Is WordPress Secure?
One of the most common questions asked when discussing WordPress sites, is whether if they are secure or not.
I’m sure you have heard of stories of these sites being hacked, or read reviews from people who believe that WordPress is awful, and no serious company uses them.
I’m going to write many articles about the security of WordPress, but first I would like to talk about why are WordPress sites targeted, what are the most commonly used attack methods, and I will answer a few questions you have surely asked if your website has been a victim of hacking.
The curse of being popular
Based on statistics, 28.5% of all the websites in the world is WordPress, while 60% of them shares different content management systems (CMS). The world’s top 100 website’s 14.7% is based on WordPress.
If big companies, such as CNN, NBC or NFL is happy using WordPress, I think it can be a good solution for a smaller enterprise as well.
You might ask me, why did I include these statistics? I did, so you could understand that with a market share like this it is simply worth to attack these sites, the same way as it’s worth to write viruses for Windows. The constant attacks doesn’t mean that there is an issue with the system.
Pros and cons of the open source code
WordPress is an open source code system, which is developed by a community, and anyone can access its codes. This has its advantages and disadvantages.
Disadvantage because the hackers can also access the source codes, and if they find an error in security, then they can launch a major attack on WordPress sites. It is also an advantage, because the community quickly reacts and fixes errors.
Why do they hack websites?
Hackers have many different motivations. Sometimes they only hack a website for the challenge it gives, for pure fun. More commonly it’s for information (e.g.: email addresses, passwords, bank card details), to send spam, or to get to the server and other websites through hacking a certain site.
Why did they hack my website?
According to the WordFence statistics, there are 90,978 attacks per minute against WordPress sites, regardless if the site has many or no visitors at all. The hackers mainly choose their target based on the website or server’s vulnerability and the website’s popularity.
The bigger websites become target because they provide plenty of valuable information, and the smaller, not maintained websites are targeted because they are easily hacked, and they can make way towards the server, and the other websites on that specific server.
Many times these attacks are automated, so a hacking attack doesn’t mean someone who has it out for you, hired a professional to hack your website.
What are the most common hacking methods?
On of the most common method is the Brute Force Attack. During this attack, they are trying to “automatically” get into the WordPress admin interface. The constant login attempts can slow down the website, and if it gets overwhelmed the provider might turn off the website.
Another common method is the file insertion, where a .js or .php file that contains harmful code is updated to the storage, and when it’s ran it provides access to the site’s content.
The hackers also like to target the database. The SQL Injection is a hacking method, where during the attack they run a strange SQL command, and through this they delete or add a download or a new user to the database. Through the newly added user they can freely roam on the website.
The badly written, vulnerable plugins offer a great opportunity to run harmful codes (Cross-Site Scripting XSS), therefore it is important that you only use trustworthy and regularly updated extensions.
The malware (password stealing) attack is also very common, so much so, that Google blacklist 20.000 websites weekly for being malware, and an additional 50.000 for using it. During a malware attack, they are in possession of the passwords and they can insert harmful codes in the website.
What kind of damages an attack does?
Your websites popularity might decline, which in the case where it is your means of income, will result in your income decreasing.
Until you fix your website, and the Google doesn’t examine it, the visitors will see a message that warns them of the unsecure website. This will give a bad impression, just like the website that is modified by hackers.
Stealing private information might cause abuse, and the owner who runs the website might lose his credibility in a situation like this.
If they use your website to send spam emails, the unwanted messages not only bother people, they might even get your email sending server blocked.
The security of your website doesn’t only benefit you!
As I’ve mentioned earlier, a hacked website makes way for the server, and other websites as well, it is basically a stepping stone. I believe you understand now, that your website’s security doesn’t only benefit you, but your community as well.
Furthermore, if they use your website for a major attack, it might even get the authorities involved.
If you consider all the above mentioned, I don’t think I have to talk more about how important it is to keep your WordPress site secure, and do everything to avoid a hacking incident.
I named this section “Is WordPress secure?”, therefore I must pick an answer. I tried to explain why are WordPress sites commonly targeted, and I summed up the motivation behind these attacks, what kind of damages can your website being hacked cause.
Reading through all of it, I wouldn’t be surprised if you would think, that WordPress isn’t a secure system.
WordPress can be secure, but you have to work for it.
A WordPress website once created, then left alone for many years without regular maintenance makes the perfect target for hackers.
There are no such a thing as 100% security, however, creating a website while keeping an eye on certain security measures and then keeping it maintained makes a website a hard job for hackers.
However, my conclusion was that with the right security steps and with a bit of attentions, this is a secure system.
