Every WordPress website – no matter how much or little traffic it gets – is vulnerable to threats which can do great harm.
I know that sounds terrifying but fortunately there are a lot of simple things to do to keep your site safe and secure.
Just burying your head in the sand is not a smart strategy for maintaining your website and keeping it online.
But it’s more than just keeping your site online. Some sites, when compromised, can do harm to their visitors without them even knowing about it. For example, your site can be used to spread malware causing your site to be blacklisted on Google.
This is a long post, so if you just want the basic FAQ, here it is.
Do WordPress Sites Need Security?
- WordPress is a popular content management system (CMS), which means that there are many potential targets for hackers.
- WordPress sites usually contain sensitive information, such as user login details and personal information.
- WordPress sites can be vulnerable to attack if not properly configured or updated.
Yes, WordPress can be secure. However, it is important to note that no CMS is 100% secure. There are always going to be security risks associated with any platform, and WordPress is no different. That being said, there are a number of steps you can take to help make your WordPress site as secure as possible.
One of the most important things you can do is keep your WordPress installation up to date. New versions of WordPress are released regularly, and each new version includes security fixes for vulnerabilities that have been discovered. By keeping your site up to date, you’ll help to close any potential security holes that could be exploited by hackers.
Another important security measure is to use strong passwords for all your logins.
How Do I Make My WordPress Site Secure?
Following these simple tips will help make your WordPress site more secure and less likely to be hacked.
1. Use a strong password for your WordPress admin account and never share it with anyone.
2. Keep your WordPress installation up to date by always updating to the latest version.
3. Use only trusted themes and plugins from reputable sources.
4. Don’t click on any suspicious links or download any files from untrustworthy sources.
5. Backup your WordPress site regularly so you can restore it if it’s ever hacked.
Here are the simple things you can do to safeguard your WordPress website.
What Are The Most Common Threats You Should Be Aware Of?
Fortunately you don’t need to become a hacker to protect yourself from one. But knowledge of a few most common vulnerabilities can go a long way.
Brute Force Attacks
What do you think would happen if a burglar had enough experience and time to pick a lock?
That’s what a brute force attack is like.
This kind of threat is an attack that tries to guess the password or username of a user by trying different combinations. This can be very time consuming and often requires sophisticated software to carry out. However, if the attacker has access to a list of common passwords or usernames, they can often successfully break into your site at the WP Login screen.
File Inclusion Exploits
A file inclusion exploit is a type of attack in which vulnerable PHP code is tricked into including a file of the attacker’s choosing (usually malicious code); servers running an older version of WordPress are a common target. This exploit can be used to take over the website or to cause other damage.
What kind of harm could a successful file inclusion attack do?
If an attacker is able to successfully exploit a file inclusion vulnerability, they can potentially gain access to sensitive information stored on the server, including passwords and credit card numbers. They may also be able to delete files or inject malicious code that will be executed on the server. This can cause serious damage to the website and its visitors.
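The shape of the flaw, and of the fix, is easiest to see in code. The following is an added example and not code from the original post: the vulnerable routine builds an include path straight from a request parameter, while the hardened one only ever uses the parameter as a key into a fixed allowlist. The `pages/` directory and the page names are constructed for the demo.

```php
<?php
// Added example (not from the original post). The "before" routine is
// deliberately vulnerable; the "after" routine is the hardened form.

// BEFORE: the include path is built from user input, so the caller, not the
// developer, decides which file the server executes.
function load_page_unsafe(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';
}

// AFTER: user input is only a lookup key. The filesystem path can never be
// anything other than one of the entries written down here.
const PAGE_ALLOWLIST = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function load_page_safe(string $page): bool
{
    if (!array_key_exists($page, PAGE_ALLOWLIST)) {
        http_response_code(404);
        return false;                 // unknown key: refuse, do not guess
    }
    $path = __DIR__ . '/pages/' . PAGE_ALLOWLIST[$page];
    if (!is_file($path)) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

// Usage: the request parameter never reaches the filesystem directly.
load_page_safe($_GET['page'] ?? 'home');
```

The allowlist is the whole defence: there is no sanitising of `..` or `/` to get wrong, because the raw value is never used as part of a path at all.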
SQL Injection
If an attacker gets access to your database, you’re going to be in for a world of hurt. A malicious injection can allow an attacker to execute code that can delete your content, corrupt your database, or even give the attacker full control of your server. In short: it’s bad news.
What could you do about this?
Fortunately, there are a few things you can do to protect yourself. First, make sure you’re using a strong password for your database. Second, keep your WordPress installation up to date. Both of these will help to keep your site safe from SQL injection attacks.
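Beyond the two precautions above, the code that runs on your site (plugins and themes included) has to build its database queries safely. The block below is an added example, not code from the original post or from any plugin: it shows a search query written the vulnerable way and then with WordPress’s own `$wpdb->prepare()`, which binds the visitor’s input as a parameter instead of pasting it into the SQL text. It assumes the global `$wpdb` object that WordPress provides; the search term is whatever the visitor typed.

```php
<?php
// Added example (not from the original post). Assumes WordPress's global $wpdb
// and its real prepare(), esc_like() and get_results() methods.

// BEFORE (vulnerable): the visitor's input becomes part of the SQL text, so a
// quote character in it changes what the query does.
function find_posts_unsafe(string $term): array
{
    global $wpdb;
    return (array) $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_title LIKE '%{$term}%' AND post_status = 'publish'"
    );
}

// AFTER (hardened): %s is quoted and escaped by WordPress when the query is
// prepared, and esc_like() neutralises LIKE wildcards so the text matches
// literally. %d guarantees the limit is an integer.
function find_posts_safe(string $term): array
{
    global $wpdb;
    $like = '%' . $wpdb->esc_like($term) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_title LIKE %s AND post_status = 'publish' LIMIT %d",
        $like,
        20
    );
    return (array) $wpdb->get_results($sql);
}

// Usage inside a template or shortcode handler:
// $results = find_posts_safe( sanitize_text_field( $_GET['q'] ?? '' ) );
```

Note that `sanitize_text_field()` on the way in is about tidy data, not about injection; the protection comes from `prepare()` binding the value on the way to the database.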
Cross Site Scripting
Cross Site Scripting (XSS) vulnerabilities can be exploited in a number of ways, but they all involve injecting malicious code into a web page. This can be done through flaws in the website’s code, by compromising the server that hosts the website, or by tricking users into clicking on a malicious link.
Once the code has been injected, it can be used to perform a variety of actions such as the theft of sensitive information, redirecting users to malicious websites, and more.
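Whether injected content runs in a visitor’s browser depends on how the page prints it. As an added example (not code from the original post or from any plugin), here is a comment rendered first with raw concatenation and then with WordPress’s context-specific escaping helpers, which are real WordPress functions. The `$comment` array is constructed for the demo and stands in for data a visitor submitted.

```php
<?php
// Added example (not from the original post). esc_html(), esc_url() and
// wp_kses_post() are real WordPress helpers; the data below is constructed.

$comment = [
    'author' => "O'Neil <b>(typed by a visitor)</b>",
    'url'    => 'http://example.com/page?a=1&b=2',
    'body'   => '<p>Nice post!</p><em>Thanks</em>',
];

// BEFORE (vulnerable): whatever the visitor typed is written straight into the
// page, so any HTML or script in it runs in every other reader's browser.
function render_comment_unsafe(array $c): string
{
    return '<p class="author">' . $c['author'] . '</p>'
         . '<a href="' . $c['url'] . '">' . $c['url'] . '</a>'
         . '<div class="body">' . $c['body'] . '</div>';
}

// AFTER (hardened): choose the escaper for the context the value lands in.
function render_comment_safe(array $c): string
{
    return '<p class="author">' . esc_html($c['author']) . '</p>'      // text node
         . '<a href="' . esc_url($c['url']) . '">'                     // URL attribute:
         . esc_html($c['url']) . '</a>'                                //   unsafe schemes become ''
         . '<div class="body">' . wp_kses_post($c['body']) . '</div>'; // only post-safe tags survive
}

echo render_comment_safe($comment);
```

The rule of thumb the example follows is “escape late, at output, for the exact context”: text nodes get `esc_html()`, attributes get `esc_attr()` or `esc_url()`, and the one place you want a visitor’s HTML kept, it goes through `wp_kses_post()` so that only the allowed tag set survives.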
Malware
Malware is a type of software that can damage or disable computers and computer systems. WordPress websites can be particularly vulnerable to malware attacks, as they are often left unpatched and unprotected. If your WordPress website is infected with malware, it could result in your site being hacked, your data being stolen, or your site being used to distribute malware to other users.
What can you do about this?
To protect your WordPress website from malware, you should keep your WordPress installation up to date, and use a security plugin like one of those mentioned below. You should also regularly scan your website for malware and remove any malicious code that you find.
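“Regularly scan your website” in practice means knowing which files changed. The script below is an added example, not code from the original post or from any of the plugins it mentions: it hashes every PHP file under a site directory, stores that as a baseline the first time it runs, and on later runs reports files that were added, removed or modified. The site path and baseline file name are constructed for the demo.

```php
<?php
// Added example (not from the original post, and not any plugin's code): a
// minimal file-integrity check. The paths below are assumptions for the demo.

function snapshot_tree(string $root): array
{
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && strtolower($file->getExtension()) === 'php') {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

// Compare two snapshots; every difference is something to explain or clean up.
function diff_snapshots(array $baseline, array $current): array
{
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if (!hash_equals($baseline[$path], $hash)) {
            $modified[] = $path;
        }
    }
    return [
        'added'    => array_keys(array_diff_key($current, $baseline)), // unexpected new PHP files
        'removed'  => array_keys(array_diff_key($baseline, $current)),
        'modified' => $modified,                                        // files changed outside an update
    ];
}

// Usage: the first run stores the baseline; later runs report drift.
$root     = rtrim($argv[1] ?? '/var/www/html', '/');   // assumed site path
$baseline = __DIR__ . '/integrity-baseline.json';      // assumed baseline location
$current  = snapshot_tree($root);

if (!is_file($baseline)) {
    file_put_contents($baseline, json_encode($current, JSON_PRETTY_PRINT));
    echo 'Baseline written for ', count($current), ' files', PHP_EOL;
    exit(0);
}

$report = diff_snapshots(json_decode(file_get_contents($baseline), true), $current);
foreach ($report as $kind => $paths) {
    foreach ($paths as $p) {
        echo strtoupper($kind), ' ', $p, PHP_EOL;
    }
}
```

Run it from cron and keep the baseline file outside the web root. Re-baseline deliberately after you apply a WordPress, plugin or theme update, never automatically, or the check will quietly bless whatever changed.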
Simple Things You Can Do To Safeguard Your WordPress Website
Keep All WordPress Software Up To Date
This is always number one on everyone’s security list. Why? WordPress, themes, and plugins change over time – mostly for new features but partly as a response to known security threats. If you don’t update your WP software, you’re just asking for problems to come your way.
Use Strong Passwords
You’d be surprised how easy it is for hackers and bots to crack a simple username and password given enough time.
Are you using passwords that are easy to remember, which unfortunately also makes them easy to guess? A strong password is one that is difficult to guess and contains a mix of upper and lower case letters, numbers, and symbols. Using a strong password helps to protect your website from being hacked.
There are a few things to keep in mind when creating a strong password:
- Make it at least 8 characters long. The longer the password, the more difficult it is to crack.
- Use a mix of upper and lower case letters, numbers, and symbols. This makes it harder for someone to guess your password.
- Avoid easily guessed words such as “password” for the password and “admin” for the username.
Use A Managed WordPress Host
Go with a web host that provides top notch WordPress hosting services which include the following:
- Free and automatic SSL installation
- SFTP
- Daily backups with an easy restoration process
- Staging environment
- An option to easily use a CDN
Plus, most managed WordPress web hosts provide enhanced security features (such as malware scanning and removal) that can help protect your website from hackers and other online threats.
Get Themes And Plugins From Trusted Sources
You’re always safe downloading themes and plugins from the wordpress.org repository but what about from anywhere else? That depends as it’s very easy for other sites to distribute less than trustworthy software over the Internet.
Use well-known services to make safe purchases. To name just a few:
- ThemeForest
- ThemeIsle
- Envato
Of course, you’ll be making a safe bet when you purchase a plugin from a highly trusted source such as Pippin’s Plugins which provides a variety of plugins created by the well-known developer, Pippin Williamson.
Give Users Only The Level Of Access They Need
If someone is writing blog posts for you, they don’t need admin access. Assigning the role of Author or Contributor should be sufficient for writing a post.
Backup Your Site
That should be obvious, but what isn’t obvious is that it should be backed up at minimum once a day, and that you should keep a history of backups rather than only the latest one. If your site is compromised without you being aware of it, your most recent backups will probably include the security breach, and restoring a backup that has already been compromised will not help you.
Plugins And Services
Take some time to familiarize yourself with WordPress security best practices. This will help you identify potential vulnerabilities on your site and take steps to fix them.
By following these simple steps, you can help protect your WordPress website from attack. Keep in mind that no system is impenetrable and no one step – or series of steps – will guarantee that you’ll always stay out of trouble.
Single Purpose Plugins
Limit Login Attempts Reloaded
By default, WordPress does not limit the number of attempts you – or a hacker – can make to log in to your WP Admin.
Limit Login Attempts does exactly what it sounds like: It limits the number of login attempts that a user can make to a WordPress site. This is a security measure that can help prevent brute force attacks (where a bad actor tries to gain access to a WordPress site by repeatedly guessing the username and password).
With this plugin you can specify how many login attempts a user is allowed before their IP address is temporarily blocked. This can help deter would-be hackers and make it more difficult to gain unauthorized access to your site.
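To make concrete what the Brute Force Attacks section describes and what a limiter like this plugin does, here is an added example that is not the Limit Login Attempts Reloaded plugin’s code: a minimal login throttle written as a must-use plugin against WordPress’s real `wp_login_failed`, `authenticate` and `wp_login` hooks and its transients API. The thresholds are constructed for the demo, and it assumes the site is served directly so that `REMOTE_ADDR` is the visitor’s address.

```php
<?php
/**
 * Plugin Name: Demo Login Throttle
 *
 * Added example (not the Limit Login Attempts Reloaded plugin's code). Drop it
 * in wp-content/mu-plugins/ on a test site. Thresholds are constructed.
 */

const DEMO_MAX_ATTEMPTS = 5;       // failures allowed before the lockout
const DEMO_LOCKOUT_SECS = 15 * 60; // how long the address stays blocked

// Assumption: no proxy or CDN in front of the site, so REMOTE_ADDR is the
// client. Behind a proxy you must use the trusted forwarding header instead,
// otherwise every visitor shares the proxy's address and is locked out together.
function demo_client_key(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'demo_login_fail_' . md5($ip);
}

// Count each failed login per source address; the transient expires on its own.
add_action('wp_login_failed', function (string $username): void {
    $key   = demo_client_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, DEMO_LOCKOUT_SECS);
});

// Refuse authentication once the address is over the limit, even if the
// password is now correct. Priority 30 runs after WordPress's own
// username/password checks at priority 20.
add_filter('authenticate', function ($user, string $username, string $password) {
    if ($username === '') {
        return $user;                             // not a credential login, leave it alone
    }
    if ((int) get_transient(demo_client_key()) >= DEMO_MAX_ATTEMPTS) {
        return new WP_Error(
            'demo_too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.', DEMO_LOCKOUT_SECS / 60)
        );
    }
    return $user;
}, 30, 3);

// Clear the counter on success so a legitimate user is not penalised later.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    delete_transient(demo_client_key());
}, 10, 2);
```

Because WordPress fires `wp_login_failed` for the rejection too, every attempt during the lockout refreshes the transient, so the window slides until the attempts stop. Transients live in the options table or the object cache, which is why a real plugin adds its own table and per-username counters for sites that are busy or behind load balancers.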
WP Hide Login
Hackers know that by default your login page is located at site.com/wp-login.php.
This plugin changes that URL to whatever URL you specify, making it easy to hide the default login page. This will also cut down on the chance that your site will be subject to a brute force attack.
This single purpose plugin adds another layer of security for your site which is simple to implement.
Google Authenticator – WordPress Two Factor Authentication (2FA)
Two Factor Authentication has become a standard for protecting access to all kinds of data – bank and investment account data as well as other types of sensitive information.
The plugin works by requiring you to enter a code from your smartphone or other device in addition to your username and password when logging in. This makes it more difficult for someone to hack into your site, even if they have your username and password.
If you have sensitive information on your site or if you simply want to add an extra level of protection, then using the Google Authenticator plugin is a good idea. However, this plugin is overkill if you don’t have terribly sensitive information in your database.
If you use this plugin, you’ll see there is a tradeoff between ease of access and security. The more of the latter, the less of the former.
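The code the phone app displays is not random: it is computed from a shared secret and the current time, and the site recomputes it to check what you typed. As an added example that is not the Google Authenticator plugin’s code, here is that verification step, the TOTP algorithm of RFC 6238, in plain PHP. It assumes the raw secret bytes are already at hand (the authenticator app stores them Base32-encoded), and the secret used in the self-test is the RFC’s published test value, not something a real site would use.

```php
<?php
// Added example (not the Google Authenticator plugin's code): TOTP (RFC 6238)
// verification. The secret in self_test() is the RFC's own test vector.

// HOTP step: HMAC-SHA1 over the 8-byte big-endian counter, then the RFC's
// "dynamic truncation" picks 31 bits out of the digest.
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg  = pack('J', $counter);                 // 64-bit big-endian counter
    $hmac = hash_hmac('sha1', $msg, $secret, true);
    $off  = ord($hmac[19]) & 0x0f;
    $bin  = ((ord($hmac[$off])     & 0x7f) << 24)
          | ((ord($hmac[$off + 1]) & 0xff) << 16)
          | ((ord($hmac[$off + 2]) & 0xff) << 8)
          |  (ord($hmac[$off + 3]) & 0xff);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// TOTP: the counter is the number of 30-second steps since the Unix epoch.
function totp(string $secret, int $unix_time, int $step = 30): string
{
    return hotp($secret, intdiv($unix_time, $step));
}

// Accept the current step and one step either side to absorb clock drift, and
// compare in constant time. A real plugin must also remember the last step a
// user succeeded with (not shown) so the same code cannot be replayed.
function totp_verify(string $secret, string $code, int $now, int $window = 1): bool
{
    $step = intdiv($now, 30);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(hotp($secret, $step + $i), $code)) {
            return true;
        }
    }
    return false;
}

// RFC 6238 Appendix B vectors (SHA-1, ASCII secret "12345678901234567890"),
// truncated to the six digits an authenticator app shows.
function self_test(): bool
{
    $secret = '12345678901234567890';
    return totp($secret, 59) === '287082'
        && totp($secret, 1111111109) === '081804'
        && totp_verify($secret, '050471', 1111111111)
        && !totp_verify($secret, '000000', 1111111111);
}

echo self_test() ? 'TOTP vectors OK' : 'TOTP vectors FAILED', PHP_EOL;
```

The tradeoff the section mentions is visible here: the acceptance window is what keeps a slightly slow phone clock from locking you out, and widening it beyond one step makes guessing a code easier, so plugins keep it tight and rate-limit code entry just as they do passwords.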
Multi-Purpose Plugins
Wordfence
Wordfence is a Swiss army knife type of plugin as it helps you manage and secure your WordPress site. It provides different types of security services. You decide which ones to use.
The first feature is its ability to scan your site for malware and other security threats. This helps you keep your site safe from malicious attacks.
Another great feature of Wordfence is its ability to block spam comments. This helps you keep your comment section clean and free of spam.
Wordfence also has the ability to create reports on how your site is performing. This helps you troubleshoot problems and improve your site’s performance.
Here are other key features:
- Wordfence provides an intuitive and user-friendly interface.
- The plugin is highly customizable and can be adapted to your needs.
Finally, Wordfence offers a premium version that includes additional features such as scanning against real-time threats.
Sucuri
While not as well known as Wordfence, Sucuri is a noteworthy competitor plugin.
Like Wordfence, Sucuri helps to protect your website from hackers and malware. It does this by scanning your website for vulnerabilities and then repairing them if possible. It also blocks malicious traffic from reaching your website. This makes it an essential tool for anyone who wants to keep their website safe from harm.
Here are some of its key features:
- Security Activity Auditing
- File Integrity Monitoring
- Remote Malware Scanning
- Blocklist Monitoring
- Effective Security Hardening
- Post-Hack Security Actions
- Security Notifications
- Website Firewall (premium)
Sucuri, owned by GoDaddy, is used by millions of websites worldwide, including some of the biggest names in the business.
iThemes Security
This plugin also provides protection services that are similar to Wordfence and Sucuri.
Here are some of its key features:
- Two Factor Authentication
- Password Requirements
- reCAPTCHA (premium)
- Passwordless Logins (Pro)
- Trusted Devices (Pro)
The setup process allows you to choose from a security template that is tailored to the needs of your site. For example, security needs for an eCommerce site differ from that of a simple blog.
Resources
Plugins And Services
Some of these – like the Google Authenticator and Limit Login Attempts – are single purpose plugins making them simple to set up and use. Others – like Wordfence and Sucuri – provide a suite of protection applications and are more difficult to understand and use.
- Google Authenticator – WordPress Two Factor Authentication (2FA)
- Limit Login Attempts
- Stop User Enumeration
- WPS Hide Login
- User Role Editor
- Activity Log
- Website File Changes Monitor
If you are going to use a protection suite, choose between the Wordfence, Sucuri OR iThemes Security plugins. Do not use more than one of these.
Tools
These are all free, so help yourself.
- Security Check from experte.com
- Sucuri Free Site Scanner
- Free Malware Scanner
- WPHackedHelp
- Why No Padlock?
Guides
Blogs
Lists
- 5 Common WordPress Security Issues
- 7 WordPress Security Best Practices
- 7 Best WordPress Security Plugins
- 17 Best WordPress Security Plugins to Lock out the Bad Guys
- 10 Reasons Why Your WordPress Site Will Get Hacked (And What you can do About It)
Good Reads
There are countless articles on the web to help you understand the nature of common threats to your site.
Some of these articles are pretty technical, so don’t say I didn’t warn you!
- Cross-Site Scripting: A Guide for WordPress Users
- WordPress Security Threats in 2020 and How to Prevent Them
- The Complete Guide to WordPress User Roles and Permissions
- iThemes – Blog
- How Firewalls Work
- Why Choose An Endpoint Firewall Like Wordfence
- A complete tutorial to cross-site scripting
- 2018-2022 Ransomware statistics and facts
- How to Protect Your WordPress Site from Brute Force Attacks
- Ransomware Facts, Trends & Statistics for 2020
- FAQ My site was hacked
- iThemes Security vs Wordfence: Which Security Plugin Should You Choose?
- What Is Xmlrpc.php in WordPress and Why You Should Disable It