The 3 Most Important Things for WordPress Security

1. Great Hosting 01:42
2. Strong Passwords/Updated Plugins, Themes 03:14
3. Brute Force Protection 04:19

Read the full episode transcript below:

00:25 David Blackmon: Hey everybody. Welcome to another episode of WP The Podcast brought to you by WP Gears. I’m David Blackmon.

00:35 Tim Strifler: And I’m Tim Strifler.

00:37 David Blackmon: Today we’re going to talk about the three most important things for WordPress security. Security is important in this day and age. Tim, take it away. Sorry folks. I’m sick, still under the weather, so. I was going to talk about dive in, but I’m going to let Tim do some talking.

00:57 Tim Strifler: Yeah, no worries. I want to say before I dive into the three most important things, I want to say that there are a lot of security plugins out there. There’s a couple of big ones, WordFence, iThemes Security, and they’re great. But they do a lot and it’s … for most websites, it’s a little bit overkill, and it’s not always necessary to do all those things. I wanted to kind of narrow in. And if you’re doing those things and it’s a habit and you have no problem doing it, I’m not saying change it. But I wanted to share the things that we feel are the most important things that are going to make the most impact, because disclaimer, I don’t use WordFence, I don’t use iThemes Security. I use these three things here.

01:42 Tim Strifler: The first one, the first most important thing, this is at the top of the list and it’s 100% the most important on the list and that’s use great hosting. Back in the day when I first got going I was using crappy shared hosting. It was very cheap and I thought it was good enough, I thought it did the job, until my website got hacked. I was on … Shared hosting means that you are sharing the server with usually hundreds of other websites. My website got hacked. And here’s the thing. I had it lock down with iThemes Security. I had everything turned on. It was like Fort Knox. I didn’t do anything wrong. It was nothing that I did. It was because the other websites on the server were doing things insecure and basically that the server got penetrated and it was hacked. So my website got hacked as a result. It had nothing to do with what I was doing.

02:40 Tim Strifler: That’s why great hosting is so important. I am now on WP Engine. I also have a Flywheel account. So with those, they’re more expensive, but they’re managed hosting platforms. They have a lot of security built in at the server level, and so I don’t … I’ve never had the need for the really intense security plugins because they’re doing it for me. So I don’t have to worry about it. My sites have never gotten hacked. I get more traffic now than ever before, and I’ve never had to worry about it.

03:14 Tim Strifler: Now there’s two additional things on this list, and David, feel free to jump in at any time if you want. There’s two things on this list that I think also go together with great hosting, and that is just some common sense security practices, and that is strong passwords. Never use password as your password or 1234. You want a strong password that’s something random that no one’s going to guess or anything like that, that’s not going to be easily hacked by a bot or anything like that. I usually use the ones that are generated, which is a bunch of characters. I don’t have to memorize it. It is saved in LastPass or something like that.

03:52 Tim Strifler: Then in addition to that, make sure your plugins, WordPress itself, and your themes, all that are updated. Vulnerabilities are found all the time with different WordPress plugins and themes. And so they patch those plugins, those vulnerabilities. So you need to make sure that you keep those updated so that if a attacker finds that you have that plugin, they won’t be able to exploit that vulnerability. That’s the second thing.

04:19 Tim Strifler: The third thing on the list is use some sort of brute force protection. Now I’m pretty sure WP Engine actually has that built in to their server. Basically what a brute force attack is, is when a bot or a series of bots basically together will go and attempt to hack your website, log in with your username and password. So what they do is they do 100 different attempts a second to guess the username and password combination. Then the goal is if they do it enough times, they will either a) be successful and get into your site, or b) bring down your site because your server can’t handle that many access attempts.

05:04 Tim Strifler: What brute force protection is is if there is three or four incorrect attempts within a certain amount of time, it will automatically block that IP address. It’ll automatically block those bots because a real person won’t be trying that many different username and password combinations that quickly and someone’s not going to type in the wrong password that many times in a row. Most people have it saved in something like LastPass or they’re going to remember and type it correctly. So brute force protection is definitely something that’s really important.

05:37 Tim Strifler: Now I’m not saying the other things that WordFence or iThemes Security aren’t important, but they’re not nearly as important. Most of the time, if you do these things, your website will not get hacked. That’s my opinion. If you have thoughts, leave a comment on the post here for episode 514 and let us know your thoughts and if you have any experience with getting hacked and what you did to basically resolve it.

06:04 David Blackmon: Awesome. Tomorrow we’ve got another great topic. Is it too late to get into WordPress? Tim, until tomorrow. We’ll see you then.

06:13 Tim Strifler: Take care. Bye-bye.