Securing your WordPress site should be top of mind for anyone just getting started with their blog or website. Of course, you can go a long way by securing your domain using a secure domain certificate, but one of WordPress’s strengths is also its weakness: plugins.
WordPress has a great community of developers who work hard to provide plugins and themes that enhance your website or blog. However, plugins and themes often provide opportunities that hackers use to gain access to your site. Search Engine Journal recently published a post about the top threats to WordPress sites. The post highlights that themes and plugins are one of the three top threats, alongside malicious login attempts and vulnerability exploits.
Securing WordPress Themes and Plugins
My theory on WordPress plugins is to only use them where necessary, and if you do use them, make sure they are either premium (meaning you bought them) or are from reputable developers who constantly support the plugin with updates. The one piece of advice I would give is to apply updates to your plugins as soon as they are released. This reduces the likelihood that the plugin contains backdoors that a hacker can access.
I would also add that the more plugins you have, the more opportunity there is for someone to gain access to your site. If you’re not using a plugin, I would recommend you deactivate it and then uninstall it. This is a good habit to get into as your site grows.
Themes are the same, and free themes are generally free for a reason. They use old, outdated code, or they aren’t mobile-friendly or optimized. Since they’re free, they probably won’t be updated all that often, because updating a theme takes work and knowledge from a developer. This allows hackers to find holes in the theme, which they use maliciously for their own ends.
With WordPress themes and plugins, you get what you pay for. If you don’t have the money for a theme or plugin, make sure it’s from a reputable developer who keeps their work updated.
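One way to put the update and uninstall habits above into a routine check, as an added example that is not part of the original post. It assumes WP-CLI is installed on the server; `audit_wp_items` and the sample plugin names are hypothetical, and the CSV is constructed to match the `name,status,update,version` fields that `wp plugin list` and `wp theme list` can output.

```shell
#!/bin/sh
# audit_wp_items KIND
# Reads CSV (name,status,update,version) on stdin and prints one action per
# line: REMOVE for installed-but-inactive items, UPDATE for items in use that
# have a newer release available. KIND ("plugin" or "theme") only labels output.
# Assumes names are slugs without commas, as WP-CLI reports them.
audit_wp_items() {
  kind="$1"
  awk -F',' -v kind="$kind" '
    NR == 1 { next }                  # skip the CSV header row
    $2 == "inactive" {                # unused code is still reachable on disk
      printf "REMOVE %s %s (inactive)\n", kind, $1
      next                            # no point updating what should be removed
    }
    $3 == "available" {               # in use, but behind the latest release
      printf "UPDATE %s %s (installed %s)\n", kind, $1, $4
    }
  '
}

# Constructed sample input so the example runs without a WordPress install.
sample_plugin_csv() {
  cat <<'EOF'
name,status,update,version
seo-example,active,none,5.4.1
contact-form-example,active,available,2.1.0
old-slider-example,inactive,available,1.0.3
cache-example,must-use,none,3.0.0
EOF
}

# Demo run on the constructed data.
sample_plugin_csv | audit_wp_items plugin

# On a real site, feed it live data instead:
#   wp plugin list --fields=name,status,update,version --format=csv | audit_wp_items plugin
#   wp theme list  --fields=name,status,update,version --format=csv | audit_wp_items theme
```

Each REMOVE line corresponds to a deactivate-then-uninstall candidate, and each UPDATE line to a plugin or theme that should be updated now rather than later.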