Do you think securing your WordPress site is all about installing plugins and setting articulated passwords? Or, even worse, that security is only important for online sellers and bank websites? Then we suggest you keep reading because by the end of this article you will have changed your mind.
Protecting WordPress sites is a much more complex issue than you might imagine and those who have never been the victim of attacks have taken it too lightly.
Being an open-source software, WordPress offers both advantages and disadvantages when it comes to security. If, on the one hand, the source code is constantly controlled by a community of hundreds of developers active in the constant improvement of the program, on the other hand, it should be noted that, by nature, the same code is accessible to attackers who can study its weaknesses.
There’s no denying it: like any other CRM, WordPress is vulnerable to malicious operations that can compromise your site with the purpose of stealing data, distributing malware, or directing your users to third-party pages. That doesn’t mean WordPress is untrustworthy, but it is important to take security seriously by following tested best practices to protect your work and your visitors.
That’s why we created the guide you’re reading right now. Is WordPress reliable? Yes, if used in the right way. In this guide we’re going to explain what it means to protect a WordPress site from malicious attacks in 2022.
Let’s look at your website
Our free video audit will take a look at your website and the UX-design of your website. We will send you a short video with an analysis from one of our talented team-members.
Is WordPress safe?
The question that so many of our customers ask us is whether WordPress is actually safe. Our general answer is undoubtedly yes. However, a look at the statistics regarding the presence of malware and hacker attacks might show otherwise.
Take this data from Sucuri, a company that specializes in website security plans and products. In 2019, 94% of the “cleaning” operations they carried out involved WordPress pages. A trend that continues to grow (in 2018 they were 90%, in 2017 83%), which coincides with the increasing popularity of the CMS.
455 million sites are currently built with WordPress. This figure attracts the interests of hackers, who know they can get the best results by focusing their efforts on the most popular management platform in the world.
To avoid exposing yourself to risks, a great starting point is to follow the maintenance routine you’ll find in this article.
WordPress is an open-source software, so it’s public and accessible to everyone; this often turns errors and faulty scripts into dangerous entry channels to your site. Securing the WordPress CMS you have installed on your webspace is, in a way, equivalent to installing a powerful burglar alarm near the access doors to your digital content. That’s why reinforcing WordPress’ defenses is not an option but a necessity, as well as an unavoidable duty you have towards your users.
How does a WordPress site get hacked in 2022?
Before we begin: hacking is not just a WordPress problem. All sites are vulnerable, but we often hear about attacks on WordPress because it’s on this CRM that over a third of the sites in the world are built.
The most common way to access a site without having credentials is by finding weaknesses in the code.
Your site’s code hides a number of access doors to your data: imagine someone automatically trying to open them, looking for an unlocked one. This is what automated scripts and hackers do with penetration testing operations done through the so-called “live distro” of backtrack, a Linux distribution made to test the vulnerability of servers.
Even in the event that your site’s code turns out to be impenetrable, there are methods to get in. The easiest way is to log in with your permission. You heard that right: it’s not necessarily a brute force operation that causes hacking, often it’s the voluntary installation of a plugin or a theme by the admin that allows third parties to infiltrate.
The developers of plugins or themes are not necessarily security experts and it may happen that vulnerabilities in this type of software compromise the site. In fact, most attacks happen this way: according to Patchstack, between 95% and 98% of attacks on WordPress sites happen because of plugin vulnerabilities.
WordPress is regularly updated precisely to detect these flaws and prevent unwanted access, but many users prefer not to install these updates, thinking that they may damage their site, and remain exposed to attacks.
What are the main dangers on WordPress?
Securing WordPress is a constantly evolving process, not a one-time operation. That’s because, when it comes to online security, managing a website is a bit like the game “guards and thieves”: for every step forward done by the guards, the thieves devise a new attack strategy.
The programmers of the most famous CMS in the world continuously release new updates to improve WordPress and better manage the main threats. The latter are periodically reported by OWASP, an open-source project that was created to increase the security of applications in view of the latest developments in terms of cyberattacks.
