We love WordPress at AOR and we’ve been an exclusively WordPress shop since 2015 after close to a decade of WordPress experience. We made the call, choosing WordPress over other popular Content Management Systems (CMS) like Drupal and Joomla, and we haven’t looked back. One of the most important factors in picking which CMS to use is security and you better believe we wouldn’t use WordPress unless it was completely secure.
In some circles, WordPress gets a bad rap from a security standpoint but that opinion is, honestly, dated. You wouldn’t judge a 2018 Hyundai Sonata by its reliability scores back in 2009 so why would you do the same thing with a CMS?
Let’s take a look at where that reputation came from, what WordPress did to address it and then how AOR ensures the security of our WordPress sites.
Why the bad rap…and what’s been done to fix it?
Most of WordPress’ negative media attention stemmed from a slew of security concerns back in 2009 when many sites were compromised in a very short timeframe. WordPress released security patches over the next few weeks which required site owners to manually update their sites a handful of times. Not everyone took the time to update their sites when each patch came out, resulting in a huge number of websites online that simply weren’t taken care of. These out-of-date sites were left to be targeted by hackers who developed automated ways to take advantage of the situation, wreaking havoc for months and years after that.
While the security issues were immediately dealt with, the core issue in 2009 was that a WordPress site was easy to build but hard to keep updated. So WordPress introduced a feature which automatically upgrades WordPress in the background and added another feature that allows admins to update all plugins with one single click. These changes were implemented years ago and had a huge impact on the security of WordPress sites around the world.
Why do some WordPress sites still have issues?
First of all – almost 20% of the web runs on WordPress. That, by itself, is a major reason why you might hear about issues with WordPress more frequently than other CMS.
But you also have to consider that even the most reliable cars often have owners that don’t take care of them. WordPress is known for its ease of use and, because of that, it draws people from all technical backgrounds. It is extremely simple for someone with no experience to set up and start messing around with a WordPress site. It’s the responsibility of the person or organization who runs the website to keep it secure. With that in mind, you can imagine that a beginner with a WordPress site won’t take the necessary security precautions where a professional will know exactly how to harden WordPress against hackers.
We at AOR are professional WordPress developers and, in the many years we’ve been developing with WordPress, we’ve never had a security issue on any WordPress site that we’ve made.
How Does AOR Keep WordPress secure?
Hosting & Automatic Backups
Many WordPress site owners run into trouble because they’ll put their site on a cheap shared hosting environment with no WordPress specific features, support or security. They just have a chunk of space on a server and that’s it – file and directory permissions aren’t set correctly, WordPress specific security measures aren’t taken, they’re often subjected to “noisy neighbors” (other sites that might affect theirs on the same server), no backups are taken, no SSL certificates are set up…we could go on and on.
AOR uses WP Engine because they solve all of these hosting-related problems for us. Their platform is WordPress-specific, they set all file permissions automatically, run nightly security scans, back up the files daily (and on-demand), automatically remove plugins with known security risks, offer SSL certificates and have a fantastic support team who are happy to run security check-ups at any point.
Keep WordPress and Plugins Up To Date
We’ve already touched on this one – it’s now incredibly easy to keep WordPress up to date and, when we’re in charge of website maintenance, we schedule these updates so the system stays as secure as possible in a timely manner.
Limit Use of 3rd Party Plugins
The more plugins you use the less control you have over the code being run on your site. Our host, WP Engine, helps us by keeping track of plugins with known security issues and will not allow these on their system. We develop all of our own functionality whenever possible and, when an excellent solution already exists, we do all the research required to make sure it’s a respected plugin with a proactive development team.
Use a Custom Theme
Just like plugins, popular themes can have security issues too. The more people that use a particular theme the more likely a hacker will be able to figure out an issue and exploit it across the many websites that use it. At AOR, we’ve developed our own completely custom WordPress theme that both cuts down on development time and increases security for every site we build.
Forcing Secure Admin Logins
It sounds so basic but one of the most common ways a website will be compromised nowadays involves an inexperienced site owner logging in using the username “admin” and a basic password. Hackers with automated programs will scour the web trying to brute force login to websites using the username “admin” and guessing the password. It’s surprisingly effective. We take our username and password security seriously and don’t encounter these types of issues.
Additional Security Plugins
For clients that request it we also have a few plugins that we will set up to add an additional layer of security. These plugins will limit login attempts and add two-step authentication for those users that want the extra peace of mind.
We have a few other tricks up our sleeve that we like to keep on the down low but implement on each of the sites that we create.
WordPress is secure!
That’s right – WordPress is, inherently, secure – you have to go out of your way to mess up that built-in security. Fortunately, we know what we’re doing and you can rest assured that a site in the hands of AOR will stay safe.