WordPress is a great content management system for personal use, but is it safe for businesses?
When small-business owners come together, there are often heated discussions about which back-end platform is best for online use. Today, there are tons of great options available, and each has its own dedicated legions of super fans. However, for those who are new to doing business online, the choices can be confusing.
Some of the most common options include Wix, Shopify, Joomla, Drupal and WordPress. Each of these have their strengths and weaknesses, but the most popular option is easily WordPress.
Over a quarter of all websites, and over half that run a content management system (CMS), use WordPress. Yet, does simply being the most popular choice mean that WordPress is a good option for your business?
WordPress likely is a good option for your business—It offers the flexibility to do many different jobs without requiring much technology knowledge. It provides a lot of plug-and-play solutions, and it’s the type of CMS I heartily recommend to my clients.
If WordPress is so functional, and has such a low learning curve, why do some people believe WordPress isn’t secure enough for businesses?
There’s no denying that WordPress has had its fair share of highly publicized security issues, like the zero-day flaw and the SoakSoak malware fiasco. But the WordPress team was able to quickly shut down these breaches. Plus, almost all the common security holes are caused by third-party add-ons, and not the core installation. So, does WordPress deserve the label of being unsuitable as a back-end platform for businesses? No.
There are almost 75 million sites using WordPress. That makes it an extremely tempting target for hackers. It’s fair to assume that many hackers look for ways to break into WordPress websites. But, the core installation is rarely breached. In fact, no one has found a major vulnerability in the core installation of WordPress since 2013.
If the software itself isn’t to blame for poor security, what’s causing this concern? Most of the WordPress security issues are caused by the site owners themselves. Because WordPress is one of the simpler CMS platforms available, many first-time website owners use it to power their websites. Their inexperience leads to a lack of proper security measures which leaves their sites open to cyberattacks.
There’s another reason why some people think WordPress isn’t a good choice—the price. The core installation of WordPress is free, and themes and add-ons are extremely inexpensive. Many people believe when something is inexpensive, it can’t possibly be of any value. While there have been reports of free third-party add-ons containing malware, it’s unlikely if website owners use well-known add-ons. I suggest that all my clients use premium add-ons, customize their sites on their own, or outsource this to a trusted company.
What You Should Do If You Use WordPress.
If you decide that WordPress is the right CMS for your business, there are several things you should do to keep the hackers at bay. Here are four security tips to consider:
- Consider a managed WordPress host. WordPress website owners can minimize most security issues by choosing a managed WordPress hosting company. They provide a range of services, but almost all of them give you peace of mind by ensuring your WordPress website is up-to-date. Plus, they’ll monitor your website for hacking attempts. Managed WordPress hosts are commonly more expensive than the average host. However, since 41 percent of hacked WordPress websites are due to a vulnerable host, this is well worth the additional monthly fee.
- Keep everything up-to-date. Old, out-of-date WordPress core installations and third-party add-ons make your website an easy target. Experts estimate that over 50 percent of hackers gain entrance into WordPress sites through depreciated themes and add-ons. Always make sure your core installation is the newest one available. WordPress has an option to update the core installation automatically. I suggest you use this. Some third-party add-ons automatically update, but it’s always a good practice to check your vendor’s website for updates at least once a week.
- Secure passwords and admin URLs. When you install a new instance of WordPress, the software automatically sets up all the sites in the same way. That means that the username to access the back-end is ‘Admin’ and the pathway to the admin area is the same. The first thing you need to do is change both. You can hide your admin URL pathway using a security add-on, like Jetpack. You can change your username and create a strong password from the admin panel of your site.
- Get an SSL and use a secure payment gateway. Any websites that contains sensitive user information should apply for an SSL certificate. This ensures that all the information is encrypted and secured during transmission, and it helps to keep data from falling into the wrong hands. In addition, all websites that accept payments online should use a PCI-compliant payment gateway.
No matter what CMS platform you use, the security of your website comes down to how much time and money you put into protecting it.