Wordpress Security

A Guide To User Safety

Keeping your WordPress site secure takes a little effort but should be top of the agenda for anyone serious about their website. WordPress security is a complicated topic; this guide will take you through the most important issues affecting WordPress installations and give you a better understanding of how to manage the varied risks associated with building a site powered by the CMS.

Taking a few steps to counter vulnerabilities will keep your site secure and prevent WordPress security hacks. This article covers everything you need to be aware of about potential security threats and how to counter them. In addition to basic tips to help protect your website against hackers and malware, this piece also covers updates, backups, database protection and security plugins.

Since WordPress holds such a large piece of the CMS market share, it comes with extra security concerns. It’s a popular target for hackers because it offers them many potential victims to pick from. Their goals can include stealing personal information, adding malware, making a website unavailable to users or to send spam email —the list goes on.

With so many hackers with a vested interest in infiltrating WordPress sites, you may wonder if the software is secure. In a word, yes, WordPress can be a very secure platform if you take the necessary steps.


Why would my site be hacked?

It’s a mistake to think that your site is too small or insignificant for a hacker to target. Anyone running a small business website or even a simple blog is a potential target and must keep security in mind. Before moving on to specific preventative measures, let’s review the two approaches used to hack WordPress websites.

Hackers target individual sites as well as large clusters. With individual sites, they place all their resources into infiltrating one particular site by pinpointing it’s vulnerabilities. With groups, they will target the widest number of websites possible with automated tools. These tools scan a range of IP addresses for vulnerabilities which permit easy access. Sites powered by a specific version of WordPress or located on a particular shared hosting server for example. The best action you can take is to make this as difficult as possible, so they go elsewhere.


Spotlight on Common WordPress security vulnerabilities

A website that’s 100% secure is a work of fiction; every WordPress site owner needs to take steps to keep it as protected as much as is possible. The best approach is to implement security practices against the largest and most common threats. To do so, you need and being able to assess the risks you’re facing. Hackers exploiting software vulnerabilities present the biggest problem for WordPress users. The WordPress platform itself isn't entirely to blame; the biggest issues are directly related its extensibility and the frequency of updates.

In most cases, WordPress-powered sites are compromised because their core software, files, themes, and plugins are outdated making them traceable. This is an open invitation to hackers.

Access is also a huge factor. Errors along this line include: common usernames like "admin"; passwords that aren't strong enough and installing plugins and themes without doing any basic research into their credentials.


Preventing WordPress hacks

The reason behind many hacked WordPress websites is that site administrators fail to take any basic preventative action until it’s too late. Then comes the process of fixing a hacked site, costing time and money. You can lose customers, and the security breach can even impact your organic Google ranking.

You need to approach your website’s security proactively because by the time you notice that something’s gone wrong, it’s too late. Avoid any inconvenience and spare yourself some energy and money by taking measures to prevent a cyber attack.

There are multiple ways to prevent or deter hackers. You have to target any vulnerabilities and take the necessary steps to get them in good shape. To get started, you don't need any prior security knowledge, just some basic familiarity with WordPress.

Account security

Take a holistic approach to account security by keeping not only your WordPress Core secure but all other related accounts secure such as your host and PHP or database. We recommend adopting the following methods to keep your WordPress core secure.

  • WordPress comes with the default user 'admin'. By keeping this, you are making a hacker's life 50% easier. After all, a username makes up half the login credentials, for this reason, we advise you avoid the username 'admin'. To remove admin and create a new administrator following these steps:

    1. From your WordPress admin panel locate Users and click Add New. Enter a new user with Administrator role making sure you choose a strong password using the password generator.

    2. Finalize by logging out of WordPress and log back in with your new user. From the Admin panel, go to User and remove the user 'admin'.

    3. If the account admin has existing posts, assign the attributes and links on to the newly created user.

  • You might think a safe password is just something memorable with numbers, but realistically, a strong password consists of more than 12 characters combining numbers and upper and lower case letter. We recommend using a password generator tool to create a strong password for your WordPress accounts, and anything else related to your site, such as your email, domain registrar or cPanel. A hacker could do a lot of damage if they got access to any of these. For this reason, avoid using the same logins for each of your online accounts. We recommend using LastPass to manage your passwords. This is a helpful application that generates strong passwords and manages multiple login credentials.

  • Limit access to your site by granting user roles relevant to the task of the person working on your website. This is crucial if you have multiple people working on your site. Create individual login credentials appropriate to the work each person is doing, from the contributors to the authors, editors, and developers.

  • The administrator role has many rights; don't assign it to someone unless they definitely needs access to the full scope of the Admin roles functions.

