Let’s make one thing clear: WordPress security is very easy. In this short article, we aim to show you just that! By the end of this, you will have gained significant insights on security and will be ready to implement those insights on your own site.
WordPress Security: Why Does it Matter – Let’s look at some statistics so you can get a factual picture of why security matters.
According to Wp-WhiteSecurity, 73.2% of all WordPress installations are vulnerable to security breaches. Fortunately, with free tools, you can detect them.
- Panda Security states that 81% of web attacks are due to insecure passwords, poor login and password combinations.
- Smashing Magazine says that the four most commonly used WordPress exploits are Pharma Hacks, Malware redirects, password access, and backdoors.
- WordFence states that 70% of your WordPress security can be accounted for if you’ve taken measures against securing your site against brute force attacks, and plugin vulnerabilities.
Also states that security matters because WordPress websites face approximately 91,000 attacks per minute with a 100,000 sites being hacked every day. Hackers don’t discriminate and are ready to pounce on the opportunity if they feel your site is vulnerable. To ensure its security, you need to be proactive in your steps in countering these hacks.
But what are the possible attacks you will encounter? Let’s take a look at the most common forms of attacks.
How Hackers Work Their Way into Your Website
The following are nine of the most common WordPress hacks that can damage your website.
- Brute force attacks – Exploiting weak passwords, this attack aims to take full control of your site through automated scripts that try to guess the admin and password of your site.
- Backdoors – Backdoors aim to gain access to your site at the server level. This attack can even damage other sites running on the server as well.
- Cross-Site Scripting (XSS) – Injecting malicious code on your website, hackers attempt to break it by ruining the codebase (HTML, PHP, and CSS).
- Malicious Redirects – A form of link spamming, this exploit redirects your website users to dodgy websites through changing the links within your site content.
- Phishing – This one exploits your site to gain access to your personal information like credit cards, bank accounts, and other identities.
- Malware Attacks – This is an umbrella term used to signify all the hacks that fall under the category of viruses, rootkits, spamming, and other intrusions.
- DDoS Attacks – A well-coordinated attack that injects hack bots into a website. The quantity of the bots is so much that it overwhelms your site’s server, reduces performance, or brings it down entirely.
- Defacement – Hackers gain access to your site to ruin the layout of your site by changing the HTML or CSS content of your site. Similar to XSS, but political in nature.
- PHP Mailers – This one uses PHP (WordPress’ programming language) commands to take control of the mailing server to send phishing emails.
From all of this, it should be clear why WordPress security is important. While these attacks can harm any site, WordPress is a major target for the hackers since statistics show that 90% of all infected sites are running on WordPress.
Protecting Your Site from Hacks
The attacks we’ve mentioned above are the worst-case scenario of what can happen to your site. Fortunately, the ever-active WordPress community has made sure that you can deal with these hacks. Here are some of the steps you can take to protect your site from hacks.
1. Install a Powerful Security Plugin
The following are some of the plugins you can install on your WordPress to ensure security.
All of these plugins come equipped with a variety of different features that take your site’s security to the next level. Here is a short list of such features:
- Firewall for WordPress
- IP blacklisting and blocking
- Malware scans
- 2FA (Two Factor Authentication)
- Security alerts for emails
- Security recommendations
- …and more.
All of these plugins are easy to install and easy to set up. Even if you don’t have time or the skill, the configuration wizards of these plugins will ease you through the entire process.
2. Perform Malware Scans
If you’re seeing quick drops in traffic or some performance issues, then its recommended that you perform a quick site scan.
You can use online health check tools like Virustotal to check your site for any discrepancies.
If you see some problems take the necessary precautions to prevent it. Even if you don’t, it’s always beneficial to run a site check once in a while.
3. Invest in Secure Hosting
You should also protect yourself at the server level by choosing a host that promises the following features:
- Regular backups
- Malware scanners
- Security against DDoS attacks
- Latest OS, server software, and hardware
- …and more.
If you want to take things further, then we would recommend you to select a managed WordPress host that takes care of your site at the server level. All in all, investing in a good hosting service can pay dividends in the future.
4. Set an Uncommon Login and a Strong Password
CLU, also known as Complex, Long, and Unique is the way to go with both your login credentials and passwords. Using symbols, capital letters, numbers, and more in your passwords will ensure safety from Brute Force attacks and others malicious hacks.
