How to Properly Secure Your WordPress Website
As far as online security is concerned, WordPress has never really had the best reputation. This has only worsened alongside the uptick in high-profile security scares over the past few years.
Back in early 2017, for example, an unauthenticated privilege escalation vulnerability in WordPress’s underlying REST API resulted in the defacement of more than 1.5 million websites!
And the infamous Panama Papers data breach — in which 11.5 million financial documents were leaked by a lone whistle blower — was traced (at least in part) to a security exploit within a popular WordPress plugin.
Though devastating in scope, stories like this are unsurprising.
All of this has led many within the web design and development communities to ask:
Is WordPress still a secure solution for creating websites in 2019? And if so, how can I make sure that my websites (or my clients’ websites) are kept safe from similar attacks?
These are all legitimate questions — especially considering the recent concerns over Meltdown and Spectre attacks. And I hope to answer them in the remainder of this blog post.
Just How Secure Is WordPress?
The short answer is, it depends.
On the one hand, the WordPress core is consistently maintained by a team of expert developers — in partnership with the Leadership Team and global community — who work hard to identify and resolve vulnerabilities within the underlying software.
Security patches are included in WordPress updates that are released on a consistent basis. In one case, a security vulnerability was fixed within 40 minutes of its discovery!
Yet despite the diligent efforts of the WordPress Security Team, the platform remains an extremely popular target for cyber attacks — representing 83% of compromised websites identified by Sucuri in 2017.
Because it is the most widely-used content management system (CMS) on the web, with an estimated 60% market share, WordPress represents a massive pool of potential marks for cyber criminals.
In addition, the platform is often used by inexperienced web users who are unlikely to take the necessary precautions to secure their websites against such threats as brute-force attacks, SQL injections, and authenticated bypasses.
How to Keep Your Website Safe
Some of you might be a bit worried by this point.
If so, I encourage you to take comfort in the fact that the vast bulk of WordPress cyber attacks happen as a result of site owners’ failure to take basic security precautions.
This means that protecting your website (or your clients’ websites) is still largely within your control.
Even if you don’t consider yourself a WordPress “expert,” or particularly well-versed in cyber security, there are several quick steps that you can take right now to significantly reduce your chances of being hacked.
Let’s go over the basics.
Regularly Update Your Assets
If you only remember one thing from this entire blog post, let it be this.
Because the overwhelming majority of WordPress attacks are due to out-of-date software, keeping your site assets up-to-date is the single most important action you can take for the security of your website.
A typical WordPress website is composed of three main assets:
- The WordPress core software
- A WordPress theme (and perhaps a child theme)
- Additional, third-party WordPress plug-ins
Proper security involves ensuring that all three of these components are regularly updated so that all known security flaws can be quickly patched — with particular attention paid to plugins.
According to a recent WordFence study, WordPress plugin vulnerabilities supplied nearly 56 percent of known entry points of hackers!
What’s more: One report suggests that the website targeted by the Panama Papers attacker had been running an out-of-date version of the popular Slider Revolution plugin.
Regularly update all components of your WordPress website, and you’ll have removed one of the most common threats to your online security.
Invest in a Solid Hosting Provider
WordPress websites are by nature “dynamic.” This means that they use a server-side scripting language (PHP, in this case) in order to display content to users.
Because WordPress is so dependent upon this constant communication with the server, effective WordPress security necessarily involves proper server configuration and maintenance, as well.
Stay with me here.
I realize that this is likely to fall far beyond the scope or technical know-how of most WordPress users — and this is perfectly fine. Because there are several managed hosting service providers who will do all of this for you.
WPEngine is an extremely popular managed hosting service whose plans all come equipped with (among other things) automatic WordPress core updates, firewall protection, and the most recent version of PHP.
This last point is critical, as PHP is the crux of your entire WordPress site.
Each major release of the language is fully supported for two full years following its release — during which time security issues are regularly identified and resolved. Currently any release below PHP 7.0 no longer receives security support.
According to WordPress’s own data, more than 77 percent of all WordPress websites are running unsupported versions of PHP. These sites are all wide open to attack!
Invest in a quality hosting provider like WPEngine or Kinsta, and enjoy the peace of mind that comes along with having someone else worry about all of this for you.
Secure Your Administrative Dashboard
It’s fairly easy to gain access to WordPress’s administrative (or admin) dashboard — especially considering that the vast majority of them retain the default URL of www.domain.com/wp-admin.
The simple act of customizing this default URL will significantly reduce your odds of becoming the target of a brute force attack, in which automated “bots” will attempt various combinations of login credentials in order to access your dashboard.
The WPS Hide Login plugin will allow you to easily change your login URL to something that would be much more difficult for hackers to guess and target, like www.domain.com/184aub26s8. (Just make sure that you remember it.)
Another solution would be to limit the number of login attempts to your dashboard.
By default, WordPress allows unlimited attempts — meaning that bots can take as much time as needed in order to guess your credentials, with no repercussions.
A plugin like WPS Limit Login will automatically block a user’s IP address after a certain number of failed login attempts. This will make brute force attacks against your admin dashboard extremely difficult.
And don’t think you need to worry about these kinds of attacks? Think again.
Individualized brute force attacks are extremely rare. In the vast majority of cases, they are executed by computer programs whose sole job is to parse the net for vulnerabilities — regardless of where they might be!
The Bottom Line
A spate of recent high-profile incidents has reminded us that in 2019 cyber security must be taken seriously.
This applies especially to all website owners, but especially those who have created sites using WordPress, a popular CMS that is also an extremely attractive target for cyber criminals.
Fortunately, however, the lion’s share of publicized WordPress attacks have been the result — not of fundamental flaws within the platform itself — but of poor management.
By ensuring that all site assets are regularly updated, choosing a high-quality hosting provider, and taking some basic precautions against brute force attacks, WordPress site owners can rest easy knowing that their websites aren’t among the 70% currently deemed vulnerable to attack.
If you are a small- to medium-sized business owner looking to invest in a custom and secure website for your business, head on over to bit.ly/asdnewproject to request a free quote for your next design project.