In the next section I will show you these steps towards security. I will explain in detail what can you do to make the threat of your website being hacked minimal.
Secure Website in 15 Steps
The base of a secure website starts as soon as you install the WordPress. To install you have to create a database, for which you will need a username and a password.
1. Database password, Database user password
I can’t emphasize enough, how important it is to have a unique and hard password. Avoid the admin, admin1, 1234 and similar passwords! Use capital and small letters, numbers and special characters (gylphs, @, #, etc), and make a long password.
2. Database table prefix
During installation you have to add a database table prefix. The default is: wp_ table prefix. You can edit this, for example wpcb56_ (I created this from the shortcut of a domain name and a number for this example).
If you are using Softaculous help to install WordPress, you have an easier job, as it will automatically generate a unique table prefix.
Other than for the security, this is useful when you are managing more than one databases, so you can know straight away which database is connected to which website.
I would like to note, that you can install more than one WordPress in one database, if you are changing the table prefixes, but I prefer to use one website per one database.
3. WordPress username and password
The information I wrote about a secure password goes for the WordPress login details as well. Select a unique username and a difficult password! During the Brute Force attack, the hackers test the possible username and password combinations.
Make their job harder! I will write more about what you can do to avoid these attacks, but the hard username and password should be the base of this!
After the installation of WordPress
4. Install and setup Shield firewall plugin
The Shield is a very complex plugin, with many setting options, and detailed information. This extension will be useful to you in the following security procedures:
- it helps you hide the wp-admin and wp-login pages, you can create a unique login link as well
- you can set it, that during the login a little box have to be ticked, to prove that a real user is trying to go to the admin interface
- it can automatically block people through the IP address, who are trying to hack in various ways
- you can turn off the XML-RPC system (another way to do this is to go to Settings, in the Interactions menu untick the “Try to notify of this entry all the referred blogs” and the “Allow link notifications from other blogs” and delete the xmlrpc.php file in the storage.
- it checks, if any of the WordPress file have been modified and if so, it can fix it
- it checks, if any strange or dangerous file has been uploaded to the WordPress library, and if so it deletes it
- it replaces the Akismet spam filter plugin, and can protect the comment section from spam
- it send you and email of the automatic check ups, and the completed actions, blocks
This is a considerable list, and I didn’t even include everything, as even from this you can see, how helpful can this firewall plugin be, and can replace both Loginizer and Akismet, which is what normally is recommended.
5. Install and setup Sucuri Scanner
The other security extension I use, is Sucuri Security, which I primarily use for the Malware Scanner function and Blacklist function (it checks and signals whether the website is on a blacklist).
Similar to Shield, it checks the WordPress files as well, and as a very useful function, it blocks the WordPress version too. You get a message about everything that happens on the site, from login, to posting, or the modification of a theme. You can customize, what is it that you would like to be notified of.
On the following page, you can find Sucuri’s free examiner system; https://sitecheck.sucuri.net/. The check up is free, but if it finds an issue and you would like to delete it, that costs money. Despite this, it is a useful and simple plugin, so save it for yourself!
6. .htacces and wp-config.php permission settings
After the firewall plugins I continue with the Cache. You might find it strange, that this is the next step. The cache can edit the .htaccess file’s contents, therefore before I remove the written permission from the .htaccess and the wp-config.php files, I set this caching, and I only continue with my work afterwards.
The permissions of .htaccess and wp-config.php I normally change from the default 644, to 444, which means the files are only readable and not editable. On the cPanel you can quickly do this setting. On the Permission coloum, by clicking on the number, you can simply rewrite it.
If you don’t have cPanel, and you are using FTP, the FTP client gives you and option to do this as well.
7. Making a backup
The hosting provider will make a backup from time to time as well, but you can easily save your storage and your database’s information.
You can do the first save as soon as you are done with the previous security procedures, but as soon as you are done with the website’s design, functions, definitely make a save. Let this be your base that you can go back to, in case something fails.
You can make a backup many different ways:
- on the cPanel with the Backup Wizard, complete security backup function
- through ftp saving the storage’s contents, through phpMyAdmin by exporting and downloading the database
- through Softaculous backup function, if WordPress’s installation happened with Softaculous’s help
- with the help of WordPress plugins (eg. UpdraftPlus)
It is important, that you do backups in the future as well, especially if you update your websites content often, or if you are making larger changes!
8. Only use themes and plugins from trustworthy places!
While making your website and in the future, it is important what kind of functions you add to your websites, and what sort of themes and plugins you use.
