WordPress is the most popular content management system on the planet: 27% of all websites are built on WordPress. But does WordPress have security issues? Let's talk about website security and eight practices to make WordPress secure for a credit union website.

People often judge a credit union by its website. Your website is your biggest branch and most frequent touch point with members. If your website gets hacked, relationships will be compromised. For these reasons, choosing a secure content management system is extremely important.

There are many CMS alternatives. At the forefront of these alternatives is WordPress because it's 10 times more popular than any other CMS on the planet (source: w3techs.com). Compared to other CMSs, WordPress has the most plugins, themes and developers, as well as the largest community of users helping users. But does the popularity of WordPress come at a price? Does popularity also mean more hackers and vulnerabilities?

Is WordPress Secure?

The question, “Is WordPress secure?” is actually somewhat misleading. That's like asking, “Is the Microsoft Windows operating system secure?”

Microsoft Windows is the most popular operating system in the world. Microsoft has done its part to make the Windows system secure, but some people use PCs insecurely. Ultimately, the security of a PC is determined by the user, not Microsoft. If you protect your operating system, it will be secure.

Similarly, WordPress is the most popular content management system on the planet for many good reasons. Its popularity means there are some people who use it insecurely. So yes, a WordPress site can have security issues, but that does not mean all WordPress sites are inevitably insecure. Nor does it mean that the WordPress system is insecure. For example, Boxeldercu.com is a 2016 CUNA Diamond Award-winning website and it's built on WordPress; it's a very secure website. (You can read about Box Elder's website on bloomcu.com.)

At its core, WordPress is extremely secure (see wordpress.org/about/security). In fact, when compared to competitors, WordPress is probably the most secure content management system on earth. While the popularity of WordPress does mean more people are trying to hack it, WordPress has been remarkably successful at resisting attacks. If you study the history of WordPress security, you'll see that WordPress software is NOT the security issue you should be worried about (source: managewp.com/is-wordpress-secure). The security threat you should be worried about is yourself. WordPress users are the security issue, not WordPress.

The truth is, no website on earth is 100% secure, no matter what CMS it's built on (or not built on). Yet the popularity of WordPress yields an unmatched advantage: when threats arise, the biggest CMS community in the world works together to provide solutions, fast. Having the largest CMS community to help you resolve issues is a huge advantage WordPress has over other CMSs.

The best anyone can do to secure a website is minimize security threats by following eight practices. Below, I explain eight things you can do to make a WordPress site secure, but first let's take a look at some brands that use WordPress.

The World's Biggest Brands Use WordPress

27% of all websites are built on WordPress. That might seem unbelievable because there are hundreds of millions of websites in the world, but it's true. The smart folks at W3Techs have been tracking the usage of content management systems on the web since 2011. W3Techs uses a very specific methodology to provide these numbers.

Below are some brands that use WordPress:

  • Walt Disney: Walt Disney is one of the most well-known brands in history. Walt Disney relies on WordPress. WordPress website: thewaltdisneycompany.com
  • Glad: Don't get mad, get Glad. I bet this brand is glad they use WordPress for their website. WordPress website: www.glad.com
  • NFL: The NFL uses WordPress to share sports news and insights. WordPress website: blogs.nfl.com
  • Canada: Yeah, Canada – you read that correctly. Canada uses WordPress to share news – lots of news. WordPress website: o.canada.com
  • Motley Crue: If you like 80s rock music, maybe you've heard of Motley Crue. These hair-metal rockers use WordPress to share news, sell tickets and swag, and connect with fans. WordPress website: www.motley.com
  • Martha Stewart: Martha Stewart uses WordPress to share content with the world. WordPress website: www.themarthablog.com
  • Target: Ahhh. Target, my favorite place to shop for socks, patio decorations and canned salsa. Target uses WordPress to share content. WordPress website: pulse.target.com
  • Gateway Bank: Gateway Bank uses WordPress to maintain their responsive website. It's a beautiful WordPress website. WordPress website: gcbaz.com

What are the chances of these brands using WordPress if it's insecure? Answer: No chance. World-class brands have the option to use any CMS they want. They use WordPress because it's the best CMS and it's secure. Making WordPress safe for credit union websites is a matter of following eight security practices.

8 Practices to Make WordPress Secure for Credit Union Websites

Instead of developing a website in-house, most credit unions hire a vendor that specializes in website design and development. If a company depends on WordPress for the success of its business and clients, you can feel more confident that the company will make sure your WordPress website is secure. If you select a vendor with a history of using WordPress, they are more likely to follow the eight security practices below.

Whatever vendor you work with, make sure the eight practices below are followed.

1. Keep Your Website Updated

Each new version of WordPress brings new features and bug fixes, but also addresses known security concerns. It's easy to forget about your website over time, but the internet changes every day and your website needs to change with it. When you skip or forget about updates, back doors open for hackers.

If you cannot stay on top of updating your website, you should find someone to manage it for you. If you use dedicated WordPress hosting, your host might update WordPress automatically, which is a helpful security feature. (For example, we host our WordPress websites on WP Engine because they specialize in WordPress hosting and automatically update WordPress sites.)

2. Host Your WordPress Website on Secure Servers

Forty-one percent of successful WordPress attacks happen because of insufficient security on hosting servers (source: wpwhitesecurity.com). Website hosting these days is very affordable, but it's never a good idea to host your site on $5-per-month servers. Never do that! Most cheap hosting services are easy targets.

Hosting on WP Engine protects our websites with many security features that give us peace of mind: automatic WordPress updates, real-time threat detection, enterprise-grade servers and a team of professionals whose mission is to ensure my websites are never, ever compromised. WP Engine's hosting is not the cheapest, but it's still very affordable. Their security features are well worth the price tag.

3. Create Unique Usernames and Passwords

Eight percent of hacks occur because the front door is left wide open: hackers guess usernames and passwords with brute force attacks. A brute force attack is when a hacker uses software to repetitively guess various usernames and passwords until they find a winning combination. They first try common usernames and passwords. For example, if your username is “admin” and your password is “password” then your website could be hacked in a matter of seconds.

Fortunately, there is a very simple solution to prevent brute force attacks: create unique usernames and passwords. Make your passwords strong (when you create a password in WordPress, WordPress tells you how strong it is) and don't use easy-to-guess usernames like “admin” or “administrator.” You don't have to create a crazy password you can never remember. Instead, consider making your password a sentence or phrase you can easily remember – include capital letters, punctuation, numbers and even spaces in your passphrase.

Here's a nifty tool to help you create more secure passwords: howsecureismypassword.net

4. Limit Login Attempts

Limiting login attempts minimizes the risk of brute force attacks because brute force is a process-of-elimination strategy. Usually, several thousand login attempts are required for a brute force attack to succeed. Therefore, limiting login attempts makes it almost impossible for a hacker to guess your username and password.

There are several WordPress plugins that can help you limit login attempts, but before choosing a plugin, read tip #5 below.

5. Use Trusted Third-Party Plugins Only

One allure of WordPress is the millions of seemingly wonderful plugins you can instantly install on your WordPress website. However, more than half of WordPress security breaches happen because of vulnerable plugins. Some of the most popular plugins in the WordPress community have caused widespread compromises, sometimes because plugins were outdated and other times because plugins were poorly developed.

You should only install a plugin if it meets these criteria in the WordPress Plugin Directory:

  • Last updated: Within the past three months
  • Active installs: 10,000+
  • Ratings: At least four out of five stars
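
Those three criteria can be checked mechanically against a plugin's record in the directory. The Python below is an added example, not part of the article; it assumes records shaped like the api.wordpress.org/plugins/info/1.2 responses (field names last_updated, active_installs and rating, the last a 0-100 percentage), and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# The article's three criteria. The directory API reports 'rating' as a 0-100
# percentage, so "four out of five stars" is 80.
MAX_AGE = timedelta(days=90)
MIN_INSTALLS = 10_000
MIN_RATING = 80

def parse_last_updated(value):
    """Parse the 'last_updated' string, assumed to look like '2024-03-19 8:44pm GMT'.
    Returns None when the field is missing or in an unexpected format."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None

def vet_plugin(info, now):
    """Return the list of criteria a plugin record fails; an empty list means it passes.
    `info` is a dict shaped like one api.wordpress.org/plugins/info/1.2 record
    (assumed field names: last_updated, active_installs, rating)."""
    problems = []
    updated = parse_last_updated(info.get("last_updated"))
    if updated is None:
        problems.append("last_updated missing or unparseable")
    elif now - updated > MAX_AGE:
        problems.append(f"last updated {(now - updated).days} days ago (max 90)")
    installs = info.get("active_installs", 0)
    if installs < MIN_INSTALLS:
        problems.append(f"only {installs} active installs (min {MIN_INSTALLS})")
    rating = info.get("rating", 0)
    if rating < MIN_RATING:
        problems.append(f"rating {rating}/100 is below four stars ({MIN_RATING})")
    return problems

# Constructed records for illustration, not real directory data.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_PLUGINS = {
    "well-maintained": {"last_updated": "2024-05-28 6:21pm GMT", "active_installs": 4_000_000, "rating": 94},
    "abandoned": {"last_updated": "2022-01-09 11:02am GMT", "active_installs": 30_000, "rating": 88},
    "niche-and-new": {"last_updated": "2024-05-30 9:15am GMT", "active_installs": 400, "rating": 60},
    "no-date": {"active_installs": 50_000, "rating": 90},
}

def vet_all(plugins, now=NOW):
    """Map each slug to its list of problems so a reviewer can see why it failed."""
    return {slug: vet_plugin(info, now) for slug, info in plugins.items()}
```

A missing or unreadable update date is treated as a failure rather than skipped, so a record the API returns incomplete cannot slip through the age check.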

To keep a plugin secure, you must always keep it up-to-date. Updating plugins is really important! Also, you should never use a plugin on WP Engine's blacklist (“Disallowed Plugins”). We love WP Engine because it automatically removes harmful plugins and updates installed plugins as soon as updates become available.

6. Use a Premium WordPress Security Plugin

While vulnerable plugins can make your website insecure, other plugins are built to bolster security.

The plugins below can help you monitor and protect your WordPress website:

Wordfence
  • Last updated: One week ago
  • Active installs: 1+ million
  • Ratings: 4.9 out of five stars

iThemes Security
  • Last updated: One week ago
  • Active installs: 700,000+
  • Ratings: 4.7 out of five stars

Sucuri Security
  • Last updated: One month ago
  • Active installs: 200,000+
  • Ratings: 4.6 out of five stars

BulletProof Security
  • Last updated: One month ago
  • Active installs: 100,000+
  • Ratings: 4.7 out of five stars

7. Back Up Your Website Every Day

Backing up a website is the ultimate disaster insurance for a site. If you back up a website, you can instantly restore an uncompromised version of the site from a previous save point. That's why you should back up your website every single day.

Dedicated WordPress hosts like WP Engine automatically back up websites daily. If your hosting provider doesn't provide daily website backups, here are some safe plugins you can use:

  • VaultPress
  • BlogVault

8. Use a Content Distribution Network

A content distribution network is a network of servers around the world that host and deliver your website to users. CDNs distribute the risk of a website attack across many servers. If you host your website on a CDN, an attack will only hit a single server, which will immediately stop serving your site. Website traffic is then re-routed to a secure instance of your site on another server. This re-route happens so fast that no one is likely to notice a change on the website.

Our preferred WordPress host, WP Engine, offers CDN service through its partner, NetDNA. (You can also check out MaxCDN.)

Bonus: Not only does a CDN give you better security, but you'll also get performance advantages like a faster website.

Extra Credit

In addition to the eight essentials above, you can take security even further. Here are 10 more steps you can take if you need to protect all the gold in Fort Knox.

  1. Adjust installation settings
  2. Identify and patch WordPress theme vulnerabilities
  3. Use correct file permissions
  4. Turn off PHP error reporting
  5. Protect WordPress using .htaccess
  6. Disable XML-RPC
  7. Use two-step authentication
  8. Hide your login page
  9. Remove the WordPress version number
  10. Scan your website regularly

To learn about these extra credit security practices, read WordPress Security: The Ultimate Guide.

I did not expound on these 10 extra credit practices because there's a cost threshold to consider. Like anything else in life, implementing security practices has benefits and costs. For example, we all might like to own Lamborghinis if they were given to us as gifts. However, we know that owning a Lambo isn't completely necessary; it's kind of overkill. Instead, if we each won $1 million in a lottery, most of us would not buy Lamborghinis. Most of us would use the money in other ways more aligned with our interests.

Similarly, executing every website security practice would certainly be a good thing, especially if someone is going to do it for free. Unfortunately, few people love website security enough to do it for free. That means implementing these extra credit security features comes with a cost. If you believe the extra cost is worth it, then eat your heart out. If I were to recommend just one of the extra credit security practices that would give you the best bang for your buck, it would be “identify and patch WordPress theme vulnerabilities.”

So, Is WordPress Secure for Credit Union Websites?

Yes. WordPress is very secure. Many credit union websites are built on WordPress. But a WordPress website is like any other website: administrators must follow good security practices to keep a website safe. Therefore, a better question is, “Will YOU make your credit union website secure?”

If you follow the eight security practices explained above, you'll have one of the most secure websites in the world. Here's a condensed security checklist to follow:

  1. Keep your website updated
  2. Host your WordPress website on secure servers
  3. Create unique usernames and passwords
  4. Limit login attempts
  5. Use trusted third-party plugins only
  6. Use a premium WordPress security plugin
  7. Back up your website every day
  8. Use a content distribution network

Derik Krauss is co-founder of BloomCU. He can be reached at 844-334-3837 or [email protected].

© 2024 ALM Global, LLC, All Rights Reserved.