Website Security

Protect your website from down time and other issues through preventative measures.

Is Your WordPress Website Secure?

Website Security,Wordpress

As of 2015, WordPress is by far the most popular content management system in use. Nearly 75 million websites are currently powered by WordPress, and with good reason — it’s an excellent platform for developing websites for virtually any purpose, and it just keeps getting better. That said, the popularity of the CMS has made it a prime target for hackers, and if you haven’t taken measures to secure your WordPress website, you may be at risk.

I receive an alarming number of calls regarding WordPress intrusions. Some of the people who contact me are aware they’ve been hacked, while others have only noticed that their website is loading slowly or having other minor glitches. Sometimes evidence that your WordPress website has been hacked is prominent — there’s an advertisement for Viagra or Ugg Boots right on your homepage. Other times, however, your website may not show any signs of the hack at all. The latter is in all honesty the worse of the two scenarios, because the malware hackers plant typically produces thousands of spam pages advertising pharmaceuticals, luxury items or pornography right on your server, which will have a significantly negative impact on your website’s rank and performance and over time will cause it to drop off in Google’s search results or become blacklisted altogether.

WordPress is a great platform, and if maintained the correct way it is fairly secure, however, if you haven’t already done so, it’s imperative that you take specific measures to secure your WordPress website.

How Does a WordPress Hack Occur?

There are a number of ways a WordPress website can get “hacked.” Because WordPress and its plugins are open source, the code is available for anyone to view. If a vulnerability is found — a problem in the script that would allow someone to upload a file onto your server or execute malicious code — it’s common knowledge. This is probably the number one reason WordPress websites are compromised. WordPress and WordPress plugin updates typically fix these issues in a timely manner, but if your WordPress installation hasn’t been kept up to date, hackers are scanning the web for websites operating on outdated versions of WordPress so that they can exploit its weaknesses.

Another common vulnerability is the WordPress administrator username and password. Frequently I find administrators use “admin” as the username for their WordPress site, and hackers are aware of this as well. By using what’s known as a “brute force” attack, hackers will attempt 1,000’s of logins to your website using the admin username until they’ve successfully guessed the correct password.

If you’re managing your own WordPress installation and files, you may occasionally use FTP to upload files to your web server. If you do so using a plain-text connection rather than TSL or SFTP, you’re sending your FTP username and password out over the web which is fairly easy for hackers to intercept.

How You Can Secure Your WordPress Website

While the hacking of WordPress (and other content management systems) websites is prevalent, there’s good news. If you take a few important measures to secure your website, you can significantly reduce the risk of being hacked. No website is ever 100% secure, it’s simply not possible. But you can reduce your risk significantly. Here are a few important measures you should take.

1. Update Your WordPress, Theme & Plugins

WordPress and plugin updates aren’t always about new features and options — often times an update will include a fix to a known vulnerability. Keeping your WordPress installation, theme and any plugins you are using will ensure you’ve received these updates. Some argue in favor of waiting a bit before adopting the absolute latest version to give time for any new vulnerabilities to be identified and addressed, but whether you take this approach or not, never let your WordPress installation remain at a significantly outdated version. The same goes for plugins and themes.

2. Use Strong Passwords & Usernames

The easiest way to protect yourself again brute-force attacks is to choose strong passwords and unique usernames. Whatever you do, never use the “admin” username. If you are currently using the “admin” username, you should create a new username and delete the admin user as soon as possible.

3. Use a Secure FTP Connection

If you connect to your web server via FTP, always use a secure connection. If the default options for TLS or SSH/SFTP in your FTP program aren’t working for you, contact your hosting provider for instructions on how to connect securely to your server. It may take a few minutes to set up, but it can save you a lot of headache.

4. Harden Your WordPress Installation

There are a lot of good strategies you can use to harden your WordPress install. One of the easiest and most effective methods of protecting your installation is to install a good WordPress security plugin, such as Wordfence. A security plugin will limit login attempts so that a brute-force attack is much more difficult if not impossible, and can also scan your website for malware, employ a fire wall and alert you of any issues.

5. Remove Unused Plugins

It can be a challenge keeping all of your plugins up to date, especially if you have a lot of them. Often times website administrators or the developers who set up a website will install many different plugins before deciding on the exact ones they’ll need. If you have plugins installed on your website that you’re no longer using, the best thing to do is simply remove them.

6. Never Send Your Login Information via Email

People frequently share WordPress usernames and passwords via email, but unfortunately, email is insecure and when you do so you’re putting your information out in the open.

Back Up Your Website Files & Database

While security is important, backing up your website is imperative. If your website is compromised, it can be difficult if not impossible to identify and remove the malware from your website files and database. If even one piece of the malware remains, the back door for more malware remains.

A WordPress website is comprised of the files on your server and the database, and you need to back up both. You can do so manually via FTP and by exporting the database via PHPMyAdmin, or you can use a WordPress plugin to do so. If you opt to use a plugin, be sure that it’s working (test your backups) and store backups in an alternate location. If you store backups on the same server, if something goes wrong with the server, you’ll be out of luck.

There are also a number of automated backup providers. Your host may offer such a service, but if not, consider Code Guard or WP Vault — both will back up your website daily and can alert you of any changes to website files. Additionally, you may want to consider adding the Site Lock or another malware scanning service — the cost is low and the benefit is significant.

If you are having issues with your WordPress website or would like to learn more about securing your site, please feel free to contact me for more information.

Share this

Leave a Comment