It’s well-known that WordPress is the most popular content management system in the world, powering 40% of all websites as of 2021. But the problem with any popular software is that hackers have more incentive to target users relying on that software. After all, if they find a vulnerability in the software, then they can exploit many users quickly. And that’s exactly what happened only last May when nearly a million WordPress sites were attacked in a single month.
Is WordPress Software Safe?
Your business website is important to you. So maybe you’re wondering, should you abandon WordPress for one of its (hopefully) safer competitors?
Probably not. Experts agree that the core WordPress software is fairly secure. Being the biggest CMS on the web means WordPress can invest in a top-notch security team to monitor its software and regularly push security updates and patches. Further, WordPress implements encryption by default, integrates firewalls, and monitors activity on sites it hosts. The company also operates a bug bounty program via HackerOne that rewards white hat hackers who alert WordPress about software vulnerabilities. You can learn more about WordPress security here.
How do WordPress Sites Get Hacked?
Security firm Wordfence released the results of their 2020 study on the types of threats targeting WordPress sites. The study looked at over 4 million WordPress sites and concluded that most security threats to WordPress come from malware from pirated themes and plugins, malicious login attempts, and vulnerability exploits.
By far, the greatest of these threats was malware from pirated themes and plugins. Wordfence found over 70 million malicious files on 1.2 million WordPress websites during 2020. More than 17% of infected sites had malware from a hacked plugin or theme. Thankfully, many of these threats can be avoided by simply purchasing plugins legitimately or only using free plugins from the WordPress Plugin Directory.
Other threats can be harder to defend against. For instance, Wordfence recorded 90 billion malicious login attempts from over 57 million unique IP addresses against WordPress sites last year. As Search Engine Journal points out, that’s a rate of 2,800 attacks per second. Additionally, Wordfence reported 4.3 billion attempts to exploit vulnerabilities in websites. Of the 4 million sites the company monitored, every site experienced at least one exploit of a site vulnerability.
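What those malicious login attempts look like in a site's own web-server log, as an added example that is not part of the original article: a small POSIX shell script run over a few constructed Apache access-log lines. It counts, per client IP, the POSTs to wp-login.php that were answered with HTTP 200 (a failed login re-displays the form with a 200, while a successful one is answered with a 302 redirect), then flags any IP at or above a threshold. The sample lines, the helper names and the threshold are all constructed for this example.

```shell
#!/bin/sh
# Constructed sample of Apache combined-format access-log lines (not real traffic).
# 203.0.113.10 is hammering the login form; 198.51.100.7 is a normal visitor
# who logs in once successfully (WordPress answers a successful POST with a 302).
SAMPLE_LOG='203.0.113.10 - - [12/Jun/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2021:10:00:02 +0000] "GET /about/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"'

# count_failed_logins: read access-log lines on stdin and print "<ip> <count>",
# busiest first, for every client IP whose POST to /wp-login.php got a 200
# (the re-displayed login form, i.e. a failed attempt).
# Field layout of the combined format: $1 client IP, $6 "METHOD, $7 path, $9 status.
count_failed_logins() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { n[$1]++ }
         END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# flag_login_bruteforce THRESHOLD: keep only IPs with THRESHOLD or more failed attempts.
# The threshold is a tuning choice; start high and lower it once you know your
# site's normal rate of mistyped passwords.
flag_login_bruteforce() {
    count_failed_logins | awk -v t="$1" '$2 >= t'
}

# On a live server you would feed the real log instead of the sample, e.g.
#   flag_login_bruteforce 20 < /var/log/apache2/access.log   (path is a placeholder)
printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 3
```

The flagged list is the input for whatever response you choose: a temporary block in the web server or security plugin, or simply confirming that the plugin's own rate limiting is already catching the same addresses.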
How can I Protect My WordPress Website?
The good news here is that while you can’t make your site a perfect fortress, you can go a long way in preventing problems. And many of these security measures are simple fixes that don’t require you to be a security expert.
Update Core Software
Updates are a pain, especially if they take a long time. You have to pause what you’re doing, and you never know when an update will introduce an inconvenience or change the way your site looks. But updates are important. They patch vulnerabilities and introduce new technology to keep your site safer. To make it easier, you can set your website to update automatically so you always have the latest version of WordPress without the trouble of manual updates.
Monitor Plugins and Themes
A good plugin can be a life-saver, but it’s important to keep plugins updated for the same reason you update your WordPress software—security fixes. Remove old plugins or plugins that are no longer supported because they will no longer receive security updates even though they may have vulnerabilities. They may also conflict with newer versions of WordPress. Also, be careful installing plugins. It’s best to use plugins from the WordPress Plugin Directory because they are vetted, and always check the reviews before you install anything!
The same goes for themes. It’s safest to either use a theme from the official WordPress Theme Directory or pay for one from a reputable company whose work meets WordPress’s standards for code. Jamie Juviler of HubSpot also points out that if you’re uncertain of how safe a theme is, you can paste it into W3C’s validator to make sure the code is good quality.
Install a Security Plugin
We just warned you that plugins can be a security risk; however, there are some outstanding security plugins that can protect your site effectively. They use security features you’re already familiar with, like firewalls, antivirus and antimalware scanners, and traffic monitors, and many can stop bad actors before they even reach your site. A few of the top plugins include known names like Sucuri, Wordfence, iThemes, All In One WP Security & Firewall, and WP Cerber.
Two-factor authentication, or 2FA, can make your website much safer by requiring an additional step whenever someone logs in. Some users install 2FA plugins, but WordPress is already set up for this. All you have to do is set up 2FA for your site. If 2FA is an unfamiliar concept, we explained what it is and how effective it is in our blog post “What Is Two-Factor Authentication And Does It Work?”
Change Default Username and Login URL
Login credentials consist of a username and password. If someone has your username, they’re halfway to logging into your site. Since the default admin username for many WordPress sites is simply “admin,” you should change your username to something unique to you. WP Beginner has a handy step-by-step guide with three different methods for changing your username.
Like admin usernames, default login URLs for WordPress sites are all the same: yoursitename.com/wp-admin. Changing this URL makes it harder for unauthorized users to find a place to try to log in. There are many ways you can change the default login URL, including installing plugins that do this for you. But plugins aren’t required. If you’re a more tech-savvy user, you can open phpMyAdmin and make the change there. Kinsta offers a thorough guide that covers several ways to change your login URL.
Maintain User Permissions and Authorized Users
WordPress offers six types of roles for users of a site. It’s important to make sure you assign your website’s users the right roles so they have the permissions they need, but not permissions beyond what their job requires. This limits each user’s ability to accidentally (or intentionally) cause problems with the site or divulge sensitive information. Known as “identity and access management,” this strategy is a core component of cybersecurity for businesses. Similarly, it’s important to remove old users from a site.
Advanced Strategies to Secure Your WordPress Website
Website owners with some web development knowledge, or who employ an IT team, can take security measures even further with some more advanced steps for protecting their WordPress website.
Enable Web Application Firewall
A Web Application Firewall, or WAF, is a firewall for web traffic, similar in spirit to the one you’re probably running on your computer now but inspecting the HTTP requests sent to your site. Like a security guard, it monitors traffic trying to reach your website and decides what should and what shouldn’t be allowed to pass. Firewalls are an essential part of cybersecurity because they block most threats before they even reach your site.
If you’re already using a security plugin, it likely has a firewall built in. If not, there are a number of great firewall plugins to choose from including Sucuri and Cloudflare. WP Beginner also has a list of top WordPress firewall plugins.
Move Your Website to SSL
If you’ve visited a website and noticed a small lock in the address bar, that’s a sign the website is using SSL. Secure Sockets Layer, known as SSL, is an encryption protocol (its modern successor is TLS, but the name SSL stuck) that encrypts data transferred between the website and a site visitor’s browser. This makes the data much harder to read or tamper with in transit. Many web hosting companies offer free SSL certificates, but if yours doesn’t then WP Beginner offers instructions for how to get a free SSL certificate for your site. Beyond making your website that much more secure, an SSL certificate inspires confidence in your site users.
Disable PHP Execution in Untrusted Folders
Andrej Kovacevic, writing for FreeCodeCamp.org, advises WordPress users to take two important steps to protect their sites. The first is to “disable PHP execution in untrusted folders.” In layman’s terms, if your website allows users to upload information to the site, such as images or comments, then your site will have a writable upload folder. Because the web server can write to that folder, anyone who manages to get a PHP file into it could then run that code on your site simply by requesting the file. Adding a short bit of code to the .htaccess file in that folder tells the web server never to execute PHP stored there, so an uploaded script becomes inert data instead of a monster unleashed within your site.
Disable PHP Error Display
The second step Kovacevic suggests is disabling PHP error display. When a WordPress site breaks, it displays error messages. This can be helpful if you’re the web developer running the site, but if you’re a hacker, it can reveal vulnerabilities to exploit. Again, simply adding a single line of code to your wp-config.php file will turn off on-screen error reporting (errors can still be written to a log for you to read), forcing attackers to work harder to find your site’s weaknesses.
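Both of Kovacevic’s steps scripted for an Apache-hosted site, as an added example that is neither the article’s nor Kovacevic’s own code: the helper names harden_uploads_dir, check_display_errors and disable_display_errors are hypothetical. The first function writes an .htaccess into the uploads directory that makes Apache refuse to serve files with PHP extensions from it (Apache 2.4 Require syntax; the extension list is this example’s choice). The other two check wp-config.php for define('WP_DEBUG_DISPLAY', false) and, if it is absent, insert it together with @ini_set('display_errors', 0) ahead of the “stop editing” marker, so both take effect before wp-settings.php is loaded. The paths in the usage comments are placeholders.

```shell
#!/bin/sh
# Helper names (harden_uploads_dir, check_display_errors, disable_display_errors) are
# hypothetical, written for this article; they are not WordPress or Kovacevic's tooling.

# harden_uploads_dir DIR: write an .htaccess into the uploads directory so Apache refuses
# to serve (and therefore never executes) files with PHP extensions stored there.
# Images and documents are unaffected. Uses Apache 2.4 "Require" syntax; on Apache 2.2
# replace the inner line with "Deny from all". The extension list is this example's choice.
harden_uploads_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    cat > "$dir/.htaccess" <<'EOF'
# Never execute PHP from the uploads directory.
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# check_display_errors FILE: print "ok" (exit 0) when wp-config.php defines
# WP_DEBUG_DISPLAY as false, otherwise "missing" (exit 1).
check_display_errors() {
    if grep -Eq "define\([[:space:]]*['\"]WP_DEBUG_DISPLAY['\"][[:space:]]*,[[:space:]]*false[[:space:]]*\)" "$1"; then
        echo ok; return 0
    fi
    echo missing; return 1
}

# disable_display_errors FILE: if the define is absent, insert it just before WordPress's
# "That's all, stop editing!" marker, i.e. before wp-settings.php is loaded. The
# WP_DEBUG_DISPLAY constant governs debug mode; the ini_set is what silences on-screen
# errors when WP_DEBUG is off, so both lines are written. Idempotent.
disable_display_errors() {
    check_display_errors "$1" >/dev/null && return 0
    grep -q 'stop editing' "$1" || { echo "marker not found in $1" >&2; return 1; }
    awk -v q="'" '/stop editing/ && !done {
            print "define(" q "WP_DEBUG_DISPLAY" q ", false);"
            print "@ini_set(" q "display_errors" q ", 0);"
            done = 1
         } { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Usage on a real install (paths are placeholders for your own layout):
#   harden_uploads_dir /var/www/html/wp-content/uploads
#   disable_display_errors /var/www/html/wp-config.php
```

After running it, requesting a harmless test file with a .php name from the uploads directory should return 403 rather than executing, and a deliberately broken plugin should now produce a blank or generic error page instead of a PHP stack trace; keep the log file (not the browser) as the place you read errors from.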
Is Your Company’s Website Really Secure?
Security is complicated. New threats are evolving all the time, and keeping up with them is a full-time job.
Our full-time job.
Trust your website to the experts at TracSoft. With over 20 years of experience, we have the knowledge and expertise to protect your website like no one else. We offer 24/7 system monitoring, effective network security, and reliable system backups that keep your data safe and give you peace of mind.
Contact TracSoft today and know your website—and your business—is secure.