If you own a website, you should take your website security seriously, especially if your website is a WordPress site.
WordPress is a secure CMS, but because it is an open source system, it suffers from various critical vulnerabilities. Fortunately, securing WordPress is simple when you take the right steps.
In this article, we’ll go into detail about the most common and dangerous security vulnerabilities that come with using WordPress. Then, we’ll cover all the steps to running a safe and secure WordPress site.
Why You Need WordPress Security
Let’s discuss the reasons why every successful website built with WordPress prioritizes security. These apply to businesses of all sizes.
Also, what is the connection between securing a WordPress site and choosing appropriate web hosting?
Security protects your information and reputation
If attackers obtain personal information about you or your website visitors, there’s no end to what they can do with it. Security breaches open the door to public data leaks, identity theft, ransomware, server crashes, and the list, unfortunately, goes on and on. Needless to say, any of these events are far from ideal for the growth and reputation of your business, and are usually a huge waste of time, money, and energy.
Your visitors expect website security from you.
As your business grows, the number of problems you have to solve and your customers’ expectations of how you will handle those problems will increase. One of those problems is keeping your customers’ information secure. If you can’t provide this basic service from the start, you will undermine your customer’s trust in you.
Your customers need to trust that their information will be used and stored securely, whether it’s contact information, payment details, or a basic survey response. There’s a catch-22 here: If your security measures are working, your customers will never have to know. But if they ever see news about your website’s security, chances are it’ll be bad news and most of them won’t come back.
Google loves secure websites.
Keeping your WordPress site secure is a cornerstone of maintaining a high-ranking website.
why? Because a secure website is a searchable website. Website security directly affects your website’s ranking in Google (and other search engines). Security is one of the easiest ways to boost your website’s search engine rankings.
It’s clear that protecting your online assets should be a top concern. Every website needs to ensure safety for its visitors and users, and we’ll go over the steps to do so. But first, you might be wondering: Is WordPress a secure website builder ?
How secure is WordPress?
WordPress is a secure content management system. However, it can be vulnerable to attacks – just like any CMS.
There’s no getting around it: Websites that use WordPress are a popular target for cyberattacks. In its WordPress Security Report, a firewall service called Wordfence blocked 18.5 billion password phishing requests on WordPress sites. That’s almost 20 billion attacks on WordPress sites alone.
This may be less surprising, considering that 42.7% of all websites use WordPress. Still, nearly twenty billion attacks is still quite high, even when you consider WordPress’ market share.
8 out of 10 WordPress security risks fall into the “medium” or “high” severity rating according to the common vulnerability scoring system.
But before you delete your WordPress account, you should know that these numbers aren’t entirely WordPress’ fault. Or, at least, not the fault of the WordPress product itself.
WordPress employs a large security team of world-class researchers and engineers who search for vulnerabilities in its system, and regularly releases security updates for its software. When it comes to the core of WordPress, we’re backed up. The problem is in how WordPress is made available to its users.
WordPress is open source software, meaning the source code is available for anyone to modify and distribute. Because WordPress is open source, the software is infinitely customizable and optimized. There are thousands of plugins, themes, and developers with the skills to modify the backend code themselves. This flexibility is a defining feature of WordPress, and a huge part of what makes it so powerful and popular.
The downside to all this freedom is that a poorly configured or maintained WordPress site is prone to a myriad of security issues. WordPress gives great power to its users, and with great power comes great responsibility. A responsibility that many shirk. Hackers know this and target WordPress sites accordingly.
However, you can rest easy knowing the following: Perfect security simply does not exist, especially on the Internet. As WordPress states:
“[S]ecurity…is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.”
“Security… is about reducing risk, not eliminating risk. It’s about using all the appropriate controls at your disposal, within reason, that allow you to improve your overall posture and reduce the chances of making yourself a target, and then being hacked.”
You can never be completely immune to online threats, but you can take steps to greatly reduce the likelihood of them occurring. The fact that you’re reading this means you probably care about security and are willing to go the extra mile to keep yourself and your visitors safe. In short, WordPress is secure, but only if its users take security seriously and follow best practices.
