• Explore
  • Blog
  • Podcast
  • EIS Archive
  • About
  • Services
  • Contact
Menu

Exploring Information Security

Securing the Future - A Journey into Cybersecurity Exploration
  • Explore
  • Blog
  • Podcast
  • EIS Archive
  • About
  • Services
  • Contact

Improve WordPress security in three steps

April 4, 2016

WordPress websites allow individuals or organizations to get a website stood up quickly. With easy customization, WordPress is a flexible and powerful platform for websites. Unfortunately, because they're easy to setup security often times gets overlooked. Outdated and unused plugins can lead to compromised website. That compromise is typically in the form of redirects to malicious sites that try to install malware on a visitors machines. Most of the time an owner is unaware of the compromise. 

All hope is not lost. There is a way to securely run a WordPress site.

These three practices will help maximize security on a WordPress site:

  • Run only the programs needed

  • Run a security plugin like iThemes

  • Keep all plugins up-to-date.

The theme here is plugins. WordPress itself is a well built platform. The security issues that arise from the core are minimal. What makes WordPress sites vulnerable are plugins. The reason for that is that anyone can create a plugin.

Only run the plugins needed

I get it. We see a plugin we like and install it on the site to try it out. We forget about it or we deactivate it to try another plugin. That plugin sits there and sits there. And sits there. And sits there. If a plugin has been sitting there for a while remove it. A deactivated plugin is vulnerable to exploitation. If it’s deactivated remove it. It's just as easy to reinstall later.

If this is for an organization the same IT principles apply. Deactivate any active plugins that seem unnecessary or unused. Wait for a period of time to ensure there are no adverse affects, then remove it. A plugin installed on the site, even if it is deactivated, is still vulnerable to a malicious actor. 

Run a security plugin

There are plenty of good security plugins available for WordPress. A security plugin will add more features and settings to help make a site more secure. Here is a list of seven courtesy of Infosec Institute . I’ve only used iThemes, so I can’t speak to the quality of the others. Try out a few and see which one works the best. Remember the section above.

Keep WordPress and plugins up-to-date

Most vulnerabilities in WordPress-based sites aren’t from WordPress. They are usually from the plugins installed on the site. The core itself is pretty solid. The plugins are usually what make the site vulnerable. Look for plugins that are kept updated. Then update when a new version is available. It’s as simple as that.

The update process is quick and painless. Make sure to have good backups. Some hosting providers will provide this feature. Login to the site weekly to check for an update. A weekly reminder works wonders.

Conclusion

Only run plugins needed on the website. That means removing all unused plugins. Install a plugin for security. There are several available. I’m the most familiar with iThemes, which is why I recommend that plugin. Try out a few and find one that fits the website the best. Keep all plugins up-to-date. Even if the website isn’t logged into on a regular basis. Set a reminder and login once a week to check for updates.

WordPress sites are one of the most vulnerable platforms out there. One of the reasons for that is that a lot of people use it. A lot of people use it, because it is an easy platform to setup and maintain. That goes for security on the platform as well. Follow the three pieces of advice above and help make the internet a safer place.

This post first appeared on Exploring Information Security.

In Technology Tags Wordpress, Security
← Getting into information security via military serviceSuccess doesn't require following your passion →

Latest PoDCASTS

Featured
Oct 29, 2024
[RERELEASE] ShowMeCon: What does Jayson E. Street, Dave Chronister, Johnny Xmas, April Wright, and Ben Brown think about security?
Oct 29, 2024
Oct 29, 2024
Oct 22, 2024
[RERELEASE] What is security awareness?
Oct 22, 2024
Oct 22, 2024
Oct 15, 2024
How to get a penetration test (pentest)
Oct 15, 2024
Oct 15, 2024
Oct 8, 2024
How to Avoid Election Scams
Oct 8, 2024
Oct 8, 2024
Oct 1, 2024
What is sober in cyber?
Oct 1, 2024
Oct 1, 2024
Sep 24, 2024
How Disinformation Will Impact The 2024 Election with Renee DiResta
Sep 24, 2024
Sep 24, 2024
Sep 17, 2024
How to Hack an Enterprise
Sep 17, 2024
Sep 17, 2024
Sep 10, 2024
Ben Burkert of Anchor.Dev on the challenges of Internal Certificate Management
Sep 10, 2024
Sep 10, 2024
Sep 4, 2024
[RERELEASE] What is Practical Web Applicaiton Penetration Testing?
Sep 4, 2024
Sep 4, 2024
Aug 27, 2024
[RERELEASE] How to find vulnerabilites
Aug 27, 2024
Aug 27, 2024

Powered by Squarespace