WordPress Security 101
Probably one of the biggest misconceptions about WordPress is that it is more vulnerable to hacking attempts than other content management systems. I believe this isn’t the case; in the right hands it can in fact be even more secure than the competition.
If you have read through the main pages on this website you’ll have a pretty good idea that I like WordPress and highly recommend it as a CMS choice. It has many strengths and is the perfect choice for 90% of the projects taken on, but it is also a victim of its own success in some ways. The main one is probably the issue of security, which is a common topic brought up by potential clients when discussing their project needs.
The issue is that a little online research quickly turns up an article or a thread of comments quoting statistics on hacking attempts against the CMS. Assumptions are quickly made, which is a tad unfair on our little friend! WordPress is by far and away the most popular CMS out there. It has many more active installations than any other and, as a result, will naturally produce a higher number of hack reports. It makes complete sense; I’d expect nothing else.
Should this worry you?
If you do things properly then no, not at all. Any web-based system will be vulnerable if little effort is made towards its security. There are several key factors that apply to all content management systems. Below is a list of these, along with some more WordPress-specific ones:
- Username and password choice
A large portion of those hack stats can be scrubbed straight off the list once we discount the ones resulting from ill-thought-out and weak username/password combinations. A combination of ‘admin’ and ‘password’ isn’t as uncommon as you might think, hard as that may be to believe! A username that is a little more cryptic would be a good idea, and using a password made up of a mix of upper- and lower-case alphanumeric characters is essential. There are several tools available online to generate these for you.
- Secure hosting
This is another key culprit. Having your website hosted on a server alongside tens, hundreds or even thousands of other low-security websites is really opening the door to hackers: if any of the other websites gets hacked, yours will likely be compromised along with it. The world of web hosting can be a minefield, and choosing a good, solid host might seem daunting. Fortunately most experienced developers will know who the good ones are and will be able to get you set up.
- Database table prefix
Many content management systems prefix their database tables with something unique to them. This makes identifying them easier for developers, but it also makes them easy for hackers to identify and target. Using a different prefix for each project is something I always do.
- Admin user ID
The admin user account is probably the first you will create, and it will typically have an ID number of 1. Makes sense, right? It’s also a logical assumption for a hacker to make: one way they can go after admin access is to target the record with ID 1 in the default user table.
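The table-prefix and admin-ID points above both come down to a handful of database changes, and each has a trap: renaming the tables without also updating the rows in which WordPress stores the prefix locks every user out of their role, and moving the admin off ID 1 means updating every column that references that ID. The script below is an added example, not code from this post or from WordPress itself. It only generates the SQL for a MySQL-backed install so you can review it and try it against a backup first; the table and column lists are taken from the standard WordPress schema (plugin tables are not covered), and the prefix `k7x_` and the ID `4821` are made-up values.

```python
import re

# Core WordPress tables (constructed list from the standard schema; plugin
# tables, if any, need the same rename and are not covered here).
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "termmeta", "terms", "term_relationships", "term_taxonomy",
    "usermeta", "users",
]

# (table, column) pairs in the core schema that store a user ID.
USER_ID_COLUMNS = [
    ("users", "ID"),
    ("usermeta", "user_id"),
    ("posts", "post_author"),
    ("comments", "user_id"),
    ("links", "link_owner"),
]

PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+_$")


def check_prefix(prefix: str) -> str:
    """Only letters, digits and underscores, ending in '_', so a prefix can
    never smuggle quotes or backticks into the generated SQL."""
    if not PREFIX_RE.match(prefix):
        raise ValueError(f"invalid table prefix: {prefix!r}")
    return prefix


def prefix_rename_sql(old: str, new: str, tables=CORE_TABLES) -> list:
    """SQL to move every core table from prefix `old` to prefix `new`.

    Renaming the tables is not enough: WordPress also stores the prefix
    inside row data, in options.option_name ('wp_user_roles') and in
    usermeta.meta_key ('wp_capabilities', 'wp_user_level', ...). Leave
    those rows alone and every account loses its role after the rename.
    """
    check_prefix(old)
    check_prefix(new)
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    # '_' is a single-character wildcard in LIKE, so escape it; otherwise
    # 'wp_%' would also match keys such as 'wpsomething'.
    like_pattern = old.replace("_", "\\_") + "%"
    stmts.append(
        f"UPDATE `{new}usermeta` "
        f"SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like_pattern}';"
    )
    return stmts


def user_id_reassign_sql(prefix: str, old_id: int, new_id: int) -> list:
    """SQL to move one user (typically the admin at ID 1) to an ID that is
    not in use, touching every core column that references it."""
    check_prefix(prefix)
    if not (isinstance(old_id, int) and isinstance(new_id, int)) or old_id == new_id:
        raise ValueError("old_id and new_id must be distinct integers")
    return [
        f"UPDATE `{prefix}{table}` SET `{col}` = {new_id} WHERE `{col}` = {old_id};"
        for table, col in USER_ID_COLUMNS
    ]


if __name__ == "__main__":
    for stmt in prefix_rename_sql("wp_", "k7x_") + user_id_reassign_sql("k7x_", 1, 4821):
        print(stmt)
```

Run the two generators in a single transaction, after updating `$table_prefix` in wp-config.php to match, and check that nothing else (a plugin table, a custom query in a theme) still refers to the old prefix or the old ID before committing.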
- Mask the admin URL
Rather than go with /admin/ (or whatever the CMS default is) for your administration area, use something more abstract, or at least something less blatantly obvious if possible! Most hacks are carried out by automated scripts (known as bots). These scripts are designed to perform quite specific tasks: they are programmed to look for certain things in certain places, so we can send them off course by changing the signposts.
- Change the default system folder names
Most content management systems have default names for their system/application folders, which is where the core files and theme files are stored. It stands to reason that they are the first place a hacker will target, and taking measures to rename the folders will help deflect the automated attacks that affect so many websites. Be warned, though, that if you use a large number of third-party plugins this may cause issues with functionality.
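The flip side of the last two points is that because bots go straight for the default locations, they are easy to pick out of the web server's access log whether or not you have moved anything. What follows is an added example, not code from the post or from any plugin: a small Python scanner that parses a few constructed log lines (TEST-NET addresses, nothing real), counts requests to /wp-login.php, /wp-admin/ and /xmlrpc.php per client and reports any client at or above a threshold. The regex assumes the common Apache/nginx "combined" log format; the threshold of 5 is an arbitrary starting point.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format; only the fields used here are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Default WordPress locations that automated scanners request first.
PROBE_PATHS = ("/wp-login.php", "/wp-admin/", "/xmlrpc.php")


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_probing_ips(lines, threshold: int = 5):
    """Count requests per client to the default admin locations and return
    the clients at or above `threshold`, most active first, together with
    the distinct paths each one touched."""
    hits = Counter()
    paths = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash mid-file
        if rec["path"].startswith(PROBE_PATHS):
            hits[rec["ip"]] += 1
            paths[rec["ip"]].add(rec["path"])
    return [
        (ip, n, sorted(paths[ip]))
        for ip, n in hits.most_common()
        if n >= threshold
    ]


# Constructed sample log: TEST-NET addresses, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2131',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 2131',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 2131',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-admin/?redirect=1 HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /about/ HTTP/1.1" 200 8456',
    '198.51.100.4 - - [10/Oct/2023:13:56:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2131',
    'this line is not an access log entry',
]


if __name__ == "__main__":
    for ip, count, touched in find_probing_ips(SAMPLE_LOG):
        print(f"{ip}: {count} requests to {', '.join(touched)}")
```

On a real site, pipe the log file into `find_probing_ips` line by line and feed the flagged addresses to whatever blocking or alerting you already have; a single legitimate editor logging in (198.51.100.4 in the sample) stays below the threshold, while a client hammering the login and XML-RPC endpoints does not.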
- Boost security via plugins and extensions
In the case of WordPress there are some excellent security plugins available which add a whole suite of functions to fend off potential attacks. My own recommendation is iThemes Security. On its own it covers a few of the points above right out of the box. With some further custom configuration you can really lock down the back-end, limiting usage to specific IPs at certain times only. Things like file-change detection are taken care of too.
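File-change detection, mentioned above as a plugin feature, is easiest to understand by building a minimal version of it. This is an added example and not the plugin's code: it records a SHA-256 per file as a baseline and later reports which files were added, removed or modified, skipping a cache directory whose contents change legitimately. The `demo()` function builds a throwaway directory tree with made-up file contents so the whole thing runs offline; the ignore list and the file names in it are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Directories whose contents change legitimately and constantly; skip them
# so the report is not drowned in noise (constructed defaults).
DEFAULT_IGNORE = ("wp-content/cache/",)


def build_manifest(root, ignore=DEFAULT_IGNORE) -> dict:
    """Map every file under `root` (relative POSIX path) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith(ignore):
            continue
        manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def save_manifest(manifest: dict, path) -> None:
    # Keep the baseline outside the web root so a compromise cannot rewrite it.
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Build a throwaway site tree, baseline it, change it, and return the
    diff. All file names and contents are constructed for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        files = {
            "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
            "wp-config.php": "<?php $table_prefix = 'k7x_';\n",
            "wp-content/themes/mytheme/style.css": "body { color: #333; }\n",
            "wp-content/cache/page.html": "<html>cached</html>\n",
        }
        for rel, text in files.items():
            path = site / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(site), baseline_file)

        # Changes of the kind a careless edit or an intrusion leaves behind:
        # a core file altered, a stray file in uploads, a theme file gone,
        # and a cache file regenerated (which should NOT be reported).
        (site / "index.php").write_text(
            "<?php /* altered */ require __DIR__ . '/wp-blog-header.php';\n"
        )
        (site / "wp-content/uploads").mkdir(parents=True)
        (site / "wp-content/uploads/unexpected.php").write_text("<?php // not expected\n")
        (site / "wp-content/themes/mytheme/style.css").unlink()
        (site / "wp-content/cache/page.html").write_text("<html>regenerated</html>\n")

        return diff_manifests(load_manifest(baseline_file), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would rebuild the baseline immediately after every deliberate update (core, theme or plugin) and run the comparison from cron, treating any `.php` appearing under wp-content/uploads as something to look at straight away.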
Choosing a developer with adequate experience, attention to detail and an appreciation for the security of your data goes a very long way. That is the most important factor, and the actual system chosen to power your website is secondary.
WordPress is as secure and stable as any other CMS, all of which are only as strong as their weakest link. 9 times out of 10 that is the person responsible for their initial set up, deployment and management.
And what about something bespoke? That’ll be bulletproof right?
Aside from CMS solutions such as WordPress, a fully bespoke system brings its own challenges. You have the versatility to create a structure that hackers can’t predict, making automated attacks harder. You will have complete control over all aspects of the system, cutting out third-party code and limiting potential leaks from other developers’ negligence.
A completely bespoke solution may, however, be one that hasn’t been deployed, tried and tested. There can be a lengthy period where bug fixing is a regular, ongoing phase, and there won’t be a community out there sounding the horn if an aspect of your system becomes vulnerable in some way.
I believe that an open-source CMS that is well supported by its community and regularly maintained is as secure as any other. Getting the security setup right and keeping on top of updates is the key to staying hack-free.