Among the most vulnerable elements to keep in mind when we take action to secure WordPress we remember:
- the WordPress authentication page, which is often a victim of “brute force” attacks;
- components and plugins made by third parties;
- temporary files containing CMS access data;
- vulnerable PHP scripts and portions of code;
- the SQL database, which contains all WordPress data;
- storage and management of sensitive data.
Not securing WordPress means welcoming viruses, malware and hackers to your site and giving them carte blanche, with serious and, in some cases, irreversible consequences.
How to secure WordPress
Security, by definition, is risk reduction. It’s very important to always keep this in mind, because securing your WordPress site actually means reducing the danger to an acceptable and therefore manageable level.
Just as it makes sense to install a satellite alarm on a valuable car but not on any average car that’s about to be scrapped, the choice to protect a WordPress site must follow the same principle. In a nutshell, it’s a matter of finding a trade-off between risk and investment.
There are a few basic steps that reduce the risk by 90% and we recommend anyone who really wants to secure their WordPress site to implement them. The basic steps to protect your website and secure WordPress are very simple and can be summarized in five key actions.
1. Make regular backups
The most effective way to protect your work is saving a copy of it at regular intervals on storage units external to your site. Backups can save you in catastrophic situations, allowing you to recover your site’s content even when they have been damaged beyond repair.
Many hosting services include backup services for their clients, but it’s not a good idea to rely completely on your host, as their backup is often only partial.
There are various plugins, free and paid, to automate the backup process. The most widely used is Updraft Plus, which can be programmed to perform periodic backups of your site.
2. Monitor WordPress with a security plugin
Installing a plugin is not enough to ensure the security of a site, but it remains an important action to monitor the status of your site and receive notifications whenever a file is modified by a third party.
The most popular WordPress security plugins are iThemes Security, Sucuri Security and WordFence, which have been developed to track down the presence of malware through regular file scans, block brute force attacks, and remove infected files when detected.
Installing a security plugin is strongly recommended, but it is important to remember that the vulnerability of a site does not depend only on WordPress – the cause could be the hosting service or the computer you work from.
3. Update WordPress and its components regularly
From time to time, themes, plugins, and WordPress itself need to be updated to new versions in order to ensure optimal performance. Updates are often released by developers to fix errors and bugs from previous versions and make WordPress more secure.
It’s common knowledge that automatic WordPress updates can cause some issues due to compatibility with existing elements, but the risks are much greater if you avoid installing the latest version. If you’ve made changes to a WordPress theme, for example, the update will overwrite your code and customizations will be lost. This, however, is not a good reason to ignore updates, which remain essential to keeping your site secure.
4. Add your site to Google Search Console
Google Search Console is a free platform to monitor how Google sees your site and optimize your presence on the search engine. This resource allows you to detect issues related to navigation or usability that may prevent your pages from being indexed.
Google Search Console also provides a complete report on the security status of your site, which includes all the elements that could penalize the positioning of your pages. Among the errors reported are the insertion of malicious URLs or code within the site, the use of misleading advertisements for the user, and the presence of downloadable files that could harm users.
5. Use the HTTPS secure protocol for all communications
When we talk about HyperText Transfer Protocol Secure (HTTPS), we’re referring to the encrypted version of HTTP, which uses SSL/TLS protocols to encrypt digital communications so data can’t be stolen.
As of today, using this kind of protocol is essential, not only to ensure that your customers’ information is kept safe, but also to show new visitors that you take security seriously. Also, since 2017, Google has been penalizing sites that don’t use the HTTPS protocol.
To switch to HTTPS, you must obtain an SSL certificate, which is a digital document issued by a Certificate Authority (CA). The certificate is deposited on the server and is recalled at each visit
Separate sites on different hosting accounts
If you run multiple websites, we recommend assigning them to different hosting accounts and avoiding shared servers. Web pages hosted on the same space are exposed to the same threats as their “neighbors”.
