In this article, we will discuss the most common and dangerous security issues that occur when using WordPress. After that we will discuss all the steps that are required to run a safe and secure WordPress website.
Why Your WordPress Website Needs Security
Every successful website built with WordPress needs security at several different levels.
Protects your information.
If attackers attain personal information about you or your website visitors, there’s no end to what they could do with the information. Security breaches open you up to public data leaks, identity theft, servers crashing etc.
Your visitors expect it.
As your website grows, the number of problems you’ll need to solve and your visitors’ expectations for how you address those problems will increase. One of those problems is keeping your visitors’ information secure. If you can’t provide this fundamental service from the get-go, you will undermine your customers’ trust in you.
Google favors secure websites.
Keeping your WordPress website secure is a cornerstone of maintaining a high-ranking website.
Clearly, protecting your online properties should be a key concern. Every website needs to ensure safety for their visitors.
Is WordPress Safe?
WordPress is a safe content management system. However, it can be vulnerable to attacks — just like any CMS.
There’s no way around it: websites that use WordPress are a popular target for cyberattacks. In its WordPress security report, the firewall service Wordfence reported blocking a whopping 18.5 billion password-attack requests against WordPress websites. That’s nearly 20 billion attacks on WordPress websites alone.
This might be less surprising, knowing that 42.7% of all websites use WordPress. Still, nearly twenty billion attacks is quite high, even when taking WordPress’ market share into account.
The bad news continues: 8 out of 10 WordPress security vulnerabilities fall into the “Medium” or “High” severity range according to the Common Vulnerability Scoring System.
But before you hard-delete your WordPress account, you should know that these numbers aren’t entirely WordPress’ fault. Or, at least, not the fault of the WordPress product itself.
WordPress Security Issues
The most common types of cyberattacks on WordPress websites are:
Brute-Force Login Attempts
This is one of the simplest types of attacks. A brute-force login occurs when attackers use automation to enter many username-password combinations very quickly, eventually guessing the right credentials. Brute-force hacking can access any password-protected information, not just logins.
Cross-Site Scripting (XSS)
XSS occurs when an attacker “injects” malicious code into the backend of the target website to extract information and wreak havoc on the site’s functionality. This code could be introduced in the backend by more complex means, or submitted simply as a response in a user-facing form.
Database Injections
Also known as a SQL injection, this happens when an attacker submits a string of harmful code to a website through some user input, like a contact form. The website then stores the code on its database. Similarly to an XSS attack, the harmful code runs on the website to fetch or compromise confidential information stored in the database.
Backdoors
A backdoor is a file containing code that lets an attacker bypass the standard WordPress login and access your site at any time. Attackers tend to place backdoors among other WordPress source files, making them difficult to find by inexperienced users. Even when removed, attackers can write variants of this backdoor and continue using them to bypass your login.
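The injection and XSS attacks described above both start with user input that reaches a database query or an HTML page unchanged. The following added example (not code from the original article) shows a WordPress contact-form handler written the vulnerable way beside the hardened version that validates, binds query parameters with $wpdb->prepare() and escapes on output; the table name ex_messages, the form fields and the ex_ function names are constructed for this example.

```php
<?php
// Assumption: a plugin handling a contact form whose entries are stored in a
// constructed custom table {$wpdb->prefix}ex_messages with columns name, message.

// VULNERABLE: request values are concatenated into SQL and echoed back unescaped.
function ex_save_message_vulnerable() {
    global $wpdb;
    $name    = $_POST['name'];
    $message = $_POST['message'];
    // A quote character in $name or $message changes the meaning of this statement.
    $wpdb->query( "INSERT INTO {$wpdb->prefix}ex_messages (name, message)
                   VALUES ('$name', '$message')" );
    // Any markup or script stored in $message is sent to the browser as-is.
    echo "<p>Thanks, $name. You wrote: $message</p>";
}

// HARDENED: verify the request, sanitize and validate input, bind values, escape output.
function ex_save_message_hardened() {
    global $wpdb;
    // Reject submissions that did not originate from our own form (nonce check).
    if ( ! isset( $_POST['ex_nonce'] ) || ! wp_verify_nonce( $_POST['ex_nonce'], 'ex_contact' ) ) {
        wp_die( 'Invalid request.', 'Error', array( 'response' => 403 ) );
    }
    // WordPress adds slashes to $_POST; remove them before sanitizing.
    $name    = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    if ( '' === $name || '' === $message || strlen( $message ) > 2000 ) {
        wp_die( 'Name and message are required (message up to 2000 characters).' );
    }
    // prepare() binds the %s placeholders, so quotes in the data cannot alter the SQL.
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}ex_messages (name, message) VALUES (%s, %s)",
        $name,
        $message
    ) );
    // esc_html() converts < > & " ' to entities, so the data is displayed, not executed.
    printf( '<p>Thanks, %s. You wrote: %s</p>', esc_html( $name ), esc_html( $message ) );
}
```

Sanitizing on input is not a substitute for escaping on output: the hardened handler does both, and binds the query regardless of what sanitization already removed.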
Denial-of-Service (DoS) Attacks
These attacks prevent authorized users from accessing their own website. DoS attacks are most frequently carried out by overloading a server with traffic and causing a crash. The effects are worsened in the case of a distributed denial-of-service attack (DDoS), a DoS attack conducted by many machines at once.
Phishing
When an attacker contacts a target posing as a legitimate company or service, this is known as phishing. Phishing attempts typically prompt the target to give up personal information, download malware, or visit a dangerous website. If an attacker accesses your WordPress account, they could even coordinate phishing attacks on your customers while posing as you.
Hotlinking
Hotlinking occurs when another website shows embedded content (usually an image) that is hosted on your website without permission, so that the content appears like it’s their own. While more akin to stealing than a full-blown attack, hotlinking is usually illegal and gives the victim serious issues, since they have to pay every time content is retrieved from their server when displayed on another website.
For these crimes to occur, hackers need to discover holes in a site’s security. Common vulnerabilities that hackers look for when targeting WordPress websites include:
- Plugins: Third-party plugins account for the majority of WordPress security breaches. Since plugins are created by third parties and have access to the backend of your website, they’re a common channel for hackers to disrupt your site’s functionality.
- Outdated WordPress versions: WordPress sometimes releases new versions of their software to patch security vulnerabilities. When fixes come out, the vulnerabilities become public knowledge, and problems with old versions of WordPress are often targeted by hackers.
- The login page: The backend login page for any WordPress website by default is the site’s main URL with “/wp-admin” or “/wp-login.php” added to the end. Attackers can easily find this page and attempt a brute force entry.
- Themes: Yes, even your WordPress theme can open your site up to cyberattacks. Outdated themes may be incompatible with the most recent version of WordPress, allowing easy access to your source files. Also, many third-party themes do not follow WordPress’ standards for code, causing compatibility issues and similar vulnerabilities.
How to Secure Your WordPress Site
- Secure your login procedures.
- Use secure WordPress hosting.
- Update your version of WordPress.
- Update to the latest version of PHP.
- Install one or more security plugins.
- Use a secure WordPress theme.
- Enable SSL/HTTPS.
- Install a firewall.
- Back up your website.
- Conduct regular WordPress security scans.
- Filter out special characters from user input.
- Limit WordPress user permissions.
- Use WordPress monitoring.
- Log user activity.
- Change the default WordPress login URL.
- Disable file editing in the WordPress dashboard.
- Change your database file prefix.
- Disable your xmlrpc.php file.
- Consider deleting the default WordPress admin account.
- Consider hiding your WordPress version.
WordPress Security Best Practices
1. Secure your login procedures.
The most fundamental step to securing your website is keeping your accounts safe from malicious login attempts. To do this:
- Use strong passwords: We used to think there would be flying cars in the future, but as of this year, people are still using “123456” as a password. Make sure that all users with accounts on your WordPress backend are using strong passwords to log in. You might want to use one of our recommended password managers to generate strong passwords and keep track of them for you.
- Enable two-factor authentication: Two-factor authentication (2FA) requires users to verify their sign-on with a second device. This is one of the simplest, yet most effective tools to secure your login.
- Don’t make any account username “admin”: Chances are, this will be the first username attackers will plug in during a brute force login attempt. If you’ve already created a user with this name, create a new administrator account with a different username.
- Limit login attempts: Placing a cap on the number of times a user enters the wrong credentials in a certain amount of time will prevent hackers from brute-forcing a login. Some hosting services and firewalls might take care of this for you, but you can also install a plugin like Limit Login Attempts for the job.
- Add a captcha: You’ve likely seen this security feature on many other websites. They add an extra layer of security to your login by verifying that you are indeed a living person. You can use plugins to add a captcha to your site. reCaptcha by BestWebSoft is one we recommend — see our guide to enabling Google reCaptcha in WordPress.
- Enable auto-logout: While you should remember to log out of your WP account when finished, auto-logout prevents strangers from snooping in your account if you forget. To enable auto-logout on your WordPress account, try the Inactive Logout plugin.
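The “limit login attempts” step above can be implemented without a plugin. The following is an added example, not code from the article or from the Limit Login Attempts plugin: a must-use plugin that counts failed logins per client address in a transient and refuses further attempts once a threshold is reached. The limits, the ex_ prefix and the transient key are constructed for this example.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Place this file in wp-content/mu-plugins/ so it loads before themes and plugins.
 */

// Constructed limits for this example: 5 failures within 15 minutes lock the address out.
const EX_MAX_FAILURES = 5;
const EX_WINDOW_SECS  = 15 * MINUTE_IN_SECONDS;

// Assumption: the site is not behind a reverse proxy or CDN. If it is, REMOTE_ADDR is
// the proxy's address and the client IP must be taken from the proxy's trusted header.
function ex_login_key() {
    return 'ex_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

// Count each failed login against the client's address; the counter expires with the window.
// Note that every further failure (including a refused attempt) restarts the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ex_login_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EX_WINDOW_SECS );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20), so the
// lockout error is the final result and cannot be overwritten by a correct password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( ex_login_key() ) >= EX_MAX_FAILURES ) {
        return new WP_Error(
            'ex_too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( ex_login_key() );
}, 10, 2 );
```

The error message is deliberately generic so that it does not reveal whether the username exists; distributed brute-force attempts that rotate addresses still need the firewall or hosting-level protection the article mentions.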
2. Use secure WordPress hosting.
When choosing the service that hosts your website, there are many factors to take into account, but security should be a top priority. Consider services that have taken steps to protect your information and promptly recover if an attack occurs. See our list of recommended WordPress hosting providers.
3. Update your version of WordPress.
Outdated versions of the WordPress software are a very common target for hackers. Make sure you regularly check for and install WordPress updates as soon as possible to eliminate vulnerabilities found in older versions.
4. Update to the latest version of PHP.
Upgrading to the latest version of PHP is one of the most important steps you can take to keep your WordPress website secure. When an upgrade is ready, WordPress will notify you on your dashboard. It will then prompt you to head to your hosting account to upgrade to the latest PHP version. If you don’t have access to your hosting account, get in touch with your web developer to upgrade.
5. Install one or more security plugins.
We highly recommend installing one or more reputable security plugins on your website. These plugins do much of the security-related manual work for you, including scanning your website for infiltration attempts, altering source files that might leave your site susceptible, resetting and restoring the WordPress site, and preventing content theft like hotlinking. Some reputable plugins cover almost everything on this list.
6. Use a secure WordPress theme.
To check whether your current theme meets WordPress’ requirements, copy your website URL (or the URL of any WordPress site or any theme’s live demo) into W3C’s validator. If you find your theme isn’t compliant, search for a new theme in the official WordPress theme directory. All themes in this directory are safely compatible with WordPress software.
7. Enable SSL/HTTPS.
SSL (Secure Sockets Layer; its modern successor is TLS, but the name SSL has stuck) is the technology that encrypts connections between your website and visitors’ web browsers, ensuring that the traffic between your site and your visitors’ computers is safe from unwelcome interception.
Your WordPress site needs SSL enabled. If you’re a CMS Hub user, SSL is free and built into the platform so you’re good to go. If you are using WordPress, then depending on your use case, you may opt to do this manually or use a dedicated SSL plugin. Not only will it boost SEO, but it also plays directly into your visitors’ first impression of your website. Google Chrome will even warn users if the site they’re visiting isn’t served over HTTPS, which directly reduces website traffic.
To see whether your WordPress site follows the SSL protocol, visit your WordPress site’s homepage. If the homepage URL begins with “https://” (the “s” stands for “secure”), your connection is secured with SSL. If the URL begins with “http://”, you’ll need to obtain an SSL certificate for your website.
8. Install a firewall.
A firewall sits between the network that hosts your WordPress site and all other networks, and automatically prevents unauthorized traffic from entering your network or system from the outside. Firewalls keep malicious activity out of your site by eliminating any direct connection between your network and other networks.
We recommend installing a Web Application Firewall (WAF) plugin to protect your WordPress site. With the CMS Hub, your site will come with WAF within the platform. As with everything else on this list, carefully deliberate which type of firewall and which plugin works best for your needs before making your choice.
9. Back up your website.
Being hacked is bad. Losing all your information is even worse. Make sure you have your website information backed up by WordPress and your host in the event of an attack (or any other incident) that causes data loss. We recommend backups be automatic as well. See our list of the best WordPress backup plugins available.
10. Conduct regular WordPress security scans.
It’s a good idea to run routine check-ups on your site. Aim for at least once a month. There are multiple plugins that can scan your site for you. Here are the seven WordPress scanner plugins we recommend.
Once you’ve taken these basic steps, you can then move to more advanced measures to secure your WordPress website.
Advanced WordPress Security Best Practices
1. Filter out special characters from user input.
2. Limit WordPress user permissions.
3. Use WordPress monitoring.
4. Log user activity.
5. Change the default WordPress login URL.
6. Disable file editing in the WordPress dashboard.
By default, WordPress lets administrators edit the code of their files directly with the code editor. This gives attackers an easy way to alter your files if they gain access to your account. If a plugin hasn’t already disabled this feature, you can do some light coding to disable it yourself. Add the code below to the end of the file wp-config.php:
// Disallow file edits
define( 'DISALLOW_FILE_EDIT', true );
7. Change your database file prefix.
8. Disable your xmlrpc.php file.
9. Consider deleting the default WordPress admin account.
10. Consider hiding your WordPress version.
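Items 8 and 10 above can be applied with a few lines of code, in the same way as item 6. The following added example (not code from the original article) is a must-use plugin that switches off XML-RPC, removes the pingback header, and strips the WordPress version number from the generator tag and from script and style URLs; the ex_ function name is constructed for this example.

```php
<?php
/**
 * Plugin Name: XML-RPC off and version hiding (added example)
 * Place this file in wp-content/mu-plugins/.
 */

// Item 8: xmlrpc_enabled only governs methods that require a login, so it stops
// password-based XML-RPC requests. Keep XML-RPC on only if something still needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Pingbacks do not log in, so remove those methods separately.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Drop the X-Pingback response header that advertises the endpoint.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Item 10: remove the generator meta tag and the generator element in feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Core scripts and styles carry ?ver=<WordPress version> in their URLs; strip it.
function ex_strip_version_arg( $src ) {
    if ( false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'ex_strip_version_arg', 15 );
add_filter( 'style_loader_src', 'ex_strip_version_arg', 15 );
```

Hiding the version only removes an easy hint; the version remains discoverable by other means, so item 3 (keeping WordPress updated) is the actual protection.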
What To Do If You’re Hacked
Here’s what to do:
1. Remain calm.
2. Turn on maintenance mode on your website.
3. Start creating an incident report.
4. Reset access and permissions.
5. Diagnose the issue.
6. Review related websites and channels.
7. Reinstall backup, themes and plugins.
8. Change your site passwords again.
9. Alert your customers and stakeholders.
10. Check that your website is not blacklisted by Google.
While blacklisting is necessary to keep users away from harmful websites, it will also scare most traffic from your legitimate site. Sucuri has a free tool to scan your website for Google blacklist status.