Translation of the article available at: https://codex.wordpress.org/Hardening_WordPress — WordPress security is taken very seriously, but as with other systems, security problems can arise if the necessary precautions are not taken. In this article we will discuss some common security issues and what you can do to keep your WordPress installation secure. This article is not the definitive guide to WordPress security issues. If you have security problems with your installation, you should consult with trusted experts who have extensive knowledge of both security and WordPress.
WHAT IS SECURITY?
Basically, what we understand by security is not about absolutely secure systems. That goal is impossible as well as difficult to achieve and maintain. When we refer to the concept of security, we are referring to risk reduction, not the elimination of all danger. It is about executing every possible and appropriate technique that allows you to assess your overall exposure and reduce the likelihood of presenting your website as a hacking target.
-
THE WEB HOSTING COMPANY
Often, the first place to start thinking about security is the web hosting company. Today, there is a large number of hosting service offerings that prioritize security. It is therefore important to understand where the hosting provider's responsibility ends and yours begins. A secure hosting service protects your privacy, data integrity, and availability of server resources. Qualities that a reliable hosting service should have are:
- Willing to discuss your security concerns and detail the processes and mechanisms available to provide a secure service.
- Provides the most recent version of all server software.
- Provides reliable backup and restore systems.
WEB APPLICATIONS
It is easy to look to your hosting service and pass all responsibility for the security of your website to them. But there are a large number of security-related decisions that fall to the owner or webmaster of the site. Hosting companies are responsible for the infrastructure the website runs on, but not for the applications you have chosen to install on your site. To understand why this is important, you should know how websites get hacked. Rarely is it due to infrastructure problems — the usual cause is a security issue within the application itself (an environment for which you are responsible).
SECURITY CONCEPTS
Keep in mind that you can improve your security by:
- Limiting access
- Making smart choices that reduce the number of entry points available to an attacker.
- Damage control
- Your system should be configured with the goal of minimizing damage in case it is compromised by a hacker.
- Preparation and knowledge
- Maintain backups and know the state of your installation at frequent intervals. Have a backup and restore plan in place for worst-case scenarios. This contingency plan will allow you to get back online in the shortest possible time.
- Trusted sources
- Do not install plugins or themes from untrusted sources. Limit your search for applications to WordPress.org or other recognized companies in the industry. Installing plugins or themes with little or no reputation can easily cause problems.
SECURITY ISSUES ON YOUR COMPUTER
Make sure the computer you use is free of spyware, malware, and viruses. It does not matter how many security levels your hosting provider has applied or how good your WordPress installation is — if your computer has a keylogger, a hacker will eventually steal your username and password and log in with full authority to do whatever they want on your installation. Always keep your operating system and software up to date. Your browser in particular should always be on the latest version. Using antivirus software can also make the difference between security and disaster.
WORDPRESS SECURITY VULNERABILITIES
Like many other modern programs, WordPress is updated frequently. Updates fix any security issues that have been detected. Keeping your site secure is an ongoing task, and therefore to achieve this goal you must keep your installation up to date at all times. Older versions of WordPress do not receive security updates. For this reason, your production version must always be the latest.