When a virus hits a site and countermeasures are not taken immediately, it can propagate to the server level and damage other domains hosted on the same hosting account. In other cases, however, the infection starts right at the server and spreads to all the pages it contains.
To prevent your sites from infecting each other, create a new profile for one each of them and choose the best hosting according to your needs.
With these actions, you’ll raise a shield on your site, and you’ll be able to intervene in case of attacks. In the next paragraph we’ll see how to reinforce your login pages to avoid unauthorized intrusions.
Protect your WordPress login page
Most threats to WordPress sites originate in the login page: for hackers, in fact, penetrating sites with insecure credentials is child’s play.
Attempts to gain access to login pages are called “brute force” attacks in technical jargon, and consist of an endless series of login attempts with random combinations of name and password. There are more and less refined malware; some – like the botnet that began circulating in November 2020 – are able to attack your chosen site from a different IP address every second, so as to bypass security checks without being blocked.
That’s why you should take countermeasures to strengthen your site, starting with the ones we’re about to suggest. The first two points do not require advanced knowledge and can be implemented by any WordPress user, even novices, while for the others you may need the help of an expert.
1. Choose a username different than the standard “admin”
The first thing you need to do is change the default “admin” account that is created by WordPress at the time of installation. Varying this automatic setting is a simple but crucial first move: the standard username is the first one brute force attacks focus on.
Unfortunately, WordPress doesn’t allow you to change the username, but just install the Easy Username Updater plugin and you’ll be able to do so.
To rename the user, go to the “Users” section of your site’s control panel. Under “Username updater”, search for the admin user you want to edit and change their name.
To reduce the dangers, always assign the right role to your possible collaborators and keep their profiles active only for the necessary time. If you assign a person to work on your company blog, for example, an “author” role will be enough to allow them to write and publish articles. When collaboration ends, delete that user.
2. Use strong passwords
It should be a given rule by now, but we often find that our customers use passwords that are way too simple. The classic “123456” or “hello” can’t give you the right level of security. With a sufficiently complex entry code, however, it becomes much more difficult to force your site.
To be truly effective, a keyword must be ten letters or more and must have:
- at least one uppercase character;
- at least one lowercase character;
- one or more numbers;
- one or more special characters such as ?, ! or €.
If you set a password with these characteristics you have little to worry about. If you want to have different passwords, you can also use an automatic password generator to obtain random text and letter sequences quickly and easily.
Afraid you can’t remember your passwords? Do as we do: use the LastPass software that, even in the free version, allows you to manage your passwords in a simple and secure way.
3. Take advantage of two-factor authentication (2FA)
There are plugins (one of them is WordFence) that allow you to set a double control level to enter the management panel. After entering your login details you will receive a notification that someone is trying to enter the site. To continue, you’ll have to type in the disposable code you received on your smartphone or scan the QR code that appears in a special application, such as Google Authenticator.
With two-factor authentication, you’ll know when someone is using your credentials – a great way to prevent unwanted access.
4. Limit the number of login attempts
With basic WordPress settings, anyone can endlessly attempt to get into the back-end of your site. A brute force attack keeps trying different username and password combinations over and over again, without you even noticing.
5. Install CAPTCHAs
We know, CAPTCHAs are a big hassle, but they are useful as a protection system. The acronym stands for “Completely Automated Public Turing test to tell Computers and Humans Apart,” which is to say, “Completely automated public Turing test to tell machines and humans apart.” To pass the test you have to copy confusing and barely readable strings of text into a box, distinguishable only by the human eye and not by bots.
This is a great level of protection to neutralize malware, which you can enable with plugins like Captcha and Really Simple Captcha.
6. Allow access only to authorized URLs
To raise the guard level even more, make the login page visible only to a list of IPs you trust. A plugin like Restricted Site Access is enough to compile a list of authorized addresses and prevent malware from displaying the login screen to the control panel.
