If you stand above the crowd, you run the risk of getting your head chopped off. WordPress, in my opinion, stands far and above the crowd of free content management systems available. To that end (no pun intended), when you are dealing with the most popular software for building websites you are also going to be the most hacked.
Microsoft Windows is targeted by hackers more often because there are more Windows users than of any other operating system. Over many years of using and developing within the WordPress platform, I have seen a myriad of ways that hackers use to crash a site.
An attack can come from any source but most center on the following reasons:
- Hosting vulnerabilities
- Failure to update your WordPress install regularly
- Failure to update themes and plugins
- Poorly developed plugins and themes
- Weak administrative usernames and passwords
When you are researching a reliable hosting provider, don’t necessarily opt for the cheapest. Do your due diligence and read the reviews. Hosts are not all created equal: some specialize in hosting WordPress for performance reasons, and some offer one-click installs. Nevertheless, make sure they have a great track record when it comes to secure servers.
Failure to update
I hear it over and over again, “My site just got hacked, what do I do?”, only to find out that they haven’t updated their site in ages, or ever! Failure to update your WordPress core application, themes or plugins is a surefire way of getting your site hacked. DO NOT ignore that notice at the top of your dashboard: “WordPress x.x is available! Please update now.” You will save yourself hours and sometimes days of heartache over a catastrophe that could have been avoided.
Free and poorly developed plugins/themes
There are many reputable theme and plugin developers out there. Many put a tremendous amount of time into making sure that their product is secure and up-to-date. That being said, there are also many plugins and themes that have been abandoned by their developer and are no longer secure. If you notice that a plugin or theme hasn’t been updated in over a year or so, I would avoid it at all costs. It isn’t worth jeopardizing all the hard work you have put into your site.
Further security measures
There are several free and paid security plugins available, and I would recommend a security plugin such as Better WP Security. I have been using it on many of my sites and it is rock solid. Better still, the plugin is now being maintained and developed by iThemes, a very reputable developer in the industry. Whatever tool you use, a few basic measures should always be in place:
- Change username (don’t use “admin”) and use a complicated password
- Limit login attempts
- Disable file editing via the dashboard
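As an added example of the “limit login attempts” item above (example code written for this page, not part of Better WP Security or WordPress core), here is a small must-use plugin that locks an IP address out after repeated failed logins using WordPress transients. The threshold of 5 attempts and the 15-minute window are assumptions; adjust them to your site.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example)
 * Description: Locks an IP address out after too many failed logins, using transients.
 * Install: copy to wp-content/mu-plugins/login-throttle.php (must-use plugins need no activation).
 */

// Assumed policy: 5 failures within 15 minutes lock the address out for 15 minutes.
define( 'SLT_MAX_ATTEMPTS', 5 );
define( 'SLT_WINDOW', 15 * MINUTE_IN_SECONDS );

// Key the counter on the client address. Behind a reverse proxy REMOTE_ADDR is the
// proxy itself, so only trust a forwarded header if your host documents it.
function slt_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'slt_fail_' . md5( $ip );
}

// Count each failed attempt. The transient expires on its own after the window,
// and every further attempt during a lockout restarts that window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = slt_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, SLT_WINDOW );
    // Leave a trail for the site owner (lands in debug.log when WP_DEBUG_LOG is on).
    error_log( sprintf( 'login throttle: failed attempt %d for user "%s"', $count, $username ) );
} );

// Refuse authentication while locked out. Priority 40 runs after core's
// password and cookie checks, so a correct password cannot override the lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( slt_client_key() ) >= SLT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 40, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( slt_client_key() );
} );
```

Because the counter is keyed on the client address, it slows down a single source but not guessing spread across many addresses, which is why the non-default username and strong password above still matter.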
And most importantly... backup, backup, backup!
These are just a few of the things that can be done to make your website more secure.
For more in-depth information on WordPress security visit http://codex.wordpress.org/Hardening_WordPress
Flickr Creative Commons image by Jessica Paterson