WordPress security issues
So what could happen if a person chooses to push all these numbers aside and do nothing to secure their WordPress site? As it turns out, a lot. The most common types of cyberattacks on WordPress sites are:
Brute-Force Login Attempts
This is one of the simplest types of attacks. Brute-Force logins occur when attackers use automation to enter many username-password combinations very quickly, eventually guessing the correct data. Brute-Force hacking can access any password-protected information, not just logins.
Cross-Site Scripting ( XSS )
XSS occurs when an attacker “injects” malicious code into the backend of a target website to extract information and wreak havoc on the website’s functionality. This code can be presented on the backend through more complex means, or simply served as a response in a user-facing form.
Database Injections
Also known as SQL injection, this occurs when an attacker sends a malicious line of code to a website through some user input, such as a contact form. The website then stores the code in its database. Similar to an XSS attack, the malicious code runs on the website to obtain or compromise confidential information stored in the database.
Backdoors
A backdoor is a file that contains code that allows an attacker to bypass the normal WordPress login and access your site at any time. Attackers tend to place backdoors among other WordPress source files, making them difficult for inexperienced users to find. Even after removal, attackers can write versions of this backdoor and continue to use it to bypass your login.
Although WordPress limits the types of files users can upload to reduce the chance of backdoors, it’s still an issue to be aware of.
Denial -of-Service (DoS ) Attacks
These attacks prevent authorized users from accessing their website. DoS attacks are often carried out by overloading a server with traffic and causing it to crash. The effects are exacerbated in the case of a distributed denial of service (DDoS) attack, a DoS attack carried out by many machines at once.
Phishing
When an attacker contacts a target by impersonating a legitimate company or service, it’s called phishing. Phishing attempts typically trick the victim into giving up personal information, downloading malware, or visiting a dangerous website. If an attacker gains access to your WordPress account, they can even coordinate phishing attacks on your customers while impersonating you.
Hotlinking – Hotlinking
Hotlinking occurs when another website displays embedded content (usually an image) hosted on your site without permission, making it appear as if the content is theirs. Although more like theft than a full-blown attack, hotlinking is usually illegal and causes serious problems for the victim, as they have to pay every time the content is retrieved from their server when displayed on another site.
For these crimes to occur, hackers need to discover holes in the website’s security. Common vulnerabilities that hackers look for when targeting WordPress sites include:
PLUGINS : Third-party plugins are often responsible for WordPress security breaches. Because plugins are created by third parties and have access to the backend of your site, they are a common channel for hackers to disrupt your site’s functionality.
Outdated WordPress versions: WordPress sometimes releases new versions of its software to fix security vulnerabilities. When patches are released, the vulnerabilities become public knowledge, exposing the problems with older versions of WordPress to hackers.
The login page: The backend login page of any WordPress site by default is the main URL of the site with “/wp-admin” or “/wp-login.php” appended to the end. Attackers can easily find this page and try to log in.
Themes: Yes, even your WordPress theme can expose your site to cyberattacks. Outdated themes may not be compatible with the latest version of WordPress, making it easy to access your source files. Also, many third-party themes do not adhere to WordPress coding standards, causing compatibility issues and similar vulnerabilities.
Now that we’ve gotten past the scary part, let’s discuss what you can do to reduce the threat of a cyber attack on your WordPress site.
Website security, and WordPress site security in particular, comes down to maintaining a set of best practices. Some of these apply to all sites in general (e.g. strong passwords and two-factor authentication, SSL, and firewalls), while others apply specifically to WordPress sites (e.g. using secure plugins and a secure WordPress theme).
To keep your site safe, we recommend adhering to as many of these best practices as possible. First, we’ll cover the basic best practices. Then we’ll add additional steps you can take if your site is particularly at risk or if you want to go further.
Best practices for securing WordPress websites
- אבטח את הליכי הכניסה שלך
The most basic step to securing your website is protecting your accounts from malicious login attempts. To do this:
Use strong passwords: We used to think flying cars would be the future, but as of this year, people are still using “123456” as a password. Make sure all users with accounts on your WordPress Backend are using strong passwords to log in.
