I attended the WordPress User Group Philippines meetup last January hosted by our friends at pantheon.io. I was one of the speakers discussing Basic WordPress Security, so I decided to post it here on my blog.
The need for Security
- 90% of all Hacked Sites are in WordPress
- 97% came from plugins
- 2.4% came from themes
- .05% came from WordPress Core
Several Basic things you can do to secure a WordPress Site
- Use a strong and unique password for your WordPress administrator account, and use two-factor authentication if possible. Here are the top WordPress plugins that implement and manage 2FA that can be used on your site:
- Keep your WordPress core, all plugins, and themes up to date, as new versions often include security fixes. Some hosts/platforms offer managed update services:
- Use a security plugin to scan your site for malware and vulnerabilities, and to block malicious traffic. Some popular security plugins include:
- Use SSL/TLS to encrypt traffic to and from your site. You can get an SSL certificate for free through Let’s Encrypt or some web hosts included in their service.
- Use a security service or CDN to block malicious traffic and protect against DDoS attack example are Cloudflare and Fastly. Some web hosts like WP Engine include Cloudflare while Pantheon.io includes Fastly.
- Restrict file permissions so only necessary users and processes can read, write, and execute files on your server. The standard would be to make all writable permissions on the
wp-content/uploadsfolder and deny PHP execution.
- Regularly make a backup of the site, so that you can restore it in the event that it is hacked or otherwise becomes unavailable.