Is WordPress secure or not? This is a debate that always seems to go on however I do not think WordPress is any more or less secure than any other system out there. One of the reasons it can be less secure is because people have the perception that WordPress is free. Yes WordPress core is free and there are plenty of free themes and plugins available that one can download and install and have a free site up and running. If you go that route then in all honestly your WordPress installation will be less secure. Downloading free templates and plugins is risky as you do not know the level of skill of the developer. If you are going to create a website for your family pics by all means go ahead and download a free theme and free plugins. However if you are going to use the site to generate business for your photography business then I would suggest you should spend some money on buying themes and plugins that have been developed by experts in the business. This small amount you invest will save you a lot in the long run. There are plenty of great themes from the folks at Studiopress and iThemes that will not necessarily break the bank. The added bonus of paying for a theme is that you will have support if anything goes wrong. There may come a time when the paid theme or plugin does have a security issue but that will be fixed by the developers of your theme or plugin. So you are not only paying for a theme or plugin but also for peace of mind if something goes wrong.
Something people also forget is that it takes time and effort to keep your WordPress site secure. If you install your WordPress site and do not follow any of the best practises that have been suggested then your system will be vulnerable to attack. There are plenty of security plugins that you can install to secure your WordPress site. Below are a list of plugins I have used at one time or another to secure my website.
iThemes Security Pro
The iThemes Security Pro plugin is a great plugin that secures a long list of security vulnerabilities in your WordPress site. Below are some of the features that the iThemes Security plugin offers:
- Brute Force Protection
- File Change Detection
- 404 Detection
- String Password Enforcement
- Lock Out Bad users
- Away Mode
- Hide Login and Admin
- Email Notifications
- 2-Factor Authentication
- iThemes Sync Integration
The iThemes Security Pro plugin will also change your default database table name and default WordPress admin username if you did not change them when you first installed WordPress.
Sucuri is another great security plugin for any website. Below is a list of some of the features the Sucuri plugin offers.
- Malware Detection
- Malware Cleanup
- Malware Prevention
- Blacklist Repair
- Security Monitoring
- Exploitation Prevention
One of the great services Sucuri offer is if your site is infected by malware they will go in and clean the website for you.
The login lockdown plugin is a must for any workers site. Read my blog post on securing your login page with the login lockdown plugin.
The google authenticator plugin allows you to setup 2-Step authentication on your WordPress login page. Read my blog post on installing and configuring the Google Authenticator plugin.
Although this is obviously not a security plugin it is good practise to ensure you have regular backups of your website in case your site is compromised and you need to restore it. Backup Buddy is a great plugin to ensure you have regular scheduled backups of your WordPress site. You can schedule daily, weekly and monthly backups and you can choose to do a full backup of your site or just the database. You also have the ability to backup the site to the server your hosting your website on or to a remote location such as an Amazon S3 bucket, Dropbox, Rackspace, FTP or email.
I cannot stress how important it is to select a strong password for your website and especially for your admin account. Once a hacker has access to your admin account they will be able to do a huge amount of damage to your website. I strongly recommend investing in a program such as 1Password (Mac version) or the iOS version for your password management. The small amount of money you would invest in software like this will save you many hours of hardship and frustration should your site be compromised.
Another reason a site is comprised is because your WordPress site is not maintained on a regular basis. Like all software the WordPress core and the plugins need to be updated to make sure they are running the most secure version of the code. If you run one or two websites this is pretty straightforward as you can just login and run the updates manually. However if you run a lot of sites you can always use services such as Managewp or iThemes Sync Pro to keep the WordPress core and plugins up to date.
WordPress do a phenomenal job at keeping the WordPress core secure. If there are any vulnerabilities they are very quickly patched. So I believe that the core of WordPress is very secure but it is once you start adding themes and plugins that a WordPress site becomes vulnerable. Just like any system out there the more you expose it to dangers the more susceptible it becomes to being attacked.
Please note that some of the links above are affiliate links.