Everything you want to know about how to keep your WordPress website secure!
Do you know that WordPress accounted for over 90% of all hacked CMS websites in the year 2018?
Powering 33% of all websites, WordPress is the most popular CMS platform with a market share of almost 60%, as reported by W3Techs. As a website owner, you would be glad to have selected WordPress as a platform for hosting your website. But, at the same time, the growing number of hacks on WordPress websites is bound to keep thousands of WordPress website owners like you worried about your website’s security.
“Is my WordPress website secure?” or “why do hackers attack a small-time business website like mine?” These are some of the questions that constantly worry website owners. So, before we get into the details of how to keep your WordPress secure, let’s try and answer these basic questions.
Is my WordPress website secure?
With over 90,000 hacks happening per minute on WordPress websites, you might wonder if WordPress inherently has security issues. To answer your question, no, it doesn't. If you take a closer look at what lies behind any WordPress website, you will find the following three main components:
- Core WordPress
- WordPress plugins
- WordPress themes
As the name suggests, Core WordPress comprises of all its core features and is maintained by a known team of WordPress developers and contributors. They are the ones who are responsible for adding new functionality to WordPress and also to keep them safe for use. To achieve this, they release an updated version of WordPress once every 152 days on an average. So far, they have released a total of 98 WordPress versions including the latest version 4.9 that is already being used by 9.1% of all websites.
Due to its timely updates and security fixes, hackers are unable to find vulnerabilities in the Core WordPress files.
Next in line comes the WordPress plugins and themes. Are they safe? You might be surprised to know that WordPress maintains a repository of over 50,000 trusted WordPress plugins! These plugins are free and can be safely downloaded to be used on your website. This includes popular plugins like Akismet, Jetpack, and WooCommerce that have recorded over 1 billion downloads so far.
So, essentially, WordPress itself is secure as core WordPress and WordPress plugins are both secure.
The real reason for WordPress security is often compromised is due to the presence of outdated plugins and themes. In other words, components that have not been updated to their latest released versions! Industry statistics reveal that only around 27% of the users are currently using the latest released version of WordPress. The presence of outdated plugins and themes pose a major security concern in WordPress installations.
As a website owner, you must ensure that you are using the latest WordPress version for your website, and also check if all your installed plugins and themes are downloaded from trusted sources. This basic step can go a long way in improving the overall security score of your website.
However, if you own multiple WordPress websites, containing hundreds of plugins and themes, then updating each of these components to their latest version can be a cumbersome task. You can simplify this task with the MalCare WordPress security plugin. Rated among the industry’s leading security plugins for WordPress websites, MalCare offers 24x7 protection from malware attacks along with a one-click malware removal process. Using MalCare’s website management feature, you can apply the latest updates to all the installed plugins and themes across multiple websites with a single click.
Why do hackers target small business websites?
Most small business owners think that their business website is too small or unimportant for hackers to target. Well, if you have a similar mindset, then here’s news for you. The 2018 State of Cybersecurity study on small-to-medium business (SMB) reports that 67% of the respondents have experienced a cyber-attack while 58% of them have reported a data breach in the past 12 months.
Hackers do not distinguish between large or small websites and target both with equal intensity. That being said, smaller websites are at a larger risk as small business owners often don’t prioritize website security measures.
How to improve WordPress website security
Now that we have answered some of the basic questions regarding WordPress security, let’s see how a layered approach can work for website security. What is a layered approach? Let’s understand it with a simple example. How would you go about safeguarding your hard-earned money from robbers and burglars? Yes, you would implement multiple ways for protecting your money like keeping it in a bank’s savings account, or keeping your cash in a safe locker, or by investing it into various valuable assets, right?
This approach makes it hard for robbers or fraudsters to lay their hands on your hard-earned money. A similar approach is necessary for protecting your WordPress website. Here are ten measures you can implement to improve the security of your website.
Choose the right web host
A web host acts as the foundation for your website. It’s like selecting the building material that goes into building your house. Surely, you wouldn’t compromise on the quality of the building material just to save on costs. Opting for low-cost material may reduce the initial costs of building your house but can increase your house maintenance costs in the long run.
In a similar vein, when it comes to selecting the right web host for your WordPress website, there are two options, namely the more affordable Shared web hosting or the more secure Managed web hosting.
Why is managed hosting better than shared hosting when it comes to security? Well, shared hosting services only provide a basic level of malware scanning that cannot detect new malware threats.
On the other hand, managed hosting provides a range of security measures, including firewall protection, better malware scanning tools, and restricted access to critical website files.
If your website is on a shared web host, it’s probably a good idea to migrate to a more secure managed web host. Are you worried about the hassles of website migration? Leave it to the efficient Migrate Guru tool that can perform the complete migration without any adverse impact on your live website. This free-to-download WordPress plugin can seamlessly migrate websites with up to 200GB of data.
Remove all abandoned plugins and themes
As WordPress users, we all have downloaded and installed several third-party plugins and themes on our website, haven't we? Thanks to their popularity and ease of use, there has been a major surge in the development of both free and paid plugins and themes. Do you know that the WordPress Plugin directory currently contains over 44,600 plugins that have been downloaded over 1.3 billion times? Many of these WordPress plugins and themes continue to be maintained by third-party developers. However, there are loads of abandoned plugins and themes which are no longer updated by their respective developers.
Keeping such plugins and themes on your WordPress website can slow down its performance and can also be a major security risk. Security plugins like MalCare can help in identifying and removing all such plugins or themes installed on your website.
