Site Security for WordPress Website Owners

WordPress is a very secure CMS. However, WordPress site owners who don’t have a plan to keep their site secure will become vulnerable to hacking.


Keeping your WordPress site secure. It’s a case of balancing risk versus cost.

Building a site using a free theme and lots of free plugins may save you money initially, but it opens you up to the risk of hacking, which can have a serious impact on the financial health of your business. That problem is compounded if you don’t regularly update your site. So you need to ask yourself – is that initially cheap website really going to save me money? Or is it going to end up costing me?

If, on the other hand, you carefully choose the theme, only use vetted and absolutely necessary plugins, ALWAYS keep everything up-to-date, enable two-factor authentication, and add a firewall, then you can breathe easier knowing your site is secure.

But there is a cost to all that security.

Selecting a theme and plugins

Not all themes and plugins are created equal. There are thousands of WordPress themes out there. Some are cheap or free, while others come at a premium. Why such a variance in price? Well, some may have been built by a student in his bedroom, while another had a whole team of engineers from a reputable company working on it.

How do you spot the difference? A good place to start is to research who created the theme, look at reviews and supporting documentation, see how often the theme is updated, and how many installs it has. Check with your web developer too – have they used this theme before?

The same is true with plugins. They’re a cost-effective way to add functionality to a WordPress site. But each plugin increases the risk of hacking. So choose them wisely, with the aim of using as few as possible. Use only plugins that come from respected developers, who regularly support and update them. The moment they’re no longer needed for your site, remove them.

Keeping things up to date

Anyone who has a WordPress site and has merrily applied updates with no thought or care will have experienced a broken site at some point. This usually happens because a feature their site uses has been deprecated, because changes to the theme break their page layout, or because of a conflict between two plugins.

In the ideal scenario, a well-managed WordPress site will consist of a staging site and a live site. A developer applies updates to the staging site first. Only after fixing any breaks on the staging site are those updates applied to the live site.

Even when there are no breaks, someone has to check the site very carefully to determine there’s nothing wrong. This process takes time. In web development, time is money – so the best solution isn’t the cheapest solution.

Somewhere between applying all updates immediately, and never applying any updates is a middle ground.

Depending on your budget and your appetite for risk, you can have a developer apply updates on a quarterly, bi-annual or annual basis.

Even if you don’t keep a staging site on the server, a competent developer will copy your site to a development server. That’s where they will update and test first, applying the changes to your live site only once they have found and fixed any bugs.

The time it takes to do this depends on several factors: the level of customisation in your site; the functionality and size of your site; and the changes in WordPress, your theme and your plugins (if WordPress or your theme has a major version change, expect things to take a little longer than for minor updates).

For many small businesses an annual update will be the right balance between cost and security. For high profile sites, government sites, or websites with sensitive information, a more frequent update is prudent.

Add a Firewall

A firewall gives your WordPress site an additional layer of security. Ideally the firewall loads before WordPress and blocks any known bad actors from even visiting your site, let alone hacking it.

The easiest way to do this is to use a reputable security plugin such as Wordfence. A good firewall will protect your site against malware, denial-of-service attacks and SQL injection.

Have a secure password and limit login attempts, or enable two-factor authentication

It seems basic, but so many site owners choose a simple, easy-to-remember password over a secure one.

At the most basic level:
Limit the number of people who have access to your website admin area, and give them each a separate username and password;
Create secure passwords (12 characters or more, with a mix of upper and lower case plus a number and a special character);
Change passwords when staff leave.

Level Two:
Use Loginizer or Wordfence to limit login attempts and prevent brute force attacks.

Level Three:
Enable two-factor authentication. Yes, it is a pain, but it works.
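
What "limit login attempts" means in practice, as an added example (not code from this article, Loginizer or Wordfence): count failed POSTs to wp-login.php per IP address in a sliding time window and flag any address that crosses a limit. The log lines are constructed, and the limit of 5 attempts in 10 minutes and the rule that a 200 response means a failed login are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ip, hms, method, status):
    """Build one constructed access-log line (combined log format)."""
    return (f'{ip} - - [12/Mar/2024:{hms} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 4321')

# Constructed sample traffic; the IPs are documentation addresses.
SAMPLE_LOG = "\n".join(
    # six failed logins ten seconds apart: password guessing
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", 200) for s in range(0, 60, 10)]
    # five failures an hour apart: a forgetful user, never five in one window
    + [_line("198.51.100.4", f"{h:02d}:15:00", "POST", 200) for h in range(9, 14)]
    # page view, one typo, then a successful login
    + [_line("192.0.2.10", "10:05:00", "GET", 200),
       _line("192.0.2.10", "10:05:09", "POST", 200),
       _line("192.0.2.10", "10:05:20", "POST", 302)]
)

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def failed_logins(log_text):
    """Yield (ip, time) for each POST to wp-login.php that looks like a failure."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing
        path = m["path"].split("?", 1)[0]
        # Assumption: a failed login re-renders the form (200), a success redirects (302).
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def ips_to_lock_out(log_text, max_attempts=5, window=timedelta(minutes=10)):
    """Return {ip: time the limit was reached}; each IP's lines must be in time order."""
    recent, locked = defaultdict(deque), {}
    for ip, ts in failed_logins(log_text):
        attempts = recent[ip]
        attempts.append(ts)
        while ts - attempts[0] > window:   # forget attempts outside the window
            attempts.popleft()
        if len(attempts) >= max_attempts and ip not in locked:
            locked[ip] = ts
    return locked

if __name__ == "__main__":
    for ip, when in ips_to_lock_out(SAMPLE_LOG).items():
        print(f"lock out {ip}: limit reached at {when:%H:%M:%S}")
```

Only the rapid guesser is flagged; the user who mistypes once and the user who fails five times across several hours are left alone, which is the trade-off a login limiter has to strike.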

What to do next?

If you’ve got a WordPress website and you’re concerned about security, then contact the team at Forge. We can do a Site Audit, make recommendations on security improvements and help you implement them. We can also help you improve the design of your WordPress website.
