By default the answer is no. WordPress is not secure. In fact no CMS platform for websites is secure by default. All websites are under constant attack by spammers, hackers, malware injection, bot programs. It is pretty sad. When you inspect server log files and network traffic you will find that most of the Internet is garbage. The bad guys have taken over the WWW (Wild Wild West). All websites no matter what they run on are under constant attack 24 hours a day. Malicious programs and bots run all day long trying to access files and penetrate websites. It is really important to setup your website to be more secure. If you setup your WordPress site properly you will be safe from hackers and malicious code injection.
Top 10 WordPress Security Tips
- WordPress Updates – Start with the obvious. Everyone knows by now you must update your WordPress software and plugins constantly. Always keep your software up to date. The greatest thing about WordPress software is how easy the updates are to install. If your WordPress site is built correctly then updates should not break your website. It is quick and easy to keep your software up to date.
- Plugin Usage – Stop using so many plugins! You don’t need 25 plugins installed. Each plugin could be an entry point or security vulnerability. We use the same 5-10 WordPress plugins on every site we build. That way we are consistent and know what is running on every site. Only install supported plugins that are actively being updated. Old plugins that are not supported are security vulnerabilities.
- Good Web Hosting – You get what you pay for. Choose a web host that is experienced at hosting WordPress. Choose a web host that will help you secure your WordPress site. We offer full service WordPress hosting. We take care of the updates and security for you.
- Firewall Protection – If you have a good web host you may already be behind a firewall. You need some kind of protection behind a firewall to stop some of the obvious Internet garbage out there. Another option is to purchase a firewall service for your website. Sucuri offers a paid firewall protection solution that is pretty good.
- WordPress Hardening – By default the files and folders on your website could be open for hacking. A lot of times developers open up file permissions with 777 in order to install and setup WordPress themes and plugins. Sometimes these permissions are left open when the site goes live. Make sure you harden your file permissions on your site. At the command line you can run these two commands – Files 640 and Folders 750. When you are done you will have to open up permissions on the uploads folder.
find . -type f -print0 | xargs -0 chmod 640
find . -type d -print0 | xargs -0 chmod 750
- Security Plugin – Every WordPress site has to have a security plugin installed to help protect the site. There are a lot of good ones out there. We prefer the Sucuri WordPress security program. It is free and it offers a lot of protection and a scanner. There is a paid version of Sucuri security protection that we also recommend.
- Security Plugin Configuration – Installing the plugin doesn’t make your website secure! You need to set it up and go thru all of the configuration. You may need some help from an expert. Or you may need to read some documentation on the plugin website. The security plugins are not generally just a click of a button setup.
- wp-admin – Everyone knows the login page for WordPress is /wp-admin/. Change the WordPress admin URL to a different URL to help hide the login page from bad people. The plugin we use for this is WPS Hide Login
- User Accounts and Passwords – Make sure your admin user accounts are using very secure passwords. Bad guys are trying to use automated programs to guess your admin password 24 hours a day. Also delete any user accounts you don’t need. Do not create a user account called admin. Never use admin as your username.
- Add Google ReCaptcha – Protect all of your submit forms with Google reCaptcha or invisible reCaptcha. You can also protect your admin login page from malicious bot scripts by installing Google reCaptcha on your admin login page. We like to use the invisible one for WordPress.
Is WordPress Secure?
YES! Absolutely WordPress is as secure as any CMS software solution. If you configure it properly and setup security it is definitely a very secure website platform.