Is your WordPress website secure?

A question frequently linked with WordPress is its security.

There's a common misconception that WordPress is not secure, which simply isn't correct. WordPress itself is a solid and secure platform, but being the most widely used CMS platform across the globe naturally makes it a more popular target for attacks.

The biggest risks and vulnerabilities affecting WordPress often stem from poor practices and a lack of understanding of website security in general. Due to its ease of use and flexibility, WordPress is often used as a 'DIY solution', which can leave the website open to attacks if the appropriate security steps aren't in place.

There are many ways in which a potential attacker could exploit a website's vulnerabilities. Below are some of the most important ways to help protect your WordPress website.

Updates

When updates become available, it is usually because a batch of bug fixes and/or improvements has been approved and merged into the official code base. These updates are essential to keeping your WordPress website secure. Outdated code is one of the most common vulnerabilities in WordPress security, and by not keeping WordPress (including its themes and plugins) up to date, you run the risk of being exploited through a flaw that has already been publicly fixed. Reports show that 6% of infected WordPress sites are out of date.

Hosting

Hosting is the server on which your website is located, and it plays the most important role in the security of your website, so ensure you are using a highly recommended host. 20i, WPEngine, Bluehost and Fasthosts are some of the most stable and secure solutions available. To remain secure, the server must be constantly monitored for problems and protected from harmful activity. A high-quality host will not only protect your website from remote attackers, but also from other websites on the same server, if you are using a shared hosting package.

SSL certificates and HTTPS

SSL (Secure Sockets Layer) is a security protocol that encrypts data transferred between the server and the browser, symbolised by the padlock next to your website's URL in the address bar (the protocol in use today is its successor, TLS, although the term "SSL certificate" has stuck). Initially considered essential for e-commerce stores only, SSL certificates are now used broadly across all websites. Most quality hosting providers now offer SSL certificates as part of certain hosting packages.

Security plugins

Alongside keeping WordPress up to date, adding an additional layer of protection with a security plugin will give extra peace of mind. Attackers use various techniques, besides targeting code vulnerabilities, to gain access to your website. One of the most common is the brute force attack: attempting hundreds or thousands of passwords in succession until the correct one is found.

A high-quality security plugin, such as Sucuri or Wordfence, will protect against this (and many other techniques) by limiting the number of login attempts allowed in quick succession. They also provide built-in malware scanners that monitor the website's files for any unusual or malicious code.
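As an added example (not code from the original post, nor from any of the plugins named above), here is a small Python script that applies the same idea from the detection side: it reads web-server access log lines and flags any IP that makes repeated failed login POSTs to wp-login.php within a short window, which is what a login-limiting plugin reacts to. The log lines are constructed samples; the threshold, the window, the assumption that lines arrive in time order, and the heuristic that a 200 response to a POST means the login form was re-shown (a failed attempt) while a 302 means success are all assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/Nginx "combined" log line, e.g.
# 203.0.113.5 - - [10/Mar/2024:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path").split("?")[0],   # drop ?redirect_to=... etc.
            "status": int(m.group("status"))}

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: max_failed_attempts_in_window} for IPs that made at least
    `threshold` failed login POSTs to /wp-login.php within any sliding window
    of `window_seconds`. Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        # Assumption: WordPress re-renders the login form (HTTP 200) on a failed
        # login and redirects (HTTP 302) on success, so only 200s count as failures.
        if rec["status"] != 200:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()               # forget attempts older than the window
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

# Constructed sample log: one real user who mistypes once, then logs in (302),
# and one address hammering the login form six times in twenty seconds.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2024:12:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3100',
    '198.51.100.7 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '198.51.100.7 - - [10/Mar/2024:12:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.5 - - [10/Mar/2024:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.5 - - [10/Mar/2024:12:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.5 - - [10/Mar/2024:12:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.5 - - [10/Mar/2024:12:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.5 - - [10/Mar/2024:12:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.5 - - [10/Mar/2024:12:01:20 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3120',
    'not a log line',   # malformed input is skipped, not fatal
]

if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed login attempts within 60s")
```

Run against a real log with `detect_bruteforce(open("access.log"))`; a plugin that limits login attempts is doing this same counting live, on the server, and blocking the address once the threshold is hit.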

Admin access and secure passwords

Your admin account provides full, unrestricted access to your website, and should therefore be reserved only for those who need that level of access. Any other user who needs access to the website, for example to update content, should be given a lower-level account, such as an "editor" role. It's also good practice to ensure your admin account username is not "admin".

As with any service that has user accounts, the accounts themselves are a potential point of weakness. Weak passwords are the number one reason why so many accounts get hacked. You can have all the best security measures in place, but a weak password puts your website at huge risk, regardless of the platform.

Amazingly, the most commonly used (and most frequently compromised) passwords are still '123456', '123456789' and '12345', according to NordPass. Attackers use automated cracking tools, which make simple passwords incredibly easy to crack (the passwords listed above take less than 1 second). Once an attacker gains access to an admin account, they have full access to your website.

Plugins

Plugins play a significant part in WordPress websites, particularly on sites built as a DIY project. While plugins are a quick and easy way to add functionality to your website, it's important to keep them to a minimum where possible, and to use only well-established plugins that have positive reviews and are updated regularly.

The more plugins you have, the higher the risk of compromising the security of your website. According to a 2020 report by WPScan, 52% of WordPress vulnerabilities came from WordPress plugins.

Another vulnerability to be aware of is the use of plugins that require direct access to your site, database or files. Several management plugins, such as ManageWP, do this to make maintaining your website easier, but they also create a major security risk to your site and database, since a compromise of that service or its credentials becomes a compromise of every site it manages.

If you need help with making your website more secure, get in touch.
