We’re living in a dangerous online world, where hackers, vulnerabilities, malware, and phishing alike scary words keep flooding us.
According to the October 2017 WordPress Attack Report released by Wordfence, a total of 123,277 IPs were added to the blacklist during October; among the top 25 attacking IPs, brute force attacks made up 95 percent of total attacks.
Fortunately, there are numerous ways available to help WordPress site owners to stay vigilant about their site security and keep their sites safe.
A Brief Look At WordPress Security Situation
People tend to put the cause of so many online threats and cyberattacks down to the inherent security weakness of WordPrss itself.
However, it’s unfair. The security team behind WordPress keep working hard to eliminate any vulnerability discovered within the WordPress core and consistently release core updates that includes security patches. It is estimated that more than two thousand security vulnerabilities have been patched since the initial WordPress version.
In order to apply all security patches available, you’re recommended to update WordPress core as soon as possible, automatically or manually.
When your WordPress site is targeted?
Typically, hackers attack a site for either money or hacktivism. It doesn’t mean that your fresh WordPress site is not a target for hackers. The fact is, all websites, regardless of the rich content or nothing on it, high traffic or little, are at risk of cyberattacks.
With WordPress itself remaining increasing to the most popular content management platform on the web, it is naturally a large bullseye on the back of the CMS and becoming a favorite target for hackers.
How hackers compromise your WordPress site?
According to statistics offered by WP Template, 41% of WordPress websites get hacked via vulnerabilities in their hosting platform, 29% by means of an insecure theme, 22% through a vulnerable plugin, and 8% result from a weak passwords.
Among so many hacking attacks each year, almost all are done automatically. And this is why hackers are found not to differentiate between WordPress sites of different sizes.
By using bots or hackbots to automatically and systematically sniff out known vulnerabilities, hackers attack hundreds of thousands of sites simultaneously. So, if your WordPress site gets hacked, it’s probably because of the security hole of the site that popped up on the radar of an automated script.
Some most commonly exploited and potential WordPress vulnerabilities including:
- Cross Site Scripting (XSS)
- SQL Injection (SQLI)
- Cross-site Request Forgery (CSRF)
- Brute Force
- Distributed Denial of Service (DDoS)
- Authentication Bypass
- Local File Inclusion (LFI)
Besides the above, there are many other causes to a hacked WordPress site, such as human error. And often, multiple vulnerabilities are exploited at the same time.
Best WordPress Security Practices
As you can see there are probably a lot more security holes than you ever thought. They are constantly popping up which means you are always at risk of being attacked or hacked. You can never prevent things from happening 100% of the time, the best thing you can do is implement the best security practices to protect yourself.
1.Keep WordPress, Themes and Plugins Up to Date
Always ensure you’re running the latest version of WordPress as well as all of your themes and plugins. Developers regularly launch updates along with patches included for the web applications. In order to avoid opening yourself up to potential vulnerabilities, because hackers always tend to target older versions, you should keep everything updated. For unused themes and plugins that could be potential backdoors, deactivate and remove them as soon as possible.
You might don’t want to update your WordPress, themes and plugins manually by yourself, you can consider leveraging an automated tool from a hosting provider. For example, Bisend includes the most popular Plesk Onyx in every hosting plan, enabling customers to easily switch on or off automatic integration of new WordPress installations, including updating themes and plugins in simple clicks.
There are also additional and recommended edits you can make to your WordPress installations to improve your WordPress site’s security. For example, hide the WordPress version number by adding the following line to your theme’s functions.php file:
and, remove WordPress references from your theme files like this:
2.Back Up Your WordPress Site Regularly
No matter how secure your WordPress site is, there is always room for improvements. Making regular backups of the site, including the data and files, is always recommended and necessary.
Additionally, you’d better schedule backups to prevent a lapse in archives that are available in case you need to restore your WordPress site. You can manually backup your WordPress site, or, you can do it with the help of a backup plugin. There are some great WordPress plugins can let you have a full working copy of your site so that you can roll back to after experiencing any issues.
Also, don’t forget to test where your backups work well and include everything that was meant to be backed up.
3.Use SSL to Encrypt Data
Since Google started labeling all HTTP pages as non-secure in January of 2017, many WordPress site owners were considering acquiring the necessary SSL/TLS certificates and setup HTTPS on their WordPress Hosting servers for improving security and privacy on the web.
Unfortunately, there are still a number of people refusing to run over an HTTPS connection for the reason that they’re running a blog or informational site and there is nothing need to be secured. Apparently, they ignore the importance of their login credentials. And if a WordPress site has more than one authors logging in from all sorts of different networks, running over a secured connection is the best way to harden the WordPress security. By the way, even for the sake of SEO advantages of HTTPS and performance benefits of HTTP/2, switching from HTTP to HTTPS is worth trying.
If you’re worrying about the cost of a premium SSL certificate, you can start from a free option, which can offer equivalent protection to paid domain validated solutions and be trusted by 99.9% of browsers and devices. In the case of Bisend web hosting, every customer can enable a free Let’s Encrypt SSL Certificate for their WordPress site in seconds using Plesk Onyx. As needs grows, they can upgrade to a high level OV or EV SSL Certificate by purchasing it at SSL Certificate store with cost-effective price.
