In this WordPress Security Guide, we’re going to cover some of the steps you can take to ensure that your WordPress installation remains safe and secure and reduce the chances of your website becoming unavailable due to being hacked or overrun by malware.
To most people who have their own Business, their website is their bread and butter, delivering information to prospective customers and bridging the gap between browsers and sales.
With that being said, if your website goes down for any reason, the potential loss of income can be catastrophic for a small business. For that reason, it’s imperative that you take remedial action and put plans in place to ensure your site is as safe as possible.
No matter what you do though, there’s no guarantee that a hacker won’t find their way into your site.
What you can do, is minimize the risk and have backups in place so that you can get back up and running as quickly as possible with minimal interruption if something should go wrong.
The first two things you should consider, is the quality of the hosting provider you choose and second is the theme and related plugins that you choose. These two things alone hold potential risk for your website if they’re not patched and updated often.
Let’s start of looking at the symptoms of a hacked site so that you can figure out if you’ve been hacked or not.
Symptoms of a WordPress Security Breach (Hacked Site)
- You can’t log in – One of the main ways that hackers remove your account access is by cracking your login password. If you’ve used the generic login URL (/wp-admin)and the standard “admin” username, these two things make it easy for hackers to break into your site.
- Unknown Content, Theme Change or Unknown Links – If new articles appear on your site, if you see you have a new theme or if you notice links in your content that you didn’t place there, then it’s a sign that your website security has been compromised.
- Your Domain Name takes visitors to another website – Hackers will sometimes redirect your site to another spammy looking one. This is a sure sign that your site is hacked.
- A Browser warning let’s you know that your site is insecure – A couple of different things can cause this to happen. First, it could be your SSL certificate that expired, but you can work with your host to fix this. A plugin may be conflicting with other code on your site, causing the error. Lastly, your sitemap may have been hacked.
When a security breach happens, and it probably will, no matter how hard you try to prevent it, you should have measures in place to be alerted ASAP. One of the simplest ways is using a plugin to alert you if your site is up or down.
Speak to your webhost; they should be able to alert you too. They may even have a specific service to alert you. The key is to be alerted ASAP so that you can get to work fixing your site and getting it back online.
Let’s look at some of the Methods Hackers use to take control of your website
The vast majority of WordPress security breaches are from automated systems. The worst part is, they can easily be prevented with easy to implement Website Hardening practices.
The problem is, most website owners either don’t know how to do these things, or don’t think to secure their sites before they start building them.
Just like anything in life, you need an insurance policy in place, to make sure you can continue to survive if something drastic happens. Your insurance policy for your website is security.
So, let’s look at the common ways that hackers take over sites:
- Backdoors – These are simply hidden files or scripts. They’re often present in plugins, themes or media that you upload to your site. Once these plugins, themes or media items are added to your site and activated, the backdoor is released and injects malicious code into your website to redirect your domain to another site (where you wouldn’t want to send your visitors), or to send data to an undisclosed location.
- Brute force login – decryption tools are used to crack your login details.
- Cross-scripting – This happens when hackers inject browser scripts within plugins that you use.
- Denial of Service (DoS) – bugs or errors are added into a website’s code so that the site no longer works properly.
- Pharma hacks – this is when unknown code is entered into outdated versions of WordPress.
These things can be pretty devastating to your website, but luckily, it isn’t so serious. With a little knowledge and some work, you can easily prevent these things from happening to your website.
What Do I Mean By WordPress Hardening?
Hardening your WordPress website includes some of the following activities to build an impenetrable shield against hackers:
- Change your login URL to something other than /wp-admin
- Hide the version of your WordPress installation
- Use strong passwords and insist that all users have strong passwords too
- Password-protect your admin directory
- Disable file editing in the Dashboard
- Disable PHP file execution in certain WordPress files and folders
- Implement 2 step authorization on login screen.
- Limit login attempts
- Disable login hints
- Limit login access to certain IP addresses
- Disable user enumeration
- Disable XML-RPC
There’s a lot you can do to make your WordPress Security stronger and protect your website from hackers, but you shouldn’t try do everything yourself.
Speak to your webhost. Most of them have the tools to monitor your site and let you know if something goes wrong.
Many of them will deal with breaches before you even know about it, but, choose a good host and find out how they can help you before to sign up for their services.
For the rest of this post, we’re going to talk about the things you should do, and things you should get someone to do for you. We recommend you look for security professionals for some of the tasks listed here. Some you CAN do on your own.
