With a market share of over 60% and 500+ new websites being hosted each day on the WordPress platform, there is no debate on the dominance of WordPress for content management. Yet despite being easy to use and having unparalleled functionality, WordPress comes with security risks.
Did you know WordPress accounted for a whopping 90% of hacked websites in the year 2018? Harmful backdoor files were found in over 65% of all hacked websites, and SEO spam messages in more than 50% of the them!
Poor WordPress security can severely impact your business. Here’s how:
- Customers or visitors may be unable to access your site, resulting in the loss of valuable traffic.
- Company sales and revenue could be affected.
- SEO rankings can drop, and your website could be blacklisted by Google and other search engines.
- And finally, your site could lose its reputation and hard-earned brand value.
For the WordPress site owner, it is critical to implement security measures and fix common vulnerabilities.
But how do you know what could put your website at risk?
To make your life easier, we’ve put together this list of the 5 most common issues affecting WordPress websites and their security. Let’s take a look.
WordPress Security Mistake #1:
Use of Outdated core WordPress & Plugins/Themes
Hackers look for security-related vulnerabilities in outdated versions of WordPress core, as well as outdated plugins and themes.
For this reason, there is a core WordPress upgrade once in every 152 days. But updating WordPress core is not enough. You need to keep your plugins and themes up-to-date, too. A majority of third-party plugin/theme developers release timely updates containing security fixes.
Unfortunately, most WordPress users do not keep these website components updated. An estimated 52% of WordPress-related vulnerabilities are the result of outdated plugins.
How to fix it:
- Install the latest WordPress released version.
- Review installed plugins and themes regularly and keep them updated. You can do this from your WordPress dashboard (as shown in the sample screen below).
- If you are managing multiple WordPress websites, updating each installed plugin or theme can be cumbersome and time-consuming. You can use plugins with wordpress management features to simplify your task. Using WP-CLI can make this process easier, too.
- Follow the practice of downloading your plugins/themes from the official WordPress repository or trusted websites.
- Get rid of all abandoned or unused plugins/themes that have not been updated recently by their developers.
WordPress Security Mistake #2:
Using a Vulnerable Web Host
Your web host server can determine the overall safety of your website to a large degree. Let’s look at the two primary types of web hosts and how they impact security:
- Shared hosting
Shared hosting comprises multiple websites hosted on the same server. The hosted websites share various server resources, including disk space, server bandwidth, and database tables. Shared hosting is cheaper and popular with budget-conscious WordPress owners.
However, shared hosting can compromise your website security. For example, hackers can host their websites on shared hosts to gain easier access to the other hosted websites.
Additionally, poor security measures by one user on a shared host can potentially lead to risks for other users. If a site on a shared host is hacked, it can lead to the compromise of all the other sites.
- Managed hosting
Although more expensive than shared hosting, managed hosting is a safer option because the entire hosting server is dedicated to your website. All the server resources are available for your website. Some of the security features that managed hosting offers include firewall protection, malware scanning tools, and access management.
How to fix it:
- Check with your web host provider regarding the security-related services that they provide.
- If you use shared hosting, switch to a more secure managed hosting platform.
- Migrate your site to a secure provider. If you want to perform website migration with minimum impact on your live site, use a migration tool like Migrate Guru.
WordPress Security Mistake #3:
Weak Login Credentials
Even in 2020, online users continue to use weak passwords such as “123456” and “password” for logins. Many WordPress users choose “admin” as the username for their administrator account. This practice is one of the key bad habits of site management. It makes it easier for hackers to gain illegal access to your WordPress account and access your critical website files.
Among the primary means for exploiting login page vulnerabilities, brute force attacks top the list and are growing stronger by the day. A brute force attack deploys automated bots to try and gain access to login pages by guessing the user credentials. If they gain access, they can damage your website by:
- Stealing confidential data, such as user details and financial records.
- Leaving behind backdoors for re-entry at a later stage even after a complete cleanup.
- Redirecting the web pages to other unsolicited sites.
- Adversely impacting the overall website speed and performance.
How to fix it:
- Always choose a strong login password with a combination of special and alphanumeric characters.
- Use a unique username specific to each user instead of generic usernames like “admin” or “user1.”
- Follow a practice of changing the passwords of all your users regularly.
- Deploy the effective CAPTCHA tool for your login. It restricts the number of failed login attempts to thwart brute force attacks. It is also useful in distinguishing between a human user and an automated bot.
- Block all login requests from bad or suspicious IP addresses that are generally used by hackers worldwide.
You can use Word-Based password plugins to create strong passwords.
WordPress Security Mistake #4:
Improper User Management
In addition to brute force attacks, hackers try to gain access to WordPress by using your WordPress admin credentials. Why? Because with admin access, they can inflict maximum damage. For example, they can corrupt crucial website backend files that are not accessible to other users.
To avoid this issue, WordPress allows you to create 6 different user roles with their own set of privileges. These include:
- Super Admin user who has the complete set of admin privileges on multiple websites owned by the business.
- Admin user who has complete “admin” privileges but is restricted to one website.
- Editor who has no “admin” rights and can only publish and manage user posts on the website.
- Author who has the rights to publish and manage their submitted posts on the website.
- Contributor who can write their website posts but does not have any “publishing” privileges.
- Subscriber who has the least level of user rights and can only create or update their user account or profile on the website.
Assigning “super admin” or “admin” rights on multiple WordPress users can seriously endanger the overall security of your website. The key is to assign user roles and privileges based on careful evaluation of each user’s role and tasks. Through proper user management, even if hackers gain access to user accounts of a “contributor” or “subscriber,” they gain limited permissions and can inflict minimal damage on the website.
How to fix it:
- Assign the “Super Admin” role only to website owners (particularly if they are managing multiple websites).
- Restrict the total number of users with “admin” rights. Only assign this role to trusted and experienced users who have prior experience as a WordPress administrator. Enforce strong password policies for these users.
- Assign user roles and privileges based on the scope of their responsibilities and work.
WordPress Security Mistake #5:
Lack of SSL Certification
Secure Socket Layer (or SSL) is a standard used to encrypt website data and safeguard the website. An SSL-certified website can secure the communication between the website server and the user’s device or browser.
With the growth of online transactions, users often share sensitive information details over the Internet that can be highly risky. These include information like bank account number, credit card number, or bank details. An SSL certificate encrypts this information, ensuring that the data is only shared with the intended user.
How to fix it:
- Most hosts will, at minimum, provide you a free SSL certificate. (There are better options in paid certificates, but you need a basic level of SSL at minimum.) After installing an SSL security certificate, the website URL will be preceded by “https://” and a padlock symbol is shown in the browser address bar.
- Ensure that all your “http” webpages are redirected to “https” domain. You can use automated tools like Really Simple SSL to easily configure your website for the “https” domain.
Despite security measures, things can still go wrong with your website. It is imperative to use reliable backup solution which acts as a safety net in this case. We highly recommend investing in an automated backup plugin like Updraftplus or BlogVault so you have something to fall back on in case of a security attack.
A quick recap:
In this article we looked at 5 of the most common issues with WordPress Security and how to deal. Let’s quickly look at what we have learnt.
- Keep the WordPress Core, Themes and Plugin updated.
- Employ a secure managed web hosting provider.
- Use strong user credentials.
- Evaluate and assign User roles carefully.
- Use an SSL certificate to secure your site and keep the website data encrypted.
By resolving these 5 common WordPress issues, you can significantly improve the overall security rating of your WordPress website. While there is never 100% guaranteed security against hackers, we’re all better off safe rather than sorry.