Best Practices for Securing Your WordPress Site Against Cyberattacks Mark Davoli Senior Web Developer Published: February 22, 2021 3 min read Categories: Performance Creative As the most popular content management system on the planet, WordPress has also become the largest targeted CMS platform for hackers. Sucuri reports that 94% of the infected sites that they cleaned up were running WordPress, while 2.5% ran Joomla and 1.28% ran Drupal. This leads many to falsely believe that WordPress is an insecure platform in comparison to its competitors. In truth, WordPress core is comparable, if not more secure, than competing platforms. As of October 8, 2020, since they were first released, Drupal has reported 333 CVEs (Common Vulnerabilities and Exposures), Joomla reports 382 CVEs and WordPress only has 294 CVEs. Arguably, of the three WordPress core is the most secure. Table of contentsWhy is WordPress Considered Vulnerable?Steps to Keeping Your WordPress Page SecurePrioritize Development Planning to Minimize Plugin RiskUpdate WordPress Core and Plugins FrequentlyUse WordPress Security Plugins and 2-Factor AuthenticationExplore Managed WordPress HostsThe Bottom Line Why is WordPress Considered Vulnerable? The beauty of WordPress that makes it so popular is that it is easily extensible by over 45 thousand plugins. These plugins are not routinely checked by the WordPress core team for vulnerabilities. This, coupled with the fact that WordPress is the most popular CMS, means it comes under constant attack from bots probing for known vulnerabilities. The other most common cause of issues with WordPress is little-to-no maintenance of the platform once a website is launched. All too often, WordPress is selected by end-users for its ease-of-use with minimal knowledge on how to properly maintain a website long term. WordPress can be very secure if maintained properly. In fact, it’s used to power mainstream sites including: Microsoft News, Whitehouse Gov, Tech Crunch and Variety, proving that variety of large organizations trust the platform to keep their information secure. They do it by following a set of development and maintenance principals that, when adhered to, minimize risk. Steps to Keeping Your WordPress Page Secure By following the steps below, you can keep a WordPress site as safe and secure as any competing platform. Prioritize Development Planning to Minimize Plugin Risk Too often developers will solve development problems with WordPress by immediately searching for and installing an off-the-shelf plugin to solve common development issues. This results in a bloated WordPress install with many less reputable plugins that can lead to vulnerability risks. Instead, when developing your site, the most important thing you can do to prevent your WordPress site from being infected is using only the most reputable plugins. And, in fact, if something can be easily solved without installing a plugin, do that rather than trusting a third party. Update WordPress Core and Plugins Frequently Since the most common cause of infections is due to an improperly maintained website, this one can be easily solved by keeping both your WordPress Core and WordPress third-party plugins up to date. If you are only using reputable plugins, there is minimal risk to a plugin becoming no longer maintained. However, if a plugin does become abandoned, replace its functionality or remove it as soon as possible. Unmaintained plugins are a recipe for disaster. Use WordPress Security Plugins and 2-Factor Authentication Several reputable plugin developers have released plugins, such as WordFence, that will monitor and protect your WordPress installation from zero-day vulnerability exploits. If possible, use one of these plugins to keep your site secure as they monitor your site for file changes and known vulnerabilities, and provide Web Application Firewalls for commonly seen issues. In addition, ensure your site is using two-factor authentication for all users capable of editing the content of your site. This will minimize the risk that credentials obtained via nefarious means could lead to an infected website. Explore Managed WordPress Hosts Managed WordPress hosts have become very popular recently by making proper WP hosting and maintenance significantly easier. Using a Managed WordPress host like Flywheel or WP Engine can help you keep your site secure by locking down core website files to prevent infected websites from altering default behavior at the host level. Managed hosts frequently provide regular backups, web application firewalls, DDOS protection and CDNs — great tools for improving performance and minimizing risk to vulnerable sites. The Bottom Line WordPress is both a powerful and a secure platform to run any type of website on IF you commit to best practices in software development and long-term maintenance. As an added benefit, using the WordPress platform nets you the most intuitive, easy to use back-end interface, powerful SEO support, and extreme customizability. If you’re interested in building your site in WordPress or shifting to WordPress from another platform but don’t know where to start, we’d love to chat. Our web development team has extensive expertise in helping companies achieve secure, beautiful builds that drive business goals.