WordPress Problems & Solutions, Part 1: Site Hacks & Security

The concern:

I’ve heard that WordPress has numerous hacks and security issues – I’m not sure that I can trust it. I’ve seen news about several major plugins getting hacked last year, and I know someone whose WordPress site got hacked and they lost all of their data. Why should I trust a platform that has so many security issues?

The solutions:

Security is a real concern with WordPress, and news about hackings can get people worried, but there are ways to prevent almost any potential security threat without too much extra effort. Here are 5 tips.

1. Use a reliable host.

I recommend WP Engine, but there are several managed WordPress hosts now that have similar capabilities. A good host will provide support in case anything happens to your site. And most managed hosts now will have automatic backups of your site, to make it easy to go back in time to reverse any incident.

2. Require secure passwords.

Attackers will have much more trouble getting into a site if all of the users have unique passwords that can’t easily be guessed. (Don’t reuse your Yahoo account info!) Since WordPress 4.3, WordPress even rates your password and tries to keep you from choosing a weak password:

WordPress Password Strength indicator, a recent improvement to site security

3. Update WordPress and any plugins regularly.

Again, a managed host such as WP Engine can take care of updating WordPress itself automatically for you. This is important—it’s easy to forget to update WordPress if there’s an update available when you’re logging in just to make a quick edit to a post. When plugin updates are available, make sure to update them. Many of the well-publicized hacks were done on older versions of plugins that users had not kept up to date.

4. Use high-quality themes and plugins.

As long as WordPress core is kept up to date, many of the attacks on WP sites aren’t attacks on core itself. The developers who contribute to WordPress itself take security very seriously.

Instead, many of the hacks target insecure plugin or theme code. Keeping everything up to date goes a long way towards keeping everything secure. I also recommend that people choose plugins carefully. Here are a few indicators of quality to help decide if a plugin is worth trusting:

  1. How many active users does it have?
  2. When was it last updated?
  3. Does the developer respond to support requests?
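
The three indicators above can be checked mechanically. The script below is an added example, not part of the original post: it assumes plugin metadata shaped like the WordPress.org plugin information API response (`active_installs`, `last_updated`, `support_threads`, `support_threads_resolved`), uses the share of resolved support threads as a stand-in for developer responsiveness, and runs on constructed sample data with thresholds chosen for illustration.

```python
import re
from datetime import datetime, timezone

# Thresholds are assumptions for this example, not WordPress guidance.
MIN_ACTIVE_INSTALLS = 10_000
MAX_DAYS_SINCE_UPDATE = 365
MIN_RESOLVED_RATIO = 0.5

_STAMP = re.compile(r"(\d{4})-(\d{2})-(\d{2}) (\d{1,2}):(\d{2})(am|pm) GMT")

def parse_last_updated(value):
    """Parse a stamp such as '2024-04-15 9:14pm GMT' into an aware UTC datetime."""
    m = _STAMP.fullmatch(value.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    year, month, day, hour, minute = (int(g) for g in m.groups()[:5])
    hour = hour % 12 + (12 if m.group(6) == "pm" else 0)
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)

def vet_plugin(info, now):
    """Return warnings for one plugin; an empty list means all three checks passed."""
    warnings = []
    installs = info.get("active_installs", 0)
    if installs < MIN_ACTIVE_INSTALLS:
        warnings.append(f"few active users ({installs})")
    age_days = (now - parse_last_updated(info["last_updated"])).days
    if age_days > MAX_DAYS_SINCE_UPDATE:
        warnings.append(f"not updated for {age_days} days")
    threads = info.get("support_threads", 0)
    resolved = info.get("support_threads_resolved", 0)
    # Only judge responsiveness when there were support requests to respond to.
    if threads and resolved / threads < MIN_RESOLVED_RATIO:
        warnings.append(f"only {resolved} of {threads} support threads resolved")
    return warnings

# Constructed sample metadata (hypothetical slugs, not real plugins).
SAMPLE = {
    "example-maintained": {"active_installs": 500_000, "last_updated": "2024-04-15 9:14pm GMT",
                           "support_threads": 40, "support_threads_resolved": 31},
    "example-abandoned": {"active_installs": 300, "last_updated": "2021-02-03 11:05am GMT",
                          "support_threads": 12, "support_threads_resolved": 1},
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date so results are repeatable

if __name__ == "__main__":
    for slug, info in SAMPLE.items():
        print(slug, vet_plugin(info, NOW) or "ok")
```

A plugin that passes all three checks is not guaranteed to be secure; the warnings only flag plugins that deserve a closer look before installing.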

5. Hire a developer.

If you don’t want to piece a site together with questionable off-the-shelf components, or want a secure custom site built, consider hiring a developer who understands security. Writing secure code should be one of the primary concerns of any good developer.