WordPress is a safe content management system. However, it can be vulnerable to attacks just like any CMS. Therefore WordPress website security is an incredibly important issue to consider.
As WordPress is the the most popular CMS ( almost 43% of websites are WordPress) it also means that WordPress websites are a popular target for cyberattacks. , a firewall service named Wordfence firewall blocked a massive 18.5 billion password attack requests on WordPress websites in its WordPress security report.
WordPress is open-source software, meaning that the source code is available for anyone to modify and distribute. Being open-source, WordPress is infinitely customisable and optimisable. There are thousands of themes, plugins, and developers with the skills to modify the backend code themselves. This flexibility is a defining feature of WordPress, and a huge part of what makes it so powerful and widely-used.
The negative to all this flexibility is that an improperly configured or maintained WordPress website is prone to a range of security issues. WordPress offers a lot of power to its web developers and users, and with great power comes great responsibility. Unfortunately this is a responsibility that many website owners are avoiding. Hackers and the unscrupulous know this and target WordPress websites accordingly.
WordPress Website Security is risk reduction
WordPress security…is risk reduction, not risk elimination. Perfect security simply doesn’t exist, especially online.
What you need to ensure is that you employ all the appropriate controls available to you, within reason. This way you can reduce the odds of making yourself a target and subsequently getting hacked.
You can never guarantee complete immunity to online threats, but you can take steps to make them much less likely to occur. In summary, WordPress is secure, but only if its users take security seriously and follow best WordPress practices.
WordPress Security Issues
Can you choose to do nothing about WordPress Website security and if you do are there any implications. If you choose to do nothing to secure your WordPress site there are many implications. The most common types of cyberattacks on WordPress websites are listed below:
Brute-Force Login Attempts
- Brute Force logins are one of the simplest types of attacks.
- A brute-force login occurs when attackers use automation to enter many username-password combinations very quickly, eventually guessing the right credentials.
- Brute-force hacking can access any password-protected information, not just logins.
- This is why you should never have a user name of “admin” and a password that’s “password”
Cross-Site Scripting (XSS)
- XSS occurs when an attacker “injects” malicious code into the backend of the target website to extract information and cause havoc on the functionality of the site.
- The malicious code could be introduced in the backend by more complex means, or submitted simply as a response in a user-facing form.
- This happens when an attacker submits a string of harmful code to a website through some user input, like a contact form.
- The website then stores the code on its database.
- Similarly to an XSS attack, the harmful code runs on the website to fetch or compromise confidential information stored in the database.
- This type of attack is also known as a SQL injection
- A backdoor is a file containing code that lets an attacker bypass the standard WordPress login and access your site at any time.
- Attackers tend to place backdoors among other WordPress source files, making them difficult to find by inexperienced users.
- Even when removed, attackers can write variants of this backdoor and continue using them to bypass your login.
WordPress does restrict what file types users can upload to reduce the chance of backdoors, though it’s a problem to be aware of.
Denial-of-Service (DoS) Attacks
- These attacks prevent authorised users from accessing their own website.
- DoS attacks are most frequently carried out by overloading a server with traffic and causing a crash.
- The effects are worsened in the case of a distributed denial-of-service attack (DDoS), a DoS attack conducted by many machines at once.
- These attacks make the headlines when banks or major online retailers are unable to deal with online enquiries
- When an attacker contacts a target posing as a legitimate company or service, this is known as phishing.
- Phishing attempts typically prompt the target to give up personal information, download malware, or visit a dangerous website.
- If an attacker accesses your WordPress account, they could even coordinate phishing attacks on your customers while posing as you.
Hackers need Holes
For the above to occur, hackers need to discover holes in a WordPress website security. The most common vulnerabilities that hackers are looking for when targeting WordPress websites include:
- Plugins: Third-party plugins account for the majority of WordPress security breaches. Since plugins are created by third parties and have access to the backend of your website, they’re a common channel for hackers to disrupt your site’s functionality.
- For this reason plugin selection and maintenance is critical
- Outdated WordPress versions: WordPress sometimes releases new versions of their software to patch security vulnerabilities. When fixes come out, the vulnerabilities become public knowledge, and problems with old versions of WordPress are often targeted by hackers. For this reason once we know that a new WordPress version is suitable we apply to all sites
- The login page: The backend login page for any WordPress website by default is the site’s main URL with “/wp-admin” or “/wp-login.php” added to the end. Attackers can easily find this page and attempt a brute force entry.
- Two key elements to consider
- User name – should always be unique and avoid using “Admin” or “User” as user names
- Password – by default WordPress will create a very secure password. Including random letters, numbers and symbols, which would be very difficult to crack. It is important that any users, editors or managers do not swap their complex password for a simpler more crackable password e.g. a1b2c3d4
- Two key elements to consider
- Themes: WordPress themes can be a weakness and open your site up to cyberattacks. Outdated themes may be incompatible with the most recent version of WordPress, allowing easy access to your source files. Many 3rd party themes do not follow WordPress’ standards for code, causing compatibility issues and similar vulnerabilities. When designing and building websites we have a theme that meets all WordPress requirements.
5 Low / No Cost Ways To Secure A WordPress Website
1. Install an SSL certificate.
SSL, also known as Secure Sockets Layer, is a protocol that creates an encrypted link between a web server and a web browser. That means any data exchanged between a visitor and website will be secure.
