Address WordPress Security Issues With These Top 7 Pro Tips
The most popular blogging platform and content management system today is, without a doubt, WordPress. The application powers around 59% of all websites around the world, from small bedroom-based personal blogs to some of the busiest and most popular sites on the web. It's a favourite amongst major players in virtually every industry, along with some of the world's biggest universities, such as Harvard, and commercial brands such as Forbes. However, no CMS is 100% secure, and WordPress is no different. If anything it is more exposed, given its open-source nature and the freedom it allows in plugins and themes, not to mention that being so widely used paints a virtual target on its back.
The WordPress admin panel runs on the same domain and uses the same permissions and codebase as the main front-end application, which means that if an attacker is able to exploit any one part of the system, the whole install can become compromised. Another major flaw is that all of the administration settings (including passwords) are located in the same public directories as the core application files.
With all that said, a few security threats here and there do nothing to dilute the popularity of such a powerful, easy-to-use system. If you know the issues and know how to address them, there is no reason not to use WordPress as your chosen platform. Below we've put together 7 top tips from the experts. Follow these and you'll go a long way towards securing the platform and, ultimately, your website.
1 – Update WordPress Themes and Plugins to the Latest Versions
As a general rule, you should always update your WordPress themes and plugins to the latest versions. Software is constantly being patched in response to security issues, and your plugins and themes are no different. Even an old plugin that is uploaded to your FTP space but not actually in use can provide an easy way in for a would-be attacker if it isn't secured. Of course, not all plugins are maintained, and the same goes for themes. If you're using a plugin or theme that hasn't had an update in a couple of years, you'd be wise to delete it completely from your FTP space and use an alternative. As if this weren't enough, attackers often find an exploit in a theme or plugin and then actively seek out other blogs that have it installed, or even just sitting in the FTP space. Your blog may not have been an intended target but will be hacked regardless, simply because you happened to be running a particular plugin or theme.
2 – Always Use Trusted Sources
This is one of the most important points when it comes to securing your WordPress site. When downloading plugins and themes, always get them from a reputable source. Whilst you might find a fantastic plugin or theme on a third-party site, what is hidden in the source code can often do more harm than good. Some free themes, for example, ship with additional code hidden behind base64 encoding: it performs a function, but you can't actually see what it's doing. It could be inserting links into your site, or it could be opening back doors for an attacker. By using a theme or plugin like this you're uploading malware into your install yourself, and you probably won't even know you're doing it. As a blanket rule, try to use themes and plugins offered on the WordPress site directly; this way you'll have a much better chance of staying secure. As mentioned above, also avoid themes and plugins which haven't been updated in a while. Whilst the developer may not have inserted anything malicious personally, that doesn't mean the code is free of bugs or holes that can be exploited.
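The hidden-code problem above can be checked for before a theme or plugin goes live. The script below is an added example, not part of the article: it greps PHP files under a directory for calls commonly used to conceal code (base64_decode, eval, gzinflate, str_rot13) and reports the file and line of every hit. The two sample theme directories it builds in a temp folder are constructed for the demonstration. A hit is a reason to read the file by hand, not proof of malware, since legitimate code uses these functions too.

```shell
#!/bin/sh
# Added example, not from the article: flag PHP files under a theme or plugin
# directory that contain function calls commonly used to hide code
# (base64_decode, eval, gzinflate, str_rot13). A hit means "inspect this file
# by hand", not "this is malware"; legitimate code uses these functions too.
# The sample theme directories below are constructed for the demo.

SUSPICIOUS='(base64_decode|eval|gzinflate|str_rot13)[[:space:]]*\('

# Print "path:line:text" for every matching line in *.php files under $1.
# /dev/null is passed so grep always prints the file name, even for one file.
scan_suspicious() {
    find "$1" -name '*.php' -exec grep -nEi "$SUSPICIOUS" /dev/null {} + || true
}

# Number of matching lines under $1 (0 when the tree is clean).
count_hits() {
    scan_suspicious "$1" | wc -l | tr -d ' '
}

# Build a constructed sample: one clean theme and one with an obfuscated call.
make_sample_themes() {
    d="$1"
    mkdir -p "$d/clean-theme" "$d/dodgy-theme"
    printf '<?php\n// Ordinary template: nothing to see here\nget_footer();\n' \
        > "$d/clean-theme/footer.php"
    printf '<?php\n// Constructed example of the pattern an audit should flag\n$blob = "aGVsbG8=";\neval(base64_decode($blob));\n' \
        > "$d/dodgy-theme/functions.php"
}

main() {
    tmp=$(mktemp -d)
    make_sample_themes "$tmp"
    scan_suspicious "$tmp"
    echo "suspicious lines: $(count_hits "$tmp")"
    rm -rf "$tmp"
}

main
```

To audit a real install, call `scan_suspicious wp-content/themes` (or `wp-content/plugins`) from the site root; anything it prints deserves a look, and a theme that hides its logic this way is one to replace rather than patch.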
3 – Choose a Credible Web Host
The vast majority of WordPress hacks occur because of a poor hosting choice. Incorrectly secured web hosts can lead to no end of problems, even if the steps you've taken to secure your own install are perfectly adequate. Hosting companies that don't scan for malware across their hosted accounts should be avoided. The last thing you want is a third party running a vulnerable blog that the hosting company didn't pick up on, which in turn puts your own install at risk. Use trusted, recommended companies that offer WordPress hosting as a package option. 99% of the time these are geared up specifically to handle WordPress installs, and their administrators will have the knowledge to deal with the common issues discussed in this article.
4 – Use Strong Access Credentials (username/password)
The biggest mistake people make is retaining "admin" as the default username for their WP administrator account. This gives a would-be attacker 50% of the information they need to break into your installation right off the bat. The same goes for passwords. Don't use common words; choose something obscure. You can tick "remember me" so it's not as if you'll have to type it in each time. Choose a password with both uppercase and lowercase letters, numbers and, for good measure, symbols. You can also enable two-factor authentication via a range of plugins available from third parties.
5 – Take Regular Backups
Whilst taking backups will not secure your site, if something does go wrong you can at least revert to how it was previously. Too many people wait until they've lost their data before setting up a backup routine. This is a mistake: act pre-emptively, and should the worst happen you can rest in the knowledge that your data is safe.
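A backup routine is only worth having if the archives are actually restorable and don't pile up until the disk fills. The script below is an added example, not the article's code: it archives an install's files, checks that the archive reads back and contains wp-config.php, and keeps only the newest N copies. The sample install it creates is constructed for the demonstration; scheduling it (cron) and dumping the database (for example with mysqldump) are assumed to be handled separately, as the article names no tooling.

```shell
#!/bin/sh
# Added example, not from the article: archive a WordPress install's files,
# check that the archive reads back and contains wp-config.php, and keep only
# the newest N archives. Hooking this into cron and adding a database dump
# (e.g. mysqldump) is assumed to be done separately; the article names no
# tooling. The sample install below is constructed for the demo.

# Create $dest/wp-files-$stamp.tar.gz from directory $src and print its path.
backup_files() {
    src="$1"; dest="$2"; stamp="$3"
    mkdir -p "$dest"
    out="$dest/wp-files-$stamp.tar.gz"
    # -C so the archive stores paths relative to the install's parent directory
    tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")"
    echo "$out"
}

# Succeed only if the archive lists cleanly and includes wp-config.php.
verify_backup() {
    tar -tzf "$1" | grep -q 'wp-config\.php$'
}

# Number of archives currently held in $1.
count_backups() {
    ls -1 "$1"/wp-files-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Delete the oldest archives in $1 until only $2 remain.
# Stamps are zero-padded dates, so lexical sort order is chronological.
rotate_backups() {
    dir="$1"; keep="$2"
    excess=$(( $(count_backups "$dir") - keep ))
    [ "$excess" -gt 0 ] || return 0
    ls -1 "$dir"/wp-files-*.tar.gz | sort | head -n "$excess" | while read -r old; do
        rm -f "$old"
    done
}

# Constructed stand-in for a real install: just enough files to archive.
make_backup_sample() {
    mkdir -p "$1/wp-content/uploads"
    printf '<?php // constructed config\n' > "$1/wp-config.php"
    printf 'constructed upload\n' > "$1/wp-content/uploads/photo.txt"
}

main() {
    tmp=$(mktemp -d)
    make_backup_sample "$tmp/site"
    archive=$(backup_files "$tmp/site" "$tmp/backups" "$(date +%Y%m%d-%H%M%S)")
    verify_backup "$archive" && echo "verified: $archive"
    rotate_backups "$tmp/backups" 7
    rm -rf "$tmp"
}

main
```

The verify step matters more than it looks: a scheduled job that silently produces empty or truncated archives gives exactly the false sense of security the paragraph warns against, and wp-config.php holds the database credentials you will need to stand the site up again.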
6 – Secure The Login Area
Just like with the default admin username, you're giving an attacker a head start by retaining the default WordPress login page/file name. There are so many blogs that keep the default login page and default username and choose an extremely simple password. All of this is a mistake. You can secure your login page by renaming it completely, or by using WordPress to limit the number of login attempts from a single source, thus thwarting any potential brute-force attack.
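Limiting attempts is the mitigation; the other half is noticing when someone is hammering the login page. The script below is an added example, not from the article: it reads a web server access log in the common Apache/nginx "combined" format, counts POST requests to wp-login.php per client IP, and reports any IP over a threshold. The lines in SAMPLE_LOG are constructed for the demonstration, and the threshold of 5 is an arbitrary choice for the demo.

```shell
#!/bin/sh
# Added example, not from the article: spot password guessing against
# wp-login.php by counting POST requests per client IP in a web server access
# log (Apache/nginx "combined" format) and reporting any IP over a threshold.
# On a real server feed it the live log, e.g.: flag_bruteforce 20 < access.log
# The lines in SAMPLE_LOG are constructed for the demo.

SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /?p=12 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:05 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3412 "-" "Mozilla/5.0"'

# Read a log on stdin; print "count ip" for POSTs to wp-login.php, busiest first.
# Field 6 is the quoted method ("POST) and field 7 the request path.
login_post_counts() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print only the IPs whose POST count exceeds $1.
flag_bruteforce() {
    login_post_counts | awk -v limit="$1" '$1 > limit { print $2 }'
}

main() {
    echo "POSTs to wp-login.php per IP:"
    printf '%s\n' "$SAMPLE_LOG" | login_post_counts
    echo "over 5 attempts:"
    printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 5
}

main
```

Only POSTs are counted because a GET of wp-login.php is just the form being displayed; a single address submitting the form dozens of times in a minute is the signature the attempt limiter above is meant to stop. If you rename the login page, change the path in the awk pattern to match.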
7 – Modify Your Directory/Folder Permissions
One of the most important file permission modes to remember here is 644. Files with 644 permissions can be read and written by the owner but are read-only to all other parties. You should apply this permission to all WordPress files on your FTP space. Never, however tempting, set all permissions to 777. That is an open invitation to attackers to cause damage, since every file can then be modified by anyone who wishes to.
If you follow all of the above you'll be protected from most hack attempts right off the bat, but of course the situation changes if any of the plugins or themes your website relies on become exploitable. If you keep on top of the situation, you'll be as protected as you possibly can be.
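Finding the stray 777 entries by hand across a whole install is tedious, so here is an added example (not the article's code) that lists everything world-writable under a directory and resets regular files to 644 as the tip advises. It also resets directories to 755 rather than 644; that is an addition beyond the article, because a directory needs its execute bit to be traversed and 644 on a directory would break the site. The sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: list anything world-writable under a
# WordPress install, then reset regular files to 644 as the article advises.
# Directories are reset to 755 rather than 644; that is an addition beyond the
# article (a directory needs its execute bit to be traversed, so 644 would
# break the site). On a real install run: audit_and_fix /path/to/wordpress
# The sample tree below is constructed for the demo.

# Paths under $1 that any user on the box can write to (mode bit 002 set).
list_world_writable() {
    find "$1" -perm -002 -print | sort
}

count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# 644 for files (owner rw, everyone else r), 755 for directories.
fix_permissions() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

audit_and_fix() {
    echo "world-writable before:"; list_world_writable "$1"
    fix_permissions "$1"
    echo "world-writable after: $(count_world_writable "$1")"
}

# Constructed install with two entries carelessly set to 777.
make_perm_sample() {
    d="$1"
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins/demo"
    printf '<?php // constructed\n' > "$d/index.php"
    printf '<?php // constructed\n' > "$d/wp-content/plugins/demo/demo.php"
    chmod 644 "$d/index.php"
    chmod 777 "$d/wp-content/uploads" "$d/wp-content/plugins/demo/demo.php"
}

main() {
    tmp=$(mktemp -d)
    make_perm_sample "$tmp/site"
    audit_and_fix "$tmp/site"
    rm -rf "$tmp"
}

main
```

Run the listing step on its own first: if the "before" output is long, something (often an installer or a plugin) has been loosening permissions, and that is worth understanding before you tighten them, since a directory the web server genuinely needs to write to (uploads, for instance) will need the owner to be the web server user rather than a 777 mode.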