There is no such thing as a 100% perfectly secured computer system. This includes websites (which run on computer systems). When looking at securing your website, it is not a matter of risk elimination but a matter of risk reduction. WordPress is no different than other website platforms. They are all open to hacking. In this article, I will look at how you can minimize the risk of your WordPress website getting hacked.
How do hackers get in?
So, how do hackers get into a WordPress website? According to Wordfence, a recent survey showed that 62% of website owners did not know how an attacker entered their website. In their experience, Wordfence estimates that over 55% of hacks were through a compromised plugin. Brute force attacks (password guessing) resulted in 20% of hacked sites. We’re going to look at how to secure these two areas (taking care of these two items will keep out 75% of hacks) and then look at how to expand this security to further reduce the likelihood of hackers getting into your website.
Keep WordPress updated
Update your website (core, themes, and plugins) on a regular basis. To update your website, log in to the backend dashboard and look under Dashboard > Updates for a list of available updates. Follow a standard procedure for updating (plugins first, followed by themes, and finally WordPress core). Remember to check your website after each series of updates. This way, you can quickly narrow down the likely cause of any issues encountered. We recommend updating on a weekly basis. At Majaid Web Solutions, we use an automated updating system that checks all our clients’ websites every Sunday. From this report, we update the most vulnerable security issues first, then update the rest.
Enforce strong passwords
Counter brute force attacks by enforcing the use of strong passwords. We recommend using a password generator (such as LastPass) to create secure random passwords. Ensure you use a different password for all systems you log into. If you use your email address as part of your login, ensure you verify that your email address is not part of a data breach (use a utility like haveibeenpwned). Do not use an easily guessed or often used password (for example, the word ‘password’ occurs over 3.8 million times as a password)!
Limit user access
Limit the number of administrator accounts. Not everyone needs to be an administrator. Use the ‘Least Privilege’ principle, where users only receive the minimal amount of access required to do what they need on the website. Avoid popular usernames such as ‘admin’ and ‘administrator’ (admin is the default administrator login name on most WordPress websites). Do not use your company name, the names of people writing blog posts, or other names listed on the website (especially on the About Us page). Do not publish the usernames of people who write articles for your website. Frequently, we see published articles on WordPress websites that say “Published by ‘username’ on ‘date’”, where ‘username’ is a valid website user. Most often these users have administrator rights.
Take steps to prevent user enumeration, such as redirecting attempts to list usernames. For example, entering ‘http://example.com/?author=1’ in the browser window lists the name of the first user, which is typically the administrator, as it is the first user account set up. Also, change login error messages so they do not provide hackers with valuable information. For example, most login error messages will display something like ‘The password you entered for username admin is incorrect.’ Do not confirm valid usernames to hackers.
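One way to implement both of these measures is a small must-use plugin. This is an added example, not code from the article or from any plugin it mentions; it assumes the file is placed in wp-content/mu-plugins/ and that the numeric ‘?author=N’ query form is not needed by the site (the /author/name/ permalink form is left untouched):

```php
<?php
/**
 * Plugin Name: Block User Enumeration (added example)
 * Description: Redirects numeric author queries and hides which login field was wrong.
 * Assumption: placed in wp-content/mu-plugins/ so it loads without activation.
 */

// WordPress turns ?author=1 into a canonical redirect to /author/<username>/
// during 'template_redirect'. Hooking 'init' runs before that, so the
// username is never revealed. Admin screens are left alone so that user
// management in the dashboard keeps working.
add_action('init', function () {
    if (is_admin()) {
        return;
    }
    $author = isset($_REQUEST['author']) ? (string) $_REQUEST['author'] : '';
    if ($author !== '' && preg_match('/^\d+$/', $author)) {
        // 301 to the home page; exit so no further output leaks the user.
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// Replace the default wp-login.php error text, which names the username when
// only the password is wrong, with one message that confirms nothing.
add_filter('login_errors', function ($error) {
    return 'The username or password you entered is incorrect.';
});
```

Note that the filter makes every wp-login.php error generic, including the ‘empty field’ messages, which is usually acceptable for a site that has no public registration.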
Add more security
Add a security plugin such as Wordfence or Sucuri. Wordfence is installed on over 3 million websites, while Sucuri is installed on over 700 thousand websites. Although they are both robust security plugins, we install Wordfence on all our clients’ websites. It includes an endpoint firewall and a malware scanner that work together to help keep hackers out of your website. Wordfence has additional features that protect your website against brute force attacks by limiting login attempts and locking out accounts after repeated failed logins. Its malware scanner checks for compromised files and for available updates to WordPress core, themes, and plugins. Subscribe to the Wordfence and Sucuri mailing lists to receive regular reports on WordPress security issues.
Choose plugins wisely
When installing plugins, choose them wisely. Plugins on WordPress.org go through an approval process, so they are less risky. When looking to add functionality through a plugin, research several plugins and choose the best available one. Some things to look for in a plugin are:
- does the plugin author actively support the plugin?
- when was it last updated?
- do they have a lot of users?
- read the reviews.
- how fast is the author at fixing issues with the plugin?
- is there support after installation/purchase?
If you have any abandoned plugins installed, remove them. Also remove any inactive plugins.
Remove unused themes
Most WordPress installations come with the three latest default themes installed. Website owners will try different themes when looking for one with the look and functionality they want. When you have chosen your preferred theme, remove any unused themes. We recommend keeping only the active theme and the latest WordPress core theme installed (currently twentytwenty), since the core theme is a safe fallback if the active theme breaks.
With your WordPress website security set up, do not forget to regularly check your website. Visit your website and look for anything unusual. Conduct a Google search for your website and look for content that does not belong. You can set Wordfence to scan and email you the results (for example, on a weekly basis for regular reporting, or immediately whenever it detects potential hacking or malware). In conjunction with our regular Sunday update program, we have Wordfence set up to send website reports every Monday. This way, we do not get repeated notices about available updates.
Secure your web host
Finally, do not forget to add security to your web hosting as well. Add a Secure Sockets Layer (SSL) certificate to your hosting account. Some web hosts charge for an SSL certificate (GoDaddy, HostPapa, Netfirms) while others offer one for free (Dreamhost, Siteground). Upgrade your PHP to the most current version. Current versions of PHP tend to be faster and more secure than earlier versions. Back up your website regularly (preferably to an offsite location like Dropbox). At Majaid Web Solutions, we back up ecommerce websites every day and others on a weekly basis. Some web hosts will back up your website on a regular basis for a fee. At least once, try to recover your website from a backup. It is disheartening to learn that your website will not restore from a backup, especially after it goes down.
Hardening your WordPress website following the procedures outlined above will help keep your website secure from hackers. Do not let a lapse in website maintenance result in a hacked website. You must check your website security on a regular basis. Not only will your website be more secure, but it will run better as well.