Debunking WordPress security myths: How not to secure your WordPress website
There’s a lot of hype around WordPress security these days. Lots of people are getting carried away in the rush to secure their WordPress websites, installing every security plugin they can think of without really understanding what they do. At best, most of these plugins are lately unnecessary. And at worse, they can damage your website,
In truth, WordPress is very secure straight out of the box. You don’t need to install loads of security plugins to avoid getting hacked, although one or two are actually quite helpful.
In the first of this two-part series on WordPress security, I’ll help you cut through the hype and avoid installing plugins you don’t need.
Limiting login attempts
WordPress plugins such as Limit Login Attempts (and similar features that are packaged with bigger security plugins like Wordfence Security) are very popular. They claim to make brute force attacks – where an automated program hacks into your WordPress website by trying many different password combinations – difficult or impossible. They do this by locking out IP addresses for a specified period after entering more than X number of incorrect passwords.
The problem is that brute force bots are cleverer than this. Nowadays they tend to use many different IP addresses, which makes these plugins fairly useless. If you don’t believe me, read this post from the man behind WordPress.
Antivirus WordPress plugins
So-called ‘antivirus’ WordPress plugins – such as Antivirus – are a bit misleading. Most of them don’t actually remove viruses at all. All they do is scan your WordPress website for anything suspicious – for example, suspicious-looking code that might be malicious, or differences between the plugins installed your website and the versions on the WordPress plugin repository. If something is suspected then they will alert you to the problem so that you have to decide whether it really is a problem (there are a lot of red herrings) and sort it out.
This can be helpful and it’s important to find out asap if your website has been hacked. The problem is that these WordPress plugins encourage you to set up regular antivirus scans. This uses a large amount of server resources as the plugin has to scan your entire website each time. This can slow down your site and even cause your server to crash, depending on your hosting setup. It’s far better to use a plugin like File Monitor Plus to detect any changes in your files (e.g. to alert you that malicious code has been added), rather than running a resource-intensive scan of your whole site every day.
Downloaded more than 1.75 million times, Wordfence is probably the most popular WordPress security plugin at the moment. It’s very powerful and includes everything you can think of relating to WordPress security. Limited login attempts, IP address blocking, Firewall, Antivirus scans – the lot.
There are lots of all-encompassing security plugins like this, but I’ve chosen to single out Wordfence as being unnecessary and potentially damaging.
As discussed above, a lot of Wordfence’s features aren’t as useful as they look. But to make things worse, I’ve started seeing problems with WordPress websites that have Wordfence installed.
Wordfence seems to use a huge amount of resources on the server hosting the website. This uses unnecessary bandwidth, can slow down your website and damage performance, and even cause server crashes. With one website (on a VPS hosting setup), the host kept reporting regular server crashes. The client keeps increasing the RAM and space on their server (thus increasing their hosting cost). We eventually discovered that Wordfence was the culprit. After replacing it with more appropriate measures, there have been no more crashes.
WordPress security is important, but I really would advise against installing plugins that don’t actually help. At best they’re fairly pointless, and at worse they can damage your website. See my next post for advice about how to avoid these pitfalls. You’ll learn how to protect your WordPress website from hacking in a more appropriate way.
How to do WordPress security properly
So, now we know what NOT to do. To give you a quick run-down of the correct way to secure your WordPress site, I’m sharing a handy infographic that CMSTOWP have designed. This highlights the main things you need to be aware of in WordPress security, without the hype.
I agree with everything in the ‘Tips to keep your WordPress site secure’ section of the infographic. It’s all about keeping your site up to date and properly maintained. It’s not about installing fancy plugins that slow down your site. Enjoy!
Help, I’ve been hacked!
And if the worst happens and your website is hacked, there are plenty of resources. These will help you get it back online as quickly as possible. DART Creations have written a useful guide on 7 essential steps to fully restore your website.