Eight Steps to Eliminating Security Risks in WordPress

by Sean Michael Kerner

If you’re self-hosting WordPress on your own server, keep the core server software updated, including the operating system, Web server, PHP and MySQL applications.

All versions of WordPress since the 3.7 update in October 2013 can be enabled to automatically update the WordPress application for important bug and security fixes.

Keeping the server and WordPress itself updated is not enough. It’s critically important to make sure that both plug-ins and themes are always updated. WordPress provides an easy-to-access view that provides full visibility into items that must be updated.

It’s important to configure the WordPress administrator log-in page (/wp-admin) to be accessible via HTTPS/SSL. Otherwise, the administrator password is being sent in the clear and can easily be intercepted by an attacker.

For both WordPress.com as well as self-hosted sites, users should employ two-factor authentication, which requires a second password (or factor) to log into the site, providing an additional measure of security.

Multiple vendors provide WordPress security add-ons to help users lock down their sites. Among them are Wordfence and Sucuri, which can easily be found by searching in the WordPress plug-in listings.

Another useful tool from Sucuri is the WordPress distributed denial-of-service (DDoS) checker, which can identify if a given site is being used as part of an attack against others.

WordPress regularly updates its listing of best practices on how to harden and secure sites.