Protect Your WordPress Ecosystem

April 23, 2022 by Brent Delperdang
Thinking in: CMS/Websites, Strategy

WordPress is a platform with an open source ecosystem full of options and flexibility. Did you know nearly a third of all websites are built on WordPress? This is one of the many reasons it is a great nonprofit website builder, and it is also what makes it a prime target for security threats. Are you paying attention to the space inside your WordPress ecosystem?

Keeping your website secure and safe is absolutely critical for your organization and your constituents, but it’s estimated that almost 70% of all WordPress sites have unpatched vulnerabilities. Don’t let your site be one of them! It’s your responsibility as a site owner to keep it protected. So, where should you start and what do you need to do? Here are our top security measures you can take today to keep your WordPress website safe.

Tend to the Core Platform and Foundational Plugins

Stay on top of updates to both WordPress core and WordPress plugins as they become available. Most updates include security patches that protect WordPress from the latest known threats. We share more about the importance of keeping your systems updated in our post about Proactive Cybersecurity Action.

Ground your website with a solid foundation

Staying up-to-date also means you should be using a secure and reliable hosting service that has foundational protections in place for your server, including backups.

Monitor for Weedy, Outdated Plugins

There are thousands of plugins available. In fact, the WordPress plugin directory has over 55,000 plugins registered. As plugins age, their developers come and go – sometimes a developer drops support for a plugin without warning, and it starts to decay. Make sure to regularly check your plugins to confirm the last time the developer made an update available. If it’s been longer than 6-12 months, you may need to look for an alternative and replant before an invasive species takes over.
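The plugin check above is easy to turn into a routine. The script below is an added example (not code from this post or from WordPress): given an inventory of installed plugins and the date of each developer's last release, it sorts them into "ok", "review" (older than roughly 6 months) and "replace" (older than roughly 12 months). The inventory is constructed for illustration; in practice you would fill it from the "Last updated" field on each plugin's directory page or from your own records. The 183- and 365-day cut-offs are an assumption standing in for the post's 6-12 month window.

```python
"""Flag WordPress plugins whose last developer release is older than the
6-12 month window the post recommends.  Added example; the inventory is
constructed sample data, not a real site's plugin list."""
from datetime import date, timedelta

# Constructed inventory: plugin slug, installed version, date of the developer's
# last release.  Fill this from the plugin directory's "Last updated" field.
PLUGIN_INVENTORY = [
    {"slug": "contact-form-example", "version": "5.6.1", "last_updated": "2022-03-30"},
    {"slug": "gallery-slider-example", "version": "2.0.4", "last_updated": "2021-09-01"},
    {"slug": "old-donation-widget", "version": "1.3.0", "last_updated": "2019-11-12"},
    {"slug": "seo-helper-example", "version": "3.1.0", "last_updated": "2022-04-10"},
]

# Assumed cut-offs approximating the post's 6-12 month guidance.
REVIEW_AFTER = timedelta(days=183)   # ~6 months: start looking for an alternative
REPLACE_AFTER = timedelta(days=365)  # ~12 months: treat the plugin as abandoned


def classify_plugins(inventory, today, review_after=REVIEW_AFTER,
                     replace_after=REPLACE_AFTER):
    """Return {"ok": [...], "review": [...], "replace": [...]}; each entry is
    (slug, days since last release), oldest first within a bucket.
    `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    buckets = {"ok": [], "review": [], "replace": []}
    for plugin in inventory:
        age = today - date.fromisoformat(plugin["last_updated"])
        if age >= replace_after:
            bucket = "replace"
        elif age >= review_after:
            bucket = "review"
        else:
            bucket = "ok"
        buckets[bucket].append((plugin["slug"], age.days))
    for items in buckets.values():
        items.sort(key=lambda item: item[1], reverse=True)
    return buckets


def report(buckets):
    """Render the buckets as one line per plugin, most neglected first."""
    lines = []
    for bucket in ("replace", "review", "ok"):
        for slug, days in buckets[bucket]:
            lines.append(f"{bucket:8s} {slug:28s} last release {days} days ago")
    return "\n".join(lines)


if __name__ == "__main__":
    # Fixed reference date so the output is reproducible; use date.today() in practice.
    print(report(classify_plugins(PLUGIN_INVENTORY, "2022-04-23")))
```

Run it on a schedule (monthly is plenty) and treat anything in the "replace" bucket as a task, not a warning: an abandoned plugin will never receive a patch for the next vulnerability found in it.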
Prune the number of Admin accounts

As your site (and organization!) grows and ages, the number of admin accounts may have grown along with it. If that is the case, review your existing admin accounts to see if any are no longer necessary. If you find some that are no longer needed, you can either downgrade that account to a non-admin permission level or remove it altogether.

Update your password with a secure one

It’s estimated that 8% of (over 35 million) WordPress sites are hacked due to weak passwords. Use a secure generator like 1Password or generate a unique password using the passphrase method. See more password tips that apply to any technology you use in our Salesforce Password Security post.

Consider Two-Factor Authentication

Two-factor authentication, or 2FA, is a stronger method of access security that requires 2 steps for logging in. Step one is typically the username/password combination that you’re used to. Step two typically requires entering a uniquely generated security code that must be accessed by a device you own via text or a special authenticator app. This enhances your site’s security because a would-be attacker now needs more than just a leaked username and password to access the site.

Keeping your WordPress ecosystem functioning properly takes time, planning, and resources. If you’re feeling a little overwhelmed by all these considerations, we’re here to help! BackOffice Thinking has dedicated support personnel that tend to the planning, preparing, and executing of security updates as they become available. For those who need extra time and less worry about their security vulnerabilities, contact us about your WordPress security support needs.

More from Our Series on Cybersecurity:
Nonprofit Leadership’s Role in Cybersecurity
Proactive Cybersecurity Action for Your Nonprofit’s Website and CiviCRM
Salesforce Password Security Practices

Additional Resources:
1Password
Passphrase Method
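The "passphrase method" mentioned in the password section is simply several words drawn at random from a word list. The script below is an added example, not code from this post or from 1Password: it draws the words with the operating system's cryptographic random source (`secrets`, never `random`) and shows how to size the passphrase from the list length. The 32-word list is a constructed sample for illustration only; published lists such as the EFF long word list contain 7776 words, which is the figure used in the entropy calculation.

```python
"""Generate a passphrase by the method the post recommends: several words
chosen at random from a word list with a cryptographic random source.
Added example; SAMPLE_WORDS is a small constructed list, not a real one."""
import math
import secrets

# Constructed sample list (32 words).  A real list should be far larger:
# the entropy of each word is log2(list size), so 32 words give only 5 bits each.
SAMPLE_WORDS = (
    "acorn", "basil", "canoe", "delta", "ember", "fjord", "gable", "harbor",
    "igloo", "jungle", "kayak", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "rustic", "saddle", "tundra", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "amber", "bison", "cobalt", "dune", "falcon", "gecko",
)


def generate_passphrase(word_list=SAMPLE_WORDS, word_count=5, separator="-"):
    """Join `word_count` words chosen with the OS CSPRNG.  Words may repeat;
    that is intended, since excluding repeats would lower the entropy."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return separator.join(secrets.choice(word_list) for _ in range(word_count))


def entropy_bits(list_size, word_count):
    """Bits of entropy for `word_count` words drawn uniformly from `list_size`."""
    return word_count * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest number of words from a list of `list_size` reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"5 words from this sample list: {entropy_bits(len(SAMPLE_WORDS), 5):.1f} bits")
    print(f"6 words from a 7776-word list: {entropy_bits(7776, 6):.1f} bits")
    print(f"words needed for 60 bits from 7776: {words_needed(7776, 60)}")
```

The takeaway from the numbers is that the strength comes from the list size and the word count, not from clever spelling: six words from a 7776-word list give about 77 bits, and the passphrase stays easy to type.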