  • Brute Force attacks can be a problem even if you're not using the default admin and have a strong password set up. To address this, use Two-Factor Authentication. It’s the standard today for enhanced security to gain access, Gmail, and Paypal users will be familiar with how this works, and you can add it to your WordPress as well using the Google Authenticator plugin.

  • The concept of Least Privileged is giving people permissions based on what they need access to, when they need it, and for how long. If they need admin access momentarily for a configuration change, grant it, and remove it once it's resolved. Assigning people the appropriate levels of access reduce your security risk exponentially.

  • Add a security question to your WordPress login screen using the WP Security Questions plugin to make unauthorized access even harder.

  • Limit Login Attempts - By default, WordPress lets users attempt to log in as many times as they want which again leaves sites powered by this software vulnerable to brute force attacks as hackers can try multiple combinations to crack your password. Fix this by limiting the failed login attempts a user can make.

  • Firewalls are a great defense against external attacks but require a bit of work. Firewall plugins shield your site from all incoming traffic, monitoring traffic and blocking common security threats before they reach your site. Deploying one of the best ways to stay ahead of emerging threats used in tandem with a wider security framework. There are two common types of firewall, Cloud-based firewalls, and end point.

  • DNS Level Firewalls are the superior of the two. They route your site traffic through their cloud proxy servers ensuring only genuine traffic reach your site. On the other hand, an Application Firewall is triggered after it reaches your server, before your website loads. It’s not the most efficient way to block bad traffic and not as efficient as a DNS level firewall in reducing server load.

  • Consider Wordfence for a basic free application level firewall. Another useful firewall service is Sucuri, the leading premium WordPress security company. It offers everything from DNS Level Firewall and other prevention services including intrusion and brute force as well as malware and blacklist removal. Sucuri also employs tactics to improve your website’s performance by reducing server load, all easily accessible from one plugin. Setting up is straightforward, you need to add a DNS A record to your domain and direct it to the Sucuri cloud proxy instead of your website.

Keep WordPress up to date

Keeping your WordPress installation up to date should be a matter of course. Make sure your WordPress core files are updated with the latest release to keep your site safe from outside interference.

WordPress notifies users in their Dash when a new version is released. You can also subscribe to the WordPress Releases RSS feed for this information. There are also plugins available which keep your site automatically up to date. Aside from the software, be vigilant with your themes and plugins. Be careful to deactivate and remove unused themes and plugins. They can pose a security risk since they will eventually get outdated making them vulnerable, so as a rule of thumb, if you're not using it, delete it.

Secure Plugins and Themes

The popularity of WordPress means there’s an expanse of plugins — each one having the potential to open up additional vulnerabilities. It's best to stick to trusted plugins and themes from the WordPress repository or well-known companies to avoid future problems. Reputable theme providers and plugin developers are more likely to take a proactive approach to security, for example, many of the top WordPress plugin or theme developers are audited by a third-party before release.

When you install a WordPress plugin, you're granting it access to your WordPress files, directories, and database. You can't limit this access which is why it's important to understand what a plugin will be accessing. To get this information read the plugin documentation and reviews to check its reputation. Once you're satisfied, you can grant a plugin access to your system by installing it.

WordPress backups

WordPress users often don’t realize the importance of backups and website security until it's too late and their website is hacked. If you back up regularly, you can quickly restore your WordPress site should a problem arise. This makes them an important line of defense against cyber attacks. To be on the safe side, make regular backups to a remote location (not your hosting account) such as a cloud service.

There are several ways to backup your site. Most decent hosting providers run automated backups. To be on the safe side, check when you sign up. There’s also an abundance of plugins to get the job done such as VaultPress and BackupBuddy. These plugins are reliable and most importantly, easy to use.

WordPress hosting

Your host plays an important role in the security of your site. Many WordPress hosting solutions offer proactive security measures such as blocking an IP address after a given number of failed login attempts, automatic backups and updates and advanced security configurations. If you want to take the worry out of keeping your site secure, you need look no further than EasyWP to cover your WordPress hosting and security needs.


Monitor your site

It should go without saying, but you should keep an eye on what’s happening with your website. Being vigilant can potentially avert damage by catching a security breach as early as possible. For example, regularly check your analytics for any sudden changes to your site’s traffic. Has it suddenly dipped dramatically? Are users visiting a page you don’t remember creating? Issues like this can indicate a problem. Use these tools to monitor your website:

  • Search for your website in Google using "site:http://yourdomain.com" – Is your website description and your meta descriptions as you created them? Hackers can hijack meta descriptions and stuff them with keywords related to an entirely different website they are forwarding your visitors on to. Are there any suspicious changes in the number of pages indexed? Sudden or negative changes in your indexed pages are red flags in terms of your site security.

