Is WordPress Secure Enough for Microsoft? An Interview with Brad Williams.
by Jeff Carver on January 22, 2018.
Cybersecurity is a hot topic right now — it’s in the news almost daily. And as WordPress becomes more popular, site owners are looking for ways to make it more secure to prevent devastating hacking attacks. We recently had the opportunity to interview Brad Williams, the co-founder of WebDevStudios, a WordPress development company that’s thirty employees strong. He’s also a podcaster and co-author of Professional WordPress and Professional WordPress Plugin Development. He shares his advice on how to protect your site from cyber criminals.
A Little Bit About Brad
Brad set up his first website when he was a sophomore in high school (when AOL came free on a floppy disk). From then on, his interest in computers and the Internet skyrocketed. “Being able to connect with people all over the world was fascinating. Back then it was the Wild West,” Brad says.
After high school, Brad joined the Marines to explore computer programming. He eventually taught himself ASP and .NET, which launched his career in web programming. At his first job out of the Marines, he learned business and how companies can use the web both for marketing and to improve operations.
Brad became focused on open-source platforms when he launched his own web development company. Over time, he realized the potential that WordPress had and his company began developing exclusively on WordPress. “WordPress has always had a big focus on user experience and the user interface. Clients can easily figure out how to use it. They’re comfortable with it and they like it.”
Is WordPress Secure?
Even with the popularity of WordPress, it has its share of doubters. There are a lot of myths going around about WordPress, especially in the area of security. Brad walked us through why these myths just aren’t true.
Companies like Microsoft, Uber, Viacom, and Disney are all using WordPress. But, as Brad shares, “You need to be concerned about security no matter what platform you use. You should implement security audits and stay focused on protecting yourself.”
Unique, Complex Passwords Protect Against Hacking
A lot of the vulnerabilities are due to weaknesses in user authentication. If hackers can figure out your email and password, they can hack your site — no matter what platform you use. You need to choose a complex password that’s not easy to guess and not the same as the password you use on other sites. You can also install a plugin that forces users to create strong passwords, so the policy is enforced rather than left to each user.
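The password-enforcing plugin mentioned above can be surprisingly small. The following is an added example, not code from the article or from WebDevStudios: a must-use plugin (dropped into wp-content/mu-plugins/, which WordPress loads automatically) that rejects weak passwords on the profile screen and on the lost-password reset form. The function names, the `example_` prefix, the 12-character minimum and the short denylist are all assumptions chosen for the illustration; a real deployment would check against a much larger breached-password list.

```php
<?php
/**
 * Plugin Name: Example Password Policy (illustrative, not the article's code)
 * Place in wp-content/mu-plugins/ so it loads without activation.
 */

// Return a list of policy violations for a candidate password; an empty array means it passes.
function example_password_problems( $password, $user_login = '', $user_email = '' ) {
    $problems = array();
    // Constructed sample denylist (assumption): a real site would use a large breached-password list.
    $common = array( 'password', 'password1', '123456', 'qwerty', 'letmein', 'admin', 'welcome' );

    if ( strlen( $password ) < 12 ) {
        $problems[] = 'be at least 12 characters long';
    }
    if ( in_array( strtolower( $password ), $common, true ) ) {
        $problems[] = 'not be a commonly used password';
    }
    if ( '' !== $user_login && false !== stripos( $password, $user_login ) ) {
        $problems[] = 'not contain your username';
    }
    // Compare against the mailbox part of the address (the text before the @).
    $mailbox = strstr( (string) $user_email, '@', true );
    if ( false !== $mailbox && strlen( $mailbox ) >= 4 && false !== stripos( $password, $mailbox ) ) {
        $problems[] = 'not contain your email address';
    }
    // Require characters from at least three of the four classes.
    $classes = (int) preg_match( '/[a-z]/', $password ) + (int) preg_match( '/[A-Z]/', $password )
             + (int) preg_match( '/\d/', $password ) + (int) preg_match( '/[^a-zA-Z\d]/', $password );
    if ( $classes < 3 ) {
        $problems[] = 'mix at least three of: lowercase, uppercase, digits, symbols';
    }
    return $problems;
}

// Attach every violation to the WP_Error object WordPress shows back to the user.
function example_add_password_errors( WP_Error $errors, $password, $user_login, $user_email ) {
    foreach ( example_password_problems( $password, $user_login, $user_email ) as $problem ) {
        $errors->add( 'weak_password', sprintf( 'Password must %s.', $problem ) );
    }
}

// Profile edit and "Add New User" screens in wp-admin (fires from edit_user()).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    $password = isset( $_POST['pass1'] ) ? wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $password ) {
        return; // password is not being changed on this save
    }
    example_add_password_errors( $errors, $password, $user->user_login ?? '', $user->user_email ?? '' );
}, 10, 3 );

// "Lost your password?" reset form on wp-login.php.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    $password = isset( $_POST['pass1'] ) ? wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $password || ! $user instanceof WP_User ) {
        return;
    }
    example_add_password_errors( $errors, $password, $user->user_login, $user->user_email );
}, 10, 2 );
```

Both hooks are WordPress core actions: `user_profile_update_errors` receives the error object, an update flag and the user being saved, and `validate_password_reset` receives the error object and the user resetting their password. Because the checks run server-side, they cannot be bypassed by disabling the password-strength meter in the browser.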
SSL Certificates Prevent Interception
If you’re not using SSL, your information can be intercepted by a hacker. Brad cautions, “You need to be extremely careful if you’re on a public wi-fi network and you’re not using HTTPS.” A good rule of thumb is never to log in to any site on public wi-fi unless it has an SSL certificate.
Two-Factor Authentication Adds Extra Protection
It’s also a smart idea to use two-factor authentication. This method requires two forms of identification, such as logging in with your username and password and then entering a PIN or one-time code. You can enable two-factor authentication on just about any platform you’re using — from banking to your hosting account.
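To show what the second factor actually does on a WordPress site, here is an added example (not code from the article or from WebDevStudios) that verifies a time-based one-time password (RFC 6238 TOTP, the scheme used by authenticator apps) during login. It assumes each enrolled user has a base32 secret stored in a user-meta key named `example_totp_secret` and that the login form carries the code in a field named `example_totp_code`; both names, the `example_` prefix and the enrollment step itself are assumptions not covered by the article.

```php
<?php
/**
 * Plugin Name: Example TOTP Second Factor (illustrative, not the article's code)
 * Place in wp-content/mu-plugins/ so it loads without activation.
 */

// Decode an RFC 4648 base32 string, the format authenticator apps expect for shared secrets.
function example_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( rtrim( $b32, '=' ) );
    $bits     = '';
    for ( $i = 0; $i < strlen( $b32 ); $i++ ) {
        $val = strpos( $alphabet, $b32[ $i ] );
        if ( false === $val ) {
            return false; // not a valid base32 character
        }
        $bits .= str_pad( decbin( $val ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    for ( $i = 0; $i + 8 <= strlen( $bits ); $i += 8 ) {
        $out .= chr( bindec( substr( $bits, $i, 8 ) ) );
    }
    return $out;
}

// RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated to 6 digits.
function example_totp_code( $secret_bytes, $timestamp, $step = 30, $digits = 6 ) {
    $counter = intdiv( $timestamp, $step );
    $msg     = pack( 'J', $counter );            // 64-bit big-endian counter
    $hmac    = hash_hmac( 'sha1', $msg, $secret_bytes, true );
    $offset  = ord( $hmac[19] ) & 0x0f;          // low nibble of last byte selects the window
    $binary  = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
             | ( ord( $hmac[ $offset + 1 ] ) << 16 )
             | ( ord( $hmac[ $offset + 2 ] ) << 8 )
             |   ord( $hmac[ $offset + 3 ] );
    return str_pad( (string) ( $binary % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// Accept the current step and one step either side to absorb clock drift; compare in constant time.
function example_totp_verify( $secret_bytes, $submitted, $timestamp = null ) {
    $timestamp = $timestamp ?? time();
    $submitted = preg_replace( '/\D/', '', (string) $submitted );
    if ( false === $secret_bytes || strlen( $submitted ) !== 6 ) {
        return false;
    }
    foreach ( array( -1, 0, 1 ) as $drift ) {
        if ( hash_equals( example_totp_code( $secret_bytes, $timestamp + 30 * $drift ), $submitted ) ) {
            return true;
        }
    }
    return false;
}

// Priority 40 runs after core's username/password handlers (priority 20), so a WP_User here
// means the password was already accepted; an enrolled user must now also present a valid code.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ! $user instanceof WP_User ) {
        return $user; // earlier handler already rejected the login
    }
    $secret_b32 = get_user_meta( $user->ID, 'example_totp_secret', true ); // assumed meta key
    if ( empty( $secret_b32 ) ) {
        return $user; // second factor not enrolled for this account
    }
    $code = isset( $_POST['example_totp_code'] ) ? wp_unslash( $_POST['example_totp_code'] ) : '';
    if ( ! example_totp_verify( example_base32_decode( $secret_b32 ), $code ) ) {
        return new WP_Error( 'totp_invalid', 'Invalid or missing authentication code.' );
    }
    return $user;
}, 40, 3 );

// Add the code field to the wp-login.php form (assumed field name).
add_action( 'login_form', function () {
    echo '<p><label for="example_totp_code">Authentication code<br />';
    echo '<input type="text" name="example_totp_code" id="example_totp_code" class="input" size="20" autocomplete="one-time-code" /></label></p>';
} );
```

The verifier only ever accepts three 30-second windows and uses `hash_equals` so the comparison does not leak timing information. Note that a login that arrives without the code field (for example over XML-RPC) is rejected for enrolled users, which is the safe default.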
Keep Software, Plugins, and Themes Updated
Bots scour the Internet looking for sites to compromise. Will explains, “A bot will check every site to find vulnerabilities. It will try myriad username and password combinations, trying to hit on one that works. And if you don’t keep your site’s software, plugins, and themes updated, bots can find holes to enter.”
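WordPress can apply most of those updates itself. As an added example (not code from the article or from WebDevStudios), the following must-use plugin turns on automatic updates for themes, major core releases and every plugin except a short hold-out list that the site owner wants to test by hand, and shows an admin notice when one of the hold-outs has an update waiting. The `example_` prefix and the hold-out slug `example-shop-plugin` are assumptions; the filters, the action and the `update_plugins` transient are WordPress core.

```php
<?php
/**
 * Plugin Name: Example Update Policy (illustrative, not the article's code)
 * Place in wp-content/mu-plugins/ so it loads without activation.
 */

// Plugins whose updates are held back for manual testing (constructed list; slug is hypothetical).
function example_manual_update_plugins() {
    return array( 'example-shop-plugin' );
}

// Decide per plugin: auto-update everything except the hold-outs.
// $item carries ->slug, ->plugin (plugin file) and ->new_version.
function example_should_auto_update_plugin( $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, example_manual_update_plugins(), true ) ) {
        return false;
    }
    return true;
}

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    return example_should_auto_update_plugin( $item );
}, 10, 2 );

// Themes and major core releases update on their own as well.
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// List hold-out plugins that currently have a pending update, from the core update transient.
function example_pending_manual_updates() {
    $pending = array();
    $state   = get_site_transient( 'update_plugins' );
    if ( empty( $state->response ) ) {
        return $pending;
    }
    foreach ( $state->response as $plugin_file => $info ) {
        if ( isset( $info->slug ) && in_array( $info->slug, example_manual_update_plugins(), true ) ) {
            $pending[ $info->slug ] = $info->new_version;
        }
    }
    return $pending;
}

// Remind administrators so the held-back plugins do not quietly fall behind.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $pending = example_pending_manual_updates();
    if ( empty( $pending ) ) {
        return;
    }
    $lines = array();
    foreach ( $pending as $slug => $version ) {
        $lines[] = sprintf( '%s (%s)', esc_html( $slug ), esc_html( $version ) );
    }
    echo '<div class="notice notice-warning"><p>Updates waiting for manual review: '
        . implode( ', ', $lines ) . '</p></div>';
} );
```

The hold-out list is the trade-off Brad's advice implies: everything that can be updated without a test pass should update automatically, and anything that cannot should at least be impossible to forget.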
Protect Your Server
Your server has to be protected, and not every hosting company is created equal. Brad says, “If you don’t know what you’re doing, if you’re not a SysAdmin, go with a managed host. I like managed WordPress hosts like WP Engine and Pagely, because they’re focused exclusively on WordPress and they’re really good at what they do.” Brad suggests asking the hosting company you’re considering about their approach to security and what they’re doing to protect clients’ websites.
Backups are Essential
Whether or not your site is hacked, you’ll want to have a backup in case of a data loss. Brad says, “Backups are the most important things in life! There are two approaches to backups: you can back up everything on your site, or you can just back up your database. I like to do a full backup once a week and a database backup once a day.”
Brad uses a tool called Backup Buddy that creates both types of backups on a schedule. He recommends backing up your data to two locations, to ensure you will have what you need. You should also encrypt your backups. VaultPress is a good service that backs up your database in real time.
Be Careful With Plugins
There are over 50,000 plugins on WordPress.org. And there are just as many outside of WordPress.org. Plugins add code to your site, and if the code isn’t secure, it opens you up to attacks. Some plugins are highly secure, and some have serious vulnerabilities.
Brad advises, “My recommendation is to only use a plugin if you really need it. Check the reviews and ratings to see what people are saying about it. Is it actively being developed? Is the developer responsive to support requests? How many active installs does it have?” A good goal is to use fewer than ten plugins.
What to Ask When Hiring a Development Team
When you’re looking at hiring a team, ask, “What kind of security recommendations do you have for us?” See what they’re doing with their sites and how much they know about security. If the developer doesn’t bring up security, you should.
Brad left us with a final thought: “Never get complacent. Whether it’s your WordPress site or your phone, always be thinking about security. Protect yourself.”
You can learn more about WordPress security issues by going to WordPress.tv and searching “security.”
Hear all that Brad shared in the conversation.