Is your WordPress site locked down?
Unfortunately, there's no such thing as 100% safe and secure - the best you can do is take proactive measures to protect against any potential security issues.
If your site is hacked, getting it back to where it was can be a major hassle, costing you valuable time that could have been spent creating or promoting your content - not to mention the headache of going through the investigation and restoration process.
Here's an infographic that covers WordPress security and procedures you can put in place to get an edge on WordPress hackers.
Infographic Source: YourEscapeFrom9to5.com
How Do WordPress Blogs Get Hacked?
- Hosting 41%
- Themes 29%
- Plugins 22%
- Weak Passwords 8%
- 83% of WordPress Blogs that are Hacked are Not Updated
- 30,000 Web Sites are Hacked a Day
- On Average, a Website is Hacked Every 5 Seconds
If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack and is one of the primary reasons you should always keep WordPress up to date - WordPress.org
How to Prevent WordPress Security Issues?
- Don't Use the Default Admin Account - This is one of the most common and elementary mistakes you can make from a security perspective. What username do you think hackers try first when trying to gain access to any site? Admin, that's right. Create another username and assign admin rights to that user before deleting the old admin user account.
- Close Comments After 30 or 60 days - OK, this might be controversial and not everyone is going to agree with this. If you're getting hit by a lot of spam comments you can try closing comments after 30 or 60 days - it has certainly cut down my spam comments drastically. Using a spam comment filtering plugin like Akismet is a must.
- Get Rid of the Login Link from your Blog - Regardless of what CMS your website is running on (WordPress or similar), having a login link to the admin interface is like giving away the location of the bank's safe. Removing the login link from your website won't guarantee safety from hackers, but it puts another step in their path - the more barriers the better.
- Always Keep WordPress Up-to-Date with the Latest Version - This is a no-brainer; especially when you know that 83% of blogs that get hacked are not up-to-date. Most big blogs use the WordPress auto update feature to keep their blogs away from security vulnerabilities.
- Report WordPress Bugs and Security Issues - WordPress is the most used CMS on the web and the user community is huge. Every day new issues are being reported and patched. If you find a bug or an issue, report it so the whole community can benefit. You can report bugs here.
- Lock Down File Permissions and Write Access - If you want to take your website security a step further, you can lock down files and who has write access. You can do this in many ways: with a plugin or even through the settings (cPanel) of your web host. If you are not sure how to do this, it is best to contact your web host's support team; they should be able to help.
- Use a WordPress Security Plugin and Limit Failed Login Attempts - If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery - Login LockDown
After the research for this post, I've started using Login LockDown plugin to see if I can block malicious login attempts. I'm not sure how good this is so if you have any thoughts please leave a comment below.
- Consider Two-step Authentication - The traditional login requires only a username and password, which is one-step authentication. To increase security, you could add two-factor authentication (2FA), such as the SMS code used by some banks. You can use Google Authenticator for 2FA if your site is an eCommerce/WooCommerce store or similar that needs added protection. This, of course, depends on what kind of site you have and the information you are trying to protect; for a simple blog it may not be worth the effort or hassle.
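The "Lock Down File Permissions" item above says what to do but not what to set. As an added example, not code from the original post, here is a Python audit that walks a WordPress install and reports every file or directory with permission bits looser than a baseline; the baseline itself (directories 0755, files 0644, wp-config.php 0600) is an assumption stated in the code, and the demo tree it checks is constructed inline.

```python
"""Audit WordPress file permissions and report anything looser than a baseline.

Baseline assumed here (an assumption, not from the post): directories 0755,
regular files 0644, wp-config.php 0600 since it holds the database credentials.
Nothing on disk is changed; the audit only reports deviations."""
import os
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644
SENSITIVE = {"wp-config.php": 0o600}   # tighter mode for files holding secrets

def expected_mode(path, is_dir):
    return DIR_MODE if is_dir else SENSITIVE.get(os.path.basename(path), FILE_MODE)

def audit_permissions(root):
    """Return sorted (relative_path, actual_mode, expected_mode) tuples for every
    entry with permission bits set that the baseline does not allow."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(os.path.join(dirpath, d), True) for d in dirnames]
        entries += [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):   # a symlink's own mode is meaningless; skip it
                continue
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            want = expected_mode(path, is_dir)
            if actual & ~want:         # e.g. group/world write, world read on wp-config.php
                findings.append((os.path.relpath(path, root), actual, want))
    return sorted(findings)

def build_demo_tree(root):
    """Constructed miniature WordPress layout with three deliberately loose modes."""
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel, mode in (("index.php", 0o644), ("wp-config.php", 0o644),
                      ("wp-content/uploads/a.jpg", 0o666)):
        full = os.path.join(root, rel)
        with open(full, "w") as fh:
            fh.write("constructed placeholder\n")
        os.chmod(full, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)

def demo_findings():
    """Build the demo tree in a temp directory and return its audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return audit_permissions(tmp)
```

Point `audit_permissions` at a real document root to get the same report for your own install; confirm the baseline with your host before changing anything, since some hosting setups need different modes.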
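The Login LockDown rule quoted above (too many attempts from one IP range in a short period, then login is disabled for that range) is easier to reason about when modelled over real log lines. This added example, not code from the plugin or the post, implements that rule in Python over a constructed common-log-format access log; it assumes a POST to wp-login.php answered with HTTP 200 is a failed login (WordPress re-renders the form) while a 302 redirect is a success, and that "IP range" means a /24 network.

```python
"""Model of the lockout rule quoted from Login LockDown: too many failed login
attempts within a short window from one IP range disable login for that range.
Assumptions (not from the post): a common-log-format access log; a POST to
wp-login.php answered with 200 is a failed login (WordPress re-renders the form)
and a 302 redirect a success; "IP range" means the /24 network."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                   # the 3rd failure inside the window locks the range
WINDOW = timedelta(seconds=300)
LOCKOUT = timedelta(seconds=3600)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.9 - - [10/Oct/2023:13:55:44 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.9 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1532
198.51.100.7 - - [10/Oct/2023:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
"""   # constructed sample: one /24 hammering the login form, one legitimate user

def failed_logins(log_text):
    """Yield (timestamp, ip) for each failed wp-login.php POST in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if (m and m["method"] == "POST" and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def compute_lockouts(log_text):
    """Return {"a.b.c.0/24": lockout_end_iso} for every range that reached
    MAX_FAILURES inside WINDOW. Log lines are assumed to be in time order."""
    recent, locked = defaultdict(deque), {}
    for ts, ip in failed_logins(log_text):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        if net in locked and ts < locked[net]:
            continue                   # range already locked; attempt is rejected
        q = recent[net]
        q.append(ts)
        while ts - q[0] > WINDOW:      # forget failures that fell out of the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            locked[net] = ts + LOCKOUT
            q.clear()
    return {str(net): end.isoformat() for net, end in locked.items()}
```

Running the same function over your own access log shows which ranges such a plugin would have blocked and how often legitimate users share a /24 with them, which is the trade-off to weigh before enabling range-wide lockouts.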
Web Site Host, Themes & Plugins
Most of the above WordPress security tips are for protecting your site from security issues - the below tips are for being prepared in case of a security breach.
- Re-Evaluate Your Web Host's Backups and Recovery - If your site's hacked you need a backup to restore your site to its previous glory (pre-attack). It's too late to find out then that you don't have a weekly or daily backup; you'll lose content and valuable time. The backup should also be offsite and not on the same server as your website files, as that server may be down or even infected. Check with your web host before it is too late.
- Check Your Host's Speed, Stability, Security and Uptime - If you didn't consider security, stability and uptime when selecting a web host, now is as good a time as ever. 41% of security issues are through the host.
- Re-Evaluate Your Website Theme and Plugins - 51% of security vulnerabilities are through the theme and plugins used by a site. Keep your plugins up to date and constantly remove unwanted plugins; this also helps with speeding up your WordPress site.
Your Computer and Network
- Ensure Your Computer is Free of Malware, Spyware and Virus Infections
- Work From Trusted Networks - Avoid Internet Cafes and Free WiFi, Where Possible
- Make Sure Your Passwords are Strong (including WordPress, Emails etc.)
- Take Advantage of a CDN's (Content Distribution Network) Firewall - Not only can a CDN help reduce website load times, but it also provides a firewall as an added layer of protection that hackers need to breach before getting to your site and its data. I use CloudFlare CDN as it is free and easy to set up.
WordPress Security Plugins
A simple first step towards protecting your WordPress site is to start with a security plugin. Here's a list you can choose from. Don't install more than one as they might have compatibility issues or overlapping functionality.
- iThemes Security - offers a wide range of security features.
- Bulletproof Security - protects your site via .htaccess.
- All in One WP Security and Firewall - adds a firewall to your site.
- Sucuri Scanner - scans your site for malware etc.
- Wordfence - full-featured security plugin.
- Exploit Scanner - searches your database for any suspicious code.
Use this post as a proactive reminder to check your WordPress site for security issues. You can start with your username and password: if you are using 'Admin' as your username, your first step is to create another Admin user and delete the default account, as you can't change the username. Make sure your password is strong and not something like 'password' that can be guessed easily. Keep your WordPress, theme and plugins updated. Use a CDN for better performance and as an added layer of protection. Good luck with locking down your WordPress site. Remember, prevention is better than cure.