Used by 60% of all CMS websites around the world with 14% of that being ecommerce sites, it is no surprise that WordPress is the target of many malicious attacks. In fact, there are more than 11,000 attacks per minute.
Does it mean that you need to question WordPress security?
WordPress is a strong and robust platform, but it is not perfect. Despite being regularly updated, there might be a few potential security leaks that are easily exploited by hackers.
In this article, I would like to talk about WordPress security and share a few security tips. As a little bonus, I’ll include a step-by-step guide advising what to do if your site was compromised.
How Secure is WordPress?
Backed by 50 leading experts to maintain its security, WordPress is one of the best platforms in terms of security.
That being said, you can build an online business or a professional portfolio site using WordPress without worrying. But, there are a few things that you should not take for granted to safeguard your site.
Here are some of the possible breach points:
- Compromised/simple passwords. Using a simple password creates the biggest threat to your WordPress site. While you might prefer to have an easy-to-remember password, this practice will lead to a disaster.
- Plugin and theme vulnerabilities. Despite promoting best security practice to plugin and theme developers, chances are a few irresponsible people may use WordPress plugins and themes for bad purposes, or simply leave holes in security.
- Brute force attacks. Brute force attackers try to guess your password using computer programs. People that use short passwords are especially at risk, and might lose control of their WordPress credentials.
- WordPress Vulnerabilities. According to Imperva, WordPress has the most vulnerabilities found compared to other content management systems like Drupal or Joomla!. In other words, the more vulnerabilities there are, the higher the chance you will run into problems.
- Malware. Malware — malicious software — is a serious threat to your WordPress site that may inject code into core files and gain control over site behavior. If you find suspicious redirection links, you should be worried.
Again, with a huge user base, WordPress becomes a favorite for hackers. Luckily, the community finds great ways to protect their websites.
What are they? Stay with me, I will explain it in the next section.
WordPress Security Tips You Should Follow
As it is impossible to make your WordPress sites 100% secure, you should do your best to make them less vulnerable.
Here are the tips to protect your WordPress site:
1. Keep a Strong Password
No more “123456”: a strong password is a must.
Also, you should skip using any personal information that is closely related to you like favorite sports teams or your date of birth. That’s the kind of information that is easy to find.
Not only that, you should always change your password at certain intervals, for example, every three months. And, it is highly recommended to use different passwords for different accounts.
Of course, along with these practices, make sure your internet connection is secure and connect to a VPN every time you are forced to use an untrusted public network; otherwise, attackers on that network can intercept your passwords.
2. Keep WordPress Updated
Running the latest version of WordPress is always recommended.
Massive support from active communities enables WordPress to be an amazing platform that never ceases to improve.
Each WordPress release introduces new features like the Gutenberg editor, fixes bugs (some of which come from user reports), patches security vulnerabilities and improves speed to allow better ranking on the search engine result pages (SERP).
3. Update Your WordPress Plugins
If you see a red circle notification on your dashboard’s update and plugin menu, it might be a call to update your WordPress plugins right away.
While you should always check if the updates might change your preset settings, using the latest version is always better.
In fact, you never know where the threats will come from, as shown by what happened to the Yellow Pencil Visual Theme Customizer plugin — affecting 30,000 websites.
In addition, checking your plugin security regularly is a good idea, even when WordPress itself is up to date.
4. Ensure Correct User Permissions
WordPress uses roles to let you manage user permissions.
There are six of them:
- Super Admin — manages all WordPress sites within a network.
- Administrator — is responsible for managing a single WordPress site.
- Editor — can publish and manage posts, including those of other users.
- Author — manages and publishes their own posts.
- Contributor — can write and manage their own posts but cannot publish them.
- Subscriber — a signed-in reader who can manage their own profile.
For a personal blogger, this doesn’t matter that much. But for a business that handles many websites within a network, the failure to set user permissions is a recipe for disaster.
5. Use HTTPS
If you need an extra security layer, then use HTTPS — Hypertext Transfer Protocol Secure — instead of HTTP.
It is a better way of exchanging data between the browser and the server. HTTPS uses encryption to protect you from man-in-the-middle attacks. Once you have activated HTTPS, you will see a green padlock in your browser’s URL bar.
When you send a request to the server over an HTTPS connection, your browser checks the validity of the certificate to make sure it was issued by a trusted certificate authority for that server. Click on the green padlock to see the details.
HTTPS is important because it improves your website’s integrity, helps it rank higher on the search engine result pages, and protects your visitors.
6. Create a Backup of Your Site
Backing up your WordPress site is a must. You should not wait to do that until something goes wrong.
Here are the reasons why you need to create a backup in the first place:
- Server Failure. There is no 100% guarantee a hosting server won’t fail and lose your data.
- WordPress Update Failure. Due to some errors, your WordPress core updates might run unexpectedly and break your site.
- Usage Failure. When customizing your website, you might make mistakes that ruin your website.
- Threat. Once your site becomes the victim of an attack, you need to repair the damage as soon as possible.
Fortunately, there are many WordPress plugins for backing up your website.
Powered by the famous JetPack plugin, VaultPress is a great plugin to back up your WordPress site.
This plugin helps you back up everything from posts and media files to dashboard settings automatically.
VaultPress has a Personal plan that costs $39/year, perfect for small businesses, startups, and personal sites. You will get:
- Daily backups with unlimited storage.
- Brute-Force Attack Protection.
- Spam protection for comments and pingbacks.
Their Premium plan costs $99/year and Professional plan costs $299/year and provides features like:
- Security scanning.
- Malware scanning.
Backup Buddy is another amazing plugin that allows you to back up everything from posts to WordPress settings and core files. That means you will get a complete copy of your WordPress site files.
Backup Buddy comes with three pricing plans you can choose from. All the plans include one-year of plugin updates and premium support:
- The Blogger plan costs $49/year to back up one site.
- The Freelancer plan costs $79/year to back up ten sites.
- The Gold plan costs $129/year to back up unlimited sites.
Updraft Plus is among the best backup plugins, with over two million active installations and a five-star rating.
Once installed and activated, you can go to the settings page to create a backup, manual or scheduled and choose which platform to use for the storage (Dropbox, Google Drive, FTP, etc.).
Their premium version offers more features like incremental backups, database encryption, and the ability to migrate/clone websites.
Updraft Plus has four pricing plans you can choose from:
- Personal plan – $70/year for two sites.
- Business plan – $95/year for ten sites.
- Agency plan – $145/year for 35 sites.
- Enterprise plan – $195/year for unlimited sites.
7. Install a WordPress Firewall Plugin
A firewall is a program that can filter traffic to prevent a security breach.
Installing a WordPress firewall plugin is recommended to ensure that all traffic is inspected before reaching your website — good ones may enter, bad ones stay outside.
Among the best WordPress firewall plugins are SiteLock, Sucuri, and Cloudflare.
SiteLock allows you to protect your WordPress site from cyber threats. While you can get great features from the free version, the premium version offers even better functionality.
SiteLock has three pricing plans you can choose from: SecureStarter ($30/month), SecureSpeed ($50/month), and SecureSite ($70/month).
You can enjoy amazing features such as:
- Blocking malicious bots.
- Customizable traffic filtering.
- Unlimited hack repairs.
Sucuri is one of the best security WordPress plugins that has features like file integrity monitoring, blacklist monitoring, and remote malware scanning.
Similar to SiteLock, you can get their premium version to enjoy a web application firewall (WAF).
Sucuri’s website firewall protects your WordPress site from attacks including:
- DDoS attacks.
- Zero-day exploits.
- System intrusions.
There are four pricing plans to enjoy Sucuri’s premium features: Basic ($199.99/year), Pro ($299.99/year), Business ($499.99/year), and Enterprise (custom pricing).
Cloudflare is a popular security plugin you can use for free. You need to create an account to get features like unlimited DDoS attack mitigation, a global CDN, and a shared SSL certificate.
For more advanced features like web application firewalls (WAF), HTTP/2 prioritization, and role-based account access, you need to get one of their premium versions.
There are three pricing plans you can choose from: Pro – $20/month, Business – $200/month, Enterprise plan – custom pricing.
8. Rename the Login URL and Admin Username
To enhance WordPress security, never leave your login URL and admin username as the default option.
So, change the “/wp-admin” URL and the username “admin” right away. This reduces brute-force attempts, as attackers can no longer find your admin URL and username by default.
You can make this change manually: add a new administrator user with a custom login URL and username, delete the old default one, and let the new administrator user handle your website. Keep in mind: always start by backing up your site.
9. Monitor Users and Accounts
Monitoring allows you to track user activities just in case errors occur.
This is important to help you investigate if intruders try to log in. If you end up finding any suspicious activity, you can stop it before it causes damage. Not only that, monitoring lets you know if there are idle users so you can log them out to prevent misuse of their accounts.
Unfortunately, WordPress doesn’t provide a user activity log by default. So, you need to install a plugin for that task.
WP Security Audit Log records all changes in your posts and pages, user profiles, and WordPress settings. This plugin also records failed logins and spots suspicious behavior.
On the other hand, the Activity Log plugin will write down WordPress core updates, any changes to WordPress settings, and user logs (login, logout, updated and deleted users).
10. Use Two-Factor Login Authentication
By default, you can access your WordPress dashboard by entering the correct username and password. And that’s it.
With this single-factor mechanism, attackers might still gain access to your WordPress dashboard by guessing your password via brute-force attempts or keylogging.
Two-factor authentication adds a second step: besides the password, you also have to enter a randomly generated authentication code. Simply put, even if someone knows the password, they won’t get access if they fail to enter that code. Limiting the number of login attempts is also recommended alongside two-factor authentication.
11. Disable File Editing and .PHP Execution
Most attackers use themes or plugins to inject malicious code to hack your WordPress site. As theme and plugin files are editable from the WordPress dashboard by default to allow customization, this opens you up to potential danger.
To prevent hackers from editing those files through the dashboard and taking advantage of your site, you can disable the built-in file editor. To do that, open your wp-config.php file and insert the line below:
define( 'DISALLOW_FILE_EDIT', true );
In addition, you should also disable PHP execution. This is to prevent things like the MailPoet plugin hack. As you might have heard, hackers exploited a MailPoet plugin bug to gain access to websites and used them to send spam and host malware.
To disable PHP execution, for example in the uploads folder, follow these steps:
- Create a file named .htaccess using your favorite text editor, then add the following code:
<Files *.php>
deny from all
</Files>
- Upload the file to the /wp-content/uploads/ folder using an FTP client like FileZilla.
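To verify both settings after making them, here is an added Python check (example code, not from the article): it confirms that wp-config.php defines DISALLOW_FILE_EDIT as true on an uncommented line and that the uploads .htaccess contains a <Files *.php> block, accepting both the Apache 2.2 deny from all syntax shown above and the Apache 2.4 Require all denied equivalent. The file contents are constructed samples.

```python
import re

# Constructed sample file contents (not taken from any real site).
WP_CONFIG_HARDENED = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DISALLOW_FILE_EDIT', true );
"""
WP_CONFIG_WEAK = """<?php
define( 'DB_NAME', 'example_db' );
// define( 'DISALLOW_FILE_EDIT', true );   commented out, so the editor stays enabled
"""
UPLOADS_HTACCESS = """<Files *.php>
deny from all
</Files>
"""

# Matches define('DISALLOW_FILE_EDIT', true) with either quote style and any spacing,
# but only at the start of a line, so a commented-out define does not count.
FILE_EDIT_RE = re.compile(
    r"""^\s*define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)\s*;""",
    re.MULTILINE | re.IGNORECASE,
)

def file_editor_disabled(wp_config_text):
    """True if wp-config.php disables the dashboard theme/plugin editor."""
    return FILE_EDIT_RE.search(wp_config_text) is not None

# A <Files *.php> block that denies access, in Apache 2.2 ("deny from all")
# or Apache 2.4 ("Require all denied") syntax.
PHP_DENY_RE = re.compile(
    r"<Files\s+\*\.php>\s*(?:deny\s+from\s+all|Require\s+all\s+denied)\s*</Files>",
    re.IGNORECASE,
)

def uploads_php_blocked(htaccess_text):
    """True if the uploads .htaccess refuses to serve .php files."""
    return PHP_DENY_RE.search(htaccess_text) is not None

def audit(wp_config_text, htaccess_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not file_editor_disabled(wp_config_text):
        findings.append("DISALLOW_FILE_EDIT is not set to true in wp-config.php")
    if not uploads_php_blocked(htaccess_text):
        findings.append("PHP execution is not blocked in wp-content/uploads/.htaccess")
    return findings

if __name__ == "__main__":
    for name, cfg in (("hardened", WP_CONFIG_HARDENED), ("weak", WP_CONFIG_WEAK)):
        print(name, audit(cfg, UPLOADS_HTACCESS) or ["all checks passed"])
```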
12. Use a Malware Scanner
Unless you monitor regularly, you will never know if malware has entered your website and is causing harm. If you run a business, malware scanning is critical to protecting your reputation.
Malware may enter your website via theme or plugin holes. These malicious scripts are used to:
- Access personal information like email address and passwords.
- Redirect your visitors to a malicious website owned by the hackers.
- Modify your content.
- Shut down your website.
To scan for malware, there are great plugins available:
Powered by Sucuri, this website allows you to scan for malware and errors easily. All you have to do is enter your website URL and click Scan Website, and it will show you the results.
This plugin allows you to scan for malware based on the WPScan Vulnerability Database. Once installed and activated, you can sign up to get the API token, and go into the settings page.
The plugin will scan your themes, plugins, and WordPress core files daily and notify you through email at a specific time you set – daily, monthly, or a specific day of the week.
WordPress Security Compromised – What Now?
Now, after learning some tips about best security practices, I would like to recommend the steps to take when your website gets compromised.
Remember that this guide is meant to help you take immediate action. However, if you find difficulties in any of these steps, hiring a professional is strongly suggested.
1. Find the Issue
Once you know that something isn’t right, you need to locate the problem. To do this you can start with a set of questions:
- What error notifications have you found?
- Can you access your WordPress dashboard?
- Do you find any unusual behavior like redirection?
- Do you find any suspicious links or scripts?
2. Inform Your Hosting Provider
Most good hosting companies have 24/7 customer support handled by experts. You can contact them as soon as you find problems.
This is especially important if your website is on a shared server. The hosting provider will inform you about the hack — how it started and where the backdoor was — and might guide you to resolve the issue immediately.
3. Restore Your Site with a Safe Backup
If you create regular backups, you can restore your site to a version from before the hack.
While it can save your website, you might lose anything from blog posts to comments. It can, at the very least, buy you some time and prevent you from losing even more data.
4. Scan For and Remove Malware
Regular malware scanning is critical to detect any issues before they escalate. This will let you know which plugins or themes are vulnerable and need to be updated.
If you find any malware, remove it quickly. Earlier in the article I gave examples of a few WordPress security plugins that will help you do that.
5. Change All Passwords and User Permissions
There might be certain changes that were missed in the activity logs. So, you need to ensure your user permissions were not compromised or taken advantage of. You are free to remove any suspicious users you find.
WordPress is a platform backed by many security experts and offers regular updates.
However, there are potential security breach points that may threaten your site:
- Simple passwords.
- Plugin and theme vulnerabilities.
- Brute force attacks.
- WordPress vulnerabilities.
To keep your site as safe as possible, here are the tips we covered in this article:
- Keep a Strong Password.
- Keep WordPress Updated.
- Update Your WordPress Plugins.
- Ensure Correct User Permissions.
- Use HTTPS.
- Create a Backup of Your Site.
- Install a WordPress Firewall Plugin.
- Rename the Login URL and Admin Username.
- Monitor Users and Accounts.
- Use Two-Factor Login Authentication.
- Disable File Editing and .PHP Execution.
- Use a Malware Scanner.
But, if your website was hacked, there are certain steps you should take to regain control and prevent further damage:
- Finding the issue.
- Informing your hosting provider.
- Restoring it with a safe backup.
- Scanning for and removing malware.
- Changing all passwords and user permissions.
A threat may come from anywhere at any time. If you shield your website with the best security practices, you can reduce potential risks. Keep your website safe!