Website security is serious business. Knowing how to harden your WordPress site can be the difference between keeping your business and losing it, or your reputation with it. The number of compromised websites has risen and, in my opinion, will keep rising, simply because the Internet keeps growing and more and more commerce moves onto it.
Since 2009, the number of reported WordPress security hacks has more than doubled. In 2012, the figure was reported to be over 170,000 sites.
If you work in online marketing, the odds are that you have worked on, or will at some point work on, a WordPress site. Thousands of malware families are active on the Internet but fortunately, not all of them apply to WordPress. What makes a WordPress site vulnerable? Here are the most common root causes behind the WordPress compromises you will come across:
- Out-of-date software
- Poor servers
- Poor credential management
- Poor system administration
- Lack of technical knowledge
- Cutting corners
Knowing why your WordPress site may be compromised is half the battle. Knowing the typical types of attack is the other half. Here is a breakdown of the most common WordPress security issues you should be aware of.
Back-doors
A back-door is code an attacker leaves behind so they can get back into your site without going through the normal routes (FTP, the WordPress admin login and so on). Typically it is a small PHP file dropped into a writable directory such as wp-content/uploads, or a few lines added to a theme or plugin file. Back-doors are exceptionally dangerous: they survive a password change, and if left unchecked they let the attacker return at will and cause havoc on your server.
Drive-by downloads
A drive-by download is usually planted on your website via some type of script injection. Its purpose is to push something onto your visitor's local machine, often without any click at all. One of the most common variants is fake anti-virus: a pop-up tells the visitor that their computer is infected and that they need to install an "anti-virus" product to fix it, and that product is the malware.
Pharma hacks
A pharma hack is one of the most prevalent exploits. The attacker injects spam content and links for pharmaceutical products into your pages, often hidden from normal visitors and shown only to search engine crawlers, so your site ends up ranking for, and advertising, someone else's pills. It is classed as spam, and if you are found to be distributing spam you run the risk of being flagged by Google with warnings that deter visitors, such as "This site may be compromised".
Malicious redirects
Quite simply, a malicious redirect sends a visitor to a site other than yours, usually via injected JavaScript or a rewrite rule added to .htaccess. The destination may serve infectious software, advertisements, or what appears to be a random or foreign site. Redirects are often conditional (only for visitors arriving from a search engine, or only on mobile browsers), which is why the site owner frequently never sees them.
Brute force attacks
Brute force attacks occur when someone tries to gain access to your site by attempting an enormous number of username and password combinations, against wp-login.php or the XML-RPC interface, until the right one is found. Guessing is very fast for short passwords, and for longer ones attackers switch to dictionaries of common passwords and lists of credentials leaked from other sites, which work just as well against anyone who reuses a password.
Zero-day attacks
A zero-day attack exploits a vulnerability that nobody but the attacker knows about yet, so it happens before any fix exists. It is difficult for you to prevent this, because the developers have had no time to realise the problem, address it and ship an update. What you can do is limit the damage: least privilege on the server, no stray plugins, and backups.
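Brute force attempts are easy to spot in the web server's access log if you look for them. The script below is an added example, not code from the original article: it counts POST requests to the WordPress login endpoints per client address over a combined-format log and reports the addresses above a threshold. It goes slightly beyond the text by also counting xmlrpc.php, the other endpoint that accepts WordPress credentials and is routinely used for password guessing. The log lines are constructed for the demonstration, not real traffic, and the addresses are documentation ranges.

```sh
#!/bin/sh
# Added example: flag source IPs hammering the WordPress login endpoints.
# Reads Apache/nginx "combined" access-log lines; field 6 is the quoted
# method, field 7 the request path.

# Print "ip count" for every address with at least $2 login POSTs in log $1.
wp_login_flood() {
    log="$1"; threshold="${2:-20}"
    awk -v thr="$threshold" '
        $6 == "\"POST" && ($7 ~ /\/wp-login\.php/ || $7 ~ /\/xmlrpc\.php/) {
            hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= thr) print ip, hits[ip]
        }' "$log" | sort -k2,2nr
}

# Constructed sample log (not real traffic): 203.0.113.7 sends 12 login POSTs,
# 198.51.100.9 sends 3 (two of them via XML-RPC), 192.0.2.5 only browses.
SAMPLE_LOG="$(mktemp)"
{
    i=0
    while [ "$i" -lt 12 ]; do
        printf '203.0.113.7 - - [10/Oct/2012:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3931 "-" "Mozilla/5.0"\n' "$i"
        i=$((i + 1))
    done
    printf '%s\n' '198.51.100.9 - - [10/Oct/2012:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'
    printf '%s\n' '198.51.100.9 - - [10/Oct/2012:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'
    printf '%s\n' '198.51.100.9 - - [10/Oct/2012:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
    printf '%s\n' '192.0.2.5 - - [10/Oct/2012:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3931 "-" "Mozilla/5.0"'
    printf '%s\n' '192.0.2.5 - - [10/Oct/2012:13:57:05 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"'
} > "$SAMPLE_LOG"

# Usage: addresses over the threshold, worst first. Feed the list to fail2ban
# or a firewall deny rule; a single GET of the login page is never counted.
wp_login_flood "$SAMPLE_LOG" 5
```

The threshold should be tuned to your own traffic: a site whose editors all log in from one office address will see a handful of POSTs a day from it, while a guessing tool produces hundreds a minute.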
Armed with this knowledge, here are my top 10 security tips to ensure your WordPress site is and remains secure:
- Make contact with your web host
- Undertake regular backups
- Default site information
- Directory hardening
- Default WordPress files
- Keep everything up-to-date
- Security plugins
- User registration
- Plug-ins and themes
- Web application firewall
Make contact with your web host
It's reported that 41% of hacks occur as a result of the hosting environment. Contact your web host and ask what they have put in place to protect WordPress on their servers. Your host can delete any generic or shared accounts, so that you always know exactly who can access your website. Remove any credentials or access points you do not need, whether FTP logins, wp-admin users or SSH accounts, and prefer SFTP or SSH keys over plain FTP, which sends your password across the network in clear text. Stay clear of cheap hosting providers without solid customer service and proper security measures in place.
Undertake regular backups
Prevention is one thing, but if all else fails you need a way back. Never rely only on your web host for your backups. Some hosts do periodic backups, but either way it should be standard practice to routinely back up your whole site (files and database) yourself, keep copies somewhere other than the web server, and test that you can actually restore from them before you need to.
Default site information
Brute force attacks against WordPress mostly target the administrator login and rely on the default username, admin, still being in place: with the username known, the attacker only has to guess the password. If your site's administrator account is still called admin, change it immediately. WordPress will not let you rename a user from the profile screen, so either create a new administrator, log in as it and delete the old one (reassigning its posts), or rename it directly in the database.
Use strong passwords: a good mix of upper- and lower-case letters, numbers and symbols, and long. Treat 8 characters as the bare minimum and prefer 12 or more. Avoid common phrases and predictable variations such as stuart123; something like 9St1u3a!rt~? is far better. Store it in a password manager rather than trying to remember it, since guessing a password like this is next to impossible, and so is recalling it.
The WordPress database is the brain of your entire site: every piece of information is stored there, which makes it every hacker's favourite target. A commonly recommended step is to change the table prefix from the default wp_ to something else, perhaps wp_st6u3a88r0t, so that attack scripts which assume wp_users and wp_options exist under their default names fail. Be clear about what this buys you: it defeats lazy automated attacks only. An attacker with a working SQL injection can read the real table names from information_schema, so the prefix is a speed bump, not a wall, and it does not replace patching.
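Neither renaming the admin user nor changing the table prefix can be done from the dashboard, and the prefix change in particular has a trap: the prefix is also stored inside the data, so renaming the tables alone locks every user out. The script below is an added example, not code from the original article. It prints the SQL to run against the site's database (with a fresh backup to hand and the site in maintenance mode); it does not connect to anything itself. The prefixes, the new login name and the table list are parameters chosen for the demonstration, not values from the page.

```sh
#!/bin/sh
# Added example: emit the SQL for renaming the admin account and moving all
# WordPress tables to a new prefix. Nothing here touches a database.

# Usage: wp_rename_sql OLD_PREFIX NEW_PREFIX NEW_ADMIN_LOGIN table...
# Tables are given as WordPress base names (users, options, ...).
wp_rename_sql() {
    old="$1"; new="$2"; login="$3"; shift 3
    for t in "$@"; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # The prefix is embedded in data too: the option <prefix>user_roles and the
    # per-user keys <prefix>capabilities / <prefix>user_level. Without rewriting
    # them every login ends in "You do not have sufficient permissions".
    # LIKE treats _ as a wildcard, so it has to be escaped.
    oldlike="$(printf '%s' "$old" | sed 's/_/\\_/g')"
    start="$(( ${#old} + 1 ))"
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" "$start" "$oldlike"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$start" "$oldlike"
    # The login name is what a brute-forcer guesses. user_nicename is exposed
    # through author archive URLs (/author/<nicename>/), so change both or the
    # new login leaks straight away.
    printf "UPDATE \`%susers\` SET user_login = '%s', user_nicename = '%s' WHERE user_login = 'admin';\n" \
        "$new" "$login" "$login"
    # WordPress itself must be told about the new prefix:
    printf -- "-- then set \$table_prefix = '%s'; in wp-config.php\n" "$new"
}

# Usage with the default table set of a single-site install (hypothetical
# new prefix and login name).
wp_rename_sql wp_ wp_st6u3a_ site_owner \
    users usermeta options posts postmeta comments commentmeta \
    terms term_taxonomy term_relationships links
```

Run the output in one transaction if your table engine allows it, and check that you can log in before you leave maintenance mode; the display_name column is not changed by this script, so if it still reads "admin" change it from the profile screen afterwards.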
Directory hardening
Many web hosts leave directory listing enabled by default, so anyone who requests a folder without an index file gets a neat listing of everything inside it, which tells an attacker exactly which plugins, themes and uploads you have. An Options -Indexes line in your .htaccess file turns this off.
Your wp-content/uploads folder stores all the media uploaded to your site. It has to stay readable, since that is how your images are served, but it should never be allowed to execute PHP: otherwise a file upload flaw in any plugin hands the attacker a remote shell. A second .htaccess in that folder that denies access to *.php takes care of it.
Lastly, tighten your file permissions so that nothing is world-writable and wp-config.php, which holds your database password, is not world-readable. 755 for directories, 644 for files and 600 (or 640 if PHP runs as a different user from the file owner) for wp-config.php are the usual values.
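The three directory-hardening steps above, as an added example that is not part of the original article. The script applies them to a document root and then audits the result. It goes beyond the text in two ways: it blocks PHP execution in wp-content/uploads rather than hiding the folder, and it reports any PHP file already sitting there, because permissions do not remove a back-door that was dropped before you tightened them. The .htaccess rules use Apache 2.4 syntax and only work where AllowOverride permits them; nginx ignores .htaccess entirely. The site tree is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: harden a WordPress document root and audit it afterwards.

wp_harden() {
    root="$1"
    # 1. No directory indexes anywhere under the site.
    printf 'Options -Indexes\n' > "$root/.htaccess"
    # 2. Uploads may be fetched but never executed as PHP.
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
Options -Indexes
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
    # 3. Permissions: nothing world-writable, config readable by owner only.
    #    Use 640 instead of 600 if PHP runs as a different user than the owner
    #    and that user is in the owner's group.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 600 "$root/wp-config.php"
}

# Report what a hardened tree should not contain: world-writable paths and
# PHP files under uploads, a favourite spot for dropped back-doors.
wp_audit() {
    root="$1"
    find "$root" -perm -002 -print
    find "$root/wp-content/uploads" -type f -name '*.php' -print
}

# Constructed sample tree (not a real site): a sloppy install with a
# world-writable uploads folder, a world-writable config and a planted shell.
SITE="$(mktemp -d)"
mkdir -p "$SITE/wp-content/uploads/2012/10" "$SITE/wp-admin"
printf '<?php\n' > "$SITE/wp-config.php"
printf 'x' > "$SITE/wp-content/uploads/2012/10/photo.jpg"
printf '<?php system($_GET["c"]);\n' > "$SITE/wp-content/uploads/2012/10/shell.php"
chmod 777 "$SITE/wp-content/uploads" "$SITE/wp-config.php"

wp_harden "$SITE"
# Usage: after hardening, the audit is quiet except for the planted shell.php,
# which the .htaccess now stops Apache from executing but which you still
# need to find and delete.
wp_audit "$SITE"
```

Run the audit on a schedule, not just once: a back-door that appears in uploads after you hardened the tree is the first sign that something else is wrong.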
Default WordPress files
Delete readme.html after installation: it states the exact version installed and serves no purpose on a live site. wp-admin/install.php is the installer and is equally unnecessary once the site is set up. Be aware that a core update puts these files back, so this is a chore to repeat after every update; blocking access to them in your web server configuration is the more durable fix. Do not delete or rename wp-admin/upgrade.php, however: WordPress runs it to upgrade the database after a core update, and a site without it fails at that step.
Also remove the obvious signs that the site runs WordPress, and above all the version number, so that you're not handing attackers the one fact that tells them which exploits to try. Remove the "Powered by WordPress" footer text, the generator meta tag (a remove_action('wp_head', 'wp_generator'); line in your theme's functions.php takes it out) and any links back to WordPress from your site. This is obscurity rather than security: a determined attacker can still fingerprint the site from its file paths and the ?ver= strings appended to scripts and stylesheets, so it only buys a little, and updating is what does the real work.
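To see what your site still gives away after this clean-up, it helps to look at it the way an attacker's scanner does. The function below is an added example, not code from the original article: it inspects a saved copy of the front page plus the document root and reports the generator tag, the ?ver= query strings WordPress appends to scripts and styles (a leak the article does not mention), and the readme and installer files that identify the install. The HTML and the directory are constructed for the demonstration, not fetched from any real site.

```sh
#!/bin/sh
# Added example: report the ways a WordPress install discloses itself.

# Usage: wp_fingerprint saved_front_page.html /path/to/docroot
wp_fingerprint() {
    html="$1"; root="$2"
    # <meta name="generator" content="WordPress 3.4.2" />
    grep -o 'name="generator" content="WordPress[^"]*"' "$html" \
        | sed 's/.*content="\(.*\)"/generator: \1/'
    # Every enqueued core, theme or plugin asset carries ?ver=<version>.
    # Distinct values only; the core version is usually the most frequent one.
    grep -o '?ver=[0-9.][0-9.]*' "$html" \
        | sed 's/?ver=/asset-ver: /' | sort -u
    # Files that ship with WordPress and identify the install.
    for f in readme.html wp-admin/install.php; do
        [ -e "$root/$f" ] && echo "exposed: $f"
    done
    return 0
}

# Constructed sample page and document root (not a real site).
PAGE="$(mktemp)"
cat > "$PAGE" <<'EOF'
<html><head>
<meta name="generator" content="WordPress 3.4.2" />
<link rel="stylesheet" href="/wp-content/themes/twentyeleven/style.css?ver=3.4.2" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.7.2"></script>
<script src="/wp-includes/js/comment-reply.min.js?ver=3.4.2"></script>
</head><body>Powered by WordPress</body></html>
EOF
ROOT="$(mktemp -d)"
mkdir -p "$ROOT/wp-admin"
printf 'Version 3.4.2\n' > "$ROOT/readme.html"

# Usage: one line per disclosure; an empty result is the goal.
wp_fingerprint "$PAGE" "$ROOT"
```

Removing the generator tag clears only the first line of that report; the ?ver= strings come from the script and style loader and need to be filtered separately, and readme.html has to be deleted or blocked on the server.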
Keep everything up-to-date
Hackers look for vulnerabilities they can exploit in older versions of WordPress, and just as often in outdated plugins and themes. Keep WordPress core, plugins and themes up-to-date, and delete anything you are not using rather than leaving it installed but inactive: a deactivated plugin's files are still on disk and still reachable over the web.
Consider a flaw found in an older version of WordPress. If you neither keep current with updates nor remove the unnecessary WordPress mentions, anyone can see exactly which version you run and look up how best to exploit it. It's essential to update everything as soon as new versions become available.
Security plugins
Additional security measures can be effective in preventing your WordPress site from being hacked. There are a number of free WordPress security plugins available that address many of the common issues most WordPress site owners face. Here is a list of the better security plugins I have come across:
- Better WP Security
- Bullet Proof Security
- WP Login Security 2
- All In One WP Security & Firewall
- Sucuri WordPress Security Plugin (paid plug-in)
User registration
If your website is currently set up so that anyone can register as a user, this gives attackers a foothold: every registered account is a login that can be abused. Open registration is only necessary if you are running a community site where signing up is encouraged. If you don't run that type of site, untick "Anyone can register" under Settings -> General in your WordPress dashboard; if you must leave it on, make sure the "New User Default Role" on the same screen is Subscriber and nothing higher.
Plug-ins and themes
Plug-ins and themes are great. They make life easier and let those without coding knowledge, or without the time to build a site from scratch, have a site ready in a short space of time. But beware. Many free themes, particularly those from sources other than wordpress.org, are potential security risks, and some come with obfuscated code or hidden links deliberately built in. Out-of-date plugins are good places for hackers to find holes. Do your research and only install plugins and themes that are tested with the latest version of WordPress, are actively maintained and have solid reviews.
Web application firewall
Deploying a web application firewall (WAF) in front of your site adds a layer that can block known attack patterns against plugins and out-of-date software, and can sometimes stop a zero-day exploit attempt that happens to resemble a known one; it is a safety net, not a substitute for patching. Ask your hosting provider whether they offer web application security as a service. If they don't, that may be a good indicator of the overall level of security they can offer.
WordPress Security: Conclusion
I am of course only scratching the surface here. The knowledge and tips above should allow you to begin hardening your WordPress site. The aim of my article was not to frighten you, or to point out particular vulnerabilities in the WordPress platform. The reality is that any website can be hacked, but there are significant measures you can take to stop common attacks from threatening yours.
Has your WordPress site been hacked before? Feel free to share your horror stories.