I’ve been hearing a lot that WordPress is not secure. Probably you’ve heard that too. Despite all these misconceptions, WordPress is, in fact, a pretty secure CMS, and most of the vulnerabilities are caused by external factors. In this post, I will provide you with DIY tips for taking your WordPress website security to the next level.
How and why do WordPress websites get hacked
Many of my clients who came to me with a request to clean up their website were asking the same question: why did someone hack my website specifically? My answer is that in 99.99% of cases, they are victims of automated attacks. Usually, nobody is targeting your website specifically. Hackers run automated software which has modules for exploiting different vulnerabilities. For example, let’s take the “Slider Revolution” plugin. Some versions of this plugin have known vulnerabilities allowing hackers to upload an arbitrary file to the server. Hackers would get a list of websites and run a script which tries to upload an arbitrary file using this known loophole. Let’s say they have a list of 10,000 WordPress website URLs. The vast majority of such websites are probably built using premium themes, and most of those themes use “Slider Revolution”. So there’s a big chance that at least around 10-15% (the number is not accurate) will be using a vulnerable plugin and make a perfect target for an attack.
They would usually upload a file which serves as a backdoor (a script allowing hackers to penetrate your website and have full access). As you might know, there’s no legit way to promote gambling, porn and some other types of websites, so what they usually do is sell traffic to such website owners. This means that most likely your website will display ads or completely redirect to one of such sites.
Your server most likely has a mail server installed (especially if you have a shared hosting). In such a case, hackers can use it for sending out tons of spam.
So, there’s no fun in getting hacked.
So, how do you improve your website security?
Here, I will provide some DIY tips which won’t take long to implement and will keep your website safe from any automated attacks.
- Use strong passwords;
- Do not create an account called “admin”;
- Make sure your file and folder permissions are correct;
- Use fewer plugins;
- Keep WordPress core, themes and plugins up to date;
- Install Wordfence or similar plugin;
- Make regular backups;
- Scan your website using WPScan;
- Use a custom theme and plugins;
- Use HTTPS;
Use strong passwords
Sometimes people think that using passwords like “letmein” or “P@ssword” counts as strong, but when someone attempts to hack your website using a “brute force” attack (a type of attack where a script takes a huge list of passwords and tries them one by one), they will try the most popular passwords first. Even though your password may be hard for a human to guess, statistics show that a lot of users come up with pretty similar ones. Make sure to use a strong password. You can use many different online services to generate one. For example, you can use this online password generator. More information regarding the risks associated with re-using passwords can be found in the PixelPrivacy blog post.
Do not create an account called “admin”
From my observations, automated attacks try the “admin” username and attempt to guess a password for it. Make sure there is no user called “admin”. Also, try to avoid usernames matching your domain. For example, if your website is “somesite.com”, try to avoid creating a username called “somesite”.
Make sure your file and folder permissions are correct
In general, folders should have 755 and files should have 644 (read/write/execute) permissions. Here is a nice article explaining how to check and fix permissions.
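One way to audit and then apply the 755/644 split described above from the command line, as an added example that is not part of the original post. It assumes a POSIX shell with find and chmod, takes the site root as its argument, and only applies exactly the defaults the text gives; the function and variable names are my own.

```shell
#!/bin/sh
# Audit and fix WordPress file/folder permissions.
# Added example, not from the post. Argument: the site root directory.

# List every directory that is not exactly 755 and every file that is not
# exactly 644, one per line, so you can see what will change before changing it.
audit_wp_perms() {
    root="$1"
    find "$root" -type d ! -perm 755 -exec printf 'DIR  %s\n' {} \;
    find "$root" -type f ! -perm 644 -exec printf 'FILE %s\n' {} \;
}

# Number of deviating entries (0 means the tree already matches 755/644).
count_wp_perm_issues() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Apply the defaults: directories 755, files 644. Run as the owner of the
# files (or with sudo) on the web root, e.g. fix_wp_perms /var/www/site.
fix_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}
```

Run `count_wp_perm_issues /var/www/site` first to see how far the tree deviates, then `fix_wp_perms`. One caveat: wp-config.php holds database credentials, and the WordPress hardening guide recommends something tighter than 644 for it (400 or 440); if you apply that, expect the audit to list that one file.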
Use fewer plugins
I have seen tons of WordPress sites packed with a lot of third-party plugins. This is quite a bad idea. The problem is that each plugin is a potential threat to your website: the more plugins you install, the more risk you accept. There have been cases when plugins from the official WordPress repository had malicious code embedded in them. They are developed by third-party developers and are not checked very carefully. Even very popular premium plugins often have vulnerabilities. So be very careful before installing one: read reviews, check how many downloads it has and what people say about it. Also, remove inactive plugins completely.
Keep WordPress core, themes and plugins up to date
It’s very important to keep everything up to date and do updates at least 1-2 times per month. New vulnerabilities are discovered constantly, and new updates may patch the discovered loopholes.
Install Wordfence or similar plugin
Wordfence is a great security plugin. It might also be the most popular one. There are other ones, but I’ve been using the free version of WF and it works amazingly. It blocks many different types of attacks and sends email notifications when someone logs in or when you need to update something. Really useful stuff.
Make regular backups
It’s a good idea to make a backup almost every time you make an update. Sometimes plugin or theme updates can break something, so it’s good to have a backup you can roll back to. Also, if your website gets hacked, it’s always much better to restore it from a backup than to clean up the hacked version.
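An added example (not from the post) of a backup routine that a rollback can actually rely on: it archives the parts of a site that cannot simply be re-downloaded from wordpress.org, records a SHA-256 checksum next to the archive, and refuses to restore an archive whose checksum no longer matches. It assumes GNU-style tar and sha256sum and takes the site root and a destination directory as arguments; the function names are my own, and the database must be dumped separately (for example with mysqldump), which this script deliberately leaves out.

```shell
#!/bin/sh
# File-level WordPress backup with an integrity manifest and a verified restore.
# Added example, not the post's code. Database dump is out of scope here.

# backup_wp_files SITE_ROOT DEST_DIR  -> prints the path of the new archive
backup_wp_files() {
    site="$1"
    dest="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/wp-files-$stamp.tar.gz"
    mkdir -p "$dest"
    # wp-config.php (credentials, salts) and wp-content (themes, plugins,
    # uploads) are the parts you cannot recover by reinstalling core.
    tar -czf "$archive" -C "$site" wp-config.php wp-content
    # Checksum file uses the bare archive name so it verifies from its own dir.
    (cd "$dest" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
    printf '%s\n' "$archive"
}

# verify_wp_backup ARCHIVE  -> 0 if checksum matches and the archive lists cleanly
verify_wp_backup() {
    archive="$1"
    (cd "$(dirname "$archive")" && sha256sum -c "$(basename "$archive").sha256" >/dev/null 2>&1) || return 1
    tar -tzf "$archive" >/dev/null 2>&1
}

# restore_wp_files ARCHIVE TARGET_DIR  -> unpacks only after verification passes
restore_wp_files() {
    verify_wp_backup "$1" || return 1
    mkdir -p "$2"
    tar -xzf "$1" -C "$2"
}
```

Restore into a scratch directory first (as the test below does) rather than straight over the live site; that also doubles as the periodic check that your backups are actually restorable.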
Scan your website using WPScan
If you are comfortable using a command line, I would recommend using WPScan. This is a vulnerability scanner created for security professionals and WordPress site maintainers. It can uncover more weak spots you might want to harden.
Use a custom theme and plugins
It’s a good idea to use a custom theme developed specifically for your website. First of all, it will be much more lightweight (if it’s well-coded) which is beneficial for SEO and user experience in general, but also, you will eliminate most of the vulnerabilities of popular multipurpose themes. I have discussed the pros and cons of using a custom theme in this article.
Use HTTPS
Last but not least, use the HTTPS protocol. SSL/TLS certificates are pretty cheap or even free nowadays, so it’s good to have this extra security layer.
In some cases, it is worth doing an additional security checkup. For example, if you have other websites hosted on the same server, and these websites run a different CMS, your WordPress website might get hacked through the other website. Malicious code can be uploaded to the server and then access the files of your site and modify them. In such cases, I recommend downloading the whole archive with all the files and doing a manual inspection of the files using different anti-malware tools, or simply using “grep” to search for patterns of malicious code.
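An added example of the grep-based inspection mentioned above (not the author's code): it walks a downloaded copy of the site, flags lines in PHP files that use the constructs injected backdoors almost always rely on (eval, base64/gzip decoding, shell execution), and separately lists any PHP file under wp-content/uploads, where no PHP should live at all. The pattern list and function names are my own choices, and a hit is a lead for manual review, not a verdict: core and some legitimate plugins use base64_decode too, so run it over wp-content and compare core files against a fresh download instead.

```shell
#!/bin/sh
# Grep-based triage of a WordPress file tree for backdoor indicators.
# Added example, not from the post. Argument: root of the downloaded site copy.

# Print file:line:content for every PHP line using a construct typical of
# injected backdoors. Multiple patterns on one line are reported once.
scan_php_for_backdoor_patterns() {
    find "$1" -type f -name '*.php' -exec grep -nHE \
        -e '(eval|assert)[[:space:]]*\(' \
        -e '(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
        -e '(system|shell_exec|passthru|popen|proc_open)[[:space:]]*\(' \
        {} +
}

# Number of suspicious lines found (handy for a quick before/after comparison).
count_suspicious_lines() {
    scan_php_for_backdoor_patterns "$1" | wc -l | tr -d ' '
}

# PHP files inside the uploads directory are never legitimate: the media
# library stores images and documents there, so any .php is a red flag.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

count_php_in_uploads() {
    find_php_in_uploads "$1" | wc -l | tr -d ' '
}
```

Typical use: `scan_php_for_backdoor_patterns ./site-copy/wp-content | less`, then open each hit and decide whether the surrounding code is plausible for that plugin. Anything returned by `find_php_in_uploads` should be removed and the upload path investigated, since it usually marks the original arbitrary-file-upload entry point.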
As you can see, it’s not very hard to keep your WordPress website in good shape from a security standpoint. You just need to follow the steps outlined above, make regular backups and keep everything up to date.