When your site is launched, you want to sleep well at night knowing that your visitors get the experience you designed for them, and that the site is running as it should.
With the extensive use of WordPress around the world, hacking is a serious threat and every WP website owner should make sure their site is secure.
But how difficult is it to stay safe? Is it just laziness that causes some sites to get hacked, or is it seriously challenging to make your site protected? We take you through the best practices and the reasons behind WordPress security threats.
Are you protected?
Maybe you’re considering setting up a new site on WordPress, or you’re already running one, and you wonder if you are actually protected from hackers.
Well, even the most secure systems get hacked, so no, you’re not.
But think about this analogy: if there’s a big wall around your house, chances are the burglars will target other houses before yours. Unless they know you’ve got plenty of gold inside that makes it worth the effort.
Security experts often say that they don’t work with risk elimination, they work with risk reduction. This aligns with general theory on risk management, which outlines four ways of treating a risk:
- Avoid the activity altogether (don’t own a house)
- Reduce the impact or likelihood (don’t carry valuable items, or install a fence)
- Share or transfer the effect (get insurance)
- Retain the risk (accept the loss, e.g. by budgeting for the eventuality of theft)
Notice that only one of them can eliminate the risk – not having a website at all. That doesn’t feel like an attractive option, and not really an interesting life strategy in general. Therefore, this article will focus on the second strategy – reducing the impact or likelihood.
But first, let’s look for a second at why WordPress sites get hacked in the first place.
Why do WP sites get hacked?
What are the hackers looking for when going after your website? The web security company Sucuri talks about common reasons for attacks in their webinar, including:
- To distribute malware
- Defacement, which means replacing your content, usually to spread electronic graffiti or political messages
- To send spam emails
- Phishing for usernames, passwords and credit card information.
Very few attacks are actually targeting a specific site. There’s just no reason for someone to make the effort. Instead, over 99% of attacks are automated and reach for sites that are vulnerable in order to gain large-scale effects, like the four listed above.
A WordPress site sets up a good fence from scratch, but if there’s a hole in the fence on one site, that means the same hole exists in many other sites running the same version of WordPress and/or plugins.
That’s where a lot of the vulnerability comes from: a large number of sites share the same universal keys to entry. A custom WordPress theme helps, since it doesn’t have more code than needed and doesn’t become the target of the mass attacks itself.
With each WordPress update, old holes are fixed, and new ones open up. Hopefully, the new holes are detected and shut before any attacks happen on your site, but it’s important to keep updating your site to make sure it stays ahead of any perpetrators.
What types of security liabilities are there?
There are typical security issues that WordPress website owners need to be aware of and stay protected from.
- Brute Force Attacks
Your site gets attacked by automated scripts that attempt to log in to your admin page or FTP, guessing usernames and passwords.
- Attacks on software vulnerabilities
All software is susceptible to attacks, and WordPress is no exception. However, the WordPress core is considered to be very safe, as long as it’s kept up to date.
According to a security article from WordPress.org, the extensions of WordPress in the form of plugins and themes are “the #1 attack vector being exploited by cyber criminals to hack and otherwise misuse WordPress sites”.
There are several ways that these can be liabilities to your site:
- They are not updated to include the latest security fixes.
- You looked for a free version of a premium plugin and found a malicious one.
- The plugin or theme is not secure to begin with
- The plugin or theme is no longer being supported with updates by the creator
As you can see, well-established plugins and themes with serious companies backing them are also very secure, as long as they’re running on updated versions.
- Cross Site Scripting
If someone breaks into a neighboring site that is hosted on the same server as yours, maybe your second site or one on the same shared hosting, they may access your site as well. I won’t go into detail on how it works, but you’ll find articles where you can learn more about “XSS” if you google for it.
The quick guide to staying safe
If you want your website to have a high fence, i.e. one that is high enough relative to how much interest someone has in hacking it, here’s a quick guide to what you should do:
- Prevent Brute Force Attacks
  - Make it more difficult to guess your login information:
    - Change the URL for the login page.
    - Avoid the username “admin” or “administrator”.
    - Use a long, non-obvious password.
    - Implement Two-Factor Authentication (2FA), e.g. using Google Authenticator.
    - Limit the number of login attempts from the same IP address, e.g. using Login Lockdown.
    - Remove user profiles that are no longer needed, e.g. those that got access to make a temporary fix on your site.
    - Use secure FTP (SFTP) to prevent people from stealing your information in transit.
  - Minimize the impact:
    - Restrict user privileges to a minimum, a principle referred to as “The Least Privileged Principle”. Someone contributing to the blog doesn’t need administrator rights, and so on.
    - Disable the possibility to change files from the dashboard (in the Appearance/Editor menu). This can be done by adding a few lines of code to wp-config.php.
- Minimize software vulnerability
  - Get a well-established hosting provider for your site who knows how to minimize the server-side vulnerabilities.
  - Only use trusted themes, plugins and other third-party integrations. Make sure to check their ratings, number of downloads, compatibility, and date of latest update.
  - Remove plugins and themes that you are not using, and in general keep the number of used plugins to a minimum.
  - Update your WordPress core, themes and plugins regularly. You can set WordPress to do it automatically, schedule yourself to go in every other week or so to look for updates, or subscribe to updates from your plugin and theme providers.
  - Close down access to files and directories that shouldn’t be accessed by visitors using the .htaccess file. Examples include .htaccess itself, the wp-config.php file, the upload directory, and the admin directory.
- Minimize the risk for Cross Site Scripting
  - Avoid shared hosting solutions from unreliable hosting providers.
  - Use multiple databases if you have more than one site on your server.
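The brute-force items in the guide above rely on noticing repeated login attempts from the same IP address. As an added example (not from the original article), this shell function counts failed POSTs to wp-login.php per IP in a combined-format access log and marks IPs that logged in successfully afterwards. The function names, the sample log, and the rule that a failed login returns HTTP 200 while a successful one redirects with 302 are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original article.
# Assumption: a failed WordPress login re-renders the form (HTTP 200) and a
# successful one redirects (HTTP 302).

# Usage: login_bruteforce_report <access_log> <min_failures>
# Prints "<ip> <failed_posts> <login_succeeded_afterwards: yes|no>" for every
# IP with at least <min_failures> failed POSTs to wp-login.php.
login_bruteforce_report() {
    awk -v min="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
            if ($9 == 200) {
                fail[$1]++
            } else if ($9 == 302 && ($1 in fail) && fail[$1] >= min) {
                hit[$1] = 1   # redirect after many failures: possibly a guessed password
            }
        }
        END {
            for (ip in fail)
                if (fail[ip] >= min)
                    print ip, fail[ip], ((ip in hit) ? "yes" : "no")
        }' "$1" | sort
}

# Constructed sample log (documentation IP ranges, made-up timestamps).
make_sample_log() {
    local f i; f=$(mktemp)
    for i in 1 2 3 4 5 6; do
        echo "203.0.113.7 - - [10/Oct/2017:13:55:0$i +0000] \"POST /wp-login.php HTTP/1.1\" 200 3120 \"-\" \"-\""
    done > "$f"
    cat >> "$f" <<'EOF'
203.0.113.7 - - [10/Oct/2017:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
198.51.100.20 - - [10/Oct/2017:14:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"
198.51.100.20 - - [10/Oct/2017:14:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
192.0.2.44 - - [10/Oct/2017:14:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "-"
EOF
    echo "$f"
}

log=$(make_sample_log)
login_bruteforce_report "$log" 5
rm -f "$log"
```

An IP reported with “yes” deserves a password reset for the affected account, since the successful login followed a run of failures.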
Besides the recommendations above on how to treat specific types of attacks, here are three general recommendations that can really help you:
- Make sure to keep a backup of your files and databases to reduce the impact when something happens.
- Install a security plugin to help scan your site for hidden malware and detect hacking attempts.
- Keep your local environment safe to prevent hackers from accessing your information via unprotected networks or virus-infected computers.
WordPress security is not only about user laziness; anyone can get hacked. But most of the problems users face can be traced back to either unawareness or laziness, since a few easy tricks can help you avoid most attacks.
If you have a website that you care about, and you don’t want to spend endless hours trying to restore a compromised site: take preventive action.
And remember that security is not something you just set up according to the instructions above and then forget about.
You also need to treat it as a form of maintenance. Update your plugins and themes, check that they are still supported, and make regular audits of your site to ensure no malware has made its way through the fence, e.g. using security plugins.
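As an added example of such a recurring check (not code from the original article or from WordPress), this shell function verifies that the wp-config.php and .htaccess steps from the quick guide are still in place. DISALLOW_FILE_EDIT is the WordPress constant that disables the dashboard editor; the function names, the sample site, and reading “close down the upload directory” as a rule covering PHP files there are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Presence checks only: it does
# not prove that the web server actually enforces the rules it finds.

# Usage: audit_wp_hardening <wordpress_root>
# Prints one FAIL line per missing control and returns the number of failures.
audit_wp_hardening() {
    local root="$1" fails=0
    local cfg="$root/wp-config.php" ht="$root/.htaccess"
    local up="$root/wp-content/uploads/.htaccess"

    # Dashboard file editor disabled; the ^ anchor skips commented-out defines.
    grep -Eqi "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$cfg" 2>/dev/null \
        || { echo "FAIL: DISALLOW_FILE_EDIT is not set to true in wp-config.php"; fails=$((fails + 1)); }

    # Root .htaccess has a <Files>/<FilesMatch> section naming wp-config.php.
    grep -Eqi '^[[:space:]]*<Files(Match)?[[:space:]][^>]*wp-config' "$ht" 2>/dev/null \
        || { echo "FAIL: no <Files> section for wp-config.php in .htaccess"; fails=$((fails + 1)); }

    # Root .htaccess has a section naming .htaccess / .ht* files themselves.
    grep -Eqi '^[[:space:]]*<Files(Match)?[[:space:]][^>]*\.ht' "$ht" 2>/dev/null \
        || { echo "FAIL: no <Files> section for .htaccess itself"; fails=$((fails + 1)); }

    # Assumption: the uploads directory is closed down by a rule on PHP files.
    grep -Eqi '^[[:space:]]*<Files(Match)?[[:space:]][^>]*php' "$up" 2>/dev/null \
        || { echo "FAIL: no PHP rule in wp-content/uploads/.htaccess"; fails=$((fails + 1)); }

    return "$fails"
}

# Constructed sample: a partially hardened site in a temporary directory.
make_sample_site() {
    local d; d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '%s\n' "<?php" "// define('DISALLOW_FILE_EDIT', true);" > "$d/wp-config.php"
    printf '%s\n' '<Files wp-config.php>' '  Require all denied' '</Files>' > "$d/.htaccess"
    echo "$d"
}

site=$(make_sample_site)
audit_wp_hardening "$site" || echo "$? finding(s) in $site"
rm -rf "$site"
```

Run from cron after each update, a non-zero exit status shows that an update or a restored backup has dropped one of the settings.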
That way, you’ll sleep well at night. And if you’re still anxious, here’s some more reading with further instructions and more perspectives on the topic:
- WordPress.org: “Hardening WordPress”
- Yoast.com: “WordPress Security”
- WPBeginner.com: “The Ultimate WordPress Security Guide – Step by Step (2017)”
- Colorlib.com: “Beefing Up WordPress Security – A Complete Guide To Securing WordPress Sites”