The enormous popularity of WordPress comes with a cost – the more websites use it, the more cybercriminals are tempted to exploit any vulnerability they can find for their malicious gains. WordPress can be a very secure platform with the right approach, but its open-source nature means that new threats are constantly on the rise. It’s a bit like a drag race between WordPress security experts and the hackers, where there are no rules or finish line. The best we can do is force the bad guys to the pit stop as often as possible.
In the following article, we will look at the most common security dangers lurking at the unaware website owners and the ways to increase WordPress security. Read on to learn about steps to secure and protect your WordPress website.
Is WordPress secure?
Well, it depends, and mostly on you, by the way. But before we get to that, let’s first look at the numbers – globally, over 90k attacks on WordPress sites are happening every… minute. And hackers do not discriminate; they target giant companies as well as private microblogs, which means you’re never safe even if your website gets less than 50 visits a month.
The biggest strength of WordPress is, at the same time, its biggest weakness. An open-source software where everyone can create a new plugin or theme constitutes an excellent platform for thousands of creative coders who use its flexibility and openness in good faith. But it also leaves the door open for hackers who seek opportunities for easy money or just want to ruin someone else’s day. In fact, over 90% of reported WordPress vulnerabilities originate from community-made plugins.
The above doesn’t mean the core software itself is 100% secure, although it’s pretty close to perfect. WordPress foundation employs top-tier professionals to identify and patch vulnerabilities in the system. And they do their job exceptionally well, fixing critical issues and delivering regular updates – the core WP files are at fault only in 4% of the cases. But, as we mentioned before, it’s a never-ending race with no clear winners at a given time. You can do a lot to make your WordPress website secure, but it’s important to remember – there is no such thing as a perfectly safe platform. Security is about risk mitigation, not risk elimination.
Most common security threats for WordPress
Depending on their skill and determination, cybercriminals can harm your website in several ways, both primitive or highly elaborate. Here’s the selection of the most common methods used for exploiting WordPress security issues:
Brute-force login attempts
A highly simplistic type of attack. It uses an automated script to enter username-password pairs, to eventually guess the right combination and obtain access to the site. It’s simple to perform and, luckily, simple to prevent. Make sure your password is much stronger than “123456”, consider implementing two-step verification, and limit login attempts – these measures are enough to successfully avoid brute-force break-ins.
A backdoor vulnerability allows attackers to bypass security encryption and access your site without proper login credentials. Hackers use different means to access the root folder (e.g., by FTP) and inject malicious code posing as legitimate WordPress files. A single successful backdoor attack can endanger all sites on the same server. And even though the backdoors are able to wreak a lot of havoc, they can be easily prevented by enforcing two-step verification, IP blocking, and restricting admin access.
Cross-Site Scripting (XSS)
This is the most prevalent liability found in WordPress plugins. XSS occurs when a hacker injects an executable script into a trusted website or application. Cross-Site Scripting is often initiated by an unaware user tricked into clicking a malicious link or user form. The primary purpose of XSS attacks is to take over the active session cookie and gain access to the site.
One of the most disruptive types of attacks, DoS shuts authorized users out from accessing their websites. It utilizes errors and bugs found in the software to overload the server’s memory with traffic and effectively crash it. Website owners using previous versions of WordPress are particularly susceptible to DoS attacks, as the older software contains numerous bugs tempting hackers to have an easy shot at them. An “upgraded” version of this method, called Distributed Denial-of-Service, is performed by several machines simultaneously and can cause a massive disruption even to the biggest and properly secured websites.
Often staged with the use of backdoors via FTP or wp-admin – the hacker injects encoded malicious code into the core WordPress files, causing your site to direct traffic to phishing or malware-ridden sites. The measures for avoiding malicious redirects are similar to backdoors prevention.
The list above is not exhaustive – other types of attack:
- SQL injections
- Cross-site Request Forgery
must also never be ignored when WordPress security is at stake.
WordPress Security – the fundamentals
Specific threats require specific countermeasures. But the most efficient factor in mitigating the dangers of potential hacker attacks comes from strictly following the WordPress security best practices. Ignoring any of the basic steps below will leave your website vulnerable, so always make sure to:
- Choose a trusted web hosting provider. A good hosting company would always take extra measures to provide an additional layer of security on the server. This can be achieved by constant monitoring for suspicious activity, keeping the server software updated at all times, and deploying reliable disaster recovery plans to save your data when things go south.
