I resisted using WordPress for a long time. WordPress sites were used for blogs more than full websites and everyone talked about WordPress being vulnerable to attacks. And I had seen firsthand how hackers can destroy a WordPress site – it wasn’t pretty and it wasn’t easy to fix.
But WordPress has grown into a great content management system, flexible enough to handle a lot of customization and a perfect solution for nonprofits that want to update their own sites. So, what about security?
First, we need to understand that in today’s world, nothing is really 100% safe. Not our phones, not our emails, not our personal information stored anywhere. Unless we want to separate ourselves from our technology and decide not to live in the modern world, we need to take extra steps to ensure security and have backup plans in place.
Yes – WordPress is often a big target for attacks. Not because of some inherent ongoing vulnerability in the core WordPress software but because a) it’s the most popular content management system with a 26% share of the market worldwide and b) individuals and organizations using WordPress often leave their websites vulnerable.
The Three Big Things
Be selective about what Plug-ins are used.
WordPress comes with some great built-in functionality but the best part of WordPress is the ability to add functionality with plug-ins designed by other people outside of WordPress. Stick with the plugins that are most popular and have higher ratings (the plugin author has more motivation to keep the plugin updated) and check to see if the plugin actually is updated often by the author. The more often a plugin is updated the better. See: How to Choose Trustworthy WordPress Themes and Plugins
Update the WordPress software and plugins when updates are available.
You will get notices in the wp-admin backend when these updates are available. These updates will sometimes be security patches because a vulnerability was found so it’s crucial to stay on top of them. Check with your webmaster to determine the best day/time to do these updates (at least once per month) – they may need to be on standby in case there is an issue with an update.
NOTE: If you are doing a website makeover, make sure whomever is creating your new site does NOT archive the old site on the server unless you plan to keep tabs on it and regularly update the software and plugins for it. Most people don’t keep tabs on it and your site can be attached through these old files.
Set up secure user ids and passwords.
Never use Admin or Administrator as your user name. It’s the first thing attackers try when they are trying to log into your account. Don’t use your organization name all spelled out or your name if it’s prominently associated with the website. For your password, don’t use any word that is in the dictionary – even when combined with numbers or capital letters or other words found in the dictionary.
Programmers will always give you these hideous passwords with completely random letters and characters; these are ideal but you don’t have to go that route to be secure. You can use a made-up word or an amalgam of words combined or abbreviations with numbers / characters that have meaning to you (but preferably not something you use for all your passwords) and capitalizations.
Other Security Factors
Choose a web host that provides extra security
All web hosts are not created equal – and I definitely have my favorites. So will your programmers – but programmers tend to look for different things in a host; i.e. lots of power for a low cost (often with no bells and whistles unless the programmer creates them) – they don’t need control panels or easy to access security and backups because they can do it in the code. But trust me, you will want those things so you can do stuff if needed.
My top 4 requirements are:
1) 24/7 customer service by PHONE (not chat or email only) and
2) big enough brand name that I know they are not likely to disappear and
3) easy to use control panel and
4) the host provides some kind of malware detector on their end.
For extra security, obtain a dedicated IP address (so you don’t need to share an IP address with other people) and set up an SSL certificate (this is a must for all nonprofits collecting personal information in donation forms etc.)
My 2 favorite hosts:
InMotion – I love their security features (and have had direct experiences with those features catching problems before they became real problems) and Go Daddy – they have the best customer service and I completely trust that any problem will get fixed quickly. Keep in mind that no host is 100% perfect or 100% up all the time.
Here is a great write-up on the top 10 web hosts for 2016 from PC Magazine.
Add WordPress Security plugins
I personally love WordFence – and recommend getting the premium version. Wordfence provides real time prevention and you get immediate notices when someone is trying to log into your account. You can block specific countries and you can set up two-factor authentication which requires your login info AND code sent to your cell phone.
Backup your site at least weekly.
I use UpDraft Plus – which is a WordPress plugin that lets you easily backup your entire WordPress site including the database. What I really like about it is that you can set it to backup to your DropBox account. I prefer having backups stored completely offsite and easily accessible if you need them. Just as an extra precaution, it’s good to set up backups from your web host account in the control panel as well. Make sure key staff members are getting copies of backups, not just your IT person / webmaster.
Check out this great article from WordFence: How to Harden Your WordPress Site From Attacks