WordPress Security: High-Level Overviews and Generalizations

If you didn’t catch my webinar with Oliver Sild this week and security is not your strong suit, you missed out on some really good information.

I would, of course, encourage you to watch the whole thing — but I know not everyone’s got an hour to stop down in the middle of the week, so I thought I’d share my biggest takeaways and changes I’ll be making going forward…

Keep in mind, these are high-level overviews and generalizations 😅

  • Having something in front of your site at the network layer, like Cloudflare (learn how to set up Cloudflare), is great for filtering out bad traffic before it ever reaches your server and can help absorb DDoS attacks. But its protection is “generic”: it doesn’t know what software is running on your site, so it can’t recognise an attack aimed at a specific plugin or theme. It also only sees traffic that actually routes through it, so the origin server still has to be locked down so it can’t be reached directly.
  • Choosing a managed host that’s focused on security is a big piece of the puzzle. Because your host sits outside your application, it offers a different layer of protection: its malware scanning runs on the server rather than inside WordPress, so an attacker who compromises the site can’t simply switch it off, which makes it a more reliable place for malware detection. But be careful: the term “managed hosting” is thrown around liberally, and not all hosts are created equal (I’m begging Oliver to put together a list of what he believes a good managed host should offer).
  • Keeping your software up to date is vital. Yes, you may fear auto-updates, but they’ve gotten much better, and the vulnerabilities attackers scan for are usually ones a patch already exists for, so the time between a fix being released and you applying it is the window an attacker has. Even if you can’t trust auto-updates on all your plugins, you can probably turn them on for some of them.
  • The popular security plugins everyone’s heard of can offer some protection, but they are not the “all-in-one” or “silver bullet” they’re often marketed as. A plugin runs inside the same application it is guarding, so once an attacker has an admin account or can write to the filesystem, the first thing they’ll do is turn the security plugin off (or edit it), rendering it useless.
  • Security is everyone’s responsibility. If your client is willing to share passwords via email or reuses the same password on every account, their WordPress user account is a sitting duck. Limit access to your sites to the people who genuinely need it, give each of them the lowest role that lets them do their job, talk to them about good security habits, and consider two-factor authentication, at least for administrator accounts.
  • I asked Oliver what he thought the most dangerous misconception is about security, and without hesitation, he said “set it and forget it”. Security is a continuous process (like it or not!) and if you’re going to use WordPress, it has to be monitored on an ongoing basis.
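As an added example (not code from the webinar or from this post), here is a small must-use plugin that turns on automatic updates only for an allowlist of plugins, which is one way to act on the “maybe there are some?” point above. The file name, the function name and the plugin basenames in the list are assumptions; you would substitute the plugins you have decided you can trust. Dropping the file into wp-content/mu-plugins/ means it loads unconditionally and cannot be deactivated from the dashboard, which also keeps the policy in place if an attacker who gets into the admin area disables your ordinary plugins.

```php
<?php
/**
 * Plugin Name: Selective Plugin Auto-Updates (hypothetical example)
 * Description: Must-use plugin that enables automatic updates only for an allowlist of plugins.
 *
 * Save as wp-content/mu-plugins/selective-auto-updates.php (file name is an assumption).
 * Must-use plugins load on every request and have no deactivate link in the dashboard.
 */

// Allowlist of plugin basenames in "folder/main-file.php" form.
// These two entries are illustrative assumptions; list the plugins you trust to auto-update.
const EXAMPLE_AUTO_UPDATE_ALLOWLIST = array(
    'akismet/akismet.php',
    'wordfence/wordfence.php',
);

/**
 * Decide whether WordPress may automatically update a given plugin.
 *
 * WordPress runs the 'auto_update_plugin' filter for every plugin that has an update
 * available. $update is its current decision (true/false, derived from the per-plugin
 * toggle in the admin UI) and $item->plugin is the plugin basename.
 *
 * Allowlisted plugins are always updated; everything else keeps WordPress's default.
 * Returning in_array(...) directly instead would make the list exhaustive, i.e. it would
 * also block auto-updates for any plugin someone later enables from the UI.
 *
 * @param bool   $update Current auto-update decision for this plugin.
 * @param object $item   Update item; $item->plugin is the plugin basename.
 * @return bool
 */
function example_selective_auto_update( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, EXAMPLE_AUTO_UPDATE_ALLOWLIST, true ) ) {
        return true;
    }
    return (bool) $update;
}
add_filter( 'auto_update_plugin', 'example_selective_auto_update', 10, 2 );
```

Because the filter only answers the question “may this plugin auto-update?”, WordPress still needs its cron to be running for updates to actually happen; if your host disables WP-Cron you need a real system cron hitting wp-cron.php. If WP-CLI is available, `wp plugin auto-updates status <plugin>` shows the effective setting after the filter is applied.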

This webinar ended up being a great companion to our Security Weekly series where we’re diving into each of these topics in more detail.
