Is Your WordPress Website Secure?

All software is vulnerable. That might sound frightening, but it’s true. Ensuring the safety of your website is crucial to preventing hackers from defacing your content, installing backdoors and secondary software, removing user accounts, and other forms of malicious attacks.

These types of attacks are happening more frequently. It’s estimated that Google blacklists nearly 70,000 websites weekly for malware and phishing. Blacklisting consists of your site being removed from Google’s index, leading to a loss in organic traffic and potentially revenue as well.

In order to proactively prevent these types of attacks from happening to your website, it’s important to make sure that you’ve taken the necessary security precautions to protect not just your site, but your business and reputation as well.

WordPress Security Benefits

Many of today’s websites are built on WordPress, an open-source content management system (CMS). 75 million websites are built on WordPress, making up approximately 30% of all websites on the internet today.

Most problems that occur with WordPress are more likely to be older, outdated versions of WordPress itself, or plugins and themes that are provided by third parties. WordPress core is very secure, and it offers several advantages over other CMSs.

 

1. Consistent Security Updates

WordPress has a special security team of around 50 experts that are constantly making updates to strengthen their core code to prevent malicious attacks from hackers. The WordPress Security Team partners with outside, expert security teams to strengthen vulnerabilities and conduct code audits that eliminate potential threats.    

2017 OWASP Top 10 Most Serious Security Risks

1. Injection
2. Broken Authentication and Session Management
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring

Part of what the Security Team addresses is the Open Web Application Security Project’s (OWASP) Top 10 (open new window) list for the most common security threats, which are the 10 most serious security risks for website owners. Through regular code audits and investigation, The Security Team ensures that serious attacks through core software, third party plugins, and themes are mitigated.

2. Backwards Compatibility

Unlike other CMS platforms like Drupal, WordPress offers backwards compatibility. This simply means that themes, plugins, and custom code will still function properly when WordPress makes updates to their core code. Backwards compatibility ensures that no WordPress user has to deal with a broken site when new updates are released, saving them from the frustration of trying to figure out how to fix a broken site.

3. Security Plugins

Plugins act as an extension of WordPress’ built-in capabilities, and there are a variety of security plugins that can help protect your website. Not all plugins are related to security, but there’s a wide selection of free and paid plugins available that protect your site and alert you of potential attacks. Security plugins include malware scanners, firewalls, backups, two-way authentication, and more. Some of the most common, and trusted, security plugins are WordFence (open new window), Sucuri Security (open new window), BulletProof Security, iThemes Security, All In One WP Security Firewall, among others.

Now that we know a few of the security benefits that are associated with using WordPress, let’s take a look at what you can do to strengthen your WordPress site security.

Strengthening Your WordPress Security

When kept updated, WordPress in general is a secure CMS, but there are a few simple steps you can take to ramp up your site’s security.

Only Install Safe Plugins That You Need

As we stated earlier, security plugins can prevent attacks from happening to your site and alert you of any suspicious activity. What some people often neglect, however, is researching  plugins before installation . There are thousands of plugins available for WordPress, but that doesn’t mean that every plugin is safe to use.

It’s important to research any plugin before installing it. We recommend examining the following criteria before installing any plugin.

• Ask yourself, “Does this plugin benefit the security of my website?” If you can’t completely justify saying yes, then you probably don’t need it.
• How long has the plugin been around? If it’s new, that could be a red flag.
• Has it been updated recently? Does it get frequent updates? This information can tell you a lot about how well the plugin will perform.
• Does the plugin have good ratings and reviews from users? Are they speaking positively about their experience using the plugin? If you’re seeing more complaints than praise, it’s best to look into other plugin options.
• Determine if there’s an alternate way to do something, rather than installing a plugin for it. For example, 301 redirects are easily done using .htaccess rules, so it’s not necessary to have a plugin dedicated solely to 301 redirects. There is always a chance a given plugin will stopped being developed. This can cause both security and compatibility issues with WordPress core, so the fewer plugins, the better.

Another thing to keep in mind is avoiding plugin bloat, which can occur when you have too many plugins installed at the same time. The more new plugins that you continue to pile on top of already-installed plugins, the more likely you are to to slow your site’s speed or eventually break something.

Choose Strong Login Credentials and Limit Admins

One of the most common ways for hackers to gain access to your site is by stealing your password. To make it harder for hackers to figure out your password, make it stronger. Avoid using extremely common and unsafe passwords like “123456” and “password123.” While these might be easy to remember, they’re also easy for hackers to figure out. We suggest creating a unique password that features at least 8 characters, with a mixture of numbers, special characters, and capitalized letters.

Relative to choosing a strong password, it’s also very important to choose a unique username. Some people might  select “admin” as their username, but this can be dangerous. By choosing a common username, you’re essentially eliminating a step for a hacker by providing them with half of the login information that they need to attack your site.

“WordPress has had a reputation for being insecure, and I think that’s not quite fair. What happens is there are so many WordPress sites out there that when hacks occur, they get magnified. Overall, WordPress core is a very secure CMS.” – Hal Burgiss CTO at DBS Interactive

Another important aspect of security is limiting who has administrative access to your site. It’s best practice to only grant admin access to those who absolutely need it. The more people that have admin access, especially those who are inexperienced with using WordPress, the more likely you risk the security of your website. Administrators have tremendous power and can break things quite easily, while other user roles can’t.

Auto Logout for Idle Users

When you’re logged into WordPress and become idle, you increase the risk of a hacker attacking your site. Hackers can hijack idle user’s sessions, causing problems that range from content defacing to changes in administrative access.

To prevent this issue from happening to your site, install the Idle User Logout plugin, configure your settings by selecting an auto logout duration, and save your changes. This ensures that you will automatically be logged out when you’re not actively using WordPress.

Enable Login Lockdown

The default setting for login attempts for WordPress is unlimited. Users can attempt to login as many times as they want before entering in the correct information. While this might be helpful for users who forget their login credentials and want to guess by the process of elimination, this opens up endless opportunities for hackers to unlock your login info.

Thankfully, you also have the option to install and enable the Login Lockdown plugin, which allows you to set a maximum number of retries when logging in, as well as setting a duration for the amount of time users must wait until they can attempt to login again.

Update Regularly

It’s recommended to always update to the latest version of WordPress whenever an update to the core code has been conducted. This helps ensure that you’re using the most safe and up-to-date version available. WordPress also makes installing these updates very easy, which is extremely convenient for admins. At the same time, be sure to apply theme and plugin updates as well.

Seek Expert Help for Increased Security

WordPress offers several security benefits to their users, but admins need to take the initiative to further protect their website from hackers by following the basic steps that we laid out. There are more advanced measures you can take to strengthen your security, and it’s best to consult with a digital agency that has experience with building secure websites on WordPress.

With years of experience building safe and secure websites for a variety of companies on WordPress, DBS Interactive has the capabilities to protect your website and business from hackers.