Powering nearly 74.6 million websites, WordPress can be an inviting target for hackers. Much like other services, the platform has been the subject of numerous attacks throughout its existence, but no major vulnerabilities have been discovered inside WordPress’ core since January 2013.
Security is (of course) a constant concern for many WordPress developers. Although no website is 100% secure, you can certainly make hacking difficult by maximizing your site’s security. There’s lots of good advice available to protect your website, but with WordPress constantly evolving, do the old methods of staying safe still apply in 2017?
In this post, we’ll kick the year off right by covering some traditional security measures you shouldn’t ignore, and introducing some new security-related developments to look forward to in 2017. But first, let’s take a look at why it’s important to secure your WordPress website.
Why Securing Your WordPress Website Is Important
A security breach on your WordPress website can be damaging for your brand’s reputation. Worse yet, your customer’s sensitive information could be at stake. More than 170,000 WordPress websites were hacked back in 2012 — a number which is likely much higher now. Here are a few reasons why securing your site is important:
- You can protect your business from losing money. In the time it takes to recover your site from a hacking attempt, you could potentially lose income. This is especially true for online stores and sites that display paid ads.
- You can safeguard customers’ sensitive data. When your customer’s sensitive information is breached, there’s no turning back. Letting personal details fall into the hands of undesirables could damage the business/client relationship.
- You prevent other sites from being infected. If your site is hosted on a shared server, the likelihood of malware spreading to other sites hosted on the same server is high. You’d essentially be putting other sites at risk.
- Your business’ reputation can be strengthened. Staying on top of your site’s security strengthens your brand. In addition, it has a positive impact on your reputation and builds trust among customers.
With the new year approaching, it’s high time to re-evaluate which security measures you should hold on to in 2017. By acting on these five steps, your WordPress website will be far more secure than others.
5 Security Measures That Will Be As Important As Ever in 2017
In this section, we’ll cover five security measures you should heed if you want to keep your WordPress website safe. Each of the following steps will be as important as ever in 2017.
1. Creating Regular Backups
Let’s kick things off with the single most important thing you should be doing to ensure your website stays secure: create regular backups. Ideally, you should set up automated backups at least every week. In addition to this, it’s also recommended to take a backup before you make any changes to your site’s core files.
Taking regular backups ensures you have a safe and secure version of your website in case something goes wrong. You could fall prey to a malicious hacking attempt, your site could crash due to a faulty plugin, or maybe your hosting platform’s security falls short. A clean, easy to restore backup gets you back online quickly.
We strongly recommend the UpdraftPlus plugin for creating backups. You can configure this free plugin to take scheduled backups of your entire WordPress website, and store it in a myriad of locations. There are, of course, other options for creating backups. In the case of a security breach, you’ll be thankful you created a backup ahead of time.
2. Keeping WordPress Updated
You should always update WordPress to the latest version. When a new version of WordPress is available you will receive an update message in your WordPress Admin Screens. – WordPress Codex
Whenever WordPress rolls out a new update, it prompts you to update your current version of WordPress. In addition, you also get notified each time an installed theme or plugin needs to be updated. Although the pesky notifications can get annoying over time, there’s a reason they keep showing up — and it’s not just to inform you of new functionality.
Each time you install a new theme or plugin, you’re potentially cracking open a window. Try as you might, risky theme and plugin interactions are unavoidable. In addition, they pave a clear path towards security vulnerabilities.
Updating WordPress (and the themes and plugins you have installed on it) is pretty straightforward. You have two basic options — automatic updates and manual updates. WordPress enables you to configure automatic updates, which takes the burden off of you but can leave any incompatibilities out of your hands initially. Therefore, manually updating your site is the way to go.
3. Optimizing File and Folder Permissions
WordPress’ default file permissions are worth exploring for any developer. Although you shouldn’t mess around with the default permissions generally, it’s important to develop a brief understanding of them. Essentially, they govern which users have access to read, open, and modify the content of the relevant files. Two of the most common settings you’re probably already familiar with are 644 and 755.
