As a business owner, you know how important it is to protect your company’s data. You likely also know that WordPress is a popular target for hackers, due to the sheer number of websites that are powered by it.
In this blog article, we’ll discuss some of the ways you can make your WordPress website more secure. We’ll also provide tips on how to quickly and easily implement these security measures. So don’t wait; read on to learn more!
Providing your customers with the best experience humanly possible is the underlying principle for earning repeat sales and customer loyalty. In this article, we discuss one of the most crucial elements of that experience, if not the most crucial one: cybersecurity.
Businesses are investing heavily in customer satisfaction and experience, and consumers are looking for companies that actually deliver on their promises. As your business grows, the number of issues you need to solve tends to escalate, and so do your customers' expectations of how you address them. Keeping your customers' information safe is undoubtedly one of those issues. If you cannot provide this basic assurance from the very start, you probably aren't being careful enough about customer security and experience in general. You will likely end up with dissatisfied customers, and you may also find yourself in breach of privacy and due-diligence regulations that often carry significant penalties.
There is no other choice. If you are a brand with an online presence, website security should be at the forefront of your operation. And if WordPress happens to be your CMS of choice, it isn't even a question: research suggests that more than 90,000 attacks are launched against WordPress websites every single minute. Hard to believe, but the figure is reported in the industry.
On a positive note, most of these attacks can be prevented with fairly basic measures. In this article we will discuss some of the most common and damaging security weaknesses that come with using WordPress, and the preventive steps you can take to make your WordPress website safe and secure.
Let's cover the three reasons why every successful WordPress website takes safety and security seriously.
To Protect Your Information and Brand Reputation
If hackers succeed in obtaining your personal information (or your website visitors'), things can get bad for your company very quickly. A breach can lead to identity theft, leaked customer data, ransomware, defaced or unavailable servers, and so forth. Then consider the impact on your brand image: people's trust in your brand can be irreparably damaged, and your brand equity takes a major hit.
Your Visitors Expect It
As customers, we expect our personal information to be used and stored safely. Given the risk of information theft and data misuse, it is natural for visitors to expect good website security. If visitors hear one piece of bad news about your site's security, it's over: most of them will not come back, and why would they?
Google Likes Secure Websites
Website security affects SEO as well. Google has used HTTPS as a ranking signal since 2014, and a site that gets hacked can be flagged with a warning in search results or removed from them until it is cleaned up. So if you are struggling with your search rankings, website security is one of the first things to check.
It's a no-brainer that making your website secure and less vulnerable to attackers should be a key concern for your company. Every website (whether it belongs to a multinational corporation or an aspiring start-up) should prioritize the safety of its visitors and users, and this brings us to the question…
Is WordPress Secure?
Answering this question is a bit complicated. If you want the answer summed up in a single sentence, then yes: WordPress is secure, but only if its users take security seriously and follow the best practices that make their website less vulnerable to attackers.
Given the extremely high number of websites built on WordPress, it is one of the most popular targets for cyberattacks, if not the most popular. There is no denying the exposure a poorly maintained WordPress website carries. A study by the security provider Sucuri reported that of the CMS-powered websites it cleaned after a successful hack in 2018, roughly nine out of ten ran WordPress.
That share makes sense when around 36% of all websites globally use WordPress, which amounts to hundreds of millions of sites. But before you start having second thoughts about using WordPress, you should know that this is not entirely the fault of the product itself.
WordPress is open-source software: anyone with the skills can read, modify and redistribute the source code. That makes it easy to customize and optimize, there are countless plugins and themes available, and developers can change the backend code themselves. This flexibility is what makes WordPress unique and powerful and is the reason it is so widely used. It also means that much of the code running on a typical site was written by third parties of varying quality, and that attackers can study the same code to find weaknesses in it.
There are always two sides to a story, and no benefit comes without a possible downside. All this flexibility means that an improperly configured or unmaintained WordPress site is prone to numerous security issues. You have heard the saying "with great power comes great responsibility", and it applies to WordPress too: the software gives its users a lot of power, and many of them are straight-up neglecting the responsibility that comes with it. Hackers know this very well and target the weak and vulnerable websites accordingly.
No website is 100% secure, and that is not specific to WordPress. As WordPress states:
“Security…is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.”
You can never completely eliminate online threats. What you can do is take the necessary precautions to safeguard your website as well as possible and make the likely threats much less likely to succeed.
You probably understand by now that doing nothing in regards to the security of your WordPress site could see you having all sorts of issues with your online presence. Below are some of the most common types of cyberattacks that WordPress websites tend to encounter:
Brute-Force Login Attempts
Brute-force login attacks happen when attackers use automated tools to try thousands of username and password combinations per minute against the login page (or against XML-RPC, which accepts the same credentials), until one of them works. Lists of passwords leaked from other sites are commonly fed into these tools, which is why reused passwords fall first.
Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is a very common form of web attack. It occurs when an attacker gets their own script into a page that your site serves to other people, for example by submitting it in a comment, a form field or a URL parameter that the site prints back without escaping. The script then runs in each visitor's browser as if it were part of your site, where it can steal session cookies, perform actions as the logged-in user (including an administrator) or redirect visitors to a malicious page.
Database (SQL) Injections
Database injection, widely referred to as SQL injection, occurs when user input (from a search box, a contact form, a URL parameter) is pasted into a database query without being properly separated from the query's own code. Carefully crafted input then changes what the query does, and the attacker can read confidential data stored in the database (including user password hashes), modify it, or in some cases create an administrator account.
Backdoors
Attackers use backdoors to bypass the standard WordPress login and keep access to a site they have already compromised. A backdoor is typically a small PHP file dropped among the WordPress source files, or a few lines added to a theme or plugin file, and sometimes simply a hidden administrator user. Placed among thousands of legitimate files, it is very difficult for an inexperienced user to locate.
Denial-of-Service (DoS) Attacks
Attackers execute DoS attacks by flooding a server with more traffic than it can handle, so that the site slows to a crawl or crashes and legitimate users cannot reach it. When the flood is sent from many machines at once (a distributed denial of service, or DDoS) the effect is far more severe and much harder to block by banning a single source.
Phishing
Phishing occurs when attackers contact their target while pretending to be a legitimate company or client, and induce the target to give up credentials or personal information, download a malicious file, or visit an infected site. If hackers gain access to your WordPress account, they can also use your site and your identity to run phishing campaigns against your own customer base.
Hotlinking
Hotlinking happens when another website embeds content (usually images) hosted on your site without your consent, so that every visitor to their page downloads the file from your server. This is theft of resources rather than an attack: you pay for the bandwidth and your site slows down while someone else gets the benefit of the content.
For any of the above attacks to succeed, however, attackers need to find weak spots in a website's security. Below are some of the most common weak points that hackers look for when picking a target:
Plugins: The majority of WordPress security breaches are related to third-party plugins. A plugin runs with the full privileges of the WordPress application, so a single vulnerable, abandoned or poorly written plugin gives an attacker the same access to your site and database that WordPress itself has.
Outdated WordPress versions: WordPress releases updates regularly to address security vulnerabilities. Once a fix is published, the vulnerability it fixes is public knowledge, and attackers scan for sites still running the older version to exploit exactly that bug.
The login page: By default, every WordPress site's backend login page is the site's main URL with "/wp-admin" or "/wp-login.php" added to the end. Hackers can locate it trivially and attempt a brute-force entry.
Themes: Even the WordPress theme you choose can open the door to a breach. A theme is PHP code, so an old, unmaintained theme (or a bundled library inside it) can carry known vulnerabilities that nobody is patching, and abandoned themes are often left installed but inactive, where they are still reachable.
Now that we know about the possible threats, let’s discuss ways to reduce the chances of such vicious cyberattacks on your WordPress site.
The foundation of securing a WordPress website is keeping your accounts safe from malicious and unauthorised login attempts. In order to do this:
Use strong passwords: It's 2020 and technology is making big waves, but people are still using "12345" as their password. Strong, unique passwords go a long way in securing your website; a password manager makes them painless. Ensure that every user with an account on your WordPress backend uses a strong password from the start.
Enable two-factor authentication: Two-factor authentication is one of the simplest, yet most effective, ways to secure your website. With it enabled, users must confirm each login with a second factor, such as a code from an app on their smartphone, so a stolen or guessed password alone is not enough.
Don't use "admin" as a username: Hackers try this username in the very first round of a brute-force attack, so create your accounts with any other username. If you already have an account named "admin", create a new administrator account with a different username, or use the Username Changer plugin.
Limit login attempts: Setting a limit on the number of times a client can enter wrong credentials within a given period blunts brute-force attacks. Some hosting services and firewalls have this enabled by default, but you can also install a plugin for it, such as Limit Login Attempts. Note that limits keyed on the client IP address are less effective against attackers who rotate through many addresses, which is why they belong alongside two-factor authentication rather than in place of it.
Add a captcha: A captcha adds another layer to your login by verifying that the client is a human being and not a script. Again, there are plugins for this; Recaptcha by BestWebSoft is one of them.
Enable auto-logout: Always log out of your WordPress account when you have finished working. Auto-logout helps when you forget, by ending idle sessions before someone else can use the open browser. The Inactive Logout plugin can enable this for you.
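To show what the "limit login attempts" and "no admin username" advice above amounts to in code, here is a small must-use plugin written for this article as an added example; it is not code from the original page, nor from any of the plugins named above. It hooks the same WordPress filters and actions those plugins use. The limits (five failures per 15 minutes per client address) and the file name are my own choices, and it assumes the client address in REMOTE_ADDR is trustworthy, which is only true if no proxy or CDN sits in front of the site or the proxy has been configured to rewrite it.

```php
<?php
/**
 * Plugin Name: Login Hardening (added example, wp-content/mu-plugins/login-hardening.php)
 * Description: Rate-limits failed logins per client address, refuses the
 *              username "admin", and logs failures in a greppable format.
 * Files in wp-content/mu-plugins/ load automatically, so there is nothing to activate.
 */

// Assumed limits (not from the article): 5 failures per 15 minutes per address.
define('LH_MAX_FAILURES', 5);
define('LH_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS);

// Client address used as the lockout key. Assumes no reverse proxy in front
// of PHP; behind one, REMOTE_ADDR is the proxy and this must be adapted.
function lh_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lh_transient_key($ip) {
    return 'lh_fail_' . md5($ip);
}

// 1. Refuse the username "admin" entirely; WordPress then also refuses to
//    create an account with that name.
add_filter('illegal_user_logins', function ($names) {
    $names[] = 'admin';
    return $names;
});

// 2. Replace the authentication result with a lockout error once the limit
//    is reached. Priority 30 runs after core's own checks (priority 20), so
//    the lockout error overrides whatever core decided and the attacker
//    learns nothing about whether the guess was right.
add_filter('authenticate', function ($user, $username, $password) {
    $failures = (int) get_transient(lh_transient_key(lh_client_ip()));
    if ($failures >= LH_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.', LH_WINDOW_SECONDS / 60)
        );
    }
    return $user;
}, 30, 3);

// 3. Count each failure. The transient's lifetime is renewed on every failure,
//    so an attacker who keeps hammering keeps the address locked.
add_action('wp_login_failed', function ($username) {
    $key      = lh_transient_key(lh_client_ip());
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, LH_WINDOW_SECONDS);
    // One structured line per failure for log shipping, fail2ban or a SIEM rule.
    error_log(sprintf('wp_login_failed ip=%s user=%s count=%d',
        lh_client_ip(), sanitize_user((string) $username), $failures));
});

// 4. Clear the counter on a successful login so a legitimate user who
//    mistyped a few times is not locked out afterwards.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lh_transient_key(lh_client_ip()));
}, 10, 2);
```

Transients live in the options table (or the object cache if one is configured), so the counter is shared across PHP workers without any extra infrastructure. The error_log line is the part a monitoring setup cares about: a rule that alerts on many distinct usernames from one address, or one username from many addresses, catches both plain brute force and the distributed kind that a per-address limit cannot stop.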
Choose a Secure Hosting Service
You should take several things into consideration when picking the service that hosts your website, and security should be at the top of the list. Choose a host known for protecting customer data, keeping its servers patched, and restoring sites quickly if an attack does take place.
Keep Backups
We all know the feeling of losing vital data. It's devastating. WordPress itself does not back anything up, so arrange backups proactively: use your host's backup service, a backup plugin, or both, keep copies somewhere other than the web server itself, and restore one occasionally to confirm the backups actually work. Then if an incident or attack causes data loss, you still have something to go back to.
Keep WordPress Updated
As discussed earlier, old and outdated versions of WordPress are common targets. Check for updates regularly and install them promptly to close the vulnerabilities that exist in older versions; this applies to plugins and themes just as much as to WordPress core.
Before updating to a new major version, back up your site and make sure your plugins are compatible with the version you are about to install. If they are not, update the plugins first, then WordPress, ideally on a staging copy of the site before touching production. After that, follow the update instructions on WordPress' official website.
Install a Security Plugin
Security plugins can help you manage your website's security. They handle many routine tasks for you, such as regularly scanning your files for known malware signatures, applying hardening settings, blocking known-bad traffic and preventing content theft. Keep in mind that a scanner finds what it recognises; it does not fix a vulnerable plugin for you. And make sure the security plugin you choose is a well-established, actively maintained one.
Choose a Safe Theme
With so many themes to choose from, not every theme that looks good is safe. Resist the urge to install any WordPress theme that pleases the eye; choose one that follows WordPress coding standards and is actively maintained, not just one that looks good.
A rough check of a theme's quality is to paste your site's URL into the W3C markup validator; a theme that produces a flood of invalid HTML was probably not written with much care. Bear in mind that this validates markup, not security. Prefer themes from WordPress' official theme directory, check that the last update is recent, and delete any themes you are not using rather than leaving them installed.
Enable SSL (HTTPS)
SSL (Secure Sockets Layer, now technically its successor TLS) encrypts the connection between your website and your visitors' browsers. With it enabled, the traffic between your site and your visitors' computers cannot be read or altered by anyone sitting on the network in between, which is what protects login passwords and form submissions on the way to your server.
Enabling SSL also shapes the first impression visitors get of your site. Browsers like Google Chrome mark plain-http pages as "Not secure" in the address bar and warn users before they submit a form on one.
To check whether your WordPress website uses SSL, look at your site's homepage URL. If it begins with "https://" (the "s" stands for "secure"), your connection is encrypted. If it begins with "http://", your site is not using SSL and you need to obtain a certificate; most hosts now provide one free through Let's Encrypt. After installing it, set the WordPress and site addresses in Settings to the https:// versions and redirect http:// requests to them, so that every visitor lands on the encrypted site. Note that HTTPS protects data in transit only; it does nothing about a vulnerable plugin on the server.
Use a Firewall
A firewall is security software that sits between two or more networks and controls the traffic passing between them. It acts as a barrier between a trusted and an untrusted network, dropping traffic that is not allowed in.
For a website, the relevant kind is a web application firewall (WAF): a filter that inspects HTTP requests and blocks ones that look like known attacks (SQL injection payloads, attempts to hit wp-login.php thousands of times, requests for files that should not be public). A WAF is a category, not a particular plugin; security plugins such as Wordfence include one that runs inside WordPress, and providers such as Sucuri or your CDN can run one in front of your server, which also helps absorb DoS traffic before it reaches you. Choose one depending on your needs, and remember that a WAF reduces the noise but does not replace patching.
Never Trust User Input
If any portion of your WordPress site accepts input from visitors, whether a quote request form, a payment form, a contact form or the comment section of a blog post, that input is a potential XSS or database injection vector. Attackers put crafted input into these fields to alter your database queries or to get their own script into pages your other visitors see.
To prevent this, never build a database query by pasting input into it; pass the input as a separate parameter so the database treats it as data, never as part of the query. For display, escape every value at the point where it is printed into HTML, even values that came from your own database, since they may have been submitted by an attacker earlier. Validate and sanitize input on top of that, but do not rely on stripping "special characters" alone; the reliable defences are parameterized queries and output escaping. A well-maintained WordPress form plugin does this for you; custom code should use the WordPress functions built for it.
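The following is an added example, written for this article rather than taken from the original page or from any plugin, of the difference the paragraph above describes. The first function is deliberately vulnerable to both SQL injection and XSS; the second does the same job with WordPress' own APIs. The table name customer_notes, its column, and the shortcode name are assumptions for illustration.

```php
<?php
// Added example (not from the article): a search over a custom table,
// first in the vulnerable form, then hardened. Table and column are assumed.

/* --- VULNERABLE: input concatenated into SQL and printed back raw --- */
function insecure_search($term) {
    global $wpdb;
    $table = $wpdb->prefix . 'customer_notes';   // assumed table name
    // SQL injection: the term becomes part of the query text, so input such
    // as   %' OR 1=1 -- '   rewrites the WHERE clause and returns every row.
    $rows = $wpdb->get_results("SELECT note FROM $table WHERE note LIKE '%$term%'");
    // XSS: the term (reflected) and the notes (stored) are printed unescaped,
    // so <script>…</script> in either one runs in every visitor's browser.
    $html = "<p>Results for $term</p><ul>";
    foreach ($rows as $row) {
        $html .= "<li>{$row->note}</li>";
    }
    return $html . '</ul>';
}

/* --- HARDENED: parameterized query plus context-aware output escaping --- */
function secure_search($term) {
    global $wpdb;
    $table = $wpdb->prefix . 'customer_notes';
    // Normalise the input: strips tags and control characters, trims whitespace.
    $term = sanitize_text_field((string) $term);
    // Escape LIKE wildcards in the user's text, then bind the whole pattern as
    // a %s placeholder so the database never sees it as query syntax.
    $pattern = '%' . $wpdb->esc_like($term) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare("SELECT note FROM {$table} WHERE note LIKE %s", $pattern)
    );
    // Escape at output time for the context the value lands in (HTML text).
    // Stored notes are escaped too: whoever saved them may have been hostile.
    $html = '<p>Results for ' . esc_html($term) . '</p><ul>';
    foreach ($rows as $row) {
        $html .= '<li>' . esc_html($row->note) . '</li>';
    }
    return $html . '</ul>';
}

// Wire the hardened version to a form: [customer_search] reads ?q= from the
// request. wp_unslash() undoes the slashes WordPress adds to request data.
add_shortcode('customer_search', function () {
    $term = isset($_GET['q']) ? wp_unslash($_GET['q']) : '';
    return secure_search($term);
});
```

The table name is interpolated in both versions because placeholders cannot stand in for identifiers; that is acceptable only because it comes from $wpdb->prefix and a literal, never from the request. Everything that does come from the request goes through prepare() on the way into the database and through esc_html() (or esc_attr(), esc_url() and so on, depending on where it is printed) on the way out.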
Limit WordPress User Permissions
If your website has more than one user account, give each user the role that matches their job and nothing more. By default WordPress provides five roles on a single site (Administrator, Editor, Author, Contributor and Subscriber), plus Super Admin on multisite networks. Keeping the number of administrators to the minimum means fewer high-value accounts for attackers to brute-force, and it limits the damage an attacker can do with a stolen password: a compromised Author account can post spam, while a compromised Administrator can install a backdoor. Review the user list periodically and remove accounts that are no longer needed.
Use WordPress Monitoring
A monitoring system for your WordPress site keeps an eye out for attempted attacks and for signs that one has succeeded: bursts of failed logins, changed core or plugin files, newly created administrator accounts, unexpected outbound connections. It alerts you early, so you can act before an attacker has had days to dig in.
Change the Default WordPress Login URL
Consider changing the default URL of your login page, since it is trivially easy to find and automated attackers aim at it. Plugins like WPS Hide Login can do this for you. Keep in mind that this is obscurity only: it cuts the noise from dumb scanners, but anyone who looks at your site's HTML or tries a few requests can still find the page, so it complements strong credentials and two-factor authentication rather than replacing them.
Conduct Regular WordPress Security Scans
To be on the safe side, make a habit of running regular check-ups on your WordPress website. Monthly is good; twice a month is better. Plugins such as Defender, Wordfence and Security Ninja can scan your site for known malware and common misconfigurations automatically. Remember that such scanners recognise known patterns; a clean scan lowers the odds of a problem but does not prove there is none.
Disable File Editing
WordPress, by default, lets administrators edit the PHP code of their themes and plugins directly from the dashboard. That flexibility is a liability: if an attacker gets into an administrator account, the editor gives them a way to drop a backdoor into your site with a few clicks. Disable it by defining the DISALLOW_FILE_EDIT constant as true in wp-config.php; security plugins can set this for you as well.
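The following wp-config.php fragment is an added example for this article, not code from the original page; it collects the file-editing setting from this section together with the HTTPS enforcement from the SSL section above. Each constant is a real WordPress setting; the values chosen, and the assumption that a trusted proxy sets the X-Forwarded-Proto header, are mine.

```php
<?php
// Added example: hardening constants for wp-config.php (not from the article).
// Place them above the line that reads
//   /* That's all, stop editing! Happy publishing. */

// Remove the theme and plugin code editors from the dashboard. An attacker
// who steals an administrator session can no longer write PHP into a theme
// file from the browser.
define('DISALLOW_FILE_EDIT', true);

// Stricter option: also block installing and updating plugins and themes from
// the dashboard, so code only changes through your deployment process.
// Caution: this also switches off WordPress' automatic background updates, so
// only enable it when updates are applied some other way (e.g. wp-cli).
// define('DISALLOW_FILE_MODS', true);

// Force the login page and the whole dashboard over HTTPS. A working TLS
// certificate must already be in place, or you lock yourself out.
define('FORCE_SSL_ADMIN', true);

// Assumption: the site sits behind a TLS-terminating proxy or CDN that sets
// X-Forwarded-Proto and strips any copy the client sends. WordPress cannot see
// the scheme itself in that case; without this, FORCE_SSL_ADMIN redirects in a
// loop. Delete this block if PHP terminates TLS directly.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Keep PHP errors out of visitors' browsers; they leak file paths and versions.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
@ini_set('display_errors', 0);
```

After adding these, log out and back in over https:// to confirm the dashboard still loads, and check Appearance in the admin menu: the Theme Editor entry should be gone.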
Consider Deleting the Default WordPress Admin Account
We discussed earlier the importance of not using "admin" as a username. If you want to take things a step further, delete that default account altogether after creating a new account with the same administrator permissions. When you delete a user, WordPress asks what to do with the content that user owns; attribute it to your new account rather than deleting it.
Okay, so you’ve gone through and even implemented some or if not all of the above-mentioned preventive measures. But now you want to take things to the next level and be extra cautious if unfortunately, something does indeed go wrong. Or, something has already gone wrong. One way or the other, here are the things that you want to do:
Keep Calm
That is easier said than done, of course. Keeping calm in a crisis is tough. But remember that you are not alone: thousands, if not millions, of site owners around the globe have been through the same thing. A cool, clear head is what lets you locate the source of the breach and work through resolving it methodically instead of making it worse.
Turn On Maintenance Mode On Your Website
Turning on maintenance mode and limiting access to your website keeps your visitors away from a site that may be serving malware, and stops the attacker from doing further harm through the public site while you work. Don't rush to reopen; open it only when you are sure the situation is fully under control.
Draft an Incident Report
Mindfully record all the useful details that can help resolve the situation. Some of the details that you would want to look for include:
Reset Access and Permissions
If there are multiple users on your WordPress website, we highly recommend that each of them change the passwords they use on their work and personal devices (and their personal accounts too, if any were shared), as you never know what the attackers managed to reach beyond your WordPress website.
Diagnose the Issue
Depending on the scale of the attack, you can either investigate the issue yourself with the help of a security plugin or, if the attack is a severe one, hire a professional to investigate, diagnose the problem and repair the damage. Either way, scan for the malicious files and injected code that attackers leave behind, and remove them; a backdoor that survives the clean-up lets them walk straight back in.
Review Related Websites and Channels
If there are any other online platforms (social media accounts or other WordPress accounts) linked to your website then you might want to examine those platforms to see if they were affected by the attack as well. We strongly recommend changing your passwords for these accounts as well.
Reinstall Backup, Themes and Plugins
Re-install your theme and plugins from fresh copies obtained from their official sources, so that any modified file is replaced with a known-good one, and confirm they are all still maintained. If you have a backup in place, restore the most recent one taken before the attack, keeping in mind that a backup taken after the initial compromise may contain the attacker's backdoor as well.
Change Your Site Passwords Again
We have already covered resetting all your WordPress passwords, but the attacker may still have had access while you were fixing the issue, so the new credentials could have been captured. Once the site is clean, go the extra mile and reset everything once more.
Alert Your Customers and Stakeholders
Once the issue has been resolved and your website is up and running again, reach out to your clients and stakeholders to tell them about the attack, especially if their personal information was compromised. It is scary and they may not be happy with the news, but it is the right thing to do, transparency matters in a relationship, and in many jurisdictions privacy regulations require breach notification within a fixed deadline.
Check That Your Website Is Not Blacklisted by Google
Check whether Google has flagged your site as dangerous (through its Safe Browsing service) as a consequence of the attack. If it has, browsers show a full-page warning before anyone can visit, and search results carry a warning too.
Blacklisting is necessary, since it protects users from malicious websites, but it also scares the traffic away from a legitimate site that has been cleaned. You can use Sucuri's free site check to scan your website for blacklist status, and Google Search Console shows any security issues Google has found and lets you request a review once the site is clean.
Follow the Best Practices Listed Above
By taking as many preventive measures as you reasonably can, you drastically reduce the chances of an attack succeeding. Always remember that prevention is better than cure.
Once you start venturing down the rabbit hole of website vulnerabilities, finding your way back can be very tough. So why get trapped in an unnecessary dilemma when you can prevent the situation beforehand with proactive thinking and action.
Cybercrime is one of the greatest threats, if not the greatest, to any company in existence, whether a small start-up or a blue-chip corporation, and it will continue to be in the days to come. Technology is evolving and security engineers keep developing new ways to stop and counter attacks, but it is a double-edged sword: with evolving technology, the attackers evolve too, and we are caught in the middle of a never-ending cycle.
So, what can we do on our part? We have discussed this throughout the article: take as many precautions as we can to significantly reduce the likelihood of being attacked. And if something does go wrong, we will be in much better shape to deal with it.
June 08, 2020