This system is very reliable, however, we don’t feel like recommending it too much because it severely limits your ability to receive third-party support. Imagine that you are on vacation, your site gives an error and neither you nor others can log in to fix the problem.
“Nulled” and unused plugins: a WordPress security risk
WordPress is a completely free software, but improving a site’s performance often requires plugins that are sold separately. Whether it’s to increase sales, improve search engine rankings, or add special features to a theme, premium plugins offer a quick way to boost your site.
For complex sites, such as ecommerce websites offering a large range of products, it can become necessary to install several plugins that work simultaneously. Adding plugins, which are often sold as a monthly or annual subscription, can quickly drive up the cost of running a site. Therefore, you may be tempted to install “nulled” plugins, i.e. pirated copies of official plugins.
Nulled plugins have been circulating for a long time and although they promise to save you hundreds of dollars, we strongly advise you not to use them on your WordPress site. Oftentimes, these plugins are the reason a site gets hacked.
In addition to not being able to be updated, these plugins can contain malware inserted on purpose to steal sensitive data from your site. It’s not possible to know in advance whether a nulled plugin is safe or not, and by the time you realize the damage, it’s too late.
In addition to avoiding the installation of unauthorized plugins, we recommend removing all unused plugins installed on your site. Reducing the number of possible access ports means increasing security (and also the speed of your site, because plugins tend to slow down pages!).
So we suggest to:
- Deactivate plugins you don’t need;
- Remove plugins and themes that are deactivated, because they too can be targets of attacks.
Myths and legends about WordPress security
Among WordPress experts, additional measures to increase security are often discussed. In some cases, these are solutions whose usefulness is not yet clear. More often, however, we are faced with real misconceptions that we want to dispel once and for all.
Does changing URLs to the login page do any good?
Some WordPress professionals believe that changing the web address of the login page could increase a site’s level of protection.
You can, in fact, change the default login page of your WordPress site, (www.yoursite.com/wp-login.php), to a custom link (www.yoursite.com/customname) to hide it from hackers.
With the Rename wp-login.php plugin you can set up a new URL in minutes. Just install the extension and activate it, go to the “Permalink” section under “Settings” in the general menu of the control panel, and:
- select Rename wp-login.php;
- choose a new custom login address, avoiding too generic names such as login, admin or backend, which do not guarantee a good protection;
- click “Apply Changes”.
From this moment on, your login screen will be reachable only from the new address you have configured.
A clarification: at the time of writing, no new versions of the plugin have been released for about two years. Reading reviews, it would seem to still work without problems with newer versions of WordPress, but we always recommend avoiding plugins that haven’t been updated for more than six months.
Alternatively, you can change the login URL by intervening via FTP directly on the functions.php, wp-config.php and .htaccess files, but our advice is to do it only if you think you have the necessary skills.
Another solution is to download the Protect Your Admin extension: it has fewer installations and a lower average review than Rename wp-login.php, but more recent updates.
It is still unclear whether hiding the login page within a custom web address actually leads to an increase in site protection. It’s not a mistake, but it doesn’t represent the ultimate web burglar alarm, either!
Is an SSL certificate sufficient for security?
Adhering to the HTTPS protocol consolidates public trust, but it doesn’t serve to protect you from cyber attacks. The SSL certificate is not a defense system for your data, it only allows you to protect the transmission of information between your site and visitors through encryption.
As you can see, there are several measures to protect your WordPress site effectively. To be safe, however, you should never neglect its proper management.
Get maximum security for your site
As we’ve seen, securing a WordPress site isn’t just a matter of relying on a few plugins and following a couple of YouTube tutorials.
What reduces malware is constant monitoring of your site by experts who can analyze anomalies and alert messages and intervene before it’s too late. Don’t forget that it’s not just you and your online content that’s at risk, but also your users’ sensitive data.
If you are looking for support in managing your WordPress security, let us help you. Get in touch today to discuss how we can help protect your data and make sure your WordPress site is up to date.