The most popular content management system in the world is WordPress. As of this year (2020), 37% of websites on the web are running WordPress. Among content management systems, WordPress is the choice of 65% of the web community, far ahead of any competitor in the CMS space, including Drupal, Joomla, Wix, and Squarespace.
With that popularity come some pitfalls, and the number one criticism of WordPress is that it is not secure and that WordPress sites often get hacked. This is true, but it doesn't have to be this way. There are steps you can take to make your WordPress website secure. In this article, I will cover some of the ways I have learned to secure a WordPress website.
There are plugins that can assist you in securing your WordPress website. One of my go-to's is Wordfence. Wordfence offers a web application firewall that blocks malicious traffic at the server level. Wordfence can also scan core files, plugins, and theme files for malware and code injections, and it can repair and/or delete files that have been tampered with.
Another plugin I use and recommend for WordPress security is Login Lockdown. This plugin limits the number of login attempts allowed from a given IP address; you can set the limit to 3 attempts, 5 attempts, or whatever you want. This stops bots from making repeated login attempts against your website.
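To make the lockout policy concrete, here is an added example (my own illustration, not code from the Login Lockdown plugin or from WordPress) of the decision logic such a plugin enforces: failed logins are counted per source IP inside a sliding window, the IP is locked out for a fixed period once the limit is reached, and a successful login clears the counter. The IP addresses, timestamps and attempt limit below are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginLimiter:
    """Per-IP failed-login counter with a sliding window and a fixed lockout period.

    max_attempts: failures within `window` that trigger a lockout (the "3 times,
                  5 times" setting in the article).
    lockout:      how long the IP stays blocked once the limit is reached.
    """

    def __init__(self, max_attempts=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=60)):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> datetime when the lockout expires

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                      # lockout expired: forget the history
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed login; return True if the IP is (now) locked out."""
        if self.is_locked(ip, now):
            return True
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        """A correct login resets the failure count for that IP."""
        self._failures.pop(ip, None)


def replay(events, limiter):
    """Feed (timestamp, ip, credentials_ok) events through the limiter.

    Returns one decision per event: 'allowed', 'rejected' (bad password, not yet
    locked) or 'locked' (the attempt was refused because of the lockout).
    """
    decisions = []
    for when, ip, ok in events:
        if limiter.is_locked(ip, when):
            decisions.append((ip, "locked"))
            continue
        if ok:
            limiter.record_success(ip)
            decisions.append((ip, "allowed"))
        else:
            locked = limiter.record_failure(ip, when)
            decisions.append((ip, "locked" if locked else "rejected"))
    return decisions


# Constructed sample traffic: a bot hammering wp-login from one address, and a
# legitimate user who mistypes once from another.
T0 = datetime(2020, 9, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    (T0 + timedelta(seconds=s), "203.0.113.7", False) for s in (0, 10, 20, 30, 40)
] + [
    (T0 + timedelta(seconds=50), "203.0.113.7", True),   # right password, but already locked out
    (T0 + timedelta(minutes=2), "198.51.100.2", False),  # one typo from a real user
    (T0 + timedelta(minutes=3), "198.51.100.2", True),   # then a normal login
    (T0 + timedelta(minutes=61), "203.0.113.7", True),   # lockout has expired by now
]

if __name__ == "__main__":
    for ip, decision in replay(SAMPLE_EVENTS, LoginLimiter(max_attempts=5)):
        print(f"{ip:15} {decision}")
```

Note that the bot's correct guess at T0+50s is still refused: once the lockout is active the password is not even checked, which is what makes a brute-force run unprofitable. A real plugin persists these counters in the database so they survive across PHP requests; the in-memory dictionaries here are only for the demonstration.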
The default login page in WordPress is typically going to be www.yourwebsiteurl.com/login or www.yourwebsiteurl.com/admin. This is convenient because the login page is easy to remember, but it is bad for security, because attackers know your login page just as easily. There is a plugin that lets you change the login page address from the default: change wp-admin login. You will just have to remember what you changed the login page to, or bookmark it.
It should be common sense, but when it comes to passwords, a lot of people don't use common sense or follow best practices. Please don't use a default username/password combination. It is ok to use an email address or part of your name as the username. For the password, best practice is a strong password made up of uppercase and lowercase letters, numbers, and at least one special character such as $, &, ), #, @. I personally use a password manager (Dashlane), which will create and store your passwords for you.
In WordPress, you will find a file called wp-config.php located at the top level of your install (usually in public). Inside this file you will see a line of code that looks like this:
$table_prefix = 'wp_';
The 'wp_' prefix is the default, but it can be changed to something unique. If you haven't installed WordPress on a server yet, you can go ahead and change the $table_prefix line to something like wp_bfg124hxp (you can use any combination of letters and numbers). If you have already installed WordPress, you will need to open your database in a tool like phpMyAdmin and do a little SQL. It's not too hard. The SQL would look like this (the new table name is your new prefix followed by the table's base name, so with the prefix wp_bfg124hxp_ the posts table becomes wp_bfg124hxp_posts):
RENAME TABLE wp_posts TO wp_bfg124hxp_posts;
(You will need to do this for each of the 12 tables that WordPress uses.)
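Renaming a dozen tables by hand is error-prone, so here is an added example (my own script, not part of WordPress or phpMyAdmin) that generates the complete statement list for a prefix change. It goes one step beyond the article: besides the 12 table renames it also emits the UPDATEs for the rows whose keys embed the prefix (the user_roles option and the per-user capabilities, user_level and user-settings meta keys), because after renaming the tables alone WordPress can no longer find any user's role and locks every account out of the dashboard. The prefix check mirrors the character set WordPress's installer accepts (letters, digits and underscores); the example prefix wp_bfg124hxp_ is the article's value with a trailing underscore so the generated names stay readable.

```python
import re

# The 12 tables a WordPress 5.5 core install creates, without the prefix.
CORE_TABLES = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms", "usermeta", "users",
)

# Rows whose keys embed the table prefix. Renaming the tables alone leaves these
# pointing at the old prefix, and WordPress then treats every user as role-less.
PREFIXED_OPTION_NAMES = ("user_roles",)
PREFIXED_USERMETA_KEYS = ("capabilities", "user_level", "user-settings", "user-settings-time")

# Same rule the WordPress installer applies to $table_prefix: letters, digits, underscores.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def is_valid_prefix(prefix):
    return bool(PREFIX_RE.match(prefix))


def validate_prefix(prefix):
    # Because every prefix is restricted to [A-Za-z0-9_], splicing it into the
    # statements below cannot inject SQL; anything else is refused outright.
    if not is_valid_prefix(prefix):
        raise ValueError("table prefix may contain only letters, digits and underscores")
    return prefix


def prefix_change_sql(old="wp_", new="wp_bfg124hxp_"):
    """Return the SQL statements (as strings) that move an install from prefix `old` to `new`."""
    validate_prefix(old)
    validate_prefix(new)
    statements = []
    for table in CORE_TABLES:
        statements.append(f"RENAME TABLE `{old}{table}` TO `{new}{table}`;")
    # The tables are renamed first, so the UPDATEs target the *new* table names.
    for name in PREFIXED_OPTION_NAMES:
        statements.append(
            f"UPDATE `{new}options` SET option_name = '{new}{name}' "
            f"WHERE option_name = '{old}{name}';"
        )
    for key in PREFIXED_USERMETA_KEYS:
        statements.append(
            f"UPDATE `{new}usermeta` SET meta_key = '{new}{key}' "
            f"WHERE meta_key = '{old}{key}';"
        )
    return statements


def wp_config_line(new):
    """The matching line for wp-config.php; the site is broken until this is updated too."""
    return f"$table_prefix = '{validate_prefix(new)}';"


if __name__ == "__main__":
    print("-- run inside a transaction after taking a backup")
    for stmt in prefix_change_sql("wp_", "wp_bfg124hxp_"):
        print(stmt)
    print("-- then set in wp-config.php:")
    print(wp_config_line("wp_bfg124hxp_"))
```

Take a database backup before running the output, and run it and the wp-config.php edit back to back: between the two steps the site cannot reach its tables at all. Plugins that create their own tables or store prefixed option names are not covered by the core list above and need the same treatment.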
SSL stands for Secure Sockets Layer; it establishes an encrypted link between a browser and a server. You can tell a website is using SSL by the lock icon in the address bar. Chrome and Firefox will also warn visitors with a 'Not Secure' label in the address bar if your site is not using it. Additionally, if you are using SSL on your website, your site will rank better with Google.
If you are requesting money on your website, such as donations, or selling goods on WordPress using WooCommerce, then it is imperative that your site uses SSL. Many web hosts offer an SSL certificate free of charge, but some will charge extra depending on your hosting plan.
Once you have WordPress installed, installed the recommended security plugins, created a secure login, added an SSL certificate, and customized your database, another key ingredient of a secure site is website maintenance. Maintenance means updating plugins, which their developers are constantly updating and making more secure, and updating the WordPress version (currently 5.5 as of writing this article).
You will also need to run the latest stable version of PHP (7.4.10 as of writing this article). PHP has long been criticized for its security flaws since it is an open-source language, and in the past SQL injection and cross-site scripting (XSS) were fairly common. The latest versions of PHP have proven to be more secure than previous versions.
Some hosting companies are much better for WordPress hosting than others. Some are considered lower-end and are cheaper, such as GoDaddy and SiteGround, but they are shared hosting, meaning your hosting company houses many websites on one server. Other hosting companies cost more, but they offer dedicated WordPress hosting (or managed hosting) and will maintain backups of your site and keep your plugins, WordPress version, and PHP version up to date. Some examples of these hosting companies are Media Temple, Flywheel, SiteGround, WP Engine, and Bluehost.
WordPress is crazy popular, and while some big-name companies use WordPress, most sites are built for small-to-medium-sized businesses, and once those sites are developed they aren't properly maintained, weren't set up to be secure, and/or aren't on a good WordPress hosting company. It makes good business sense to consult with a knowledgeable WordPress consultant (like me!) to develop, set up, and maintain your WordPress website.