4.Protect the wp-config.php File
All your key configuration information of your site are saved in the wp-config.php file. No wonder it’s of significant importance to protect it from hackers as much as possible. To secure this file, there are a few steps you need to go through:
1)Generate new secret keys.
After the installation of WordPress, system will write four secret keys to your wp-config.php file which are used to encrypt the information stored in cookies to make the password hard to be cracked.
As long as you reset your passwords and make sure your WordPress site is clean of any backdoor exploits and the like, your site can be safe from hackers once again.
You can generate a new set of security keys using the WordPress Security Key Generator . Go with this URL and copy the entire output and paste it straight into your wp-config.php file, replacing the old keys.
The wp-config.php file by default sits inside the root folder of your WordPress site. In other words, it can be easily found inside your public HTML folder and accessible to crackers via a browser. The good news is, WordPress allows you to move the wp-config.php file away from its default location to make it difficult to be located.
Generally, there are two ways to move the wp-config.php file. If you rest assured that your WordPress site is located in the root rather than a sub-directory, you can choose to move it one directory up on condition that there is no file already there with the same name. Another way is to move it anywhere you want, but you need to create a new file with the same name and with the code below in its original location:
Also, change /path/to/wp-config.php to the actual path of your wp-config.php file, where you ever move it.
5.Use Strong Password
Believe it or not, weak passwords has become one of the most common causes to WordPress site security issues. So, choosing a complex password that consists of letters, numbers and characters is always recommended.
There are some rules you’d better keep in mind when creating a password:
- Avoid using a password that’s similar to your site name or username
- Change your password regularly
- Don’t reuse passwords;
- Use 2-factor authentication
- Limit login attempts
- Only update your site from trusted networks
6.Secure Your WordPress Database
All of your WordPress site’s data and information is stored in the database. Taking care of it is just crucial.
First and foremost, use a different table prefix. WordPress uses wp- table prefix by default, which is prone to SQL injection attacks. You can prevent your WordPress site by changing wp- to something like x3sdf- so that intruders will be less possible to guess it. Even when you have installed WordPress site with the default prefix, you can change it in the help of a WordPress plugin as iThemes Security.
Secondly, set strong names and passwords for your database. Don’t worry about too complex to remember since you can check the details in wp-config.php file if you forgest them.
Thirdly, segregate your WordPress databases. This is especially useful when you have multiple WordPress sites on the same hosting server account. You’re prone to create all sites in the same database for convenience, but that could create a WordPress security risk too. Think the case that when one of your WordPress site get hacked, then all others are at severe risks of hacking. If you plan to build multiple WordPress sites under the same roof, don’t bother to create a new database with different name and password.
Fourthly, restrict file permissions. By default, WordPress grants administrators the right to edit PHP files. This, on the other side, leaves a security hole for hackers to login to your WordPress site and then edit the files to suit their malicious needs. Therefore, my recommendation is to disable file editing for WordPress administrators once you finish developing the site and get it online.
XML-RPC enables an application to remotely connect to WordPress via an API. Using a mobile application to update your site is a use case of XML-RPC. It gives hackers an opportunity to launch DDoS attacks alongside the great convenience it comes with.
You should disable XML-RPC if you are sure that you don’t have any WordPress plugins or other third-party applications using your WordPress site via XML-RPC.
8.Disable PHP Error Reporting
Error reporting plays the role of life-saver when you’re developing a WordPress site. Because of it, you can know exactly where an error is coming from and fix it immediately.
However, when your WordPress site gets live, error reporting can give hackers clues to your server path.
See? The above error displays the website’s username and this is crucial information for hackers who are looking to attack your hosting account.
To disable PHP error reporting, add the following code to your wp-config.php file:
9.Install A Firewall
A Web Application Firewall (WAF) can help keep hackers from getting near your WordPress site. You might feel perplexed about so many WAF firewalls available and lose your confidence to select the most reliable solution. According to may test, I strongly recommend CloudFlare, which is more than just a web application firewall, but also a content delivery network (CDN) that takes advantages of web server technology, network routing and hardware to protect and accelerate your WordPress site.
10.Migrate To A Secure Hosting Plan
When you have done all above measures to secure your WordPress site but disappointedly find that it is still in high risk level, it’s time to consider changing your hosting provider, after all security vulnerabilities on the hosting platform have caused nearly 41% of hacked sites.
Choosing a secure hosting plan is not as difficult as you think. Take special care to the following features you can find the best solution for your WordPress site:
- Support for the latest PHP and MySQL versions
- Daily backups
- Web Application Firewall
- Intrusion detecting system
- Proactive updates and patches
- Free SSL Certificate
- Regular server and network monitoring
Bisend, for instance, provides almost all of the security features and go further to include FTP over HTTPS, 301 URL rewrite, hotlink protection, SSD RAID 10 storage, and a set of standard security settings with the Plesk Onyx to protect your WordPress site from malicious attacks and prevent loss of sensitive data. Visit www.bisend.com to find more details.