WordPress Security Tips (2019)
Nobody likes to think about it, but the fact is that the fear of being a victim of cybercrime has been the top worry among North Americans for well over a decade now.
As small business owners, we assume that, to hackers, we are small potatoes compared to large corporations with tons of customers and lots on the line, but this simply isn’t true, as we’ll see in a minute.
Cyberattacks are happening all the time, and if you’re one of the many who use WordPress to power their website, there are a few things you’ll want to know to reduce the chances of being a victim of cybercrime and minimize the damage if you are in fact hacked.
No computer system is ever 100% secure but with a little proactivity and planning, you’ll give yourself the best shot against a cyberattack.
In this article, we’ll look at some of the realities of cybercrime, talk about WordPress security specifically, and cover some of the main things you need to do to keep your site secure and protected.
Let’s get started.
What does a Hack Mean for my Small Business?
“Cybercrime is the greatest threat to every company in the world.”
-IBM’s chairman, president and CEO
Perhaps the assumption that smaller businesses aren’t a worthy target for hackers, plus not having the resources a large corporation can devote to online security, lulls us into a false sense of security.
As more and more of life moves online, cybercrime is becoming more prevalent, and having your business or personal computer hacked can be an ugly and expensive mess.
What does getting hacked look like?
Cybercrime comes in many flavors and not all hacks are done with malicious intent. For some computer hackers, the thrill of infiltrating a major network is enough, like the hacker who hacked telecom companies for fun.
Some hacks are designed to gain access to your site and spam it with thousands of links to the attacker’s products and services, reducing your SEO score by lowering the quality of your site. This is akin to someone leaving a spammy comment on your site, but instead of just one link, the hacker creates thousands of “cloaked” or invisible pages on your website full of spammy links.
Google blacklists about 10,000 websites every day, and when your site is found to be infected by a malicious or spammy program, visitors to your site will be halted by a big fat warning page.
Getting yourself off Google’s blacklist is not a fun job, and while your site is infected, you’re losing 95% of your traffic.
Other hacks are more malicious and are designed to steal confidential information (phishing) from you or your customers. This can lead to a host of seriously bad situations like:
- extortion of a business (ransomware);
- loss of personal information;
- identity theft;
- physical costs associated with rebuilding your business after a cyberattack;
- repairing damaged customer faith after a data breach.
While any website can be the target of a cyberattack, WordPress websites are particularly notable for a few reasons, as we’ll learn about in the next section.
Why WordPress Gets Hacked A Lot
Part of what makes WordPress a popular target for cyberattacks is its widespread popularity across the web.
Hacking is often focused on infiltrating the largest number of machines and infecting the largest number of hosts. 35% of websites on the internet run WordPress, and many of them are eCommerce sites containing databases and sensitive customer information. Other sites can become vehicles for spreading malicious programs (malware) that steal visitors’ sensitive information.
It’s not that WordPress has poor security at its core. WordPress is actually quite secure, and its developers do a good job of keeping it that way.
One problem could be that many users are running older versions of the WordPress software. To understand why that’s a problem, it’s important to realize that software matures and evolves over time. Software developers release updates that include new features and improvements, as well as fixes for security vulnerabilities as they are discovered.
Anyone who doesn’t install the newest update, assuming it’s a security update, is basically leaving a door open to anyone smart enough or malicious enough to create a program that exploits that vulnerability and gains access to your computer and its files, your servers, the database that holds all your customer records, and so on.
The Problem with Plugins
The other major issue with WordPress, apart from running old versions of the software, is plugins and themes.
The ability to install plugins and themes, the things we use to “extend” our site, is one of the things that made WordPress so popular.
However, plugins and themes (‘plugins’ from here on in) are not exempt from imperfect code. Because we are so quick to install a plugin and let it sit on our website ad infinitum, vulnerabilities that are either not patched by the user (by updating) or not addressed by the developer leave potential holes for anyone with the will and intent to crawl through.
In fact, some sources claim as much as 98% of WordPress security vulnerabilities are because of plugins.
This could be because not enough WP users are keeping their plugins up to date, or due to the fact that there is just no way WordPress can make sure every plugin that’s published to the plugin directory is 100% secure forever and ever.
While WordPress does offer plugin guidelines, there are no guarantees on plugin security:
“Security is the ultimate responsibility of the plugin developer, and the Plugin Directory enforces this to the best of our ability.”
–WordPress.org Plugin Handbook
So now that we know a little bit more about the threat plugins pose and the relative security of the WordPress platform, let’s dig into some practical tips you need to consider. This goes for anyone, and not just users of WP.
WordPress Security Tips
As said before, no network or computer system is ever 100% secure (even Microsoft makes mistakes), but with a little proactivity and planning, you can do a lot to ensure you can at least relax and leave the rest up to fate! While this list is not exhaustive, it will cover the main things you need to do to protect your WordPress website and yourself online.
Find a Quality Host
The first base that you need to cover is who you host your website with. You’ll want to look for a hosting provider that puts a premium on security.
You may be tempted to go with a bargain hosting provider on one of their shared servers, but this is not a good idea. Studies show that 41% of WordPress hacks originated from insecure web hosting, from being a victim of a “bad neighborhood” on a shaky, insecure server.
A serious hosting provider should ensure vigilance and proactivity in protecting their system, monitoring suspicious activity on its network, keeping its own software and hardware up-to-date, and having backups in place in the event of an attack.
Fortify Your Login
Weak usernames and passwords are the next leading reason why a website might get hacked. You’ll understand why when you realize that most people use really bad and obvious usernames and passwords.
First off, always choose an original username and don’t choose the default username (like ‘admin’ in WP or ‘root’ in some other programs). Changing this already reduces the likelihood of being hacked (here’s a video on how to change your WP admin username if you’re still using the default ‘admin’ username!).
For passwords, it’s a good idea to use a password generator that creates very strong passwords for you. A password manager is also a great tool that requires you to remember only one password. Finally, it’s a smart idea to change your main password(s) regularly.
This already puts you ahead of a lot of people, but if you really want to get fancy, you can use a Two-Factor Authentication (TFA) plugin, an increasingly popular form of login validation, as well as a Limit Login Attempts plugin for WordPress, which caps the number of login attempts to protect against brute-force attacks, if your hosting provider doesn’t already do this for you.
Tighten your Plugin Usage
As we looked at above, plugins are probably the leading cause of WordPress websites getting hacked, and they should be looked at as much a liability as a benefit to your website.
Plugins and themes that are not in use should be deleted to reduce risk (and possibly improve site speed). Plugins that are in use should be monitored and updated as soon as new releases become available. Some plugins, like WordFence, notify you when a software update is available, which makes it easier to stay on top of updating themes and plugins.
WordPress automatically installs minor software updates, which saves you having to do it. Only major software updates, like WordPress 5.0 (which introduced Gutenberg), need to be installed manually.
Sometimes plugin developers give up actively developing their plugin, and their software becomes stale and outdated. Any plugin in your repertoire that goes longer than a year without a developer update should be a signal that it’s time to find a replacement.
Before installing any plugin, check when it was last updated, how many users it has, and what its reviews say, and try to make an educated decision.
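The pre-install checks above (last update, user count, reviews) can be scripted against the metadata WordPress.org publishes for each plugin. This is an added example, not code from the original post; the records are constructed, the field names follow the shape I assume the WordPress.org plugin info API returns, and the thresholds are my own.

```python
from datetime import date, datetime

# Constructed records (not real plugins), shaped like the WordPress.org plugin info API
# response: last_updated, active_installs, rating (0-100), num_ratings, tested (assumed names).
SAMPLE_PLUGINS = [
    {"slug": "example-forms", "last_updated": "2019-02-20 9:10am GMT", "active_installs": 400000,
     "rating": 92, "num_ratings": 1800, "tested": "5.1"},
    {"slug": "old-slider", "last_updated": "2017-06-01 3:45pm GMT", "active_installs": 3000,
     "rating": 70, "num_ratings": 12, "tested": "4.7"},
    {"slug": "new-widget", "last_updated": "2019-03-01 1:00pm GMT", "active_installs": 40,
     "rating": 100, "num_ratings": 1, "tested": "5.1"},
]

def version_tuple(v):
    """'5.1.1' -> (5, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def vet_plugin(info, today, current_wp="5.1", max_age_days=365,
               min_installs=1000, min_ratings=10, min_rating=80):
    """Return a list of reasons for caution; an empty list means the plugin passes."""
    reasons = []
    # Only the date part of last_updated is needed; it is always YYYY-MM-DD.
    last = datetime.strptime(info["last_updated"][:10], "%Y-%m-%d").date()
    age = (today - last).days
    if age > max_age_days:                       # the post's one-year rule
        reasons.append(f"not updated in {age} days")
    if version_tuple(info["tested"])[:2] < version_tuple(current_wp)[:2]:
        reasons.append(f"only tested up to WordPress {info['tested']}")
    if info["active_installs"] < min_installs:   # small user base: fewer eyes on the code
        reasons.append(f"only {info['active_installs']} active installs")
    if info["num_ratings"] < min_ratings:        # too few reviews to judge
        reasons.append(f"only {info['num_ratings']} ratings")
    elif info["rating"] < min_rating:
        reasons.append(f"rating {info['rating']}/100")
    return reasons

def vet_all(plugins, today=date(2019, 3, 15)):
    """Map each plugin slug to its list of concerns."""
    return {p["slug"]: vet_plugin(p, today) for p in plugins}

if __name__ == "__main__":
    for slug, concerns in vet_all(SAMPLE_PLUGINS).items():
        print(slug, "->", concerns or "ok")
```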
Back Up Your Website
Although backing up your website won’t solve all your problems in the event that you do get hacked, you’ll breathe a sigh of relief knowing you have a fresh backup of your site if you need it.
A good hosting provider should create backups of important server files and databases, but you may want to create your own. If you’re doing it yourself, a respectable backup plugin like UpdraftPlus is a good choice. You can automate scheduled backups and send them to cloud storage services like Google Drive and Dropbox.
Regularly Scan Your Website
Some forms of hacking go unnoticed and can live on a computer system for a long time, quietly collecting personal data from you and your visitors.
To combat the existence of this type of malware, you’ll want to make sure to regularly scan your system for malicious or foreign code.
A good hosting provider should regularly scan their server for malware and other types of hacks, but without a guarantee that your WordPress site is being scanned as well, you’ll want to take matters into your own hands and use a plugin like WPScan, WordFence, or Sucuri. It’s advisable to use a plugin for this and not a remote service (accessed from a URL), as remote scans don’t cover the files on your server, and you’ll want those included in your scan.
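One server-side check that scanner plugins perform is comparing the WordPress core files on disk against known-good checksums, which catches both tampered core files and stray PHP files dropped into core directories. This is an added example, not code from the original post or from any of the plugins named; it assumes a manifest of the shape `{relative_path: md5}` (as published for each release at api.wordpress.org/core/checksums/1.0/) and builds a small constructed WordPress-like tree to verify.

```python
import hashlib
import os
import tempfile

def md5_file(path):
    """MD5 of a file, read in chunks so large files don't load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_core(root, manifest):
    """Compare the tree under `root` with {relative_path: md5}.
    Returns (modified, missing, unexpected) as sorted lists of relative paths."""
    modified, missing, unexpected = [], [], []
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_file(path) != expected:
            modified.append(rel)
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            # wp-content holds plugins, themes and uploads and is not part of the core
            # manifest; a PHP file anywhere else that core doesn't know about is suspicious.
            if rel not in manifest and not rel.startswith("wp-content/") and name.endswith(".php"):
                unexpected.append(rel)
    return sorted(modified), sorted(missing), sorted(unexpected)

def demo():
    """Constructed tree: one intact core file, one tampered, one missing, one foreign PHP file."""
    root = tempfile.mkdtemp()
    files = {"index.php": b"<?php require 'wp-blog-header.php';\n",
             "wp-includes/functions.php": b"<?php // core code\n"}
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in files.items()}
    manifest["wp-settings.php"] = "0" * 32                 # in manifest, absent on disk
    files["wp-includes/functions.php"] += b"// tampered\n"  # modified after checksum
    files["wp-includes/wp-tmp.php"] = b"<?php // not part of core\n"
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return verify_core(root, manifest)

if __name__ == "__main__":
    print(demo())
```

For a real site you would fetch the manifest for your exact WordPress version and locale, and pair this check with a scan of wp-content, which the core manifest does not cover.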
There are still a handful more WP precautions you can take, like altering your wp-config.php file or changing your WP database prefix, but to cover them all this post would have to be a lot longer!
Just remember that hacking can happen to anyone, and small businesses are neither immune nor rarely targeted. If you’re a WordPress user, you’re an even bigger target because WordPress has such a broad user base.
Getting hacked can carry with it some seriously harmful consequences. To reduce the likelihood of being the victim of a cyberattack, make sure to invest in proper hosting, follow good protocols for logins and passwords, keep all code and plugins up to date, and regularly scan and back up your website and server files.
Follow these tips and you’ll be in a much better position against the majority of cyberattacks and hopefully your WordPress site will remain unaffected, too.
Author: Dave Gaskin is a freelance full-stack developer and owner of Peak Websites.