Only download themes and plugins from trustworthy places, and do not even think about downloading for themes and plugins that are from a “suspicious” website. The files can contain harmful codes. It doesn’t worth it saving money on these!
9. Work with trustworthy and constantly updated plugins!
For your website only use plugins, that are rated by lot of people and well, the developers are active, and reply in the support forums to any potential issues, and they are constantly updating and refreshing their plugin.
It can be useful reading the reviews as well, to see has it caused any trouble with anybody. In the WordPress Plugin Directory you can find plenty of information about a given plugin, use these!
10. Using spam filters
If you have a comment section or any form of message section on your website, you definitely need a form of spam filter too. With the help of Shield you can protect the comment section easily. You can only add a comment after a certain amount of time, and you have to tick a box, to prove you aren’t a spammer.
There are more options to protect comment sections. For example the Google reCAPTCHA, or the Contact Form Honeypot, which you can easily place in the form. The latter protects you from spam, without being detected, the commenter does not have to click on anything, solve a picture quiz, or anything else.
Regular updates, maintenance
It’s not enough to complete the above mentioned steps, these are only for a strong foundation. Just like a house, you have to do maintenance so it doesn’t fall apart, and in the case of a website, to protect it from these attacks.
11. Regular WordPress updates
There are bigger and smaller updates for WordPress. During these bigger updates the main version updates (which is currently the 4.9), the developers make it whole with significant modifications, developments. The smaller updates are usually error corrections, updated security measures, and the current updated WordPress version is 4.9.8.
Always install these updates, when they come out. With the help of Shield you can set that it automatically updates either or both main and subversion. Softaculous offers the automatic updates while being installed.
I prefer to manually update the websites I handle. I believe it is important to check before updating what has changed, and follow the process of the update. Very rarely, there is an issue with the process, and then the website stays in maintenance mode.
You can fix this very quickly when you notice it (just delete the .maintenance file in the storage). If this happens while the website is being automatically updated, and you don’t check on it for days, the website will be unavailable for the visitors until you fix the issue.
12. Updating plugins
It is useful to update the plugins like I mentioned above. Check out what changed, what are the reviews saying, and only install it, if the new version is secure and stable. For example, the AMP extension 5.0 version’s update caused a “Fatal error” for many people, which you can see from the comments, therefore I never used this update for the pages I manage.
If you notice a plugin that was always regularly updated, suddenly not getting an update for months, it might worth your while to find an alternative extension.
13. Updating themes
Popular themes get updates as well from time to time, and it’s important that you know, that during these updates the changes that you made in the code will be overwritten. There are a few options to avoid this.
If you have made or planning to make many changes in the themes, it would worth your while to make and edit a Child theme.
If you only want to make changes in the style.css, the Siteorigin CSS plugin is a perfect solution for this. This contains your CSS edits, and it is very easy to adjust the websites various elements, and while doing so, you can see what it would look live.
The basic WordPress also got it’s unique CSS field, which you can find at Appearance–>Customization, and you can also insert here your individual CSS code.
If you have updated your theme, and you have created a foreign language translation before, you might have to upload this again in the theme languages library, so your website is written in that language again. After update, it is worth to empty the cache.
14. Backup of the update
It is important to make a new, updated backup of your website after all the updates, so you have a revised version in case something happens to your site.
15. Paying attention to the Shield and Sucuri Scanner notifications
As I have mentioned earlier, both of these plugins send notifications about any blocks, hacking attempts or changes within the website. For this it might be better if you have a separate email address, and check the spam folders as well, because sometimes these messages end up there.
There will be lots of messages, but don’t let this scare you. Most of these are only for information purposes, you don’t have to do anything with them, other then reading them. If you need to do something, it will tell you so in the email.
Maintaining the website
Maintaining your website includes the constant updates, the change of outdated plugins, the checking of emails, the issue fixing if any pops up and creating a revised backup.
For this list you can also add the maintenance of the database, which helps with the speed of the website, and following, testing new plugin functions, which can enrich or help your website’s performance.
It would worth your while to complete these maintenance steps every 1-2 weeks, or at least once a month. And always keep an eye on the email messages.
If you follow the above listed security steps, and you don’t neglect the regular maintenance, you have done a lot for the security of your website. All these steps might seem scary and too much at first, but they are easy to learn so you can do these by yourself.
If for you the only importance is to have a very stable website, but don’t want to spend your time on it (no time, no interest in WordPress), then it’s better to hire a professional who will do this instead of you. Don’t try to save money on this!
I trust that this article was helpful to you. If so, please share it with other too!