With usernames, don’t just rely on the regular old “admin”. It’s common and provides an easy gateway for hackers to access your site.
You can use a site like Passwords generator to help you come up with a good password.
5. Keep Your WordPress and Plugins Updated
Constant updates on your phone’s apps and software are a common occurrence. It’s there to help protect your apps and phone from security vulnerabilities.
Similar with WordPress, you need to constantly update your plugins and the WordPress versions (as soon as it comes out) to ensure top notch security.
6. Disable XML-RPC
XML-RPC itself isn’t harmful since it allows you to connect to web and mobile applications. However, it opens serious doors for hackers to penetrate your site.
In simple terms, hackers can exploit XML-RPC by using a call function that lets them fly under the radar without knowing the hacker has tried thousands of passwords and login combinations on your site.
iThemes security does a good job of protecting you against these brute force attacks. If you’re not using XML-RPC, then the security plugin can even remove its functionality entirely.
7. Use latest PHP version
The PHP version you’re using on your site is detrimental to your WordPress security. Similar to WordPress, PHP also regularly releases new versions that promise better WordPress security.
As of this writing, the latest PHP version being used is 7.4.5. If you haven’t already updated your PHP, do so right now.
Besides the obvious benefit of getting more security, you are also gaining significant benefits in terms of performance boosts.
We have a special PHP Upgrade service. See details of this service at https://www.wpfixit.com/product/wordpress-php-7-compatibility-service
8. Limit Access Control
The most vulnerable parts of your website are the index.php, functions.php, and wp-config.php files.
The wp-config file in particular is very vulnerable since it can facilitate a multitude of attacks on your site. To protect your files, you should ideally hide them, remove any controls for file-editing, change the database prefix (wp_), and restrict user access to PHP files.
The WordPress Codex has a detailed list of how you can keep your files secure, so be sure to check that out.
9. Eliminate Spam and Its Various Types
Spamming is a curse upon the internet. Spam comments, splogs (entire blogs of spam filled with questionable links), trackbacks, and pingbacks, are some of the varieties of spam on the internet.
Fortunately, preventing spam is easy with the help of built-in plugins like Akismet and WordFence.
10. Activate Two Factor Authentication
Two-factor authentication (2FA) is a great way to ensure the log-in security of your website. While it is a time-consuming process (access factor code from email), it is well worth the risk if you’re not sure about your site’s security.
WordFence is perhaps the best plugin for creating a two-factor authentication process on your site.
11. Hide your WordPress version
This is a rather small consideration, but if hackers know your WordPress version and find out that’s it’s not the latest one, they can perform a hack on it.
If it’s an older version and somehow you forgot to update it, then it gives hackers serious ground to hack your site.
12. Manage your WordPress user permissions
If you have multiple users on your sites like editors or developers, then it is recommended that you manage their user-roles correctly. Giving them full permissions will only increase your chances of a hack.
So, try to manage your user roles and their permissions correctly. Additionally, keep a check on the users to ensure that they are people you know. You can use a plugin like User Role Editor for that purpose.
13.Log Out Idle WordPress Users
Users who are logged in but aren’t active pose a crucial security risk. The site becomes prone to hijacking. Their session can be hacked, their passwords changed, and other account changes can be made.
To ensure that a user is locked out when he/she is inactive, you can use a plugin like Inactive Logout and configure the plugin to logout any users who are idle.
14. Limit Login Attempts
With the default WordPress installation, users can login to a site as many times as they want. This makes your site vulnerable to hacks since hackers can try an infinite number of login password combinations without the fear of being locked out or their IP blocked.
To limit login attempts, you can use a plugin like Login Lockdown to restrict the number of attempts a person can log in to your site.
15. Monitor your site security
Once you’ve finished with making your site secure, all you have to do is constantly monitor and keep active in blocking any threats that come your way. Plugins like WordFence can go a long way if you are proactive about your security.
The plugins can prove useful in blocking plenty of different attacks which include, but are not limited to, the following:
- Brute Force Attacks
- User roles, logins, and permissions
- Version management (update alerts)
Additionally, you can view the Google Search Console for more information on your security and site performance.
Even if you don’t have the skill or time, we hope that this article proved a good gateway to you in the world of WordPress security. If you’re a newbie looking to get your site developed with the latest security standards, then try hiring a competent WordPress developer to complete your project.