Choosing managed WordPress hosting is also a clever idea, as these plans usually come with automatic backups, updates, and additional security configurations to increase the safety of your website.
- Update WordPress, plugins, and themes. Get rid of unused add-ons. The WordPress software gets updated regularly in the background without users knowing. But all major updates must be installed manually, and unfortunately, too many site owners forget the importance of keeping core WP software up to date. Every WordPress update comes with crucial security and stability patches, so keeping your software outdated basically puts a target on your back for hackers.
The same goes for updating plugins and themes. Plugins/themes’ developers release updates not only with new functionalities but also with security patches. Given that plugins are hackers’ first choice as vessels for, e.g., XSS attacks, it’s essential to always keep these add-ons patched and secure. And if you don’t plan on using any particular plugin or theme anymore, just uninstall it. Not only does it take your server’s storage space, but it can also become a problem if left ignored.
- Upgrade your PHP. Whenever a new version of PHP is available, a notification pops out in your WordPress dashboard. Do not hesitate and update it ASAP. And if you can’t do it alone, get in touch with your hosting provider. PHP being a server-side code is crucial to your WordPress security and leaving the old version running is always a bad idea. The PHP updates are usually released once a month.
- Use safe usernames and passwords. We shouldn’t even mention that, to be honest. Making a unique, strong password is the most basic safety precaution anyone online should take. It seems like a piece of blatantly obvious advice, right? Sadly, the annual list of most popular passwords on the web includes entries like “123456” or “qwerty” every single year, which means millions of users willingly let their online resources open to any two-bit cybercriminal looking for easy prey. If you’re not too good at memorizing things, just use one of many trusted password managers like LastPass or Bitwarden to create and keep your strong passwords safe and secure.
Make also sure to pick safe usernames. Replace your default “admin” username with something less apparent to make the brute-force login attempts futile.
WordPress Security – 12 steps to secure and protect your website
Now that we’ve covered the absolute basics, it’s time to take a detailed look at the WordPress security precautions you can take. Some are very simple to introduce; others require a bit of technical knowledge. And specific solutions (like SSL or backups) may be already included in your hosting plan, so it’s always good to check with your hosting provider first.
1. Install Secure Sockets Layer (SSL)
SSL is a security protocol that safely encrypts the connection between the user’s browser and the website. Using SSL has many advantages – it elevates the safety of your WordPress site, gives clients a positive impression about the legitimacy of your business, and boosts your SEO. And some browsers warn the users when trying to access a site without a valid SSL certificate.
You can obtain SSL for free or pay for it. The cost is often bundled into the hosting fee; you can just contact your provider for more details. Check our guide here if you’re looking for step-by-step instructions on installing an SSL certificate on your WordPress website.
2. Add 2-Factor Authentication (2FA)
We’ve already mentioned the importance of using strong passwords. 2FA provides an additional security layer, making your login procedure practically impenetrable. With 2FA, users need to verify their sign-in attempt with a second device. The likelihood of a hacker getting his paws on both your password and mobile phone is usually equal to zero. Unless the hacker is this evil roommate of yours… Well, don’t say we didn’t warn you.
You can set 2-Factor Authentication separately for your hosting account and your WordPress installation. For the latter, you can use plugins like Two Factor Authentication or miniOrange’s Google Authenticator.
3. Limit login attempts and enable auto-logout
Another straightforward and efficient method of reducing the risk of brute-force attacks. By default, WordPress allows for an unlimited number of login requests, which means the hackers can try as many username-password combinations as they please. With plugins like Limit Login Attempts or Login Lockdown, you can set the maximum number of failed login tries before a given IP is temporarily or permanently locked out. Sometimes you won’t even need a plugin – several hosting services and firewalls offer this feature as well.
Also, make sure to enable automatic logout, especially if you tend to forget about logging out properly. Unattended idle user sessions can last for several hours, leaving your website open for snoopers and shoulder surfers. The Inactive Logout plugin will take care of this for you.
4. Delete the default “admin” user…
…and create a new one. Even though WordPress now prompts users to pick a custom name for administrator accounts, it was always just “admin” in older days. This made it easier for hackers to figure out half of the username-password equation. If “admin” is still your admin, you should delete it once you create a new one with a custom name and administrator privileges. You can also use the Easy Username Updater plugin or amend the username directly via phpMyAdmin. The latter option should be considered a last resort, though, as it’s easy to make a mistake and cause errors on your website when making changes to your WP database.