15 Things You Need To Do To Secure Your WordPress Website
There may be any number of reasons why your WordPress site may get hacked – and there are several ways to strengthen your site, too.
Let’s look at the main vulnerabilities that every agency, developer, and freelancer should know about, and then we’ll look at the things you need to do to protect your site from succumbing to them.
1. Update WordPress As Soon As Possible
WordPress releases new versions every so often. Make sure you update your website as soon as possible.
New WordPress versions often include security patches to fix problems that weren’t addressed in previous versions. If you don’t update to the latest release, you could be leaving your site vulnerable to attack.
Regularly updating to the latest version of WordPress closes any security loopholes that hackers can potentially exploit to hack your site.
The simplest option is to setup automatic updates that happen without you having to login and manually update.
NB: Make sure that for every update you make on your site, you have a complete backup of your site saved. Good Quality hosts will automatically update your site to the latest version of WordPress so that you don’t have to.
2. Use Strong Passwords
If your WordPress website isn’t as secure as possible, then you make it easy for hackers to get access to your admin area. Once they have access, they can do whatever they like with your website.
In order to get into your WordPress site, hackers use tools to crack your password. Once they break the code, they can login and do as they please.
One of the biggest weaknesses, but also the easiest to fix is your password. Apart from creating a long, secure password, and changing it regularly, you should also ensure that all services and other accounts associated with your website have strong passwords.
The Best Format for Strong Passwords
Here are some things to consider in order for you to create strong passwords:
- Do not use any variation of your personal, username, brand or website names
- Do not use words from a dictionary (Whether English or not)
- Never create short passwords – it should be a minimum of 8 characters
- Make sure your password contains letters, numbers and symbols.
There are many security plugins that you can use on your WordPress website. Our favorite happens to be WordFence. We use it because it does a lot of the hard work for you.
The main feature we use is setting 2 Factor Authentication in order for admins to login. We also use it to send reminders to users to update their passwords. This can be set to 30, 60 or 90 day intervals.
Simply implementing this will make it even harder for hackers to get into your site, but we’re only just getting started.
3.Limit Login Attempts
By default, WordPress allows site visitors to create accounts and have unlimited attempts at guessing their passwords if they forget them. This is a problem, because it allows hacker software to do the same.
The solution to this problem is limiting the number of login attempts. Wordfence does this for you and can easily be setup.
4. Limit Access
The more people you have on your team, the harder it is to limit who has access to your website. The fewer people that have admin access, the better, because you lower the risk of security breaches.
Check your list of admin accounts (To do this, go to Users in the left menu within WordPress) to see if there are any admin users no longer working as part of your team.
If they don’t need access to WordPress, remove them. Note any other users that you don’t recognize and remove them too.
Before you begin removing admins and users you don’t recognize, check with all of them to see if they have recently updated their details – it may be possible that a user is an actual admin, but they made changes that you don’t recognize.
While you’re busy getting rid of admins and users, consider cleaning your user/subscriber list to remove anyone who isn’t part of your website and/or shouldn’t have access.
To do this, click the checkbox next to any user you want to remove, then change the Bulk Actions dropdown to Delete. Or, to remove a single user, click the Delete link under their username.
5. Logout Idle Users
If there are many users coming to your site, having them logged in and not using your website can slow things down a bit. Consider using a plugin to log them out if they’re idle.
If you’ve got admins that happen to step away from their computer while logged in, anyone can access their PC and make changes to your site, so it’s best to log people out if they’re not busy doing something.
Some of the plugins allow you to send a notification in the form of a popup, letting the user know they’re about to be logged out and ask them if they prefer to stay logged in.
6. Use Server-Side Protection
Adding SSL Certificates to your site is a pre-requisite for having an online business these days. Make sure that your webhost can provide SSL Certificates to protect your Login Screen, Admin area and files.
With this added layer of protection, it’s even harder for hackers to gain access.
7. Use a Firewall
The best way to keep your WordPress website secure is using a web application firewall (WAF).
A WAF blocks malicious traffic from accessing your site.
There are two options:
- DNS-level firewall: This type of firewall sends web traffic through cloud proxy servers. Filters within the Firewall ensure that only quality, non-malicious traffic makes its way to your site.
- Application-level firewall: When using a plugin to serve as your WAF, all web traffic will arrive on your server, but the plugin will check the quality of traffic before loading any scripts.
While application-level firewalls might be better than nothing, a DNS-level firewall is a much safer and more robust option of the two.
