and even making themselves administrators of your site.
File inclusion attacks occur due to vulnerabilities in your WordPress site's PHP code. File inclusions can be used to load remote files into your WordPress installation, allowing the hacker to control your site.
Malware is a malicious script installed to your website with the goal of stealing sensitive data—personal information, credit card numbers, etc.—from you or your visitors. The scariest part? Your site may be infected with malware without you realizing.
If your site is infected with malware, it not only puts you and your visitors at risk, but it will also hurt your rankings in Google for the long term.
Using these attacks, there are countless things a hacker could do to your website: make changes that reflect poorly on you, steal user information, delete your site—you name it. Hackers can even hold a site ransom, forcing you to pay to regain access to your website.
The best WordPress security plugins
Developers can increase security on their websites via code. But for the rest of us, the simplest way to implement additional security protocols is via a WordPress plugin. Security plugins will include the following features:
Firewall protection. This feature will help identify and block malicious web traffic.
Brute force attack protection. This feature will allow you to change the default login page of your website so that hackers won't be able to easily find it. You'll also be able to limit the number of login attempts on your site and enforce strong passwords.
Malware scanning. This feature will help you identify if there's malware on your site. Some plugins may even be able to delete this malware by replacing your site's files with a previous version.
File change detection. This feature will identify any unexpected changes to files on your website; i.e., ones you didn't make yourself.
We'll take a look at the two most popular security plugins to show you how they work.
Wordfence Security - Firewall & Malware Scan
Wordfence is the most popular security plugin (with over a million websites using it) likely because of its simple dashboard. At a glance, you can see how well protected your site is.
The Firewall and Scan percentages are calculated based on how many of Wordfence's security features you have set up. By hovering over these icons, Wordfence will display a pop-up that indicates additional steps you can take to improve your site security. And that little Notifications box lets you know how many potential security issues Wordfence has found on your website.
The scan itself can be set to run automatically to check file changes and to search your site for malware.
Further down, you'll find information on the number of potential attacks that Wordfence has blocked.
To make things even simpler, Wordfence offers email notifications regarding potential issues. For example, an email notification is sent to your inbox immediately after someone logs in to your WordPress backend. If it wasn't you, then you know you may have been hacked. Other email alerts can be enabled to tell you when someone is locked out from logging into your site, when a visitor from a bad IP address has been blocked, or when files have been changed.
Wordfence pricing: Free; premium version available, which includes added security measures such as two-factor authentication
All in One WP Security & Firewall
All in One WP Security is transparent in its user experience: All of its settings appear in the WordPress left-hand navigation menu.
Above each security setting, it displays a text box to describe what that setting does and how it works to secure your site, making is easy even for the security amateurs.
On top of the standard security features, All in One WP Security also features a Maintenance mode that allows you to display a custom message when you're working on the site. That way you can keep your site secure without upsetting or confusing potential visitors during the outage.
All in One WP Security & Firewall pricing: Free
Back Up Your Site
One of the major concerns of an attack is that your entire website could be deleted. Just like that, your site—along with all its data—would be gone. But if you run regular backups, you can bring it back to life with just a few clicks.
It's possible to back up your site manually using the Export tool. In the WordPress navigation menu, hover over tools and click Export.
Then, on the Export page, choose the option for All Content and click Download Export File.
Once you've downloaded the file, you can later import it back into a new WordPress installation.
Some people prefer to have more control over their security—in which case, exporting is the way to go—but if you feel comfortable relying on a third party, WordPress offers a plugin that'll do the dirty work for you.
With UpdraftPlus, you can back up your site at any time by going to the plugin dashboard page and clicking Backup Now, or you can set automatic routine backups.
Automatic backups can be set to run every 4 hours, 8 hours, or 12 hours or daily, weekly, bi-weekly, or monthly. If your site is mostly for marketing and isn't updated much, the monthly option should do the trick. But if you're adding or changing data regularly—e.g., receiving orders from customers—you'll want to choose the daily option, if not one of the hourly options.
The backups are stored either on your server or in your preferred cloud storage account like Dropbox or Google Drive. It's all automated, and you can choose how many backups you want to keep stored at any given time. Once you reach that number, it will automatically delete the previous versions.
So if something happens to your website that can't be fixed—due to an attack or otherwise—you won't lose your site or its data. Instead, you'll just delete your entire WordPress site and install a new one. Then install UpdraftPlus, upload the backup files, and the website will be restored to whatever it was at the last backup (all by clicking Restore in the UpdraftPlus dashboard).
UpDraft Plus pricing: Free with feature add-ons available to purchase
Whether you're hosting a portfolio for your freelancing business or you're collecting the personal information of thousands of visitors to an e-commerce site, you need to keep your site secure. It's better to take precaution now than risk catastrophe down the road.