Use unique login page credentials
Remember the case of Iranian hackers who were behind the 2017 U.K parliament attack and the 2019 Australian parliament attacks? This was a classic example of a successful brute force attack, a method by which hackers deploy automated bots to guess the correct login page passwords to gain access to sensitive information.
To execute a successful brute force attack, hackers need to figure out your login page credentials, which comprise of username and passwords. Setting a weak or common username and passwords can make their jobs much easier.
Do you know that “admin” and “password” are among the most common and weakest usernames and passwords set respectively by WordPress account users?
How can you strengthen your login credentials? For a start, encourage the use of unique usernames or better still, to use the email address to log in to the WordPress account. Additionally, you can implement safety measures in passwords by using long passwords (comprising of at least 8-10 characters) or passwords that are a combination of uppercase and lowercase characters, along with alphanumeric and special characters. Regularly changing the password can also improve the security aspect of your login page.
Use CAPTCHA-based protection
Have you ever wondered why many login pages display the CAPTCHA screen after a few failed login attempts? Well, here’s the reason. During brute force attacks, automated bots try out various combinations of login page credentials (username and password) until they find the right match to crack the user account.
CAPTCHA protection can prevent such attacks through the following measures:
- Restricts the number of failed logins attempts to just 3 (after which the CAPTCHA screen is displayed).
- It helps in distinguishing between a human user or a bot (as bots are unable to read and process the displayed CAPTCHA text).
Want to enable the CAPTCHA-based feature for your website? Try the MalCare security plugin which provides CAPTCHA-based login protection thus limiting the number of failed login attempts on your WordPress account.
Set up firewall protection
Imagine a residential complex without a team of security guards at the front gate. Pretty scary right, particularly if you have precious valuables at your home? The presence of security guards can protect your home by not allowing unwelcome or unauthorized people to reach your residence. A website firewall does a similar task! Firewalls are among the first line of website defenses that checks each online request made to your website server and blocks requests made from suspicious IP addresses.
Based on their mode of functioning, there are three types of firewalls, namely:
- Plugin-based firewalls that are installed just like any other plugin on your WordPress website. It intercepts and validates every request made on your website.
- Cloud-based firewalls where requests are first directed to the cloud-hosted firewall and are sent to the target website only if they are deemed safe.
- In-built firewalls are provided by your web host provider and are extended to all its hosted websites.
Security plugins like MalCare provide a plugin-based firewall with features like 24x7 website protection, blocking of bad IP addresses, and live monitoring of web traffic.
Restrict user privileges
Hackers can gain access to critical backend files of your website by trying to get the user credentials of your WordPress website admin. They can misuse admin credentials to damage user accounts or even steal confidential user information. For instance, admin credentials can be used to:
- Create, modify, or even remove existing content.
- Change the code of existing WordPress plugins and themes.
- Take unauthorized control of all installed plugins and themes.
- Create, modify, or even delete existing user accounts.
How can you prevent this? Well, for starters, WordPress itself allows you to create and assign six different user roles with varying degrees of account-related rights and privileges. These are:
- Super admin
Only users with admin rights have the highest account-related privileges while the contributor has the least level of permissions. To improve your WordPress security, it’s best to assign admin rights to only a few users, while assigning the other roles based on the functions performed by each user.
If you’re looking for a way to manage all your user accounts and privileges easily, MalCare’s user management feature, which lets you easily add and manage all users and user roles, is an effective solution.
Use website hardening measures
To improve website protection, WordPress has recommended a list of website hardening measures that can fortify your website against any hacking attempts. These include measures such as:
- Disabling File Editing that prevents hackers from writing malicious codes in your installed plugins and themes.
- Disabling PHP File Execution that prevents hackers from uploading and executing malicious PHP code that can infect your website.
- Changing WordPress Database Prefix that involves changing the default prefix used in database tables, which are targeted by hackers.
- Disabling Directory Browsing that disables the browsing of selected directories (such as wp-includes) that can contain vulnerable files.
- Blocking Plugin and Theme installation that blocks users from installing new plugins and themes.
The above-mentioned points might sound technically intense but fret not! MalCare has simplified each of these hardening measures through its dashboard in just a few clicks.
Execute 2-factor authentication
Popular services like Gmail and Facebook regularly implement 2-factor authentication (or 2FA) even when regular users try to log into their user accounts. How does it work? In addition to entering their login credentials, users are required to enter a unique code that is sent to their phones or email to gain access to their account.
You can improve your login page security by implementing the 2-factor authentication on your WordPress website with the MalCare security plugin that supports this feature.
Use SSL security
Take a look at any secure website on any standard browser, and you will notice the green lock (next to the website URL address). This signifies that the website has an SSL certificate implying that it is safe and secure for use.
To improve Internet safety, all websites are now required to be SSL-certified, which can now be easily installed using free tools such as Let’s Encrypt.
Take regular backups of your website data
Even with all the above security measures, successful hacks can still happen, and you may end up losing valuable business data. To safeguard against this, ensure that you take regular backups of your data so that you can restore your website (with the backup data) in the event of a website compromise. Choose a backup tool that can perform smooth website restoration to minimize the downtime of your compromised website.
Opt for WordPress backup plugins such as BlogVault which offers convenient features like incremental backups (where your website data is backed up in smaller chunks), multiple backups (where multiple versions of the backup data are stored and maintained), and cloud-based offsite storage of backup data.
That’s all for now! We hope that you implement these measures to improve your website’s security. Remember that WordPress website security is not a one-time activity but must be done consistently.
You can make this process more convenient by using trusted WordPress plugins like MalCare (for malware detection and removal), BlogVault (to take regular website backups), and Migrate Guru (for smooth website migration). We would love to hear from you.