July 13, 2012
Security issues in WordPress
WordPress is a great tool that enables people to edit their own websites. Unfortunately, WordPress sites have a major drawback: security. The same underlying structure that lets site owners modify their sites and add features (themes, plugins and custom code) also gives attackers more to work with, and it puts the responsibility for preventing security problems on you.
In evaluating what to build into your WordPress site and how to maintain it, it is good to keep some security thoughts and best practices in mind.
Themes and custom development
If you use a pre-packaged theme, be aware that you may be installing malware along with it. Some themes have been built with malicious intent.
Even large theme developers have had security issues. I think it must be due to the complexity of these themes and the fact that they are popular; hackers most likely look for ways to exploit those popular themes specifically.
Some of the themes bundled with WordPress have been problematic, too. If your installation script sets up several themes for you to choose from, delete the unused ones once you have picked one. An inactive theme’s files are still on the server, and a flaw in them can be reached even though the theme is not in use.
If, on the other hand, your theme is custom built from the ground up by a developer specifically for your site, you are less likely to have this particular problem, because hackers are not going to invest time learning the specifics of your site’s custom code. Custom code can still have bugs of its own, though, so it needs the same care in review and maintenance as anything else on the site.
When you select plugins, it is better to rely on ones listed in the WordPress.org plugin directory, which at least go through a review when they are first submitted.
Even so, do not go wild and install plugin after plugin. Some plugins, even ones listed in the directory, have unfortunately been the entry point for attacks, and every plugin you add is more code that has to be kept up to date. As website developers, we are careful to stick to a small list of plugins that we have had good experiences with.
Also avoid plugins that allow custom PHP or script code to be inserted directly into posts and pages: any account that can edit content then effectively has the ability to run code on your server.
Backing up and WordPress safety monitoring
It is always good to back up your website periodically (we do backups monthly) so that if you do have an issue, the site can be restored from an earlier copy. Your web host probably has a means of automating backups; make sure it covers the WordPress database as well as the files, since your posts, users and settings live in the database. Again, if you are not sure how to do this, have a developer help set it up.
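As an added example (not code from the original post or from any backup product), here is a small POSIX shell script that does both halves of the job described above: it archives the site files and dumps the database, reading the database credentials out of wp-config.php so they are not duplicated in a cron job. The paths, the backup directory and the sample wp-config.php values are assumptions; mysqldump is the standard MySQL client tool.

```shell
#!/bin/sh
# Added example (not from the original post): a periodic WordPress backup that
# captures both the files and the database, suitable for running from cron.
# Paths, the backup location and the wp-config.php values are assumptions.

# Read a define('NAME', 'value') constant out of wp-config.php (first match only).
# Handles single or double quotes; a value that itself contains a quote is not handled.
wp_config_value() {
  cfg=$1
  name=$2
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1
}

# Archive wp-content (themes, plugins, uploads) plus wp-config.php.
# WordPress core itself can be re-downloaded, so it is left out to keep the archive small.
backup_files() {
  root=$1
  dest=$2
  stamp=$3
  mkdir -p "$dest"
  out="$dest/wp-files-$stamp.tar.gz"
  tar -czf "$out" -C "$root" wp-content wp-config.php || return 1
  chmod 600 "$out"   # the archive contains wp-config.php and therefore the database password
  echo "$out"
}

# Dump the database with credentials taken from wp-config.php.
# --single-transaction gives a consistent snapshot of InnoDB tables without locking the site.
# A DB_HOST of the form host:port is not parsed here.
backup_database() {
  root=$1
  dest=$2
  stamp=$3
  cfg="$root/wp-config.php"
  db=$(wp_config_value "$cfg" DB_NAME)
  user=$(wp_config_value "$cfg" DB_USER)
  pass=$(wp_config_value "$cfg" DB_PASSWORD)
  host=$(wp_config_value "$cfg" DB_HOST)
  [ -n "$db" ] && [ -n "$user" ] || { echo "could not read DB settings from $cfg" >&2; return 1; }
  mkdir -p "$dest"
  raw="$dest/wp-db-$stamp.sql"
  # MYSQL_PWD keeps the password out of the process list, where -p would expose it.
  # Dump to a plain file first so a mysqldump failure is detected (no pipefail in plain sh).
  MYSQL_PWD="$pass" mysqldump --single-transaction -h "${host:-localhost}" -u "$user" "$db" > "$raw" || { rm -f "$raw"; return 1; }
  gzip -f "$raw" || return 1
  chmod 600 "$raw.gz"
  echo "$raw.gz"
}

backup_wordpress() {
  root=$1
  dest=$2
  stamp=$(date +%Y%m%d-%H%M%S)
  backup_files "$root" "$dest" "$stamp" && backup_database "$root" "$dest" "$stamp"
}

# Usage with assumed paths: backup_wordpress /var/www/html /var/backups/wordpress
if [ "$#" -eq 2 ]; then
  backup_wordpress "$1" "$2"
fi
```

Keep the backup directory outside the web root and off the same disk if you can, and restore a backup onto a test site at least once: a backup that has never been restored is not yet a backup.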
You can also monitor your site with a convenient tool, Sucuri.net. Although it doesn’t always catch everything, it is pretty good. For only $90 a year, you can have your site scanned every four hours, and if it finds an issue it will email you. The service is like insurance: it also cleans up your website if an issue is found. Even if you purchase this service, it is still advisable to do regular, thorough backups of your own.
Maintaining WordPress and plugins
Log in to your WordPress site at least weekly to make sure your version of WordPress is up to date and all plugins are updated; many updates exist precisely to close security holes.
Also, keep in mind that just because a plugin says it is for security doesn’t mean it is secure. So always back up your website (and the WordPress database) periodically as your last line of defense.
High budget projects can benefit from investing time in “hardening” WordPress.
Kathy Smith has developed more than 250 websites – everything from n-tier enabled applications to ecommerce to your friendly brochure-style website. She is senior developer at Lakenetwork.net, a website development company in Eastlake, Ohio.
Lakenetwork is a family-owned business providing website design and development for companies, professionals and organizations in the Cleveland, Ohio area and beyond. We specialize in providing the most cost-effective and appropriate solutions for clients’ online needs. We are located in Eastlake, Ohio.