WordPress Security Best Practices
April 2022
WordPress Websites & Security
We know that WordPress is a convenient platform for new websites, but unfortunately WordPress has a well-known problem with security.
WordPress security is a problem that developers often face, mainly because plugins – the core building block of WordPress sites – are easy targets for attackers. WordPress has a bad reputation on this subject, and for good reason: plugins open up opportunities for security holes and attacks that put websites at risk. When talking about WordPress security, we like to say that your website is only as secure as your least secure plugin.
How to Secure Your WordPress Website
When we’re working on WordPress websites, we rely on several security features and industry standard best practices to improve website security. Some of the ways you can improve your site security are:
- Reduce the number of plugins
- Choose reputable plugins
- Make updates a regular part of website maintenance
- Stay informed of compromised plugins
Reduce the Number of Plugins for Your Website
In our experience, sites with 20+ plugins installed tend to have the most issues. Not only do plugin-heavy websites pose security risks, but they can also cause conflicts as plugins interfere with one another.
When setting up a new site, our goal is to use fewer than 10 plugins.
We recommend picking plugins that have a good reputation, are installed on a substantial number of websites, and have consistent updates. Most of this information can be found on the plugin's page in the WordPress plugin directory.
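The same signals (install count, update recency, tested-up-to version) can be pulled from the WordPress.org plugin information API and checked against a policy. This is an added example, not code from the original post; the API URL and response fields are the public WordPress.org ones, while the thresholds, the plugin inventory and the WordPress version are placeholders to adjust per site.

```php
<?php
// Added example: vet installed plugins against the public WordPress.org plugin information API.
// Thresholds (minimum installs, maximum days since last release) are assumed policy values.

const PLUGIN_INFO_API = 'https://api.wordpress.org/plugins/info/1.2/';

/** Fetch a plugin's directory record by slug; null on network error or unknown slug. */
function fetch_plugin_info( string $slug ): ?array {
    $url  = PLUGIN_INFO_API . '?' . http_build_query( array(
        'action'  => 'plugin_information',
        'request' => array( 'slug' => $slug ),
    ) );
    $json = @file_get_contents( $url );
    if ( false === $json ) {
        return null;
    }
    $data = json_decode( $json, true );
    return ( is_array( $data ) && ! isset( $data['error'] ) ) ? $data : null;
}

/** Return a list of warnings; an empty list means the plugin passes the assumed policy. */
function assess_plugin( array $info, string $wp_version, int $min_installs = 50000, int $max_stale_days = 180 ): array {
    $warnings = array();
    $installs = (int) ( $info['active_installs'] ?? 0 );
    if ( $installs < $min_installs ) {
        $warnings[] = "only {$installs} active installs";
    }
    // last_updated is a human-readable GMT timestamp in the API response (assumed parseable by strtotime).
    $updated = strtotime( $info['last_updated'] ?? '' );
    if ( false === $updated || ( time() - $updated ) > $max_stale_days * 86400 ) {
        $warnings[] = "no release in the last {$max_stale_days} days";
    }
    // "tested" is the highest WordPress version the author declares the plugin tested against.
    if ( empty( $info['tested'] ) || version_compare( $info['tested'], $wp_version, '<' ) ) {
        $warnings[] = "not declared tested with WordPress {$wp_version}";
    }
    return $warnings;
}

// Placeholder inventory and WordPress version; replace with the site's real plugin slugs
// (for example the output of `wp plugin list --field=name`) and its installed core version.
$installed  = array( 'wordfence', 'example-plugin-slug', 'example-abandoned-plugin' );
$wp_version = '6.5';
foreach ( $installed as $slug ) {
    $info = fetch_plugin_info( $slug );
    $msgs = $info ? assess_plugin( $info, $wp_version ) : array( 'not found in the WordPress.org directory' );
    printf( "%-32s %s\n", $slug, $msgs ? 'REVIEW: ' . implode( '; ', $msgs ) : 'ok' );
}
```

A plugin that is not in the WordPress.org directory at all (a premium or custom plugin) is reported for manual review rather than silently passed.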
Choose Reputable Plugins with a Strong Deliverable
We recommend a few standard plugins for every WordPress site we manage. These plugins must have a good reputation for security and functionality.
They also allow us to manage plugin security across the board:
WordFence Security
We start off our secure WordPress installs with the WordFence Security Plugin and run daily scans.
We recommend using the Brute Force Protection feature, which blocks repeated login attempts and flags potential issues. When issues are flagged, our team reviews them the same day they arise. We consider these alerts a top priority since they offer a main line of defense for WordPress sites.
Many of our clients upgrade to the WordFence Premium version ($99 for a yearly license) which offers access to additional security features and includes a built-in firewall.
Easy Updates Manager
Our second recommended plugin is Easy Updates Manager. We configure a few basic settings so plugin and theme updates run smoothly and without complication:
- WordPress core minor versions are updated automatically
- Plugins are updated automatically as soon as a new release is available
- Installed themes are updated automatically
This plugin is great for businesses with small budgets – it’s easy to set up and runs with little to no maintenance required.
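The three settings above can also be expressed with WordPress core's own auto-update filters, which is useful when a site should not depend on an extra plugin for its update policy. This is an added example, not code from the original post or from Easy Updates Manager; the filter names are WordPress core's, the file name and the "needs staging" slug are placeholders.

```php
<?php
/**
 * Plugin Name: Update policy (added example)
 *
 * Added example, not from the original post or Easy Updates Manager: the same three
 * settings expressed as a must-use plugin. Save as wp-content/mu-plugins/update-policy.php;
 * mu-plugins load automatically and cannot be deactivated from the dashboard.
 * Requires WP-Cron to run (or a system cron hitting wp-cron.php) and
 * AUTOMATIC_UPDATER_DISABLED not set to true in wp-config.php.
 */

// 1. Core: apply minor releases (security and maintenance) automatically; majors stay manual.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// 2. Plugins: install every update as soon as it is available, except plugins listed here
//    that must be tested on staging first (the slug is a placeholder, adjust per site).
function update_policy_auto_update_plugin( $update, $item ) {
    $needs_staging = array( 'example-custom-checkout' );
    if ( isset( $item->slug ) && in_array( $item->slug, $needs_staging, true ) ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_plugin', 'update_policy_auto_update_plugin', 10, 2 );

// 3. Themes: update automatically too. Inactive themes still ship code on disk, so either
//    keep them current or delete them.
add_filter( 'auto_update_theme', '__return_true' );

// Keep the post-update summary email enabled (the default, made explicit) so the result
// can be double-checked, as the post advises.
add_filter( 'auto_plugin_update_send_email', '__return_true' );
add_filter( 'auto_theme_update_send_email', '__return_true' );
```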
Make Updates a Regularly Scheduled Part of Maintenance
We stay on top of core WordPress updates and manually adjust and update plugins as needed.
When a new version of WordPress is released with security fixes, we update sites within the business day. Recent core security updates include the June 10th, 2020 and October 29, 2020 releases. Usually, we rely on the Easy Updates Manager settings to handle this type of update automatically, but we always double-check.
Additionally, we check in with websites on a regular basis to confirm that there are no plugin conflicts or issues. Typically, we check websites once a month or once a quarter, depending on the site.
Stay Informed on Compromised Plugins and Issues
To make sure we stay informed, we check a variety of sources each week for lists of compromised plugins and common WordPress issues.
On September 1, 2020, a major flaw was disclosed in the WP File Manager Pro plugin. The plugin had a zero-day exploit that caused a large number of WordPress websites to break. Because we were aware of the issue early on, we were able to patch the plugin for clients quickly.
When clients host their WordPress site on the server we maintain, we routinely apply operating system, web server, PHP, and MySQL patches every 3 or 6 months so the servers, as well as the sites, remain secure.
How much does it cost to secure a WordPress Website?
Coretechs does not charge a monthly maintenance fee. Instead, we only charge for time worked.
The costs of WordPress Security depend on the frequency of patching requested. Clients with a quarterly site check typically have 1 hour a month or less of maintenance and security.
Each month we keep clients informed on how much time was spent working on the site. If we estimate there will be more than 3 hours of service within a month, we get approval ahead of time.
With standard security practices and regular maintenance of plugins and malware detectors, you can rest assured that your WordPress website is safe. Our clients trust Coretechs to maintain their websites so that personal information and business data remains secure at all times.
If you need help securing your WordPress website, talk to us today.