Enable two-factor authentication: Two-factor authentication (2FA) requires users to verify their login with a second device. It’s one of the simplest, yet most effective, tools for securing your login.
Do not make any account username “admin”: This will most likely be the first username attackers log in to during a brute-force login attempt. If you have already created a user with this name, create a new administrator account with a different username.
Limit login attempts: Setting a limit on the number of times a user enters incorrect credentials in a certain period of time will prevent hackers from forcing a login. Some hosting services and firewalls are supposed to handle this for you, but you can also install a plugin like Limit Login Attempts to do the job.
Add captcha: You’ve probably seen this security feature on many other websites. It adds an extra layer of security to your login by verifying that you are indeed a human and not a robot. You can use plugins to add captcha to your site. reCaptcha by BestWebSoft is a plugin we recommend – check out our guide on how to enable Google reCaptcha in WordPress.
Enable Auto Logout: While you should remember to log out of your WP account when you’re done, auto logout prevents strangers from snooping around in your account. To enable automatic logout of your WordPress account, try the Inactive Logout plugin.
2. Use secure WordPress hosting
When choosing your website host, there are many factors to consider, but security should be a top priority. Consider services that have taken steps to protect your information and recover immediately if an attack occurs.
3. Update your WordPress version.
Outdated versions of WordPress software are a very common target for hackers. Be sure to regularly check for and install WordPress updates as soon as possible to eliminate vulnerabilities found in older versions.
To update WordPress to the latest version, first backup your site and check that your plugins are compatible with the latest version of WordPress, update plugins accordingly.
After updating your plugins, follow the update instructions on the WordPress website.
4.Update to the latest version of PHP
Upgrading to the latest version of PHP is one of the most important steps you can take to keep your WordPress site secure. When the upgrade is ready, WordPress will notify you in your dashboard. It will then prompt you to go to your hosting account to upgrade to the latest PHP version. If you don’t have access to your hosting account, contact your web developer to upgrade.
5. Install one or more security plugins
We highly recommend installing one or more reputable security plugins on your website. These plugins do a lot of the manual work related to security for you, including scanning your site for intrusion attempts, modifying source files that could leave your site vulnerable, resetting and restoring your WordPress site, and preventing content theft like hotlinking. A few reputable plugins will cover almost everything on this list.
No matter what plugins you decide to install, whether related to website security or not, make sure they are reputable and legitimate.
6. Use a secure WordPress theme
Just like you shouldn’t install a suspicious plugin on your site, you shouldn’t use just any WordPress theme that looks good. To avoid vulnerabilities caused by a WordPress theme, choose one that complies with WordPress standards.
To check if your current design meets WordPress requirements, copy your website URL (or the URL of any WordPress site or live demo of any theme) into the W3C validator. If you find that your theme is not compliant, search for a new theme in the official WordPress theme directory. All themes in this directory are safely compatible with WordPress software. Alternatively, check out HubSpot’s list of recommended themes, or search the marketplace for other trusted themes.
7. Enable SSL/HTTPS
SSL (Secure Sockets Layer) is the technology that encrypts connections between your website and your visitors’ web browsers, ensuring that traffic between your website and your visitors’ computers is safe from unwanted visitors.
Your WordPress site needs SSL enabled. If you are using CMS Hub, SSL is free and built into the platform. If you are using WordPress, then depending on your use case, you can choose to do this manually or use a dedicated SSL plugin. This will not only boost your website’s SEO, but it also plays directly into your visitors’ first impression of your site. Google Chrome will even warn users if the site they are visiting is not SSL compliant, which directly reduces traffic to the site.
To see if your WordPress site is SSL compliant, visit the homepage of your WordPress site. If the homepage URL starts with “https://” (the “s” stands for “secure”), your connection is secured with SSL. If the URL starts with “http://”, you will need to obtain an SSL certificate for your site.
8. Install a firewall
A firewall sits between the network hosting your WordPress site and all other networks, automatically preventing unauthorized traffic from entering your network or system from the outside. Firewalls prevent malicious activity from outside your site by eliminating direct connections between your network and other networks.
