Keeping your WordPress site secure


Keeping your WordPress site secure and in good health can be challenging.

Here at Lunaria, the great majority of web sites that we build and host are based on the WordPress content management system (CMS). Other CMSs are available (Drupal, Joomla, etc.) but WordPress is the most popular globally, accounting for some 38% of all web sites whose CMS is known. It isn’t difficult to see why. It’s easy to install, easy for clients to create their own content, and it manages tasks such as search engine optimisation (SEO) in a simple way through the use of plugins. Perhaps its greatest strength is the huge library of plugins (many of them free) that you can use to enhance the functionality of your site with just a few clicks.

Unfortunately, the richness of the WordPress ecosystem is also a weakness. Plugins tend to have a life cycle – the most popular ones can survive for years, but many plugins are ultimately abandoned by their authors. When a plugin is abandoned, it’s generally removed from the library, unless new authors can be found to support it. More often than not, the plugin is orphaned and can become a security risk. When a plugin is known to have a vulnerability, it’s removed from the library, usually with a note to say why. The library will show the number of active installations for the plugin, along with a summary of user reviews.

There are many tools available to help keep your WordPress site secure but our favourite is the excellent Wordfence firewall plugin. The free version includes a scanning utility that will identify and alert you to abandoned plugins on your site. You can set Wordfence up to alert you by email when it finds problems. Bear in mind that the popularity of a plugin is not a guarantee of safety. The Wordfence Blog is littered with posts about well-known plugins that have been attacked. Security researchers are continually finding new flaws in old plugins that are exploited in the wild.
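The two warning signs described above (a plugin that has disappeared from the library, and one that has not been updated in a long time) can also be checked outside of Wordfence. The script below is an added example, not code from this post or from Wordfence: it reads the JSON that `wp plugin list --format=json` prints and asks the WordPress.org plugin information API (`api.wordpress.org/plugins/info/1.2/`) about each installed slug. It assumes the WP-CLI fields `name`, `status`, `update` and `version`, that the API's `last_updated` value begins with a `YYYY-MM-DD` date, and that a plugin no longer in the directory comes back as an `error` response; the two-year staleness threshold and all plugin names are constructed sample values.

```python
"""Audit installed WordPress plugins for removal from the directory or long inactivity.

Input 1: the JSON printed by `wp plugin list --format=json`.
Input 2: per-slug responses from the WordPress.org plugin information API
         (https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=SLUG).
A plugin is flagged when the directory no longer knows it, or when its last
update is older than STALE_DAYS.
"""
import json
import urllib.parse
import urllib.request
from datetime import date, datetime

STALE_DAYS = 730  # assumption: two years without an update is treated as abandoned
API = "https://api.wordpress.org/plugins/info/1.2/"


def parse_plugin_list(wp_cli_json: str) -> list:
    """Parse `wp plugin list --format=json` output (assumed fields: name, status, update, version)."""
    return json.loads(wp_cli_json)


def last_updated(info: dict) -> date:
    """The API's last_updated looks like '2023-05-01 10:12am GMT'; only the leading date is needed."""
    return datetime.strptime(info["last_updated"][:10], "%Y-%m-%d").date()


def classify(plugin: dict, info, today: date, stale_days: int = STALE_DAYS) -> str:
    """Return one of: closed, stale, outdated, ok."""
    if info is None or "error" in info:
        return "closed"      # directory returned an error: plugin removed or never listed
    if (today - last_updated(info)).days > stale_days:
        return "stale"       # still listed, but not maintained for a long time
    if plugin.get("update") == "available":
        return "outdated"    # a newer release exists than the one installed
    return "ok"


def audit(wp_cli_json: str, lookup, today: date, stale_days: int = STALE_DAYS) -> dict:
    """Map each installed slug to its verdict. `lookup(slug)` returns the API dict or None."""
    return {p["name"]: classify(p, lookup(p["name"]), today, stale_days)
            for p in parse_plugin_list(wp_cli_json)}


def fetch_plugin_info(slug: str):
    """Live lookup against the WordPress.org directory (needs network). None on hard failure."""
    url = API + "?" + urllib.parse.urlencode({"action": "plugin_information", "request[slug]": slug})
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except Exception:
        return None


# Constructed sample standing in for `wp plugin list --format=json` output.
SAMPLE_WP_CLI = json.dumps([
    {"name": "example-seo-helper", "status": "active", "update": "none", "version": "2.1.0"},
    {"name": "old-gallery-widget", "status": "active", "update": "none", "version": "0.9"},
    {"name": "contact-form-thing", "status": "active", "update": "available", "version": "1.0"},
    {"name": "vanished-plugin", "status": "inactive", "update": "none", "version": "3.2"},
])

# Constructed stand-ins for directory responses (real responses carry many more fields).
SAMPLE_API = {
    "example-seo-helper": {"slug": "example-seo-helper", "last_updated": "2024-02-10 9:00am GMT"},
    "old-gallery-widget": {"slug": "old-gallery-widget", "last_updated": "2019-06-01 11:30am GMT"},
    "contact-form-thing": {"slug": "contact-form-thing", "last_updated": "2024-03-01 4:15pm GMT"},
    "vanished-plugin": {"error": "Plugin not found."},
}


def sample_audit() -> dict:
    """Run the audit over the constructed samples as of a fixed date."""
    return audit(SAMPLE_WP_CLI, SAMPLE_API.get, date(2024, 4, 1))


if __name__ == "__main__":
    for slug, verdict in sample_audit().items():
        print(f"{slug:24} {verdict}")
    # On a real site: feed the actual WP-CLI output in and pass fetch_plugin_info as the lookup.
```

Anything that comes back `closed` or `stale` deserves the same attention the post gives to abandoned plugins: check the library page for a removal note, and plan a replacement rather than leaving the code installed.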

Security should be an active, ongoing process rather than a reaction to an intrusion caused by a vulnerable, abandoned plugin. If you’d like us to check the health of your WordPress site, please give us a call or email [email protected]