Taking WordPress security seriously.

by David Dwyer on 06/05/2015

WordPress is quick and easy to install.  Millions of people have set up their own WordPress site, but quite a few have subsequently regretted they didn't spend a little more time thinking about security. 

When you're talking to a developer about a new WordPress site, make a point of listening out for mentions of "security".  It matters: WP is far too easy to hack if you don't pay attention to the details.

For a start, WP allows unlimited attempts to log in.  Far too many people choose their own name, or the name of their business, as their user name.  That means that if someone has worked out your user name (easy, peasy) they've got all the time in the world to try and crack your password.  And a lot of passwords are easy to work out if you know anything about a person, because people tend to choose something memorable, like a child's name and date of birth.  How many strings of unconnected letters and numbers can you remember without having to write them down somewhere?  There's a variety of methods that your web developer can use to make your site safer without you having to become World Memory Champion, including encryption of the cookies that allow your computer to "remember" your log-in details.

Some of the plugins used on WP are also vulnerable. Mostly WP sends site owners a message telling them to update a plugin, but owners don't always get around to it.  Consequently, there have been several cases of hacking that have created major problems; at one point WP forced an update to a popular program that went through without site owners even being advised to do it themselves. Some people set up plugins that aren't on WP's official moderated index, making them even more vulnerable because they may not get notified of problems and updates.  A safety-conscious developer will know which plugins are safe and which are not, and he or she won't install any unnecessary ones.

OK, this is important: if your WordPress website is not customised and is an off-the-shelf solution, most developers will advise you to set it to auto-update. However, this is not a safe Release Management approach. Irrespective of whether you have a customised or off-the-shelf solution, you should always apply the update to a test environment first. WP will become aware of potential problems well before you do, and they're pretty good about sorting them out if you let them. So remember, if you choose auto-update and let them tidy up for you, it may seem like one less thing to worry about, but in reality you could have business disruption.

One thing that's often ignored is backing up your website data.  If your site gets hacked and you manage to sort out the problem or move your site to a different domain, you'll need to reinstall the content.  If it's not backed up, you'll have to start again from scratch, and you'll probably have lost your entire database as well as all your content.  That's a nightmare - but a regular backup schedule will prevent it, so it's worth sorting out right from the start.

We recommend taking daily backups to a separate third-party backup server that is not connected to the live website. Usually, these can be seven rolling days' worth of backups with a monthly mirror backup. To make the best use of backup capacity, the daily backups should include only those changes for that day.
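A sketch of that rotation in Python, added here as an example and not Inspire's own tooling. The function names, the archive naming, taking the mirror on the 1st of the month, and `dest` being a staging folder that is then shipped to the separate backup server are all assumptions.

```python
import datetime as dt
import tarfile
from pathlib import Path

DAILY_KEEP = 7  # "seven rolling days" from the article


def backup_kind(day: dt.date) -> str:
    # Assumption: the monthly mirror is taken on the 1st of each month.
    return "mirror" if day.day == 1 else "daily"


def files_to_back_up(site_root: Path, kind: str, last_run: float) -> list:
    """Mirror = every file; daily = only files modified since the last run."""
    files = sorted(p for p in site_root.rglob("*") if p.is_file())
    if kind == "mirror":
        return files
    return [p for p in files if p.stat().st_mtime > last_run]


def write_backup(site_root: Path, dest: Path, day: dt.date, last_run: float) -> Path:
    """Write mirror-YYYY-MM-DD.tar.gz or daily-YYYY-MM-DD.tar.gz into dest.
    dest must live outside site_root so archives never back themselves up."""
    kind = backup_kind(day)
    archive = dest / f"{kind}-{day.isoformat()}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for path in files_to_back_up(site_root, kind, last_run):
            tar.add(path, arcname=str(path.relative_to(site_root)))
    return archive


def prune_dailies(dest: Path) -> list:
    """Delete all but the newest DAILY_KEEP daily archives; mirrors are kept."""
    dailies = sorted(dest.glob("daily-*.tar.gz"))  # ISO dates sort by age
    expired = dailies[:-DAILY_KEEP]
    for old in expired:
        old.unlink()
    return [old.name for old in expired]


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample site
        site, dest = Path(tmp, "site"), Path(tmp, "backups")
        site.mkdir()
        dest.mkdir()
        (site / "index.php").write_text("<?php // constructed sample")
        print(write_backup(site, dest, dt.date(2015, 5, 1), last_run=0.0).name)
```

Because each daily archive holds only that day's changes, a full restore needs the last mirror plus every daily taken since. A file changed after the mirror but more than seven days ago is in neither set, so widen `DAILY_KEEP` or mirror more often if that gap matters.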

As you can see, WordPress is popular because it's easy to use - but it's easy to hack too.  So when you're discussing your next WP-based site, make sure your developer talks a lot about security.  If he or she doesn't, go somewhere else.


David Dwyer is Managing Director of Inspire Web Development. He has years of experience in a range of web and IT roles plus seven years in sales and marketing in a blue-chip FMCG company. David’s academic and professional qualifications include a BA (Hons) in Business Economics (Personnel & Ergonomics) from the University of Paisley, an MSc in Information Technology (Systems) from Heriot-Watt University and PRINCE2 Practitioner-level certification. He is also an active member of the British Computer Society, Entrepreneurial Exchange and Business for Scotland.


Follow Inspire on Twitter @inspireltd and @developersos

