WordPress Best Security Practices: a Guide to Harden and Secure WordPress
WordPress releases updates to its software regularly to address new security issues and vulnerabilities in the WordPress core files. To ensure that you are getting the latest security updates and fixes, you should always keep up to date with the latest version of WordPress!
Older versions of WordPress have known vulnerabilities and “holes” that are catalogued in public databases; because WordPress is open source, hackers are well aware of them.
GlowFrog Hosting, LLC maintains the security of the server infrastructure for you and ensures that your WordPress sites are safe. If you aren’t a current GlowFrog customer, it’s important to know that a secure server alone doesn’t fully ensure that your WordPress site is safe from hackers.
In reality, no website is truly 100% safe, but there are preventive measures you can take to “harden” your WordPress site against hackers and malicious activity.
In this guide, we discuss general steps to strengthen the security of your WordPress website and harden it against attack.
Keep WordPress Core Up-to-Date
One of the most important steps in hardening your WordPress site is keeping all of your software up to date with the latest versions. Create backups of your site(s) first, then install important updates from WordPress. At GlowFrog, you can take advantage of our Smart Update Feature, which ensures that updates never break your sites.
Keep Themes & Plugins Up-to-Date
Plugins and themes can become deprecated or obsolete, or include bugs that pose serious security risks to your WordPress website! Most third-party plugin and theme developers issue security updates and patches for their software, so it is important to install these updates as they become available. As always, create a backup first, then apply updates to all of your themes and plugins! At GlowFrog, you can take advantage of our Smart Update Feature, which ensures that updates never break your sites.
Auditing Plugins and Themes
Many third-party plugins and themes available for WordPress are not created by the makers of WordPress, so their security cannot be guaranteed. It is important to regularly audit your WordPress themes and plugins to ensure they are stable and secure. You can use the following checklist as a guideline for choosing better plugins and themes for your WordPress site.
- Does the plugin or theme have a large install and support base?
- Does it have a large number of positive user reviews?
- Are the developers actively supporting their plugin and pushing frequent updates or security patches?
- Does the vendor include a physical contact address in its terms of service or on a contact page?
If the plugin or theme fails any of the above checks, we recommend searching for a more secure and trusted solution.
Remove Unused Plugins & Themes
Not using a WordPress plugin? Delete it! It is a common misconception that a deactivated plugin or an unused theme cannot have an effect on your WordPress website. But deactivated themes and plugins CAN and DO affect your WordPress site.
When a plugin or theme is not in use, it is usually not being updated regularly. Although the theme or plugin may be deactivated, its files STILL exist on the webserver, presenting a potential entry point for hackers to take advantage of.
Storing unused plugin and theme files in your WordPress installation increases the chance of a compromise, especially when they are disabled and not actively being used.
Removing unused plugins and themes helps improve security and protects WordPress from hacking.
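The two pieces of advice above (keep plugins and themes updated; delete the ones you are not using) can be turned into a repeatable audit. The script below is an added example, not code from this guide or from GlowFrog; it assumes WP-CLI is available and parses the JSON that `wp plugin list --format=json` and `wp theme list --format=json` produce (the sample data is constructed), then lists the update and delete commands an administrator would review before running.

```python
import json

# Constructed sample output, shaped like `wp plugin list --format=json` and
# `wp theme list --format=json` (WP-CLI is an assumed tool, not named in the guide).
PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "available", "version": "5.1"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
    {"name": "example-slider", "status": "active", "update": "none", "version": "2.3"},
])
THEME_LIST = json.dumps([
    {"name": "twentytwentyfour", "status": "active", "update": "none", "version": "1.1"},
    {"name": "twentytwentythree", "status": "inactive", "update": "available", "version": "1.3"},
    {"name": "example-parent", "status": "parent", "update": "none", "version": "2.0"},
])


def audit(plugin_json, theme_json):
    """Return {'update': [...], 'delete': [...]} of WP-CLI commands to review.

    Inactive plugins and inactive themes are flagged for deletion: their files still
    sit on the webserver even though nothing loads them. A theme reported as 'parent'
    is kept, because the active child theme depends on it. Anything that stays and
    has an update available is flagged for updating.
    """
    findings = {"update": [], "delete": []}
    for kind, items in (("plugin", json.loads(plugin_json)),
                        ("theme", json.loads(theme_json))):
        for item in items:
            if item["status"] == "inactive":
                findings["delete"].append(f"wp {kind} delete {item['name']}")
            elif item["update"] == "available":
                findings["update"].append(f"wp {kind} update {item['name']}")
    return findings


if __name__ == "__main__":
    result = audit(PLUGIN_LIST, THEME_LIST)
    for action in ("update", "delete"):
        print(f"# {action}")
        for cmd in result[action]:
            print(cmd)
```

Take a backup before running any of the emitted commands, as the guide advises for every update.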
Install the WordPress Firewall and Security Plugin: WP Cerber
If you haven’t already, you will want to install WP Cerber, the WordPress security plugin and firewall. You can download the plugin here or install it from your WordPress Admin Dashboard.