Popular plugins like Wordfence, services like Cloudflare, and secure hosts like Convesio offer this service. So be sure to check what services a host offers, before signing up for their services.
If they can’t or won’t offer the highest level of security for your business, do you really want to work with them as a client?
8. Only Use Updated, Highly Reviewed Plugins and Themes
As we’ve already mentioned, WordPress is always releasing new versions of their CMS. It’s because they understand that hackers are coming up with new techniques and adding new types of attack software to the web every day.
If WordPress doesn’t stay updated, then they may become a victim of a large scale attack.
In the same way, any theme or plugin that you add to your site should also be regularly updated in order to stay secure and not become a loophole through which attackers can gain entry to your site and cause trouble.
Never use “nulled” (Cloned Premium Themes, Being Given Away For FREE) themes from sites you’ve never been to before. A FREE theme from any source, other than WordPress themselves is a huge risk that you’re taking.
What hackers do is find a nice looking theme, then clone it and inject malicious code. They then find sites looking for FREE stuff to give away and offer it to these sites.
When you come along and grab this freebie, you open yourself up to risk. They do the same thing with plugins.
9. Delete Unused Themes and Plugins
If you’ve got files and folders of any kind on your WordPress installation, or on the server where your WordPress site is hosted, then get rid of them.
If you leave any themes or Plugins (Files & Folders) idle and without updates on your server because they’re not being used, then you’re opening a loophole for hackers to get into your server by exploiting security vulnerabilities.
Delete all unused databases, themes, plugins, files and folders that you no longer need. Having them there is just causing bloat and cleaning up your server can also help increase your site speed.
10. Delete Unnecessary Files
Data slows down your site. The more files and folders there are making up the back end workings of your site, the slower it becomes.
Luckily you don’t have to manually sift through each and every folder to find unnecessary files and folders that you don’t need.
3 Plugins we recommend for this task are Wordfence, Defender, and MalCare. Use these plugins to scan your site and find all the unnecessary bloat.
Some hosts do this as part of the hosting service so that you don’t have to. Pretty neat huh? I will re-iterate again, when considering hosts, make sure you find one that provides all the necessary bells and security whistles.
11. Run Regular Backups and Scans
You know that you should run security, virus and malware scanning regularly on your computer. Well, a website is hosted on a computer too and any infection on your computer (For instance Keyloggers) can render your website insecure.
Get into the habit of regularly running security scans and backups of your site. Run scans daily or more often if possible.
With each backup, be sure to include:
- Database files
- Theme Files
- Plugin Files
- Media Files
You can run malware scans of your website daily or weekly, no less. The process can be automated, but just remember, a scan only shows you what’s present, but you still have to manually remove any intrusions.
There are a number of plugins that you can use for this purpose, but you can probably get the same service from your host if you’ve chosen a good one.
12. Monitor Your Files For Any Changes
Every action that happens on a computer is logged and stored. Should a hacker make it into your site and make any changes, there will be evidence.
All you need to do is get absolutely familiar with all the content on your site. If you spot any changes that you did not authorize, then ask your host to help you find the log files for your site and look for evidence of the intrusion.
When you find the tell-tale signs if the intrusion, work with your host to find out what’s the best remedial action to take.
There are also many plugins you can use to monitor your website files and folders and get instant notifications of any changes.
You must monitor all your files all the time. Use the Defender Plugin mentioned earlier. When alerted of a problem, you can swiftly jump into action and fix potential errors before they become a major disaster.
13. Regularly Declutter Your Database Installation
Decluttering your database of old:
- Comments
- Trash
- Spam
- Plugin Files
- Theme Settings
Can help increase the performance of your website. Removing these extra items can also remove any potential risk for attacks.
If you’ve been alerted of a hack, then clearing out your database installation is a necessity anyway. Luckily you won’t have to labor over the task for hours. There are a number of plugins that can automate the process, or at least, make it a simple task.
Plugins to mention include WP-Sweep, WP Optimize and Advanced Database Cleaner. Your host may even have this service as part of your hosting.
Whether you do it yourself, or have someone do it for you, the key is to get it done routinely and stick to the schedule.
14. Choose An Established, Secure Webhosting Company
If you choose the wrong webhosting Company to host your website, you run the risk of having endless problems like unreliable uptime, security breaches and slow rendering of your site, all leading to loss of rankings, not to mention wasted time and possible loss of income.
Some newer hosts are unreliable, you’ll have a hard time growing your business because their services don’t adjust to your growing business needs.
