WordPress has many users in the business and enterprise worlds - but can it be hosted securely? Let's find out...Posted on 17 May 2016 - Hosting
WordPress has been a genuine open-source success story. Once a humble blogging CMS, it has grown to serve many users in the business and enterprise sectors.
The very nature of open-source and some high-profile horror stories mean there are still doubts about WordPress’ suitable for big businesses. Can it ever really be hosted securely?
The truth is that WordPress is no more difficult to host securely than any other CMS. Whether it is using shared, VPS or managed hosting platforms, a web hosting firm that is capable of hosting any site securely ought to be capable of hosting a WordPress site securely.
That’s because secure WordPress is not really about the underlying hosting; it’s about how you manage it after installation. We have dealt with some horrendously infected sites and also some incredibly robust ones. The best secure WordPress hosting tip we can offer is to minimise your risks by not using shared hosting, where another site may be compromised and have a knock-on effect on yours. If security matters, opt for your own VPS or managed server.
Beyond that, it is good administration that will keep your website as secure as possible. Here are some recommendations for keeping your site robust.
If WordPress updates, you update. Keep WordPress and its plugins up-to-date at all times. Vulnerabilities are regularly found in updated versions and patched in subsequent versions to remove them. You will only receive the patch if you update WordPress and its plugins promptly and regularly.
Recommended action: Enable automatic WordPress updates from within your WordPress admin panel and verify update status regularly.
Only use reputable plugins and themes and those with recent and regular updates. Your WordPress site is only as secure as the plugins you install. Most will be open-source, so there is an inherent risk in installing ANY plugin that’s not part of the WordPress core.
There are a number of security-related plugins that will help ensure your WordPress installation is protected from malicious users. This will help block those who attempt to brute-force (repeatedly guess) your login credentials, rename your wp-admin to something less obvious and apply IP address restrictions to the WP backend.
Recommended action: Install the iThemes Security plugin and follow its suggestions.
These are useful if you suspect your site may have been compromised already. A malware detection plugin will scan your WordPress code to detect and remove any malicious scripts that may have made it onto your site.
Recommended action: Install Anti-Malware Security and Brute-Force Firewall and scan your site regularly.
When your site is maliciously scanned for vulnerabilities, it can seriously impact the performance of your site and server and may even stop normal visitors from being able to access the site. By enabling caching, your site can perform much better and deal with these requests as well as allowing your normal visitors to access the site as normal.
Recommended action: Install W3 Total Cache plugin. Enable disk-based page caching, object caching and database caching. When making updates to page content, you can purge the cache to ensure the latest content appears to visitors, it will then be re-cached for future visitors.
It is good practice to follow a Development > Staging > Production deployment methodology. This is a little trickier with WordPress due to databases changes, but some of our clients have used command line tool WP-CLI, version control system Git, server automation tool Capistrano and other deployment tools to add some structure to WordPress deployments and changes.
Again, secure WordPress hosting can never be 100% guaranteed. New vulnerabilities are found almost weekly and some sites will be affected. But following the tips above for day-to-day management of your website gives you the best chance of maintaining a secure, robust website.