Having an SSL certificate for your WordPress website is a must — especially if you are running an ecommerce store. The SSL certificate will help protect your customers’ sensitive payment information.
Fortunately, you do not need any technical knowledge to have your website secured with SSL. You can easily get an SSL certificate from a hosting provider, domain registrar, or certificate authority (CA). While the prices vary, you can get an SSL certificate for free. For customers who host their websites with us we provide them for free in our hosting package.
2. Update your site regularly.
Outdated software can put your website at risk for cyber attacks, viruses and other security issues. To help avoid these problems, by keeping your website up-to-date by regularly checking for any updates or setting up auto-updates. These updates usually contain security patches from developers so it’s essential to make them as soon as possible.
Again with our WordPress managed hosting ad secure and protect service which takes care of updates for you.
3. Use STRONG passwords.
Do not use A1B2C3D4E5 or password or passw0rd or Letmein
Using simple passwords like common words, number sequences, your name, or the name of your website is like inviting hackers into your home. These sorts of passwords make it easy to hack into your website.
Using strong passwords is a simple, free way to protect your website. Strong passwords include:
- A combination of alphabetical and numerical characters
- Capital as well as lower case letters
- Special characters
If you have a hard time coming up with a strong password, your browser can suggest one for you. We suggest using a password tool like Roboform. This overcomes the difficulty of remembering passwords, but also creates and remembers complex passwords for you.
4. Ensure your WordPress website is backed up regularly.
Creating routine backups of your website is not a proactive approach to website security — but it is essential in cases of malicious attacks, hardware failure, or natural disasters. Having a backup of your site means that it can be restored in no time. Without a backup, you risk losing all your data, customizations, and settings.
You can create a backup of your website’s core files, media, non-media content, and databases too. Backups will save you the time, money, and effort required in dealing with data loss. You can create backups manually, with a tool, or rely on your hosting provider to do so. Most tools and hosting providers will let you schedule and automate backups.
Our hosting, includes a 30-day rolling backup.
5. Ensure your staff are trained.
Even the top cyber security companies can be fooled by smart hackers, but sometimes the culprit is found among untrained staff members. Your employees might be the best of the best in their field but they can still make innocent mistakes that open the gates for attacks and viruses.
If people within your business have backend access to the website ensure they
- Have their own unique wp-admin strong password
- They have received cyber awareness security training
WordPress Website Maintenance
To minimise the risks to your website your website should be regularly maintained. Regular monthly maintenance to update the plugins and themes does need to be done on a specific day, as updates are being continuously made throughout the month. By regularly monitoring the websites you can ensure that the websites stay up to date and secure as possible at all times. For instance, Yoast SEO was updated three times last month. Maintenance is not only to do with updating plugins, it should encompass additional items. The following are some typical issues found during monthly maintenance .
- Are all external resources working correctly
- Are forms displaying correctly and all placeholders showing.
- Are there any plugins that are classed as abandoned that haven’t been updated for a long time. These can lead to security issues if they are not maintained and also, may not function correctly with the latest versions of WordPress. Ideally should be replaced with an alternative.
- Are plugins up to date sometimes plugins like Yoast SEO are updated multiple times in a month
- Are PHP versions up to date or outdated
- Old themes should be removed – ideally there should only be a maximum of two parent themes, and if used, a child theme. So if your website has themes 2015, 2016, 2017, 2018, 2019, 2020, 2021 still installed then be aware
The Benefit of WordPress Website Security
WordPress is a great platform, but if you wan to keep the hackers at bay then you need to make sure that your theme, plugins and PHP are kept updated. The complexities and intricacies of the plugins means that they need to be updated professionally.
There are several benefits to keeping a WordPress website up-to-date with ongoing updates and maintenance. Here are some of the key benefits:
- Security: One of the biggest benefits of ongoing updates and maintenance is that it helps to keep your website secure. WordPress is a popular target for hackers, and outdated software can make your website vulnerable to attacks. By keeping your website up-to-date, you can reduce the risk of security breaches and keep your visitors’ data safe.
- Improved performance: WordPress updates often include performance improvements and bug fixes. These updates can help your website run faster and more efficiently, which can improve the user experience for your visitors.
- Compatibility: Ongoing updates and maintenance can also ensure that your website remains compatible with the latest web technologies and standards. This can help to future-proof your website and ensure that it continues to work well as technology evolves.
- New features: WordPress updates often include new features and functionality that can help you to enhance your website and provide a better user experience. By staying up-to-date with these updates, you can take advantage of these new features and stay ahead of your competition.
- Support: Finally, ongoing updates and maintenance can help you to ensure that you receive the best possible support for your website. WordPress is a popular platform with a large community of users, and by keeping your website up-to-date, you can ensure that you have access to the latest support resources and information.
Ongoing updates and maintenance for your WordPress website can help to ensure that your website remains secure, performs well, remains compatible with the latest web technologies, offers new features, and receives the best possible support.
If you would like to know more about WordPress Website Security contact Andrew Goode MBA, MSc, FCIM Click here to arrange a call
Other articles linked with marketing metrics that may provide additional insight. Marketing metrics and analytics, marketing ROI Planning , marketing revenue analytics and Marketing Measurement Metrics and Website Design