WordPress is quite simply the most widely used content management system for website owners today. There are over 75 million active websites using the self-managed version of WordPress, with countless more bloggers relying on the WordPress.com platform, which provides a managed version of WordPress. There are well over 30,000 unique official WordPress plugins available for site owners to customise their websites with added functionality, and 48% of the Technorati Top 100 blogs use WordPress to manage and display the content that we read every day.
With these statistics it is not surprising that WordPress is also a target for malicious attackers looking to compromise WordPress-based websites in one way or another. This is not to say that websites not using WordPress don’t get the same attention from hackers. Sadly, WordPress websites are an attractive target precisely because the scripting language it runs on (PHP) can just as easily be used for bad purposes as for good ones. While it can often be quite easy for hackers to crack the security of a WordPress website, it can also be quite a secure system if a few simple things are done to tighten up the defaults that a standard installation leaves in place.
Here at Webpire Marketing we offer hosting services to our web development and SEO clients. We see first hand every single day the number of attempts that are made to hack into websites, and have heard many stories of hosting companies struggling under the load of people looking to exploit websites for malicious purposes. It can be well worth the effort for hackers to attempt to crack security for many reasons. If you know what you are doing, it is possible to inject scripts into the code of an existing website and remain essentially invisible to the majority of website owners. It is possible to steal customer account information. If a website is storing credit card details or any other sort of personal information, this can be extremely valuable to the criminal elements who are often behind the hacking attempts. A website can easily be turned into a spam-bot by utilising the root email accounts with some simple code injection. It is possible to inject links into pages for black hat SEO purposes, control redirections and essentially steal traffic from highly visited web pages. There are also people out there who do this sort of thing just for fun. I could go on all day about the potential reasons hackers would have to gain access to a WordPress based website.
So I want to share a few basic tips on securing websites that are run on the self hosted WordPress platform. These are just basics and essentials that any website owner should and could very easily implement within a very small timeframe.
Strong SQL Database User Password
Before any WordPress server files are installed or any accounts are created within the WordPress installation, a SQL database needs to be created on the server platform of your choice. This database hosts all of the content that will be shown within the pages of your WordPress site. The WordPress installation uses the scripting language PHP to extract the correct information and then display it in the format you see on any web enabled devices you are using. If this database is not secure to start with, you are leaving a gaping hole for people to be able to get direct access to the raw information used to display content within your website.
Do not under any circumstances set the password used to access this database to an easy dictionary-based keyword. Never use a commonly used word for this password. You must set this password to be unique from any login details used to actually access the WordPress admin panel. Believe me, this is one of the easiest and most common ways for people to maliciously access a WordPress installation. There are commonly available hacker tools on the market which will target this exact method over and over again with lists of websites that are known to be based on WordPress.
Strong Admin / User Passwords
We all know that we should not be using easily guessed passwords for any form of online account. Sadly though, there is a very large percentage of people who use simple passwords like “password”, “1234” or other commonly guessed passwords to secure the online accounts that are so important to their everyday lives. If I was to tell you that there are tools on the market that will repeatedly access a login form and use techniques we like to call “brute force” over and over again to attempt every possible combination of letters, numbers and characters, would this surprise you? If you are making it easy for these automated tools to do their job by using common or easily guessed passwords, you will eventually get your website hacked.
Every WordPress installation has a login panel. It is a common page amongst all WordPress websites. If you are then using administrator usernames like “admin”, “administrator” or similar usernames, and matching this with easily guessed (remember, easily guessed can mean “easy” for a bot that is programmed to do nothing but this) passwords you will find it very hard to keep hackers out of your website.
Do not set up your WordPress installation with the default administrator username set to anything like “admin”, “administrator” or “root”. Ensure that you are using hard to guess passwords which include combinations of capital letters, numbers and other characters. And implement a process for regularly changing all passwords for anybody who has an account on your WordPress based website. The same goes for any passwords for any form of access, including FTP and email access. Yes, users always want simple passwords that they can remember easily. But you need to be placing a high level of importance on the overall integrity of your WordPress installation. Do not use the same password in multiple places for any user across any of the WordPress admin panel, FTP, email or database passwords.
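The database and admin password rules above boil down to a checklist that can be run automatically. The script below is an added example (not code from this post, from WordPress or from any plugin) that audits a set of accounts, one per access method, against those rules: no reserved usernames, no dictionary words even with digits or symbols tacked on, a minimum length and character mix, and no password shared between the database user, the admin panel, FTP or email. The word list, the minimum length of 12 and the sample accounts are constructed for illustration; in practice you would load a real breached-password list.

```python
"""Credential policy audit for a WordPress deployment (added example, not from the post).

Audits {account_label: (username, password)} for the rules in the post:
reserved usernames, dictionary/common passwords, weak character mix and
password reuse between the database user, wp-admin, FTP and email accounts.
"""
import string
from collections import defaultdict

# Usernames every login-guessing bot tries first (taken from the post).
RESERVED_USERNAMES = {"admin", "administrator", "root"}

# Tiny stand-in for a real dictionary / breached-password list (constructed).
COMMON_PASSWORDS = {"password", "1234", "123456", "qwerty", "letmein",
                    "wordpress", "welcome", "admin"}

MIN_LENGTH = 12  # assumed policy value


def check_password(password):
    """Return the list of policy violations for one password (empty list = ok)."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("common or dictionary word")
    # Catch 'Password1!' style padding: strip digits/symbols from the ends and re-check.
    stripped = lowered.strip(string.digits + string.punctuation)
    if stripped and stripped != lowered and stripped in COMMON_PASSWORDS:
        problems.append("dictionary word with digits/symbols appended")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    return problems


def audit_accounts(accounts):
    """Audit {label: (username, password)} and return {label: [findings]}.

    Labels are access methods such as 'wp-admin', 'mysql', 'ftp', 'email'.
    A password that appears under two labels is reported on both.
    """
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for label, (username, password) in accounts.items():
        if username.lower() in RESERVED_USERNAMES:
            findings[label].append(f"reserved username '{username}'")
        findings[label].extend(check_password(password))
        by_password[password].append(label)
    for labels in by_password.values():
        if len(labels) > 1:
            for label in labels:
                others = ", ".join(l for l in labels if l != label)
                findings[label].append(f"password reused with: {others}")
    return {label: findings[label] for label in accounts}


# Constructed sample: a typical 'easy' setup beside a hardened one.
WEAK_SETUP = {
    "wp-admin": ("admin", "Password1!"),
    "mysql":    ("wp_user", "Password1!"),
    "ftp":      ("site", "letmein"),
}
STRONG_SETUP = {
    "wp-admin": ("jsmith_editor", "gT7#pLq!9vXz2mWe"),
    "mysql":    ("wp_site_db", "R4$kQz8!nB1vT6yH"),
    "ftp":      ("site_deploy", "Zx9!mK3@qW7#eR5t"),
}

if __name__ == "__main__":
    for name, setup in (("weak", WEAK_SETUP), ("strong", STRONG_SETUP)):
        print(f"== {name} setup ==")
        for label, problems in audit_accounts(setup).items():
            print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Running it prints every finding for the weak setup (reserved username, padded dictionary word, too short, reuse between wp-admin and mysql) and OK for each account in the strong one. The reuse check is the one people skip: a database password that matches the admin password turns one leaked credential into two.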
There are many plugins available for WordPress that provide extra functionality and security features which are designed to prevent and log any attempts by hackers or other people who should not be accessing the admin panel of your website. One of my personal favourites is Wordfence Security, but there are many others out there that offer very similar functionality. Any decent security plugin for WordPress will allow you to scan the files within your installation for changes or malicious code injection, and prevent or allow access to the admin panel based on IP addresses or the number of login attempts. You can also find plugins that will prevent external scanning from unknown people looking for specific known vulnerabilities within a WordPress installation. The better plugins on the market can provide two-factor authentication, meaning any login attempt will need a second form of verification, such as a mobile phone, before the system will allow a user to access it.
There are plenty of free plugins available on the market to help secure and protect your WordPress installation and there really is no excuse for not implementing at least one of them.
Remove Unused Theme Files
When you install a fresh version of WordPress you will have access to a few of the standard themes that come with every installation. A great feature of WordPress is the ability to have multiple themes installed and to be able to switch between them quite easily. Sadly though, this is also a great way to be hosting unnecessary files on your server. Whenever we build a new website, one of the very first things we do is remove any of the existing themes that will not be used for the particular project we are implementing. There have been several occasions where, upon auditing a WordPress installation for vulnerabilities, we have actually found unused themes that have been compromised, or hacked versions of themes which have been installed by hackers. If the files are not needed on the server, do not leave them there. The themes that are installed can be easily viewed by looking in the ‘/wp-content/themes/’ directory. Delete any of the themes you know you will not be using.
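Deleting unused themes by hand from ‘/wp-content/themes/’ is easy to get wrong in one way: if the active theme is a child theme, its parent must stay, and WordPress records that parent in the `Template:` header of the child’s `style.css`. The script below is an added example (not code from this post or from WordPress) that takes the themes directory and the name of the active theme (as shown under Appearance > Themes, or by `wp theme list`), keeps that theme plus its parent if it has one, and reports or removes everything else. Run it with the default dry run first; the `--delete` flag is this script’s own convention.

```python
"""Remove unused WordPress themes from wp-content/themes (added example, not from the post)."""
import os
import re
import shutil
from typing import Optional

# WordPress declares a child theme's parent with a 'Template:' line in style.css.
TEMPLATE_HEADER = re.compile(r"^\s*Template:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parent_theme(themes_dir: str, theme: str) -> Optional[str]:
    """Return the parent theme named in <theme>/style.css, or None for a standalone theme."""
    style = os.path.join(themes_dir, theme, "style.css")
    if not os.path.isfile(style):
        return None
    with open(style, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)  # WordPress itself only reads the first 8 KB of file headers
    m = TEMPLATE_HEADER.search(head)
    return m.group(1) if m else None


def unused_themes(themes_dir: str, active_theme: str) -> list:
    """List theme directories that are neither the active theme nor its parent."""
    keep = {active_theme}
    parent = parent_theme(themes_dir, active_theme)
    if parent:
        keep.add(parent)
    return sorted(
        d for d in os.listdir(themes_dir)
        if os.path.isdir(os.path.join(themes_dir, d)) and d not in keep
    )


def remove_unused_themes(themes_dir: str, active_theme: str, dry_run: bool = True) -> list:
    """Delete (or, with dry_run, only report) every unused theme; returns their names."""
    doomed = unused_themes(themes_dir, active_theme)
    for name in doomed:
        path = os.path.join(themes_dir, name)
        if dry_run:
            print(f"would remove {path}")
        else:
            shutil.rmtree(path)
            print(f"removed {path}")
    return doomed


if __name__ == "__main__":
    import sys
    # Usage: python remove_unused_themes.py /var/www/html/wp-content/themes mytheme [--delete]
    themes_dir, active = sys.argv[1], sys.argv[2]
    remove_unused_themes(themes_dir, active, dry_run="--delete" not in sys.argv[3:])
```

Files sitting directly in the themes directory (such as WordPress’s own `index.php`) are left alone; only theme subdirectories are considered. Take a backup before the real run, as the next sections advise.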
Ensure WordPress / plugins / themes are updated
WordPress is constantly in development and upgrades and improvements to the base server files are always being released. It is extremely easy to stay up to date with the latest versions of WordPress but unfortunately many people do not do so. I see updates to the main version of WordPress happening almost weekly and even though it takes some time and resources to maintain these updates, it is well worth the effort when securing any WordPress website. The same goes for the 3rd party plugins many websites use to extend the functionality of WordPress. With the updates to the main WordPress server files typically comes updates for any plugins that are well maintained and widely used. Most plugins provide a simple automated method of updating them through the WordPress administrator panels. The plugins provide an easily visible notification to say that there is a new version and within a couple of clicks can be easily updated.
Unfortunately, the one piece of the WordPress security puzzle that I commonly see neglected is the theme: the themes people are using for their websites are often not updated regularly. So while the WordPress platform itself is always being updated and checked for common vulnerabilities, the theme frameworks which sit on the server are more often than not the last link in the chain to see any updates. Unfortunately there is not a lot that can be done about this, and it is something that needs to be considered in mission critical WordPress installations.
Download plugins only from reputable sources
One of the big reasons WordPress is so popular is the plugins we can easily add to an installation to extend it and offer specific functionality. For example, WooCommerce is a plugin which can be installed for free and offers a great e-commerce system. This and many thousands more plugins can be installed at the press of a button. If you are using the actual WordPress.org repository to source your plugins you can generally feel safe about what you are installing. But WordPress plugins are available from many sources and quite often include malicious code which the creator has embedded to provide some form of remote access or other functionality which they can exploit whenever they want. Just like any form of software, obtaining the files through trusted sources is very important for maintaining system integrity, especially if you do not have the knowledge to be able to debug any possible issues. I do not recommend obtaining WordPress plugins from any underground forums or downloading them from freely available file sharing platforms unless you really know what you are doing.
Perform regular backups!
I cannot begin to tell you how many times I have personally experienced a problem where a WordPress based website, or a website running on another platform, needed to be recovered from a previous backup. This is great and very easy to do if you actually perform backups. Now while this may sound like a complex process, it is just as simple to perform as all of the other tips listed in this article: a plugin such as WP-Clone By WP-Academy, and many other freely available options, will perform this function for you at the click of a button. Finding the right plugin for your purpose is as easy as searching the WordPress plugin repository. Remember to always store the most recent copy of your site backup in a remote place, not just on the server where your website is hosted.
If you do not follow this particular tip, you will eventually suffer a huge loss especially if you are running a website for commercial purposes. Implement a backup process and ensure you are performing this task either manually or automatically before each and every upgrade to the main WordPress installation, plugins or themes. You never know when those backups might need to be used. Backup both your main site files as well as the database itself.
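The update section and the backup section together describe one routine: back up the files and the database, get the copy off the server, and only then look at what needs updating. The script below is an added example that ties them together; it is not code from this post, from WordPress, from WP-CLI or from any backup plugin. It reads the database credentials from `wp-config.php` (the same ones WordPress uses), archives the site tree, dumps the database with `mysqldump`, pushes both copies to a remote host with `rsync`, and then reports the pending plugin and theme updates from WP-CLI’s `--format=json` output. Assumptions: `mysqldump`, `rsync` and `wp` are on PATH; WP-CLI’s JSON entries carry `name`, `status` and `update` fields, with `update` equal to `"available"` when a newer version exists; `REMOTE` is a placeholder you replace with your own off-box destination.

```python
"""Back up a self-hosted WordPress site, then list pending updates (added example, not from the post)."""
import json
import os
import re
import subprocess
import tarfile
from datetime import datetime, timezone

# Placeholder: rsync-over-ssh destination on a host that is NOT the web server.
REMOTE = "backup@backup.example.net:/srv/wp-backups/"

# Matches define('DB_NAME', 'wp_site'); and the double-quoted variant.
# Assumes the values themselves contain no quote characters.
WP_DEFINE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def read_db_settings(wp_config_text: str) -> dict:
    """Extract the database credentials WordPress itself uses from wp-config.php text."""
    return dict(WP_DEFINE.findall(wp_config_text))


def archive_site(site_root: str, dest_dir: str, stamp: str) -> str:
    """Write dest_dir/site-<stamp>.tar.gz containing the whole site tree; returns its path."""
    os.makedirs(dest_dir, exist_ok=True)
    out = os.path.join(dest_dir, f"site-{stamp}.tar.gz")
    with tarfile.open(out, "w:gz") as tar:
        tar.add(site_root, arcname="site")
    return out


def mysqldump_command(db: dict, out_path: str) -> list:
    """Build the mysqldump argv. The password is NOT on the command line; it is passed
    through the MYSQL_PWD environment variable (see dump_database) so it never shows in `ps`."""
    host, _, port = db.get("DB_HOST", "localhost").partition(":")
    cmd = ["mysqldump", "--single-transaction", f"--host={host or 'localhost'}"]
    if port:
        cmd.append(f"--port={port}")
    cmd += [f"--user={db['DB_USER']}", f"--result-file={out_path}", db["DB_NAME"]]
    return cmd


def dump_database(db: dict, out_path: str) -> str:
    env = dict(os.environ, MYSQL_PWD=db["DB_PASSWORD"])
    subprocess.run(mysqldump_command(db, out_path), env=env, check=True)
    return out_path


def copy_offsite(paths, remote=REMOTE):
    """Keep the newest copy somewhere other than the server being backed up."""
    subprocess.run(["rsync", "-a", *paths, remote], check=True)


def pending_updates(plugins: list, themes: list) -> dict:
    """Group WP-CLI list entries whose update == "available". Active items should be
    updated; inactive ones are dead code on the server and are better deleted."""
    report = {"update": [], "delete_instead": []}
    for kind, items in (("plugin", plugins), ("theme", themes)):
        for item in items:
            if item.get("update") != "available":
                continue
            key = "delete_instead" if item.get("status") == "inactive" else "update"
            report[key].append(f"{kind}:{item['name']}")
    return report


def wp_json(wp_path: str, *args) -> list:
    """Run `wp <args> --format=json` against the install at wp_path and parse the output."""
    out = subprocess.check_output(["wp", *args, "--format=json", f"--path={wp_path}"], text=True)
    return json.loads(out)


def pre_update(site_root: str, dest_dir: str) -> dict:
    """Full run: archive files, dump the DB, ship both off-site, then report pending updates."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    with open(os.path.join(site_root, "wp-config.php"), encoding="utf-8") as fh:
        db = read_db_settings(fh.read())
    files = archive_site(site_root, dest_dir, stamp)
    sql = dump_database(db, os.path.join(dest_dir, f"db-{stamp}.sql"))
    copy_offsite([files, sql])
    return pending_updates(wp_json(site_root, "plugin", "list"), wp_json(site_root, "theme", "list"))


if __name__ == "__main__":
    import sys
    # Usage: python pre_update.py /var/www/html /var/backups/wp
    print(json.dumps(pre_update(sys.argv[1], sys.argv[2]), indent=2))
```

The order matters: the archive and dump exist and have left the box before anything is touched, so a broken update is a restore rather than a loss. The report deliberately separates inactive plugins and themes that have updates pending, because, as the theme section above explains, code that is not in use should be removed rather than maintained.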
Hide Author tags on posts / pages
When you are posting content to WordPress, one of the fields contained within the database lists the user who created that content. This particular piece of information is more often than not shown on the content page. Unfortunately this is quite often also a very easy way for people to see a username which could be exploited and used within the brute force methods. Once a username is known, attempts to repeatedly guess the password via the tools I have already mentioned above will increase. There are a lot of websites that like to publish the author’s name next to any content they have created. And while this information is great for the readers viewing that content, it is also great for anybody with more malicious intent who knows what they are doing. There are readily available plugins which can hide this valuable piece of information and also mask the actual username with the full name of the author instead of the username used to create the content. Setting a “nickname” (or using the author’s real name) within the WordPress user admin panel is a great place to start here. If you do not need to display the name of the author who contributed the content, install a plugin such as Show Hide Author or any of the many similar plugins that perform this exact function.
Guard against brute force attacks
Above I have listed options for securing users, the database and the WordPress files themselves, and a few other suggestions for securing readily available security information. There is a saying that goes “prevention is better than cure”, and this is so true and relevant to your WordPress installation. We know that most attempts to hack a WordPress site are going to come via the WordPress admin login panel itself, so why not secure this entry point as much as possible? There are great plugins available such as the already mentioned Wordfence Security which provide a huge number of customisable security rules and options which can be used to lock down the WordPress admin login. Others such as Limit Login Attempts provide just this specific function. If a user has entered the wrong username / password combination too many times, they will be prevented from accessing the login panel for a set period of time based on either their IP address or the username being used. If somebody is trying to access the admin login panel with usernames which are not in use by the system, they can be prevented from trying again. You can also prevent people from attempting the password recovery process, which will add another preventative measure to the overall system security. Locking down this method of entry will prevent a huge percentage of hacking attempts. So while I have listed this as the last thing in my list of basic WordPress security tips, I wanted to leave this as the last thing on your mind and possibly the first thing to act on.
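The lockout behaviour described above (too many failed logins from one address within a short time, then a block for a set period) can also be reproduced from the web server’s access log, which is useful both for checking that a plugin is doing its job and for spotting campaigns that stayed under its threshold. The script below is an added example; it is not code from this post, from Wordfence or from Limit Login Attempts. It parses combined-format log lines, treats a `POST` to `/wp-login.php` answered with HTTP 200 as a failed login (WordPress re-renders the form with a 200 on failure and redirects with a 302 on success; used here as a heuristic), and locks an IP out of the login page once it passes `MAX_FAILURES` within `WINDOW`. The threshold, window and lockout length are assumptions, and the log lines are constructed sample data.

```python
"""Detect and throttle wp-login.php brute forcing from access logs (added example, not from the post)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx combined log format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed policy values, in the spirit of the plugins named in the post.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(minutes=20)


def parse_line(line):
    """Return a dict with ip, time, method, path (query string dropped) and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    """Heuristic: a failed WordPress login is a POST to wp-login.php that gets a 200 back."""
    return rec["method"] == "POST" and rec["path"].endswith("/wp-login.php") and rec["status"] == 200


class LoginThrottle:
    """Sliding-window failure counter with per-IP lockout of the login page."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime the lockout expires
        self.events = []                     # (time, ip, "lockout" | "blocked") for alerting

    def observe(self, rec):
        """Feed one parsed request; returns 'allowed', 'lockout' or 'blocked'."""
        ip, now = rec["ip"], rec["time"]
        until = self.locked_until.get(ip)
        if rec["path"].endswith("/wp-login.php") and until is not None and now < until:
            self.events.append((now, ip, "blocked"))
            return "blocked"
        if not is_failed_login(rec):
            return "allowed"
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            q.clear()
            self.events.append((now, ip, "lockout"))
            return "lockout"
        return "allowed"


def analyse(lines):
    """Run every log line through one throttle; returns (throttle, per-line decisions)."""
    throttle = LoginThrottle()
    decisions = [throttle.observe(rec) for rec in map(parse_line, lines) if rec]
    return throttle, decisions


# Constructed sample: one address hammering the form, one legitimate user who typos once.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    throttle, decisions = analyse(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG, decisions):
        print(f"{decision:8} {line[:60]}")
    for when, ip, action in throttle.events:
        print(f"{when.isoformat()} {ip} {action}")
```

On the sample the fifth failure from 203.0.113.7 triggers the lockout, the sixth attempt is blocked, the legitimate user’s single mistake is tolerated, and a request after the lockout has expired is allowed again. Because failures are counted per IP, the same logic applied per username (which the plugins in the post also offer) needs the POST body, so it belongs in the application rather than in log analysis.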
While I have listed some very basic things any user can do to help protect the security and integrity of their WordPress installation, there are many, many more options, including effective use of the “.htaccess” file, file permissions and a lot more available to WordPress users. The things I have listed above are options any WordPress user can implement within a matter of minutes. In a future post I will break down some more advanced methods and tips for securing your WordPress website & server installation.
Webpire Marketing are the leading digital marketing & SEO agency located in Hobart, Tasmania. We offer web design & online marketing services such as SEO, social media marketing & PPC to businesses of all sizes.