Project Management August 12, 2020 by Laura Elizabeth
How secure is Client Portal (and WordPress)?
When you consider WordPress for your website, a few things probably go through your mind:
- The ease of managing content and features the site will have.
- How WordPress can help deliver that using the design they have in mind.
- Where the site will be hosted.
- How security of the site will be implemented and managed.
Security is often pretty far down that list. But given that improperly managed security of a WordPress site can undo all the hard work of site design and content publishing in a matter of seconds, giving the proper attention to security of your WordPress site is just as important. This may seem daunting, but it is not.
In this article, we're going to go through what you need to know about WordPress (and thus, Client Portal) security. We'll be addressing what you can do to improve security for both yourself and your clients.
But first, let's address the elephant in the room:
Is WordPress actually secure?
Yes, WordPress is secure.
But... (and you knew there would be a but 😉)
...that security is a result of shared responsibility and effort across many roles within the WordPress ecosystem and community. This includes you, the site owner.
WordPress is used in over 35% of all websites on the internet, and with all the theme and plugin combinations out there, it’s not surprising that vulnerabilities exist and are constantly being discovered. With such popularity, it’s also not surprising WordPress is a target for hackers.
The community around the WordPress platform, however, works diligently to ensure these security vulnerabilities are addressed ASAP. As of 2020, the WordPress security team is made up of approximately 50 (up from 25 in 2017) experts including lead developers and security researchers.
Security is not about perfectly secure systems. Security is about risk reduction, not risk elimination. Here are a number of actions you can take, as the site owner, to contribute to improving the security of your WordPress website.
So how do you keep WordPress secure
As you probably already know WordPress is made out of 3 major components:
- The WordPress core
From a security perspective. You need to pay attention to all of these.
Keep your WordPress core up to date
WordPress comes out with new versions on a regular basis. While these new versions are full of new content publishing features that you may or may not need, they also come with software security improvements. For this reason alone, keeping WordPress core up to date is critical. Over 50% of all WordPress site security incidents can be traced back out of date WordPress core software.
One of the simplest ways to keep WordPress core up to date is with a managed host specializing in operating WordPress that will update WordPress core for you automatically as part of their services. One of the additional benefits of this approach is that the managed host also keeps the underlying supporting software up to date, including PHP. The configuration of the operating system and the underlying web server hosting the software is equally important to keep the WordPress applications secure. WPEngine, Pantheon, and Kinsta are three managed WordPress hosts that provide this type of service as part of their offering.
If you are operating WordPress on a web server in your own environment, you can choose to enable the WordPress software feature that updates the core application automatically, or you can develop a standard operating procedure that tests, stages, and deploys WordPress core updates on a monthly basis.
Regardless of your approach with keeping WordPress core up to date, make sure that your backup and restore procedures are also kept up to date and tested regularly. You should be backing up WordPress data on a daily basis. This can and should be automated.
Keeping Plugins and Themes secure
Plugins and themes are one of the major draws of using WordPress. There are over 50,000 plugins to choose from to extend your site’s capabilities and 10,000 themes to help your site look great. The key to keeping WordPress plugins and themes up to date is to choose wisely.
Look for plugins and themes that are active and kept up to date. WordPress plugin and theme repositories have indicators of when the last time the plugin was updated and if it has been tested with the current version of WordPress. If any plugin or theme you’re interested in hasn’t been tested with the current version of WordPress, it’s best to choose a different plugin than risk security.
Other things to look for are the install base, number of reviews, and ratings. You should also regularly audit the plugins and themes you are already using, and make plans to move away from those that are not regularly maintained by the original developer on a regular basis.
(Psst: Client Portal is always kept up to date. Check out our change log to see the frequency of our updates).
Within your regular site operating procedures, WordPress makes it easier for you by enabling one-click updates of plugins and themes from the WordPress dashboard. Many of the managed WordPress hosting services can make this additionally easier by automating this practice of plugin and theme updates for you. Ensuring your backup and restore procedures are effective is just as important in this practice as it is for updating WordPress core.
Five simple acts you can do this week to keep WordPress secure
Beyond the WordPress core and supporting software, there are many things you can do within the software configuration. Here are five simple acts you can do right away. You can do all five of these in a couple hours.
1) Make sure you change the default Admin username and password
When installed with default settings, WordPress will create a user account called “admin” with a password of your choosing. This user / password combination is the key to everything about your site. You are not beholden to utilize that admin user account. We’d suggest creating another user, making that the admin account, and deleting the admin account created by WordPress. It makes sense because if a hacker only has to crack the password of the “admin” user account, the task is 50% easier than having to crack both the username and password.
2) Use and enforce complex passwords for user accounts
A complex password of 12 characters with a mixture of uppercase letters, lowercase letters, numbers, and symbols is obviously harder for password cracking algorithms to solve than a common dictionary word. Your site is only as secure as everyone’s passwords.
There are multiple plugins that can help you with forcing your users to choose stronger passwords (please see our note on using security plugins below before proceeding). Every user having a non-dictionary password along with the next step in this post is one easy key thing you can do that protects your site.
Additionally we’d recommend the use of a password manager, such as LastPass or 1Password, to help you manage your password, keep secure passwords for all of your websites and help you easily change passwords that are compromised or if you find your information on the dark web.
3) Add two-factor authentication
While there are plugins that force users to strength their passwords, a few of those same plugins have the added benefit of forcing users to use an authentication code to log in by attaching an authentication method to their account such as Google Authenticator.
Adding this physical two-factor authentication component to your security setup forces hackers to need your actual device in addition to hacking your username and password.
Using both? Gets your site closer to bulletproofing.
4) Disable file editing from within WordPress
File editing is an easy code injection point that hackers sometimes use to redirect your site files to display malicious code to website visitors. If accessed, this capability of WordPress could be used to change the look of your site or send site data someplace it shouldn’t be, putting your site and its users at risk.
This change is super easy and involves adding a single line to your wp-config.php file to remove that risk completely.
To be clear, this change will not affect your ability to add or edit content on your WordPress site, just the ability to login to your site and edit PHP and CSS files that are part of your WordPress theme.
(You can still edit the way your site looks and make changes to the PHP and CSS, if needed, but rarely is that the case for an end user.)
5) Delete inactive plugins and themes
Software code that exists on your server represents opportunities for exploitation. Any software code will increase the risk. One of the common errors we see in hacking successes is infrequent updates to plugins. Good plugin authors are constantly watching out for security risks and updating their plugins to combat those risks and the opportunities for exploitation that leads to access to your website.
When updating plugins also check to see if there are any that can be outright deleted from the site. Frequently cleaning up these sections by deleting them from your site decreases your risk.
Best practice for themes is to have only two on the site at any given time, one that you’re using and the latest version of WordPress Core theme such as Twenty Twenty. You should keep both of these up to date on a regular basis. Out of date themes can lead to hacking attempts and successes that are easy to avoid by frequently doing software updates.
What about WordPress security plugins?
There is a large market of WordPress plugins addressing WordPress security. These plugins help you address many of the actions mentioned in this article and in some cases, do them for you. While you should consider and experiment using a WordPress security plugin, do so using the guidance suggested in this article. Choose wisely and understand the impacts of using them before activating.
The bottom line...
WordPress is your partner in creating your home online, protecting that home is a part of that partnership that is a shared responsibility.
WordPress security should be taken seriously but doesn’t need to be time consuming. Focus on the basis, put basic security measures in place and you’re way ahead of the curve on protecting your site and its content.