WordPress Security: What You Need to Know
The famed bank robber Willie Sutton was asked why he robbed banks. Simple, he answered. “That’s where the money is.”
The same logic applies to hackers and WordPress, the content management system that hosts about a third of all websites on the web…possibly even yours. Why do hackers go after WordPress? Simple, that’s where the users are.
A recent study revealed that around 70% of all WP websites are vulnerable to some kind of hacking, and it’s not just the Goliaths like Robinhood that are being targeted. Roughly 40% of all attacks have been directed at small and medium websites.
But there are measures you can take to turn the odds in your favor. In this fight, you don’t have to cower in fear that a nefarious (and possibly state-sponsored) hacker will ruin the business you’ve spent years building. With some planning, some caution, and some common sense, you can reduce your risk and rest a bit easier.
In the olden days, hackers used neat tricks like toy whistles to breach the networks of powerful corporations. Then came viruses, worms, and Trojans (remember LoveLetter?). Today we live in a far different world, one where malware doesn’t just wreck your hard drive as an act of cyber vandalism but can also drain your bank account via vicious ransomware attacks (aka cybercrime).
Malware and ransomware can infiltrate websites in numerous ways, such as malicious links planted in LiveChat or in comment sections (which has happened on WordPress sites).
In a brute force hack, the power of modern computing can generate billions of password and username guesses in minutes to break into websites. A more recent hack involves a point of sale (PoS) RAT (remote access trojan) called Moker that can elude detection and is difficult to remove.
Once inside, hackers can access private information, compromise files, and steal valuable data that can damage your brand and people’s livelihoods. Getting rid of malware or a virus can be expensive and time-consuming unless you confront the threat head-on.
Update, Update, Update
This should be the first step and is the easiest to take, but sadly not all WP users heed this advice. A recent survey by Kinsta found that 55% of hacked websites had outdated versions of plugins, themes, or the CMS itself. If you’re on a managed host, these updates will come automatically, but if you’re not, you’ll need to get into your admin panel and follow the update prompts (this also works for plugins and themes).
The latest version of WP is v5.7, but before you do a “core” update, you’ll need to back up your site first, so you can restore it if the update causes functionality issues.
While you’re at it, you need to make sure that you’re also running the latest version of PHP, the language WP is written in. Half of all WP websites are using versions of PHP that no longer receive patches for known security issues. The latest version of PHP is 7.3 and you should make sure you have it.
Clean Up, Clean Up
Barney the Dinosaur was right: everyone needs to clean up, and in this case, you need to make sure you toss out (i.e. delete) any WP plugins that you’re not using anymore. Just because a plugin is deactivated doesn’t mean hackers can’t penetrate your site through its code, which is still sitting on your server. If you aren’t using a plugin anymore, out it goes! This is easily done from the admin dashboard.
Speaking of Plugins
Out with the old (literally), and in with the new. So goes an adage that will tighten your WP security. WP has a plethora of security-related plugins that will off-load much of the vigilance you need these days to avoid malware and the like. Here are some to consider:
Sucuri: a cloud-based security platform that keeps out the bad traffic before it can infect your site, and it also protects against a brute force attack and offers a DNS firewall to keep end-users away from malicious sites. There is a free version as well as a paid version.
Wordfence: a free WP plugin that constantly scans your website for malware signatures, while blocking requests from malicious code. There is a paid version, too, that offers more enhanced security features.
WPScan: relies on its database of 21,000 known threats to scan your website for any potential issues. You can get an email notification if the system finds anything. It also scans for weak passwords and backup files.
“Password” Is Not a Password
When it comes to user names and passwords, whatever you come up with yourself is probably not going to cut the mustard. It’s best to follow best practices and let a password manager handle this task. Brute force attacks can easily crack a password that isn’t a long string of numbers, letters, and symbols. You’ll never remember 24 odd characters strung together, and you don’t have to. The most secure systems also demand frequent password changes, and without a manager you can find yourself drowning in unintelligible gibberish.
While you’re at it, limit the number of times a user can try to log in. WP has a plugin called Limit Login Attempts that caps failed attempts at three and then blocks the user for twenty minutes.
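To show what that lockout rule looks like under the hood, here is an added example written for this article; it is not the Limit Login Attempts plugin’s own code. It uses only core WordPress hooks and transients, assumes the site is not behind a reverse proxy (so `REMOTE_ADDR` is the visitor’s address), and the `ELT_` names and `elt_` prefix are made up for the example.

```php
<?php
/**
 * Plugin Name: Example Login Throttle
 * Added example (not the Limit Login Attempts plugin): three failed logins
 * from one address block further attempts for twenty minutes.
 * Place this file in wp-content/mu-plugins/ to load it on every request.
 */

const ELT_MAX_FAILURES    = 3;       // failures allowed before blocking
const ELT_LOCKOUT_SECONDS = 20 * 60; // block duration: twenty minutes

// Key the counter by client IP so one visitor cannot lock out every account.
// Assumption: no reverse proxy, so REMOTE_ADDR is the real client address.
function elt_transient_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'elt_fail_' . md5($ip);
}

// Count each failed login. The transient expires on its own after the
// lockout window, so no cron job or cleanup table is needed.
add_action('wp_login_failed', function ($username): void {
    $key   = elt_transient_key();
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, ELT_LOCKOUT_SECONDS);
    if ($fails >= ELT_MAX_FAILURES) {
        // Leave an audit trail in the PHP error log for incident review.
        error_log(sprintf('elt: lockout for %s after %d failures (user "%s")',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $fails, $username));
    }
});

// Refuse to authenticate while the counter is at or above the limit.
// Priority 30 runs after core's username/password checks (priority 20),
// so the lockout error is what the visitor sees even with a correct password.
// A rejected attempt during the lockout also fires wp_login_failed above,
// which restarts the twenty-minute window.
add_filter('authenticate', function ($user, $username) {
    $fails = (int) get_transient(elt_transient_key());
    if ($fails >= ELT_MAX_FAILURES) {
        return new WP_Error(
            'elt_locked_out',
            'Too many failed logins from this address. Try again in twenty minutes.'
        );
    }
    return $user;
}, 30, 2);
```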
Every open form on your WP site is a potential hole that a hacker can crawl through, and they don’t need much space. Moderating every comment by hand before it appears on your site quickly becomes overwhelming, but spam-laden comments are one of the hallmarks of WP, and you want to purge them from your world. A plugin like Akismet can do this onerous job for you and keep suspicious links and phishers out of your site.
Doing nothing isn’t an option, not with malware attacks becoming integral to national security concerns. Being a small or mid-sized company doesn’t give you a hall pass. Hackers don’t care, they just want in. We’ll be glad to help you devise a strategy to keep them out and keep your WP site operating at peak performance.