WordPress security (revisited)

A few months ago I wrote about WordPress security. In that post I mentioned a couple of plugins that we use here at K4 Media: iThemes Security and Sucuri Security. While both are fine plugins, and configured correctly they should protect your site from hacks, it can be challenging to get the settings right. Very challenging, we found out.

Case in point — one of our sites running both plugins got hacked.

It wasn’t a bad hack, mind. And we caught it almost immediately. Still, having your web site hacked is bad. It rattles the confidence of your customers. Plus, cleanup is time-consuming, and the threat of re-infection is nerve-racking. As a result of the compromise, we reached out to one of our most trusted tech partners, Sydney E-Commerce. After a bit of head scratching and code re-evaluation, we are moving away from the two-plugin approach outlined previously. That security stance will be replaced by the WordPress security plugin Wordfence. Wordfence seems far easier to configure, and the reporting and monitoring are far better, which leads to a greater degree of confidence in the abilities of the plugin. Plus, it’s only one plugin, which makes management far easier.

As always, web site security is a never-ending battle. Constant vigilance is necessary. So is change.

P.S. For a great introduction to keeping your site secure, read WordPress Security: The Ultimate 32-Step Checklist.