If you’re with an unreliable host, you could face the challenge of your website crashing because it can’t manage the traffic volume. If they don’t keep up to date with patching their servers and any assets loaded on them, you run the risk of your site being hacked.
Smaller, newer hosts often try save money by clumping many websites onto one cluster of a server. This is a bad practice because if any one of the other sites is compromised, yours will also be affected.
It’s therefore safe to say – never look for cheap, low-quality shared hosting packages if you’re serious about your business. (It will only lead to a bad experience in any number of ways)
The other problem with low cost hosting on shared hosting packages is that the webhosting company probably will not be in a position to monitor your site and let you know if there are any attacks on it.
Most of the webhosting Companies I’ve come across do offer some kind of security packages that you can add to your hosting package. Just remember, where the limit of their protection ends, your responsibility begins.
If however, you have no idea how to secure your site yourself, you could be leaving your website open and vulnerable to attack, that’s why we suggest you choose a host that gives you the best protection service possible if you’re serious about your business.
Choose a host that offers multiple security services, plus 24/7 monitoring and management.
Any host you choose should also:
- Be willing to answer any questions related to website security, including explaining how their products and services work and benefit you.
- Supply the latest stable version of any software and regularly update it
- Regularly run backups of your website and offer recovery services should something go wrong
Two standard security applications that absolutely every website should have as a minimum starting point are a firewall and SSL Certificate.
Most webhosts these days provide a free SSL certificate that is automatically added to your hosting package and is activated as soon as you sign up. Some hosts make it optional. If it is optional, definitely add it to your hosting service when you sign up.
For the Firewall – we recommend WordFence once again. WordFence is very easy to setup, and offers all the services you need to secure your website in one plugin.
Here are two other considerations to keep in mind when you select a Webhosting Company:
- Avoid shared hosting packages – Never choose a hosting package that will clump your website together with hundreds of other sites on one server.
If one website gets hacked, yours could be next. (The Risk Is Not Worth It)
- Use SFTP Encryption – SFTP encryption shields your data when you log into your website. Every interaction between your device and the server hosting your website is encrypted.
Even if a hacker has access to some sections of your website, they won’t be able to detect your login credentials.
15. Automate Your Website Security
WordFence can automate most of the security work you need done on your website. You can be notified of suspicious activity and regular scans can be scheduled to run automatically at the interval you set.
Within WordFence you can set login limits and be notified if someone is locked out of your site.
Daily, weekly or monthly reports can show you what’s been happening in the background of your site while you weren’t watching.
Security plugins have their advantages, because they perform many of the tasks that would take lots of your time to do.
Whenever you do get notifications about potential risks or threats, you should act as swiftly as possible to ensure that a small problem doesn’t become a huge headache later on.
Alternatively, you can find website security service providers that will monitor your website and fix it if problems occur.
This may be too costly of an option for you, but, security should never be left as an option – it is a must have service if you want to keep WordPress site safe. (It’s Your Business After All)
Quality WordPress hosting providers should provide 24/7 website monitoring as part of all their hosting packages by default so that you don’t have to fork out more money to hire someone to do it for you.
Prioritize WordPress Security With Your Hosting Company
When choosing a host for your WordPress Website it’s always best to partner with someone that will provide the best security services.
One example, Patchman is a server-level security service that detects and fixes vulnerabilities and malware.
This all happens while it runs behind the scenes – you won’t have to install or configure anything. You won’t even need to check it.
When the Patchman Service detects a security fix within any new software release, it will backdate the applicable fix to apply to all earlier versions.
Another example: Human Presence has a behavior analysis engine that detects and eliminates 99% bot spam.
Website visitors will never know that it’s working in the background, but it continues to protect analytics, comments, forms and reviews.
It also prevents copyright theft from your site.
These are just a few examples of software that’s available to make your site as secure as possible. There are many plugins that can do the same. You just need the right host that can provide the majority of the services you need.
Wrapping Up
Secure websites are merely websites that take the time to implement strategies to ensure that their sites are as secure as possible and they have backups in place. (In the event that something does go wrong).
Just because a site is secure – it doesn’t mean it can never be hacked, it definitely can. The difference between a secure and insecure site, is the ease and frequency at which attacks can occur and the time it takes to re-establish the site once a “fix” has taken place.
The more of the risk reducing strategies you choose to implement from this article, the stronger your website becomes and reduces the likelihood of an attack.
Some things are easy to do yourself, while others are more difficult. The best option is to choose a good quality webhost that provides most of these services and are available to help and guide you if things go wrong.