For example, files and folders categorized with the 644 file permission mode enable the owner to read and write to them, with the rest of the users only having read-only access. It’s an ideal permissions setting for WordPress files and folders from a security perspective.
Some settings, such as 755, are designated for WordPress folders alone. This is because they let owners change files within that folder. Others (such as 777) should be avoided at all costs since they enable all users to read, write, and delete folders.
4. Securing Your Login and Admin Screens
Sometimes, a strong username and password combination just doesn’t cut it. Anyone who wants to break into your site can potentially gain access to your WordPress dashboard, given enough time. One way to avoid this is to secure your site against brute force attacks.
Thankfully, WordPress enables you to limit the number of login attempts from a single source over a specified period of time. If a particular IP address continues trying to login to your site with different username and password combinations unsuccessfully, their access will be limited for a given amount of time.
Another aspect to consider is that of informing the user which field they made a mistake in. By keeping this enabled, you’re essentially helping them hack your site. You can improve your login page’s security even further by making sure this isn’t an option.
If you’re looking for a straightforward solution, plugins such as iThemes Security offer a multitude of options – including securing your login screen – from the dashboard, and it’s well worth the time spent tweaking settings.
5. Hiding Your Back End URLs
At the time of installation, WordPress assigns you two default URLs — wp-admin.php and wp-login.php. Since they’re the same for every WordPress site, it’s easy for hackers to gain access to your site’s entry point. By hiding your back end URLs, you can effectively protect your site further against brute force attacks.
Simply put, hiding your login page prevents widespread access, and it minimizes malicious login attempts. A hacker who can’t find your site’s entry point can’t break in!
There are a number of reliable plugins available to help you add an extra layer of security to your WordPress site, including the previously mentioned iThemes Security. For a manual approach, the WordPress Codex has a number of tips to help, and there are a myriad of resources available on the web.
2 Security-Related Developments to Make Note of For 2017
Now we’ve outlined the perennial techniques to keep your site safe, let’s take a look at two security-related developments you can look forward to in 2017.
1. The Implementation of PHP 7
WordPress’ recommended PHP version will change from 5.6 to 7 sometime in 2017. PHP 7 is the latest version of the scripting language, and the technology itself centers around better performance and memory utilization.
PHP 7 promises huge performance gains for WordPress in terms of catering to more requests per second. For example, one WordPress request on PHP 5.6 executes just under 100 million CPU instructions, while PHP 7 only executes 25 million to do the same job. In simple English, this means that less servers are needed to serve the same amount of users.
That being said, PHP 7 does have some lingering security concerns to iron out, but PHP.net has published an in-depth resource for users who wish to migrate from PHP 5.6 to PHP 7 with as little hassle as possible.
2. The Increasing Importance of SSL Certificates
In the past, the widespread deployment of Secure Socket Layer (SSL) certificates was largely hindered by its high costs and implementation concerns. However, Let’s Encrypt’s recent open-source initiative promises free and easy implementation of SSL certificates for everyone. If you don’t know what we’re talking about, SSL encrypts the connection between your browser and server, and is represented by the ‘lock’ symbol in your address bar:
What’s more, in 2017, WordPress is only going to recommend hosting companies that offer SSL in their plans from the get-go. In addition, we can expect to see new features roll out that require websites to have an HTTPS connection – meaning getting onboard is going to be a crucial step going forward.
No website is 100% secure, and WordPress websites are no exception. By holding on to some traditional security measures (and adopting some new ones), you can effectively mitigate the risk of potential security attacks.
Let’s quickly recap the security measures that will be as important as ever in 2017:
- Create regular backups of your WordPress website to ensure security.
- Keep your WordPress core files, themes, and plugins up to date.
- Optimize file and folder permissions.
- Secure your site’s login and admin screens.
- Hide your back end URLs.
Do you have any concerns relating to WordPress security in 2017? Let us know in the comments section below!
Image credit: WikiImages.