  • One of the best tools to help monitor your overall site health and performance in the Google search index is Google Search Control. This invaluable application will display a Site Health alert when any problems are detected or events which prevent Google from crawling your site.

  • Online scanners such as Securi’s SiteCheck scanner remotely scan the look of your website as a user or a search engine would, this can even be automated with plugins such as Quttera Web Malware Scanner.

  • Availability monitoring services let you monitor how easy your website is for users to access. Plugins such as UptimeRobot hhelp with this, it will send you alerts if your website goes down for any reason. Websitepulse will assist you in monitoring any web page changes which give a warning if your site has been attacked and alert you within minutes. This gives you precious time to action damage control which we’ll come to.

  • File integrity monitoring systems such as Wordfence and File Monitor give you early warning of an intrusion by looking at an application and identifying if the integrity of any files has changed.

Database security

Make it difficult for a hacker to gain access to your WordPress database by taking steps to boost its armor and out of the wrong hands. The following tips will make it harder for anyone to gain unauthorized access to specific parts of your database:

  • Disable File Editor - This means a hacker will need to have FTP access to infiltrate your core and theme files. To apply this, append the following lines to the end of your wp-config file:

    ## Disable Editing in Dashboard

    define('DISALLOW_FILE_EDIT', true);

  • Your site might be at risk if you're using the default wp_ prefix in your database which makes it easier for hackers to edit. Change these predictable prefixes in a few steps or save time using the Better WP Security plugin. Head to security, select the prefix tab and hit the Change Database Table Prefix button.

  • Hide error login messages - Small details are easy to overlook but error login messages can assist hackers with information such as if they got a username correct or not. This information should be hidden from unauthorized logins. It’s best to change this to a generic message such as “The username or password is incorrect”’. This way, you’re not giving out any specific information, but assisting a user if they have simply mistyped something causing a login to fail.

  • From your WordPress dash go to Appearance and click Editor. Select Theme Function from the right sidebar to open your functions.php file, add this code to your theme’s functions.php file and click Update File:

    add_filter('login_errors', create_function('$no_login_error', 'return "The username or password is incorrect."'));

  • Your site will now be more secure in the face of a direct hacking attempt.

  • Protect the wp-admin directory - Keeping this protected adds a layer of protection against your website being hacked. For anyone to gain access to your files or directory after wp_admin, they will need to successfully log in. The simplest way to action this is using the AskApache Password Protect plugin or if your web host provides a cPanel admin login, set the protections on your folders using the user-friendly interface within the cPanel password protect directories.

  • Prevent directory exposure - Hackers will cash in on exposed directories (and their files). To check how well your WordPress directories are protected, open this URL into your browser: http://www.domain.com/wp-includes/.

  • If the page in your browser loads blank or redirects you to the homepage, your directory is safe. If the screen shows your folder directories, you're in trouble. To prevent unwanted access, place the following code inside your .htaccess file:


Security plugins

Security plugins are easy all-in-one solutions for WordPress websites. The following are a selection of useful plugins to keep your site safe and minimize risks.

  • WordPress has a default login URL which makes it easier to hack. Use WPS hide Login to create a custom URL for accessing WordPress. This light plugin lets you safely change your login URL to anything you like. Even if a hacker has your password, they won’t know your URL address to log in to your admin panel.

  • The WordFence plugin protects your from brute force attacks and limits the amount of failed attempts of logging in to your admin panel.

  • WP DB Backup is a simple plugin which lets you backup your core database tables and because it's straightforward to use, it's one of the most widely used WordPress security plugins.

  • Since Google cracks down on spam, use a spam block plugin such as the 5-star Anti-spam plugin to block and remove annoying spam messages for you.

  • The Antivirus plugin is popular among WordPress users to keep their websites secure from bots, viruses and malware.


Measures to fix a hacked site

Cleaning up a WordPress site is difficult and time-consuming, and we’d advise you to let a professional take care of it. Hackers install backdoors on affected sites, and if these aren’t fixed properly, it’s more likely that your website will get hacked again.

  1. Restore your website to the latest backup and change all your passwords.

  2. Learn from analyzing the backups, logs and everything else to find the source of the vulnerability that was exploited so you can restore the best version.

  3. Finally, even though malware isn’t too much trouble to detect and remove, in most cases, you’ll need professional help to make sure the job is done properly.

You may also like

Need help? We're always here for you.

× Close