WordPress Security VS Functionality – Striking the Right Balance

Last updated on May 14th, 2015 by Robert Abela. Filed under WordPress Security Tutorials

The more functionality your WordPress has, the bigger its attack surface. The more lines of code there are, and the more plugins you install, the more exposed to malicious attack your WordPress will be.

Ever heard this before? While many believe these statements are true, it all depends on how well things are executed. Don’t let the above reasoning deter you from building your own website with all the functionality you require. Security is all about striking the right balance, as this article explains.

Finding the right balance between WordPress security and functionality

Full Functionality and Maximum WordPress Security

Let’s set the facts straight first. No WordPress website, or any other website, is 100% secure. The most secure thing to do is nothing at all. In reality, though, you need a website, so doing nothing at all is not an option. You should be able to provide as much functionality as possible to your visitors and customers without jeopardizing the security of your WordPress website and your business.

Before deciding what functionality or WordPress plugins you need, you have to understand the purpose of the website. For example, if a website is used to sell premium add-ons for WordPress plugins, the website’s scope can be broken down as follows:

  • Provide visitors with all the information they need about the plugins and add-ons
  • Allow visitors to buy the premium add-ons
  • Allow customers to log in to the user portal to check the license, download link, renew the license etc.

To achieve the above functionality on WordPress you have to install a number of plugins, since such functionality is not available by default. You also need forms that accept user input. This means that your website has to accept HTTP POST requests, which are the basic ingredient an attacker needs to craft an attack. It also means that by installing plugins you add lines of code, and therefore increase the attack surface of your WordPress.

However, unless you provide such functionality you won’t be able to sell the premium add-ons and provide a good service to your customers while generating income. So what can you do to ensure full functionality without jeopardizing the security of your WordPress websites and blogs?

Choosing the Right Plugins

Instead of doing nothing at all, build the website to sell add-ons, and when doing so make sure you carefully choose which plugins to install and use. You can find ample documentation and guidelines that explain how to choose WordPress plugins.

Do Not Install WordPress Plugins That Are Not Needed

I have reviewed and cleaned up many WordPress installations. One common problem that always stands out is the large number of plugins, both active and inactive, that are installed but no longer used or needed. The same applies to WordPress themes. I once saw a website with more than 20 installed themes.

Uninstall (and make sure all files are deleted) any WordPress plugin or theme which is no longer being used. First of all, this ensures that your WordPress installation is easier to manage. Secondly, keep in mind that if a plugin’s code is vulnerable to a specific attack, it can in most cases still be exploited even while the plugin is deactivated, because its files remain on the web server.
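As an added example (not code from the original article), a short Python audit that turns the output of WP-CLI’s `wp plugin list --format=json` and `wp theme list --format=json` into a cleanup list: anything that is neither active nor needed (a parent theme, a must-use plugin, a drop-in) is queued for deletion, and what stays but has an update pending is flagged. The JSON field names (`name`, `status`, `update`) and the sample output below are assumptions constructed for this example.

```python
import json

# Constructed sample of `wp plugin list --format=json` output (assumed fields).
PLUGINS_JSON = '''[
 {"name": "woocommerce",    "status": "active",   "update": "none"},
 {"name": "contact-form-7", "status": "inactive", "update": "available"},
 {"name": "hello",          "status": "inactive", "update": "none"},
 {"name": "akismet",        "status": "active",   "update": "available"},
 {"name": "wp-cache",       "status": "dropin",   "update": "none"}
]'''

# Constructed sample of `wp theme list --format=json` output (assumed fields).
THEMES_JSON = '''[
 {"name": "twentyfifteen-child", "status": "active",   "update": "none"},
 {"name": "twentyfifteen",       "status": "parent",   "update": "none"},
 {"name": "twentyfourteen",      "status": "inactive", "update": "available"},
 {"name": "twentythirteen",      "status": "inactive", "update": "none"}
]'''

# Statuses that must stay installed: active plugins, must-use plugins and
# drop-ins; the active theme and the parent of an active child theme.
KEEP_PLUGIN_STATUS = {"active", "active-network", "must-use", "dropin"}
KEEP_THEME_STATUS = {"active", "parent"}


def audit(plugins_json, themes_json):
    """Return (delete_commands, update_commands) built from WP-CLI JSON output.

    Inactive code is deleted rather than updated: a deactivated plugin's
    files are still reachable on the web server, so removing them is what
    actually shrinks the attack surface.
    """
    delete, update = [], []
    for p in json.loads(plugins_json):
        if p["status"] not in KEEP_PLUGIN_STATUS:
            delete.append(f"wp plugin delete {p['name']}")
        elif p.get("update") == "available":
            update.append(f"wp plugin update {p['name']}")
    for t in json.loads(themes_json):
        if t["status"] not in KEEP_THEME_STATUS:
            delete.append(f"wp theme delete {t['name']}")
        elif t.get("update") == "available":
            update.append(f"wp theme update {t['name']}")
    return delete, update


if __name__ == "__main__":
    to_delete, to_update = audit(PLUGINS_JSON, THEMES_JSON)
    print("\n".join(["# remove unused code:"] + to_delete +
                    ["# patch what stays:"] + to_update))
```

Run it against real output with `wp plugin list --format=json > plugins.json` and `wp theme list --format=json > themes.json` on a staging copy first, and review the generated commands before executing them.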

Test All WordPress Plugins and Functionality before Going Live

Testing is crucial. If your business depends on your WordPress website or blog, invest in a staging / test website. A test environment allows you to try out a specific piece of functionality or a plugin before installing it on the live website. If you are doing a lot of customizations, a staging website gives you the opportunity to test the code and have it audited before deploying it on the live website.

It is always easier and less of a hassle if you identify a security issue on a staging website than if a hacker identifies the security issue and exploits it on your live website.

Security Audit for Your WordPress Customizations

If you have WordPress customizations, or a custom WordPress theme or plugin, hire security professionals to perform a security source code audit for you. Many shy away from such services because customizations are always changing, and new functionality is constantly being added to the WordPress website or blog. In such a situation, work out a plan with your security professionals and consultants so that every few months or so (depending on how frequently you apply changes) they audit the changes you have implemented. By agreeing on and working on long-term projects with contractors you can save a lot of money and gain a lot of benefits.

Hire Experienced Professionals

If you need a design, a customization or any other type of service, always work with professionals. Nothing against newbies here, but the experience many long-standing professionals have plays a major role, especially when talking about WordPress security. It might cost you a bit more, but it definitely won’t cost you as much as recovering from a hack and restoring your business’s and website’s reputation.

Should You Limit Your Website’s Functionality in Favour of WordPress Security?

You should never limit the core functionality of your website or blog in favour of WordPress security. I am not saying that you should go for a specific functionality that you know will jeopardize the security of your WordPress. I am saying that if you need a specific functionality that will help you grow your business or ease your operations, do your homework wisely and implement it.

WordPress Hosting, Firewall and Backup

WP White Security is hosted on A2 Hosting, protected with the BBQ: Block Bad Queries firewall and backed up with the BlogVault online WordPress backup service.
