Even though WordPress advises that they take security seriously, it is easy to make your website vulnerable to hackers and viruses with ease if you’re not cautious. As with any system there are potential security issues that may arise if some basic security precautions aren’t taken. This post will take you through some common vulnerabilities and the things you can do to help avoid them.
If you are running a WordPress-powered website, its security should be your primary concern. In most cases, WordPress blogs are compromised because their system files and plugins are outdated. Outdated files are traceable and it’s an open invitation to hackers.
Since version 3.7, WordPress has featured automatic updates. If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date. The same applies to your plugins and can be even more critical here as numerous third-party developers may have developed these.
- Always run the very latest version of WordPress
- Always run the very latest versions of your plugins and themes.
- Be conservative in your selection of plugins and themes.
- Remove unused plugins, themes and users.
Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this. The goal with your password is to make it hard for others to guess and hard for an attack to succeed. Many automatic password generators are available that can be used to create secure passwords that include a combination of numbers, letters and symbols.
Things to avoid when choosing a password:
- Any relation to your own real name, username, company name, or name of your website.
- A word from a dictionary, in any language.
- A short password.
- Any numeric-only or alphabetic-only password (a mixture of both is best).
Consider enabling two-factor authentication which forces approval for login via a secondary method (such as a smart phone).
Hackers often rely on automated scripts to do their dirty work. These scripts can make numerous attempts to log into your WordPress administration page by trying thousands and millions of combinations of usernames and passwords. Not only can being bombed with login attempts slow down your website for legitimate users, it may also succeed—giving hackers complete control of your site. An effective defence to this is to install a login limiter for WordPress. A login limiter can essentially block or quarantine an IP address or username which tries and fails to send login requests above a threshold rate. There are also many other WordPress specific security plugins available to provide even further guards of defence such as Better WP Security, WordFence, BulletProof Security, etc.
Many default WordPress installs include an administrator user account whose username is simply “admin”. Hackers may try to log into this account using guessed passwords.
Things to avoid when choosing a username:
- Using the default username of ‘admin’.
- Avoid your admin username from being displayed on your website.
If you use the default username to post articles / blog posts onto your WordPress website you are most likely sharing the administrative username for your website. Hackers can easily find this username and then use it to run scripts against your website where they just need to guess the password. It is usually best to create an alternative username with lower-level privileges to your websites administration, such as an ‘editor’ or ‘contributor’ and that username can then be displayed on your website alongside posts (if desired). Alternatively you could just have the username omitted from the front end of your website altogether.
Loss of Data Vulnerabilities:
Back up your data regularly, including your databases or at the very least content on your site.
A sound backup strategy could include keeping a set of regularly-timed snapshots of your entire website installation in a trusted location. Imagine a site that makes weekly snapshots. Such a strategy means that if a site is compromised on May 1st but the compromise is not detected until May 12th, the site owner will have pre-compromise backups that can help in rebuilding the site and possibly even post-compromise backups which will aid in determining how the site was compromised.
Sometimes prevention is not enough and you may still be hacked. That’s why intrusion detection/monitoring is very important. It will allow you to react faster, find out what happened and recover your site. Being able to react quickly to any type of hacking attempt or vulnerability is also something important to look for when looking at hosting providers.
Still worried about security on your website?
Keep in mind that since WordPress is an open-source platform security vulnerabilities will almost always exist; but if you are vigilant with your website and put even some of the above measures in place then you are well on the road to securing your website. This is by no means a complete list of vulnerabilities with WordPress, but a great starting point.