5. Use themes and plugins only from trusted sources
The official WordPress repository should be your primary and, preferably, the only source of plugins and themes. It may be tempting to install a great-looking theme or freebie plugin found on some random website. Just don’t do it. More often than not, add-ons coming from unverified sources contain hidden malware and are full of vulnerabilities.
Also, make sure your current theme is compliant with WordPress standards. You can verify it with the use of the W3C Markup Validation Service.
6. Use security plugins
Adding at least one security plugin to your WordPress installation should be a no-brainer. Plugins like WordFence Security, Sucuri Security, or All In One WP Security & Firewall can quickly eliminate major vulnerabilities and give you peace of mind by scanning and monitoring activities on your website in real-time. These plugins cover almost all crucial aspects of the site’s security, doing much of the safety-related work for you.
7. Install a firewall
A firewall sits between your site’s native network and everything else outside. Ideally, it should block all unauthorized and malicious traffic before entering your network and hitting your site. The efficiency of a firewall strongly depends on its type and configuration, so make sure to carefully investigate what works best for you. You can choose between DNS-Level and Application-Level firewalls. The DNS firewalls use cloud proxy servers to filter traffic before it gets to the server; Application-Level firewalls act later, once the traffic gets to the server but before WordPress scripts are loaded.
Firewalls are often offered by hosting providers, can be bundled in security plugins, or used as a standalone version.
8. Regularly scan for malware
A functionality featured in all recommended WordPress security plugins mentioned before; you can also use one of the free malware scanning tools available online, e.g., WPSec, WordPress Vulnerability Scanner, or IsItWP Security Scanner. The scanners are very easy to use – just enter your site’s URL and click “Scan.” We recommend scanning at least once a month. Bear in mind, though, that while these tools can check your website, they will not remove any malware if found.
9. Back up your WordPress site
Hope for the best; prepare for the worst. Restoring your website from the backup may sometimes be the best and only solution to revert the damage done during the security incident. That is why it’s vital to perform your backups regularly to alleviate the potential loss of data. And it’s equally important to store the backups in a remote location and not your hosting account. Cloud storage solutions offered by Amazon, Microsoft Azure, or Dropbox are perfect for saving full-site backups. You don’t even need to do that manually – plugins like UpDraftPlus or BackWPup can perform scheduled or real-time backups in the background.
10. Disable XML-RPC in WordPress
This is one of the most advanced WordPress security measures on this list. XML-RPC is a core WordPress API created to help users connect their sites with third-party tools, mobile apps, and external services. It uses HTTP and XML protocols. Hackers use it to hide numerous login attempts under only a few login requests with the use of the system.multicall function. If you don’t need the functionality provided by XML-RPC, we recommend you disable it. There are a few methods to do it, and the quickest and simplest one is by a plugin aptly named Disable XML-RPC. Just install it, activate it, and forget. That’s all there is to it.
11. Disable File Editing
A built-in code editor in your WordPress admin dashboard can be a dangerous tool in the wrong hands. Typically it’s used to quickly edit your plugins and themes’ files. If you don’t need it, just disable it to be on the safe side. Some WordPress security plugins like Sucuri Security can do that for you; alternatively, you can add the following lines at the bottom of your wp-config.php file:
// Disallow file edits
define( 'DISALLOW_FILE_EDIT’, true );
12. Bonus WordPress security tricks
Applying all the steps listed above will indeed strengthen your site’s safety shell, making it extremely hard to crack. But there’s always more we can do, isn’t there? Apply the following measures to make your site nearly impenetrable:
- Disable PHP file execution
- Change WordPress database prefix
- Disable directory indexing and browsing
- Prevent hotlinking
- Verify file and server permissions
WordPress Security – how we do it at Develtio
With thousands of websites blacklisted daily for malware content, it’s evident that the race between security experts and cybercriminals is not slowing down. Here at Develtio, we’ve always been passionate about the safety of our clients and made security matters a top priority. That is why our customers are provided with end-products developed in strict accordance with WordPress best practices and equipped with all security measures listed above. Furthermore, we approach new projects with our “security starter pack,” a set of advanced development procedures and tools fine-tuned and honed over the years of practice. And on top of that, we routinely and automatically scan our clients’ websites for various vulnerabilities. Any discovered issues are instantly reported to us so we can act on them ASAP.
What can we do for you?
Talk to us about your project and let's start building it together!