Once an open-source package becomes the most widely used content management system on the internet, it inevitably becomes a target for attackers. WordPress powers over 18.9% of all websites, more than 74 million sites in total. WordPress has drawn quite a bit of negative attention recently for its security vulnerabilities, but if the proper steps are taken it can be as safe as any other CMS.
Have You Already Been Hacked?
The first step in securing a WordPress website is to make sure it has not already been compromised. Many business owners never visit their own website and may be unaware that it has been hacked in a very discreet way. Sucuri, a website security and malware protection company, provides a site check utility that scans your site for publicly visible signs of malicious activity. Bear in mind that a remote scan only sees what the site serves to visitors; a dormant backdoor on disk or in the database will not show up, so check those as well. Also set your site up in Google Webmaster Tools, which notifies site owners when Google detects that a site has been breached; Google's documentation explains its process for marking sites as malicious. Once you know whether your site has been hacked, there are many steps you can take to make it as secure as possible.
Update, Update, Update
In my experience, the number one reason WordPress sites are hacked is a lapse in regular updates. WordPress is open-source software, developed by a large community around the world, which also means bugs and security vulnerabilities are found often. Once a vulnerability is discovered and fixed, the fix is published and all users are advised to update. That publication also hands attackers detailed information about the brand-new vulnerability, which they can use against every installation that has not yet updated. WordPress updates take three forms: core, plugin, and theme updates.
WordPress knows that regular updates are extremely important; version 3.7 introduced automatic background updates for minor security releases. This feature does not perform major upgrades (for example from 3.7 to 3.8), but it does ensure that security fixes reach most sites promptly. The bigger problem is that many people are still running versions older than 3.7, which never received this feature. Background updates can also be switched off in wp-config.php (the AUTOMATIC_UPDATER_DISABLED and WP_AUTO_UPDATE_CORE constants), so confirm nobody has turned them off. To check which version you are running, open your dashboard and look at the "Right Now" or "At a Glance" widget. The file http://your-site.com/readme.html also states the version, which means anyone else can read it too; consider deleting readme.html and license.txt from the web root, since they tell an attacker exactly which version to target. The current version of WordPress is 4.2.3; if you are still running 3.9 or older, upgrade as soon as possible.
Themes & Plugin Updates
Plugins are another major source of risk for WordPress installs. A first step is to ensure that the plugins you install are regularly maintained and compatible with your version of WordPress. Many plugins bundle other libraries or scripts that can fall out of date and become exploitable. The same applies to themes, since many bundle their template files with a variety of plugins or frameworks; there have been a few high-profile vulnerabilities in gallery and image plugins that were popular with theme makers. Once your WordPress install is updated, visit the "Updates" or "Themes" page to see whether your theme is due for an update. Beyond updating, delete unused themes and plugins rather than merely deactivating them: a deactivated plugin's files are still on the server and still reachable by URL, so a flaw in them remains exploitable. Removing them improves both speed and security.
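To make the version checks in this section and the previous one concrete, here is an added Python example (not part of the original article and not a WordPress or wp-cli feature) that walks an install tree, reads the core version from wp-includes/version.php and the "Version:" headers of plugins and themes, and reports what is behind a reference catalog. The install tree, the catalog and every version number in it are constructed for the example; a real check would take current versions from wordpress.org, or simply run `wp core check-update`, `wp plugin list --update=available` and `wp theme list --update=available` with wp-cli.

```python
"""Inventory WordPress core, plugin and theme versions from an install tree and
report what is behind a reference catalog.  Added example: the 'latest' catalog
and the install tree are constructed inline, not fetched from wordpress.org."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# The "Version:" header line used by plugin main files and a theme's style.css
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.2.3' -> (4, 2, 3); tuples compare correctly where strings do not (4.10 > 4.9)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def _read_head(path: str) -> str:
    with open(path, encoding="utf-8", errors="replace") as f:
        return f.read(8192)          # file headers live in the first few KB


def core_version(root: str) -> str:
    m = CORE_RE.search(_read_head(os.path.join(root, "wp-includes", "version.php")))
    if not m:
        raise ValueError("no $wp_version in wp-includes/version.php")
    return m.group(1)


def plugin_versions(root: str) -> Dict[str, str]:
    """slug -> version for every plugin under wp-content/plugins (directory or single file)."""
    pdir = os.path.join(root, "wp-content", "plugins")
    found = {}
    for name in sorted(os.listdir(pdir)):
        path = os.path.join(pdir, name)
        if os.path.isdir(path):
            candidates = [os.path.join(path, f) for f in sorted(os.listdir(path)) if f.endswith(".php")]
        elif name.endswith(".php"):
            candidates = [path]
        else:
            continue
        for c in candidates:
            head = _read_head(c)
            if "Plugin Name:" in head:          # the file that carries the plugin header
                m = HEADER_RE.search(head)
                if m:
                    found[name[:-4] if name.endswith(".php") else name] = m.group(1)
                break
    return found


def theme_versions(root: str) -> Dict[str, str]:
    tdir = os.path.join(root, "wp-content", "themes")
    found = {}
    for name in sorted(os.listdir(tdir)):
        css = os.path.join(tdir, name, "style.css")
        if os.path.isfile(css):
            m = HEADER_RE.search(_read_head(css))
            if m:
                found[name] = m.group(1)
    return found


def outdated(root: str, latest: dict) -> List[Tuple[str, str, str, str]]:
    """(kind, slug, installed, latest) for core, plugins and themes that need attention."""
    report = []
    core = core_version(root)
    if parse_version(core) < parse_version(latest["core"]):
        report.append(("core", "wordpress", core, latest["core"]))
    for kind, getter in (("plugin", plugin_versions), ("theme", theme_versions)):
        for slug, installed in getter(root).items():
            ref = latest[kind + "s"].get(slug)
            if ref is None:                      # not in the catalog: unmaintained or unknown origin
                report.append((kind, slug, installed, "not in catalog"))
            elif parse_version(installed) < parse_version(ref):
                report.append((kind, slug, installed, ref))
    return report


SAMPLE_CATALOG = {                               # constructed; real values come from wordpress.org
    "core": "4.2.3",
    "plugins": {"akismet": "3.1.3", "hello": "1.6"},
    "themes": {"twentyfifteen": "1.2"},
}


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def build_sample_install() -> str:
    """Constructed, deliberately stale install tree in a temp dir (not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-")
    _write(f"{root}/wp-includes/version.php", "<?php\n$wp_version = '4.1.2';\n$wp_db_version = 30133;\n")
    _write(f"{root}/wp-content/plugins/akismet/akismet.php", "<?php\n/*\nPlugin Name: Akismet\nVersion: 3.0.4\n*/\n")
    _write(f"{root}/wp-content/plugins/hello.php", "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.6\n */\n")
    _write(f"{root}/wp-content/plugins/old-gallery/gallery.php", "<?php\n/*\nPlugin Name: Old Gallery\nVersion: 1.2\n*/\n")
    _write(f"{root}/wp-content/themes/twentyfifteen/style.css", "/*\nTheme Name: Twenty Fifteen\nVersion: 1.1\n*/\n")
    return root


if __name__ == "__main__":
    for row in outdated(build_sample_install(), SAMPLE_CATALOG):
        print("%-6s %-14s installed %-6s latest %s" % row)
```

Anything reported as "not in catalog" deserves the closest look: a plugin that is not on wordpress.org at all (bundled with a theme, bought from a marketplace, or hand-written) gets no update notices in the dashboard, so nothing will tell you when it becomes vulnerable.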
Hardening Your Hosting Server Protects WordPress and Your Files
Whether your site runs WordPress or another CMS, server security is necessary to keep attackers away from your files. If you installed WordPress through your hosting company's installer, the file permissions are probably reasonable. If you or someone else installed WordPress manually, review WordPress's guidance on file permissions (directories 755, files 644, and a more restrictive mode on wp-config.php, which holds your database credentials) to make sure you are not leaving the site open to malicious activity. In particular, nothing under the web root should be world-writable.
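The following is an added Python example, not a WordPress tool or part of the original article, that audits an install against that baseline (directories 755, files 644, wp-config.php 440) and applies it. It assumes the files are owned by the account PHP runs under, which is how most managed hosts are set up; the sample tree it builds and its sloppy permissions are constructed for the example.

```python
"""Audit and apply the WordPress file-permission baseline: directories 755,
files 644, wp-config.php 440.  Added example, not a WordPress tool; it assumes
the files are owned by the account PHP runs under, as on most managed hosts."""
import os
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MODE = 0o440      # wp-config.php holds the DB password and auth salts


def wanted_mode(root: str, path: str, is_dir: bool) -> int:
    if is_dir:
        return DIR_MODE
    if os.path.relpath(path, root) == "wp-config.php":
        return CONFIG_MODE
    return FILE_MODE


def mode_of(root: str, rel: str) -> int:
    """Permission bits of an entry, e.g. 0o644."""
    return stat.S_IMODE(os.lstat(os.path.join(root, rel)).st_mode)


def audit(root: str):
    """[(relpath, current, wanted)] for every entry off the baseline; changes nothing."""
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in files]
        for path, is_dir in entries:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue         # never chmod through a symlink an attacker may have planted
            cur, want = stat.S_IMODE(st.st_mode), wanted_mode(root, path, is_dir)
            if cur != want:
                findings.append((os.path.relpath(path, root), cur, want))
    return findings


def harden(root: str):
    """Apply the baseline; returns what was changed so the run can be logged."""
    changed = audit(root)
    for rel, _cur, want in changed:
        os.chmod(os.path.join(root, rel), want)
    return changed


def build_sample_install() -> str:
    """Constructed tree with the sloppy permissions a manual install often leaves behind."""
    root = tempfile.mkdtemp(prefix="wp-")
    layout = {                                   # relative path -> (is_dir, mode)
        ".": (True, 0o777),
        "wp-config.php": (False, 0o666),
        "wp-includes": (True, 0o755),
        "wp-includes/version.php": (False, 0o644),
        "wp-content": (True, 0o755),
        "wp-content/uploads": (True, 0o777),
        "wp-content/uploads/cat.jpg": (False, 0o666),
    }
    for rel, (is_dir, mode) in layout.items():
        path = os.path.join(root, rel)
        if is_dir:
            os.makedirs(path, exist_ok=True)
        else:
            open(path, "w").close()
        os.chmod(path, mode)                     # set explicitly so umask does not matter
    return root


if __name__ == "__main__":
    root = build_sample_install()
    for rel, cur, want in harden(root):
        print(f"{rel}: {cur:o} -> {want:o}")
```

Run audit() first and read the list before calling harden(): if your host runs PHP as a different user from the file owner (www-data against your shell account, say), 644/755 will stop media uploads and in-dashboard updates, and the right fix is a group-writable wp-content/uploads, never 777.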
Shared vs Private Hosting
If your business runs on WordPress, avoid low-cost hosting plans that place your site on a shared server with thousands of other customers. Hosting companies do their best to wall off customers' accounts from each other, but an attacker who compromises one vulnerable account may be able to reach the others on the same server. Even if you invest time and money in protecting your site, someone else's weakness could give them access to it. Dedicated or managed hosting costs more, but the investment in security ultimately saves time and money. Hosting companies that specialize in WordPress, such as WP Engine and Pantheon, design their platforms around WordPress security, and many will keep your WordPress core and plugins updated for you.
Usernames & Passwords
Secure usernames and passwords make your site harder to break into, yet many site owners overlook them. Instead of keeping the default "admin" account, create a new user with administrator privileges and delete the old one, attributing all of its posts and content to the new account so that nothing is lost. Note that changing the username is only a partial measure: WordPress exposes usernames through author archives (a request for /?author=1 typically redirects to an archive URL containing the user's name), so assume an attacker can learn the login name and rely on the password. Use a long password that is unique to this site; if a password you reuse elsewhere leaks from another service, attackers will try it against your WordPress login too.
What Else Can You Do to Actively Avoid Being Hacked?
Even if you regularly update WordPress and follow secure server and password practices, it helps to have something actively working to keep you secure all the time.
Wordfence and BulletProof Security, two free plugins with premium upgrades, scan your WordPress installation and plugins for signs of malicious activity and protect the installation against a variety of well-known attacks. They can limit login attempts, block requests from questionable IPs or from outside your country, and enforce strong, unique passwords. Login limiting matters because WordPress itself does not throttle failed logins: without it, an attacker can try passwords against wp-login.php as fast as your server will answer.
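To show what that login limiting has to catch, here is an added Python example (not part of the original article and not code from either plugin) that reads web-server access logs in the common "combined" format and flags clients with a burst of failed logins. It relies on two observable facts: wp-login.php re-renders the form with HTTP 200 on a failed login and answers a successful one with a 302 redirect, and xmlrpc.php, which also accepts credentials, returns 200 either way. The log lines, addresses and thresholds are constructed for the example.

```python
"""Flag WordPress login brute-forcing from web-server access logs.  Added
example of the check a login-limiting plugin performs in-process; the log
lines below are constructed, not captured from a real site."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")   # both accept credentials by POST


def parse_line(line: str):
    """(ip, timestamp, method, path-without-query, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_bruteforce(lines, threshold: int = 5, window_s: int = 300) -> dict:
    """ip -> summary for every client with >= threshold failed logins inside window_s seconds."""
    attempts = defaultdict(list)                 # ip -> [(ts, succeeded)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        # wp-login.php: 200 = form re-rendered (failure), 302 = redirect to wp-admin (success).
        # xmlrpc.php returns 200 either way, so every POST to it counts as an attempt.
        ok = path == "/wp-login.php" and status == 302
        attempts[ip].append((ts, ok))

    hits = {}
    for ip, events in attempts.items():
        events.sort()
        fails = [t for t, ok in events if not ok]
        peak, j = 0, 0                           # sliding window over failure timestamps
        for i, t in enumerate(fails):
            while (t - fails[j]).total_seconds() > window_s:
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            successes = [t for t, ok in events if ok]
            hits[ip] = {
                "failures": len(fails),
                "peak": peak,
                # a success after the burst is the case to treat as a compromise, not just noise
                "success_after": bool(successes and successes[-1] > fails[-1]),
            }
    return hits


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    # 203.0.113.9: eight failures in 42 seconds, then a successful login
    [_line("203.0.113.9", f"10/Jul/2015:13:55:{s:02d} +0000", "POST", "/wp-login.php", 200)
     for s in range(0, 48, 6)]
    + [_line("203.0.113.9", "10/Jul/2015:13:56:01 +0000", "POST", "/wp-login.php", 302)]
    # 198.51.100.7: one typo, then a normal login
    + [_line("198.51.100.7", "10/Jul/2015:14:02:10 +0000", "POST", "/wp-login.php", 200),
       _line("198.51.100.7", "10/Jul/2015:14:02:31 +0000", "POST", "/wp-login.php", 302),
       _line("198.51.100.7", "10/Jul/2015:14:03:00 +0000", "GET", "/wp-admin/", 200)]
    # 192.0.2.5: six credential posts to xmlrpc.php, one a minute
    + [_line("192.0.2.5", f"10/Jul/2015:15:{m:02d}:00 +0000", "POST", "/xmlrpc.php", 200)
       for m in range(6)]
    + ["this line is not in combined format and is skipped"]
)

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The "success_after" flag is the one to alert on: a flagged address that eventually received a 302 is not just noise to block but an account to lock and a password to rotate. Shrinking window_s makes the check stricter against fast tools and blinder to slow, patient ones, which is why a plugin that counts per account as well as per IP is still worth having.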
Even with all this protection in place, breaches can still happen. Keeping a regularly updated copy of your site's files and database ensures that, if you are hacked, you can restore a known-good version. BackupBuddy is a plugin that performs scheduled backups and can also send them to popular storage services such as Dropbox and Google Drive. Store backups off the server, since an attacker who controls the host can alter or delete copies kept there; keep several generations so you can go back to before the compromise; and test a restore at least once so you know the copies are usable.
Monitoring And Repair Services
For more mission-critical sites, you can enlist third-party services like Sucuri or VaultPress to monitor your site constantly and, if it is hacked, clean it on your behalf. Both charge a monthly or yearly fee for monitoring and for fixing or cleaning files affected by malicious activity.
If your business depends on your website, a hack means lost revenue. Investing in site security by making these fixes, paying for quality hosting, and adding security monitoring will ultimately give you peace of mind and a safer site. Power users looking to go beyond these basics should read WordPress's own page on hardening WordPress.