WordPress Best Practices & Security

Building the Best WordPress Websites

There are many things to consider when building a WordPress website. Aside from the obvious message, audience, and marketing aspect, there are technical considerations that should be addressed at the beginning of a project so that you don’t find yourself “painted into a corner” and unable to make changes later on. By following industry standard WordPress best practices for design, development, and hosting, you’ll be able to avoid problems.

WordPress Security

While perfect security is never possible, there are things that you can do when developing a WordPress website to significantly reduce risks and ensure recovery should a problem occur.

• Hide the standard WordPress login area. WordPress is the most popular content management system in use today, powering over 25% of websites, worldwide. That means millions of websites can be accessed simply by adding “/wp-admin” to the end of the address. Changing this will send most attackers off to an easier target.
• Force strong passwords. By including code that forces strong passwords for all users you’ll avoid having a client or someone else introduce vulnerability later on.
• Limit the number of incorrect login attempts. Frequently attackers use automated scripts to repeatedly enter a variety of usernames and passwords. By limiting the number of incorrect login attempts, you’ll discourage these “brute force” attacks.
• Use a separate username and WordPress nickname. Articles and posts are often published under the username byline. By requiring a posts to be published under a separate “nickname” you make it more difficult for a hacker to learn your WordPress login credentials.
• Protect system files. Blocking public access to readme.html, readme.txt, wp-config.php, install.php, wp-includes, and .htaccess files prevents disclosing important information about your site.
• Disable directory browsing. The contents of a web directory that does not include an index file can be easily viewed by anyone online.

Design & Development

• Use the latest version of WordPress. WordPress is updated regularly to address ever-changing security threats, so always maintain the latest version.
• Never modify core WordPress files. If core WordPress files are modified to accommodate a design or functionality need, the changes will be overwritten when WordPress is updated, potentially breaking your site.
• Use recent HTML and CSS coding conventions. Currently HTML5 and CSS3 are the most recent version finalized, and published by the World Wide Web Consortium (W3C).
• Use recent versions of javascript. Often plugin developers will include out-dated or conflicting versions of jquery.php within their code. You may want to consider loading the latest scripts directly from the Google Javascript libraries so that you’ll know they are always up-to-date.
• Remove installation files. Remove wp-config-sample.php and /wp-admin/install.php after installation. These files are used during the initial installation of WordPress, but can introduce security holes after installation is complete.
• Limit plugins. One of the great things about WordPress is the many plugins that are available to accomplish just about any task you can think of. Over-reliance on plugins, however, can create slow, code-heavy sites and conflicting code. Consider coding functionality directly into your site. When you do use a plugin, make sure that it is from the WordPress.org repository or a well-known company or developer.
• Set proper directory permissions. WordPress needs to allow various files to be writable by the server, but this can sometimes be dangerous. Try and set directory permissions to be as restrictive as possible.

Hosting

Customers often assume that their hosting provider monitors their website and takes care of security. While some do, most only provide security that limits damage to the hosting providers servers, not your site.

• Avoid shared and “underpowered” hosting. Shared hosting environments can be a bargain and seem to offer the same features as more expensive dedicated server plans, but your website will be hosted together with hundreds of other sites on the same machine. Someone else gets busy–your site slows down. Somebody else gets hacked–they slip into your site while they are there. These “noisy-neighbors” can have a direct impact on your website’s performance.
• Backup both website files and databases. Schedule frequent and ongoing backups of your website files and databases. You may want to backup all of your website files each month and backup the database weekly, depending upon how often your site is updated.
• Use version controlling. If you’re operating a large or enterprise-level website with frequent changes and multiple users, a version control system will enable you to track changes that are made to your site and revert to earlier versions when problems arise. Git and Subversion are both popular version control tools. You may also want to develop a “staging” site to develop, test, and review new content and functionality before deployment to the live site.

WordPress Resources

Here are a few tools that we’ve found useful when designing WordPress sites.

• The Online Manual for WordPress WordPress information and documentation. codex.wordpress.org
• iTheme Security A great tool for protecting your WordPress. website.wordpress.org/plugins/better-wp-security
• WordPress Code Reference A directory of WordPress functions, hooks, classes, and methods. developer.wordpress.org/reference
• WordPress Myths & Misconceptions It can be easy to be misled by someone who is not experienced or familiar with WordPress. Here are a few misconceptions we’ve heard over the years.  datachieve.com/wordpress-myths/