We recommend installing a Web Application Firewall (WAF) plugin to protect your WordPress site. With CMS Hub, your site will come with a WAF built into the platform. As with everything else on this list, carefully consider which type of firewall and plugin best suits your needs before making your choice.
9. Back up your website
Having a hack is bad. Losing all your data is even worse. Make sure your website data is backed up by WordPress and your host in case of a hack (or any other incident) that causes data loss. We recommend that backups are automatic as well.
10. Perform regular WordPress security scans
It is recommended to perform routine checks on your site. Aim for at least once a month. There are several plugins that can crawl your site for you.
Once you’ve taken these basic steps, you can move on to more advanced measures to secure your WordPress site.
Advanced WordPress Security Best Practices
1. Filter special characters from the user receiver
If any part of your site receives a response from visitors, whether it’s a payment form, a contact form, or even a comments section on a blog post, it’s an opportunity for an XSS or database injection attack. Attackers could enter malicious code into any of these text fields and disrupt your site’s backend.
To avoid this problem, make sure to filter out special characters from the user input before it is processed by your website and stored in the database. You can also use a plugin to detect malicious code. Alternatively, you can use a WordPress form plugin to automatically filter out these characters.
2. Restrict WordPress User Permissions
If your WordPress site has multiple user accounts, we recommend changing each user’s roles to limit each user’s access to only what they are authorized to do. WordPress has six roles to choose from for each user. By limiting the number of users with administrator privileges, you reduce the chance of an attacker breaking into the admin account, and limit the damage that can be done if the attacker guesses the user’s passwords correctly.
3. Use WordPress Monitoring
A monitoring system on your website will alert you to any suspicious activity that occurs on your site. Ideally, your other measures would prevent such activity, but it’s better to find out sooner rather than later. You can use a WordPress monitoring plugin to get notified in case there’s a hack.
4. Logging user activity.
Here’s another way to get out of trouble before it happens: Create a log of all the activity that users do on your site, and periodically check this log for suspicious activity. This way, you’ll see if another user is acting suspiciously (e.g. trying to change passwords, modify theme or plugin files, install or disable plugins without permission). Logs are also useful for cleaning up after a hack, showing you what went wrong and when.
This doesn’t mean that all password changes or file changes are always signs that there’s a hacker on your team. However, if you employ a lot of external contributors and give them access privileges, it’s always a good idea to keep an eye on things.
Many WordPress plugins create activity logs, and there are several dedicated logging plugins for WordPress such as WP Activity Log or the free Activity Log plugin.
5. Change the Default WordPress Login URL
As I mentioned, it’s easy to find the default WordPress login page URL for any WordPress site. Plugins like WPS Hide Login change this login page URL for you.
6. Disable file editing in the WordPress dashboard.
By default, WordPress allows administrators to edit the code of their files directly with the code editor. This gives attackers an easy way to modify your files if they gain access to your account. If a plugin hasn’t already disabled this feature, you can do some simple coding to disable it yourself. Add the code below to the end of your wp-config.php file:
// Disallow file edits
define( ‘DISALLOW_FILE_EDIT’, true );
7. Change your database file prefix
The file names that make up your WordPress database start with “wp_” by default. Hackers leverage this setting to locate your database files by name and perform SQL injections.
A simple fix? Change the prefix to something else, like “wpdb_” or “wptable_.” This can be configured when you install the WordPress CMS. If your site is already live with this setup, you can rename these files. In this case, we highly recommend using a plugin to handle this process, as your database stores all of your content and misconfiguration will break your site. Look for the ability to change table prefixes among the features of your preferred security plugin.
8. Disable your php file.
XML-RPC is a communication protocol that allows the WordPress CMS to interact with external web and mobile applications. Since the integration of the WordPress REST API, XML-RPC has been used much less frequently than it once was. However, it is still exploited by some to launch powerful attacks on WordPress sites.
This is because XML-RPC technology allows attackers to submit requests containing hundreds of commands, making it easier to perform brute-force login attacks. XML-RPC is also less secure than REST because its requests contain authentication credentials that can be exploited.
