Everything You Need To Know About WordPress Security


Whether you run a hobby blog, an online business, or an eCommerce shop, WordPress security should be a priority. After all, Google blacklists thousands of websites each day for malware and phishing. And while some of these sites are being used for malicious intent, some of them are legitimate websites that have been hacked, sometimes without the website owner noticing.

Of course, the default WordPress core is routinely audited by the WordPress Security Team and is generally secure. In fact, because of the proactive approach the team behind WordPress takes to keep people’s websites safe, it’s often more secure than other popular content management systems.

But that doesn’t mean you should neglect your site and forgo your own WordPress security efforts.

Luckily, there are many actionable security measures available you can implement so hackers can’t gain access to your site and ruin all your hard work.

But first, let’s take a look at how secure WordPress is and the types of WordPress vulnerabilities there are.

Is WordPress Secure?

In short, yes, WordPress is secure. Unfortunately, WordPress has a bad rap in the industry for being prone to security breaches and vulnerabilities. But the truth is, one of the main reasons WordPress sites are so susceptible to breaches is that their owners fail to follow WordPress security best practices.

For example, people continue to:

  • Use nulled plugins and themes (those that have been hacked or have modified code designed to cause harm or collect information)
  • Implement poor system and credentials management
  • Rely on the WordPress core for all their security needs
  • Fail to update their software, whether that be the WordPress version, themes, or plugins

That’s not to say WordPress security issues don’t happen, though. They do. In fact, according to Sucuri’s Website Hack Trend Report 2018, 90% of the websites found to be infected were WordPress websites.


Since 34% of the world’s websites use WordPress, it makes sense that more vulnerable sites would turn up there than on lesser-known platforms. But that doesn’t negate the fact that there is a lot of room for improvement.

WordPress Vulnerabilities

Before we dive into how to protect your WordPress website, let’s take a brief look at the types of security vulnerabilities that can affect your WordPress website:

  • Pharma Hacks: rogue code is inserted into outdated versions of WordPress, plugins, and themes so that search engines display spam ads instead of the compromised website’s content.
  • Brute Force Attacks: automated scripts try large numbers of weak passwords to gain access to your website’s backend.
  • Backdoors: hackers plant a piece of malicious code that lets them bypass normal authentication and get back into the WordPress site through the backend (e.g., SFTP, WP-Admin, and FTP).
  • Denial of Service: often launched from many machines at once (DDoS), this is when hackers exploit errors and bugs on your website to overwhelm the systems behind it (e.g., web servers, networks, or applications) and take your site down.
  • Redirects: malicious code is injected into your site to redirect visitors to other websites.
  • Cross-Site Scripting: malicious script is injected into a trusted website or application to grab

Now, let’s take a look at how you can prevent these common WordPress security issues and protect your website.

WordPress Security: Protecting Your Website

As of today, over 115,000 websites have been hacked, and the live counter keeps climbing as you watch it. If this isn’t enough of a warning that you need to protect your WordPress site, we don’t know what is.

1. Update WordPress

One of the easiest ways to protect your WordPress site is to make sure you run all updates when they are released.


Updates are not just for giving WordPress users brand new features. They also close vulnerabilities, fix bugs and errors, and make the software more secure. It’s important that you always use the most recent version of WordPress and keep all themes and plugins on your site up to date.

2. Use a Secure Web Host

Did you know that the level of security your WordPress website has offsite is just as important as the security measures you take on the backend?

Well, it is.

When you choose a WordPress web hosting provider, you should take care to research the security measures they put in place to protect your site’s data. After all, your host stores all your website’s data and files on their servers. And if their servers become compromised, your site becomes compromised too.

Here are some of the best security features to look for when picking a hosting plan:

  • Infrastructure access restrictions using SSH (Secure Shell)
  • IP whitelisting for authorized users only
  • Network monitoring for intrusions or unauthorized activity
  • Built-in SSL (Secure Sockets Layer) encryption and firewalls
  • DDoS prevention
  • Malware scanning, detection, and removal
  • Password and user access restrictions
  • Offsite backup services

Not all web hosts come with such an extensive list of security features. That said, here at 24×7 WPSupport, we pride ourselves on providing enterprise-level security with all our managed WordPress hosting plans. From automatic site backups to software updates, and from malware checks to vulnerability patches, we strive to secure your website and all its data so you never have to worry.

3. Enforce Strong Passwords and User Access

One of the most common ways hackers get inside a WordPress website is using stolen passwords. And it doesn’t just happen in the WordPress admin area. It also happens through your FTP and hosting accounts, the database, and even your custom business email addresses that use your site’s domain name.

Listen, we understand that every account you have on the internet has different password requirements. And quite frankly, it’s hard to remember them all. But using strong passwords is necessary for keeping your site secure.

Start by using a tool such as Password Generator to create unique passwords for all your website accounts.


From there, forget having to remember all your passwords; just use a password manager like the one provided free of charge by LastPass.

And don’t forget to change your username too. Many web hosts provide one-click installers to set up WordPress on your website with ease. They also tend to come with a preset username (admin) and a password (which varies). Change the username from admin to something else so hackers don’t already know half of your login credentials.

In addition, if you have a team of people who regularly access the backend of your site, make sure you take the time to define user roles and capabilities in your WordPress account. This means only creating user accounts for those who must have access to your website.

4. Add Two-Factor Authentication

No matter how secure your site’s passwords are, it’s important to understand that cybercrime has become increasingly advanced. And when hackers use specialized software to try to break into websites, even getting past a strong password becomes possible.

One way to get around this is to enable two-factor authentication, which adds a second step to the login process. First, you input your password. Next, you’ll need to enter a special code that you receive via SMS (text message) or phone call, or that is generated by a time-based one-time password app such as Google Authenticator.


This method is nearly 100% effective in stopping brute force attacks on your WordPress website. After all, a hacker may be able to guess your password, but chances are they don’t have your cell phone.
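To show what the time-based one-time password app in that second step actually computes, here is an added example (not part of the original post) implementing RFC 6238 TOTP verification in plain PHP, the language WordPress is written in. The wpsec_ function names are my own, and wiring the check into the WordPress login form is left out.

```php
<?php
// Added example: RFC 6238 TOTP verification (HMAC-SHA1, 6 digits, 30-second steps),
// the algorithm behind Google Authenticator. Function names are hypothetical.
// Decode an RFC 4648 base32 secret (the form shown as a setup key / QR code).
function wpsec_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( rtrim( $b32, '=' ) );
    if ( '' === $b32 ) { return false; }
    $bits = '';
    foreach ( str_split( $b32 ) as $char ) {
        $pos = strpos( $alphabet, $char );
        if ( false === $pos ) { return false; } // not valid base32
        $bits .= str_pad( decbin( $pos ), 5, '0', STR_PAD_LEFT );
    }
    $bytes = '';
    foreach ( str_split( $bits, 8 ) as $chunk ) {
        if ( 8 === strlen( $chunk ) ) { // drop the trailing partial byte
            $bytes .= chr( bindec( $chunk ) );
        }
    }
    return $bytes;
}

// Code for one time step: HMAC-SHA1 over the 8-byte big-endian step counter,
// then RFC 4226 dynamic truncation to 31 bits, reduced to $digits digits.
function wpsec_totp_code( $key, $step, $digits = 6 ) {
    $hash   = hash_hmac( 'sha1', pack( 'J', $step ), $key, true );
    $offset = ord( $hash[19] ) & 0x0f;
    $value  = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $value % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// Verify a submitted code; returns the matching step (int) or false. $last_step is
// the step of the last accepted code: the caller must persist it per user so a
// code captured in transit cannot be replayed within the drift window.
function wpsec_verify_totp( $secret_b32, $submitted, $last_step = 0, $now = null, $window = 1 ) {
    $key = wpsec_base32_decode( $secret_b32 );
    if ( false === $key ) { return false; }
    $now  = ( null === $now ) ? time() : $now;
    $step = intdiv( $now, 30 );
    // Accept +/- $window steps to tolerate clock drift between phone and server.
    for ( $i = -$window; $i <= $window; $i++ ) {
        $candidate = $step + $i;
        if ( $candidate <= $last_step ) { continue; } // already used: reject replay
        // hash_equals() keeps the comparison constant-time.
        if ( hash_equals( wpsec_totp_code( $key, $candidate ), (string) $submitted ) ) {
            return $candidate;
        }
    }
    return false;
}
```

The RFC 6238 Appendix B test vectors are the reference to check a verifier like this against before trusting it.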

5. Use a WordPress Backup Plugin

Okay, so you know your web host provides automated site backups in case anything happens. But what happens if your web host’s servers go down and your site is compromised?

Just because your web host has implemented specific security measures doesn’t mean security breaches can’t happen. And you need a reliable way to get a copy of your website, outside the realm of your web host, just in case something happens.

That’s where using a WordPress backup plugin comes in handy. Of course, you can always run a manual backup of your WordPress site too.


But if you want to streamline the process, use a WordPress backup plugin like:

All of these solutions are highly reliable, easy to use, and found in the WordPress Repository, meaning they have been thoroughly vetted for use.

6. Use a Security Plugin

In addition to using a WordPress backup plugin, you should also use a WordPress security plugin for added layers of protection to your site.

A good security plugin will include features such as:

  • Active security monitoring
  • Firewalls
  • Brute force attack prevention
  • Blacklist monitoring
  • Malware scanning and removal
  • Security hardening
  • Post-hack actions
  • File scanning

Additionally, it should notify you immediately should anything suspicious happen on your website.

Not sure which WordPress security plugin to use?

Some of the best security plugins in the market include Sucuri Security, iThemes Security, and VaultPress.

7. Use the Latest PHP Version

According to official WordPress stats, 59.3% of WordPress users still use an outdated PHP version.


And pretty soon, PHP 7.1 is not going to be supported anymore (December 2019), adding another 13.1% of WordPress users to the group using an outdated version of PHP.


WordPress is written in PHP, which also has a major influence on the speed and performance of your website. Each new PHP version is supported by its developers for two years. During those two years, bugs and security issues are addressed on a regular basis so your site remains secure.

To check which PHP version you’re using, go to Tools > Site Health in the WordPress dashboard. Find the Server dropdown and click on it.


If you find that you’re using an outdated version of PHP, reach out to your hosting provider and see what you can do about upgrading it. If you’re using a high-quality host, changing to an updated version of PHP shouldn’t be an issue. In fact, many web hosts will automatically update your PHP version for you.

8. Use an SSL Certificate

SSL (Secure Sockets Layer) is a protocol that encrypts the data that transfers between your website and a user’s browser. In other words, using an SSL certificate prevents hackers from intercepting any data that passes between your site visitor’s browser and your site (and web host servers).

It’s also worth noting that Google has officially made HTTPS a ranking signal. This means that using an SSL certificate will help you rank higher in search results, as well as secure your site.

Not to mention, anyone using the Chrome browser will see a “Not Secure” message anytime they visit a site not using HTTPS. This will hurt your chances of establishing trust with site visitors and may cause an uptick in your site’s bounce rate.


Once you enable SSL, your website’s URL will use HTTPS instead of HTTP. It will also have a green padlock sign next to it, signaling to site visitors that your website is safe and secure.


Many web hosts provide their customers with free SSL certificates. This is usually set up in your hosting account. If your hosting provider doesn’t provide SSL certificates, you can always buy one from a third-party company and enable it in your hosting account.

9. Limit Login Attempts

By default, WordPress allows users to attempt to log in as many times as they want. This leaves your website extremely vulnerable to attack, especially if a hacker is using automated bots to break in.

To beef up your WordPress security efforts, it’s a good idea to customize how many times people can log in to your WordPress site.

For example, the free Cerber Security plugin will let you defend your website from hackers, spam, trojans, and malware. It also mitigates the number of brute force attempts on your site.


Among other things, you can define:

  • Number of login attempts
  • The duration before a retry is allowed
  • Lockout duration
  • Notification settings

You can also use the simpler Login Lockdown plugin, which records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are recorded within a short period of time for one IP address, Login Lockdown will lock down logins to your website and prevent further login attempts.
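The plugin settings listed above (attempt count, retry window, lockout duration) map directly onto a few WordPress core hooks. The following is an added example, not code from Cerber Security or Login Lockdown, of a minimal per-IP limiter; the thresholds and the wpsec_ prefix are assumptions.

```php
<?php
// Added example (not the Cerber Security or Login Lockdown plugin): a minimal
// per-IP brute-force limiter built only on WordPress core hooks and transients.
// The thresholds and the wpsec_ prefix are assumptions; tune them for your site.
define( 'WPSEC_MAX_ATTEMPTS',    5 );                      // failures allowed per window
define( 'WPSEC_WINDOW_SECONDS',  15 * MINUTE_IN_SECONDS ); // failure counting window
define( 'WPSEC_LOCKOUT_SECONDS', 30 * MINUTE_IN_SECONDS ); // how long a lockout lasts

function wpsec_client_ip() {
    // REMOTE_ADDR cannot be forged by the client. Behind a reverse proxy or CDN
    // it is the proxy's address, so have the proxy/web server set REMOTE_ADDR
    // rather than trusting an X-Forwarded-For header that anyone can send.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function wpsec_transient_key( $prefix ) {
    // Hash the IP so the key is short and contains only safe characters.
    return $prefix . md5( wpsec_client_ip() );
}

function wpsec_is_locked_out() {
    return false !== get_transient( wpsec_transient_key( 'wpsec_lock_' ) );
}

// 1) While locked out, refuse every login from this IP, even with the right
//    password. Priority 30 runs after core's own username/password checks (20),
//    so our WP_Error replaces whatever result they produced.
add_filter( 'authenticate', 'wpsec_block_locked_ip', 30, 3 );
function wpsec_block_locked_ip( $user, $username, $password ) {
    if ( wpsec_is_locked_out() ) {
        return new WP_Error( 'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}

// 2) Count failures per IP and start a lockout once the threshold is reached.
add_action( 'wp_login_failed', 'wpsec_record_failure' );
function wpsec_record_failure( $username ) {
    if ( wpsec_is_locked_out() ) {
        return; // already locked; don't extend the lockout on every retry
    }
    $key      = wpsec_transient_key( 'wpsec_fail_' );
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, WPSEC_WINDOW_SECONDS );
    if ( $attempts >= WPSEC_MAX_ATTEMPTS ) {
        set_transient( wpsec_transient_key( 'wpsec_lock_' ), time(), WPSEC_LOCKOUT_SECONDS );
        delete_transient( $key );
        // Leave an audit trail in the PHP error log for the hosting/security team.
        error_log( sprintf( 'wpsec: locked out %s after %d failed logins (last username tried: %s)',
            wpsec_client_ip(), $attempts, $username ) );
    }
}

// 3) A successful login clears the failure counter for that IP.
add_action( 'wp_login', 'wpsec_clear_failures' );
function wpsec_clear_failures() {
    delete_transient( wpsec_transient_key( 'wpsec_fail_' ) );
}
```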

10. Change Your WordPress Login URL

By default, your WordPress website’s login URL is domain.com/wp-admin. The problem with this is that hackers, bots, and scripts know this, making your website vulnerable to brute force attacks and other cybercrime.

That’s why you should change the WordPress login URL so the login page isn’t as obvious to those trying to break in.

The free WPS Hide Login plugin is the perfect solution. It doesn’t rename your site’s login page, change files, or rewrite rules. All it does is intercept page requests


There’s also an area to input a redirect URL when someone tries to access your site’s login page using the default domain.com/wp-admin URL. Just make sure you choose a URL that isn’t easy for bots to guess or scripts to scan.

11. Add Security Questions to WordPress Login Page

After you’ve changed your WordPress login page’s URL, you can make it even harder for hackers to bypass it by adding a security question that must be answered before a user can log in.

You see, automated bots that scan millions of websites trying to break in can’t answer human questions. Even if they crack your site’s password, they won’t be able to type out an answer to a security question, so your WordPress site stays protected. And even if they could, they’d never be able to guess your own personalized answer.

With a free WordPress security plugin like WP Security Question, you can easily use any of the pre-determined security questions or create your own.


In addition, decide whether to ask a security question on the login, registration, or forgot password screens (or all three).

12. Hide WordPress Version

It’s not enough to hide your default WordPress login page from hackers. WordPress is such a target because it’s so widely used, and hackers know they can exploit sites whose security has been neglected, so it’s also worth hiding the fact that you use WordPress as your CMS.

After all, anyone can see that you’re running an old, outdated version of WordPress by checking the page source, and then take advantage of known vulnerabilities in that version.


Of course, using the most recent version of WordPress prevents this. But for added security, you can also remove the WordPress version, whether it’s updated or not.

To remove the WordPress version number from your site’s header, go to your functions.php file in the WordPress dashboard and add the following code:

// Return an empty string in place of the WordPress version in the generator tag
function wp_version_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wp_version_remove_version' );

This removes the WordPress version not only from your site’s pages but also from your feeds (one place hackers go looking).

Keep in mind, this requires you to make changes to your WordPress site’s code, which can be scary for novice website owners without a lot of technical knowledge. Plus, if you make a mistake, you risk breaking your site.

If you want, you can always use a free WordPress plugin like Remove Version Number to remove the version of WordPress you’re using from the head, RSS feeds, stylesheets, and scripts.
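The generator tag is not the only place the version shows up: WordPress also appends its version as a ?ver= query string to the core stylesheets and scripts it loads. As an added example (not from the original post or the Remove Version Number plugin), this strips that query string too, using the core style_loader_src and script_loader_src filters; the wpsec_ function name is an assumption.

```php
<?php
// Added example (not from the original post): WordPress appends ?ver=<core version>
// to every core stylesheet and script it enqueues, which leaks the version even
// after the generator tag is gone. The wpsec_ name is an assumption; the hook
// names are WordPress core filters.

// Remove ?ver= only when it equals the WordPress core version. A plugin's or
// theme's own version string is left alone so cache-busting for their updated
// assets keeps working (and it does not reveal the core version anyway).
function wpsec_strip_core_version( $src ) {
    $query = parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src; // no query string, nothing to strip
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && get_bloginfo( 'version' ) === $args['ver'] ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
// Late priority so we see the URL after other plugins have adjusted it.
add_filter( 'style_loader_src',  'wpsec_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'wpsec_strip_core_version', 9999 );
```

Hiding the version only removes a fingerprint; it does not remove the vulnerabilities of an outdated install, so it complements updating rather than replacing it.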

13. Log Out Idle Users

People who are logged into your site but wander away from their screen leave your website vulnerable. Someone can hijack their session and make changes to your site, change passwords or account information, and even steal sensitive data.

To protect your WordPress users’ sessions, and your website, use a WordPress security plugin like Inactive Logout. This plugin will automatically log out idle user sessions based on the idle time you configure in its settings.

Inactive Logout also gives you the opportunity to create a custom idle message, so users who are still around can continue their session and not wonder why they’ve been logged out.

In addition, it comes with neat features like:

  • Timeout countdown timer
  • Wake Up! message to remind users to continue browsing
  • Page redirect instead of custom popup message
  • Multisite support
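For a server-side idle timeout without a plugin, here is an added example (not the Inactive Logout plugin’s code) built on WordPress core APIs; the 15-minute limit, the user-meta key and the wpsec_ names are assumptions, and the client-side countdown the plugin offers is not part of it.

```php
<?php
// Added example (not the Inactive Logout plugin): end dashboard sessions that have
// been idle longer than a limit, using only WordPress core APIs. The 15-minute
// limit, the meta key and the wpsec_ names are assumptions.
define( 'WPSEC_IDLE_LIMIT', 15 * MINUTE_IN_SECONDS );
define( 'WPSEC_LAST_SEEN_META', 'wpsec_last_seen' );

// admin_init runs on every dashboard page load (admin area only). Heartbeat
// (admin-ajax.php) and WP-Cron requests are skipped, otherwise an open but
// unattended tab would count as activity and the user would never go idle.
add_action( 'admin_init', 'wpsec_enforce_idle_timeout' );
function wpsec_enforce_idle_timeout() {
    if ( wp_doing_ajax() || wp_doing_cron() || ! is_user_logged_in() ) {
        return;
    }
    $user_id   = get_current_user_id();
    $last_seen = (int) get_user_meta( $user_id, WPSEC_LAST_SEEN_META, true );
    $now       = time();

    if ( $last_seen && ( $now - $last_seen ) > WPSEC_IDLE_LIMIT ) {
        // wp_logout() clears the auth cookies AND destroys the server-side session
        // token, so a cookie copied from the idle machine stops working too.
        wp_logout();
        delete_user_meta( $user_id, WPSEC_LAST_SEEN_META );
        wp_safe_redirect( add_query_arg( 'wpsec_reason', 'idle', wp_login_url() ) );
        exit;
    }
    update_user_meta( $user_id, WPSEC_LAST_SEEN_META, $now );
}

// Tell the user why they are back at the login screen instead of leaving them guessing.
add_filter( 'login_message', 'wpsec_idle_login_message' );
function wpsec_idle_login_message( $message ) {
    if ( isset( $_GET['wpsec_reason'] ) && 'idle' === $_GET['wpsec_reason'] ) {
        $message .= '<p class="message">'
            . esc_html__( 'You were logged out after a period of inactivity. Please log in again.' )
            . '</p>';
    }
    return $message;
}
```

The logout takes effect on the idle user’s next request rather than at the moment the limit passes, which is why the plugin pairs this kind of check with a countdown in the browser.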

14. Always Use Secure Connections

You might not think about how important internet connections are, but they are crucial to WordPress security. Think about it. If you’re in Starbucks using their network to work on your website, you open yourself up to attacks.

Here are some quick tips for making sure your connection (and WordPress site) is not exposed, whether you’re at your home, office, or in a public place:

  • Use a VPN service to hide your IP address and encrypt your internet traffic and activity
  • Consider using a different router IP range
  • Enable high-level encryption on your Wi-Fi
  • Keep your router software updated at all times
  • Whitelist IP addresses on your Wi-Fi so only devices with certain IP addresses and the password can access the network

15. Disable File Editing

WordPress gives you the ability to change theme and plugin files in the WordPress admin area using a built-in code editor. But if someone is able to hack into your site and access this, you could end up with a lot of security issues.


To harden security just in case someone manages to break into your site, we recommend you disable file editing.

To do this, all you have to do is add a small snippet of code to your wp-config.php file:

// Disallow file edit: removes the Theme Editor and Plugin Editor from the admin area
define( 'DISALLOW_FILE_EDIT', true );

If you happen to use the Sucuri security plugin we mentioned above, you can also achieve this in the settings section with one click.

Summary

In the end, there are many ways to implement additional WordPress security measures on your website, beyond what the WordPress core provides. In fact, it’s absolutely necessary to do at least some of these to make sure you, your website, and your site visitors are fully protected.

If you ever find your WordPress site has been hacked, despite your efforts to secure it, get in touch with us here at 24×7 WPSupport. We specialize in helping those whose websites have been hacked with malware or viruses. Not only do we have a team of experts that can clean up and fix your site, we can do it quickly so your site isn’t flagged and banned. Don’t let the malicious intentions of someone else interfere with your livelihood or site visitors; have us help you instead!