If you don’t use XML-RPC, you can disable the xmlrpc.php file. First, check if your site is using the file. Plug your URL into this XML-RPC validation to see if your site is currently using the protocol. If not, the easiest way to disable the file is with a plugin like Disable XML-RPC-API. Your WordPress security plugin may also be able to do this for you.
9. Consider deleting the default WordPress admin account
We discussed changing the username to “admin” for the default WordPress admin account, but if you want to take things a step further, get rid of this default account entirely, and create a new account with the same admin privileges. This is a good step to take if you think your original admin username and password have been discovered.
10. Consider hiding your WordPress version
Hiding your WordPress version will ensure that hackers don’t know that your site is vulnerable. As previously mentioned, you should always update to the latest version of WordPress. But if you haven’t had the chance to do so yet, it’s crucial to hide the potential vulnerability.
What to do if your website has been hacked?
So, you’ve implemented some or all of the above measures, and now you want to be extra prepared in case something goes wrong. Or something has gone wrong. Either way, here’s what to do:
1. Stay calm.
It’s natural to panic in these situations. Just remember that a security breach can happen to anyone. It’s necessary to keep a clear head so you can pinpoint the source of the breach and start fixing it.
2. Turn on maintenance mode on your website.
Restricting access to your website keeps visitors away from your side and safe from the attack. Open your website only when you are sure the situation is under control.
3. Start creating an incident report.
Write down all relevant details that could help solve the problem. These include, but are not limited to:
When you discovered the problem.
What do you think caused you to be attacked?
Your current theme, active plugins, storage provider, and network provider.
Any other changes you made to your WordPress site before the incident.
A log of your actions while locating and fixing the problem.
Update this document as more details emerge.
4. Reset access and permissions.
Change all account passwords on your WordPress site to prevent further changes to the site. Then, force log out any users who are still logged in.
All account holders should also strongly consider updating passwords on their work and personal devices, as well as personal accounts, as you can’t know for sure what attackers were able to access beyond your WordPress site.
5. I will diagnose the problem.
Either look for the problem yourself using a security plugin, or, depending on the extent of the breach, hire a professional to diagnose the problem and fix your site. Regardless of which method you choose, run a security scan on your site and local files to clean up any remaining malicious files or code left behind by the attackers, and to restore any missing files.
6. Review related websites and channels.
If you have accounts for any other online platforms that are linked to your website, such as a social media account or another WordPress site, check those platforms to see if they were affected. Change your passwords for those channels as well.
7. Reinstall backup, themes, and plugins.
Reinstall your theme and plugins (double check they are safe). If you have a backup, restore the last backup before the event.
8. Change your website passwords again.
Yes, you reset all your WordPress passwords in the past, but those credentials may have been compromised while you were fixing the problem.
9. Alert customers and stakeholders.
Once your website is back up and running, strongly consider contacting your customers and alerting them to the breach, especially if personal information was accessed or even leaked. It’s the right thing to do, and be prepared for negative customer reactions.
10. Check that your website is not on Google’s blacklist.
If your site has been blacklisted by Google as a result of the attack, Google will not so subtly warn users about entering your site:
While the blacklist is necessary to keep users away from harmful sites, it will also scare most of the traffic away from your legitimate site. Sucuri has a free tool to scan your site for Google blacklist status.
11. Follow the recommended methods above.
Taking every precaution possible to limit the possibility of another break-in will give you some peace of mind. Hopefully, something like this won’t happen again. But if it does, you’ll be in a much better position.
Don’t take security for granted.
Cybercriminals are constantly developing new ways to leverage a company’s online presence against them, and security engineers are always developing new methods to stop them. It’s the security cycle that’s turning on the internet, and we’re all caught in the middle. Always keep your customers’ safety in mind, so they have one less thing to worry about.
Note: Any legal information in this content is not legal advice in any way, and we strongly recommend that you consult an attorney if you would like advice regarding your interpretation of this information or its accuracy. In short, you may not rely on it as legal advice or as a recommendation for a particular legal understanding.
The article was written by Jamie Jubeler and translated from English to Hebrew by Yahav Bengiat.
Additional information:
WordPress website maintenance and security
Image by Darwin Laganzon from Pixabay
Images by Pixabay
