4 Most Common WordPress Security Issues (and How to Fix Them)

News flash: if you run a WordPress site, you can get hacked, especially if you don't keep it updated. More than 90,000 attacks against WordPress sites are launched every minute.

Whatever the reason, if you are one of the site owners running outdated WordPress software, you are exposed to attack. Once a criminal gets into your site, your reputation suffers, your SEO work can be undone, and getting the site cleaned up and back online costs money.

To stay safe you need to know which vulnerabilities are out there and which steps, beyond updating, protect you against them. This post covers best practices for improving the security of your WordPress site.

1. Brute Force Attacks and Injections

Out of the box, WordPress does not limit how many times a visitor may attempt to log in, which leaves the platform open to brute force attacks. In a brute force attack a person or, far more often, a bot keeps submitting username and password combinations, against the login form at wp-login.php or the XML-RPC endpoint at xmlrpc.php, until one works.

This form of attack carries two dangers. The direct one is that the attacker hits the right combination and gets into your site. Even if they never do, your hosting provider may suspend your account when it notices the flood of login requests, leaving your site down for a while, damaging your reputation and possibly costing you money.

Strong passwords are the first defence against brute force attacks. Password managers and generators produce long random passwords for you, and WordPress itself shows a strength meter when you set one.

Do not use obvious usernames such as admin. Avoid your real name, your company name, short passwords, dictionary words in any language, and passwords made only of letters or only of digits. Use a different password for every account: brute force tools also replay credentials leaked from other sites.

Recommendation

Another effective measure is to limit the number of failed login attempts allowed from one IP address before it is locked out for a while; three is a reasonable number. Plugins such as WP Limit Login Attempts make this easy.

If you already run Jetpack, its Protect module defends against brute force attacks; all you have to do is enable it. After repeated wrong guesses the offending bot or attacker is blocked from further attempts.
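To show what such a limit looks like under the hood, here is an added example of a small login throttle written as a WordPress plugin. It is not code from the original post, from Jetpack or from WP Limit Login Attempts. It assumes the limits shown (three failures in fifteen minutes), that the site is not behind a reverse proxy (it trusts REMOTE_ADDR only), and that WordPress transients are backed by the database or an object cache.

```php
<?php
/**
 * Plugin Name: Example Login Throttle
 * Description: Added example, not part of the original post. Locks an IP out
 * after a number of failed logins, using WordPress transients as the counter.
 */

// Assumed limits: 3 failures within 15 minutes lock the IP for 15 minutes.
const ELT_MAX_FAILURES = 3;
const ELT_WINDOW       = 15 * MINUTE_IN_SECONDS;

/**
 * Client IP. Only REMOTE_ADDR is trusted: X-Forwarded-For can be forged by the
 * client unless a proxy you control is known to overwrite it.
 */
function elt_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

// md5 keeps the transient name short and free of ':' from IPv6 addresses.
function elt_key( $ip ) {
    return 'elt_fail_' . md5( $ip );
}

// Count every failed attempt (wp-login.php and xmlrpc.php both end up here).
// set_transient() renews the expiry, so the window runs from the last failure.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = elt_key( elt_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, ELT_WINDOW );
} );

// Refuse to check the password at all once the IP is locked out. Core checks
// the credentials at priority 20, so priority 30 lets us override its result.
// The error we return fires wp_login_failed again, which keeps the lockout
// alive for as long as the attacker keeps hammering.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( elt_key( elt_client_ip() ) );
    if ( $count >= ELT_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( elt_key( elt_client_ip() ) );
}, 10, 2 );
```

Drop the file into wp-content/plugins/ and activate it. A per-IP counter is deliberately weak against a distributed attack that spreads guesses over thousands of addresses; it stops the noisy single-source bots, which is most of the traffic, and strong, unique passwords remain the real defence.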

2. Accessing Sensitive Files

Attackers frequently target the PHP code of a WordPress site to reach its files, typically through vulnerable, outdated or tampered themes and plugins.

Once an attacker has a foothold in the backend of your site there is no limit to the damage, up to and including encrypting your files so that you cannot use them until you pay. If that sounds familiar, it is the malware known as ransomware.

Avoid cheap or “free” hosting

Hackers love people who use ultra-cheap or free web hosting (and be wary of "unlimited" hosting plans; there is no such thing). These companies tend to have weak security, may even collect and sell your data themselves, and make up for the low headline price by charging extra for everything else.

That could be $80 for an SSL certificate, $30 for basic privacy protection, or $30 for domain registration at almost twice the going rate. Add it up and you pay around $140 a year extra for things a legitimate host includes for free.

These companies occupy the low end of the shared hosting market: they pack a lot of websites onto the same server, where they compete for computing resources. You end up in a poor IP neighbourhood alongside spammers who tarnish your site by association, get you looked on with disdain by Google, and make an SEO strategy hard to execute.

Having said all that, if money is tight there are a handful of inexpensive web hosts worth checking out. Don't expect all the bells and whistles, but you will get a legitimate online presence and a functional website. You can upgrade to one of the best web hosts as traffic and sales grow.

Recommendation

Whatever your host, the measure that limits the damage from an attacker reaching your files is a backup of your database and files, taken whenever something changes; a plugin can automate this. The measure that prevents the break-in in the first place is keeping the WordPress core code on its latest version: minor WordPress releases frequently carry security fixes.

Look for the update reminders in the dashboard. You can't miss them.
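Updating keeps known holes closed, but it does not tell you whether someone already got in and altered core files. The following added example (not code from the original post or from WordPress itself) performs the same check as the WP-CLI command wp core verify-checksums: it fetches the MD5 checksums that wordpress.org publishes for the installed release and reports core files that are modified, missing or unexpected. It assumes it is run from the site root with php verify-core.php, that outbound HTTPS is allowed, and that the en_US core package is installed.

```php
<?php
/**
 * verify-core.php: added example, not part of the original post.
 * Compares the installed WordPress core files with the MD5 checksums that
 * wordpress.org publishes per release and lists modified, missing and
 * unexpected files. Run from the site root: php verify-core.php
 */

$root = getcwd();
if ( ! is_file( "$root/wp-includes/version.php" ) ) {
    fwrite( STDERR, "Run this from the WordPress root directory.\n" );
    exit( 2 );
}
require "$root/wp-includes/version.php"; // only defines $wp_version etc., no bootstrap

$locale = 'en_US'; // assumption: change to match the installed language pack
$url    = sprintf(
    'https://api.wordpress.org/core/checksums/1.0/?version=%s&locale=%s',
    rawurlencode( $wp_version ),
    rawurlencode( $locale )
);
$body = @file_get_contents( $url );
$data = ( $body === false ) ? null : json_decode( $body, true );
if ( empty( $data['checksums'] ) ) {
    fwrite( STDERR, "No checksums available for WordPress $wp_version ($locale).\n" );
    exit( 2 );
}

$findings = [];

// 1. Every core file must exist and match its published hash.
//    readme.html and license.txt are often removed on purpose; a MISSING
//    entry for those is expected, a MODIFIED one is not.
foreach ( $data['checksums'] as $file => $md5 ) {
    if ( strpos( $file, 'wp-content/' ) === 0 ) {
        continue; // bundled themes and plugins live here and are legitimately changed
    }
    $path = "$root/$file";
    if ( ! is_file( $path ) ) {
        $findings[] = "MISSING    $file";
    } elseif ( md5_file( $path ) !== $md5 ) {
        $findings[] = "MODIFIED   $file";
    }
}

// 2. Files in wp-admin/ and wp-includes/ that are not part of the release are
//    suspicious: these directories are a favourite place to drop backdoors.
foreach ( [ 'wp-admin', 'wp-includes' ] as $dir ) {
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( "$root/$dir", FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $info ) {
        $rel = substr( $info->getPathname(), strlen( $root ) + 1 );
        if ( ! isset( $data['checksums'][ $rel ] ) ) {
            $findings[] = "UNEXPECTED $rel";
        }
    }
}

if ( $findings ) {
    echo implode( "\n", $findings ), "\n";
    exit( 1 ); // non-zero exit so a cron job or monitoring notices
}
echo "Core files match WordPress $wp_version.\n";
```

Run it from cron and alert on a non-zero exit. It only covers core: themes, plugins and wp-config.php have no published checksums, so those still need a backup to diff against or a file integrity monitor such as the ones in the security plugins listed later in this post.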

3. Malware

Another security issue you may face is malware: malicious code planted on your site that gives attackers continued access or turns the site against its visitors. WordPress sites are commonly hit by malicious redirects, backdoors, drive-by downloads and pharma hacks (spam pages and links injected into your content).

Here are some ideas to combat malware.

Update every part of your site as soon as updates are available. We said this already, and it bears repeating: it means WordPress itself as well as every theme and plugin you have installed. The older the software, the more likely a known vulnerability in it is already being exploited.

You have probably seen WordPress offer security updates. In most cases they close vulnerabilities that attackers are already exploiting. Thankfully, updating your site is quick and simple.

Create regular backups of your WordPress site. A backup is a copy of the files and the database (settings, posts, users) that make up your site. After a compromise you can restore from it to a clean state. If your site is hit by ransomware and you have no backup, your data is gone unless you give in to the attackers' demands and pay. Keep the backups off the web server itself, so that an attacker who controls the server cannot delete or encrypt them too.

With a backup you simply restore the saved version and carry on. Even if you lose a day or two of data because the backup is a little old, that is nowhere near as bad as starting over from square one. Keep several generations, though: a backup taken after the break-in restores the attacker's backdoor along with your content.

Install security plugins: they do everything from scanning for malware to creating automatic backups and putting a firewall in front of your site. In short, a good idea. A very good idea.

Three of the best Security Plug-ins

  1. Sucuri Security – The free plugin offers file integrity monitoring, blacklist monitoring, security notifications and security hardening. The website firewall and more frequent scans are part of the paid service.
  2. iThemes Security – Probably the simplest security plugin to use, while still offering over 30 ways to secure and protect your website.
  3. Wordfence Security – Another great plugin, with a ready-made firewall, a security scanner and live traffic monitoring among other tools. It also comes with a central management tool that lets you monitor multiple sites in one place.

Get rid of insecure content: Without the padlock in the browser address bar, your page is telling visitors and attackers alike that it loads insecure or mixed content, and browsers will warn visitors that the site is not secure. Mixed content occurs when the HTML is loaded over HTTPS while some resources (images, scripts, stylesheets) are still requested over plain HTTP. Anyone on the network path can tamper with those resources, which is why modern browsers block active mixed content such as scripts outright.

Use SSL: SSL stands for Secure Sockets Layer; its modern successor is TLS, but the name has stuck. It is the standard protocol for establishing an encrypted, authenticated connection between a web server and a browser. Every site should use it, on every page, not only on the login and checkout pages.
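The two points above, forcing HTTPS and cleaning up mixed content, can both be handled from a small plugin. The following is an added example written for this post; it is not code from the original article, nor from Really Simple SSL, which solves the same problem with far more cases covered. It assumes the site already has a valid certificate, that every host referenced in post content also serves HTTPS (otherwise a rewritten image simply fails to load), and that TLS is terminated by the web server itself; the wp-config.php line in the comment covers the proxy case.

```php
<?php
/**
 * Plugin Name: Example Force HTTPS
 * Description: Added example, not part of the original post. Redirects HTTP to
 * HTTPS, sends an HSTS header, and rewrites http:// sub-resource URLs in post
 * content so pages no longer contain mixed content.
 *
 * Behind a proxy or CDN that terminates TLS (NGINX, CloudFront, CloudFlare)
 * is_ssl() sees plain HTTP and this plugin would redirect forever. In that
 * setup add the following to wp-config.php before the redirect can work:
 *   if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
 *        && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
 *       $_SERVER['HTTPS'] = 'on';
 *   }
 * Only do that when your proxy is known to overwrite the header; a client can
 * otherwise send it directly and skip the redirect.
 */

// 1. Redirect any plain-HTTP request to the HTTPS version of the same URL.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    // Build the target from the configured home URL, not the Host header, so an
    // attacker-supplied Host cannot turn this into an open redirect.
    $host   = wp_parse_url( home_url(), PHP_URL_HOST );
    $target = 'https://' . $host . $_SERVER['REQUEST_URI'];
    wp_safe_redirect( $target, 301 ); // permanent, so browsers remember it
    exit;
} );

// 2. HSTS: once a browser has seen this header over HTTPS it will not try
//    plain HTTP for this host again for a year. Only send it over HTTPS.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000' );
    }
} );

// 3. Mixed content comes from sub-resource loads (src, srcset, poster), not
//    from links, so href is deliberately left alone: an http:// link is not
//    mixed content. Protocol-relative and https:// URLs are untouched.
function efh_rewrite_insecure_urls( $html ) {
    return preg_replace_callback(
        '#\b(src|srcset|poster)=(["\'])([^"\']*)\2#i',
        function ( $m ) {
            return $m[1] . '=' . $m[2]
                 . str_ireplace( 'http://', 'https://', $m[3] ) . $m[2];
        },
        $html
    );
}
add_filter( 'the_content', 'efh_rewrite_insecure_urls', 20 );
```

The rewrite only fixes what the_content filter sees: hard-coded http:// URLs in theme templates, widgets, inline CSS and the database options siteurl and home are not covered, so after enabling it, open the browser console on a few pages and look for remaining mixed content warnings.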

4. DDOS Attack

A Distributed Denial of Service attack floods your server with requests from many machines around the world in order to slow it down or crash it. Every year businesses lose millions of dollars to the downtime and lost sales this style of attack causes.

Protecting a WordPress site from a DDoS attack is difficult. Much of it depends on your hosting company (or a CDN placed in front of the site) absorbing and filtering the flood before it reaches your web server.

Live traffic monitoring plugins such as Wordfence help you see an attack and block abusive sources once it starts, but a plugin runs inside WordPress and only acts after PHP has already handled each request, so on its own it cannot stop a large volumetric attack. On WordPress the most common application-level flood is repeated login attempts, which is one more reason to rate-limit logins. Temporarily moving the site to a new address, for instance behind a CDN, takes it out of the line of fire and buys time to block the source ranges responsible.

Final Thoughts

Protecting your site from WordPress security vulnerabilities is not something to take lightly. The software itself is a solid, proven foundation, but it is up to you to apply updates, choose a secure host and use strong passwords.

Since the flat-out, 100% secure website platform has yet to be invented, and likely never will, you’re going to have to roll up your sleeves and administer the “oil change” and “tuneup” that keeps your site purring along for years to come.

Sam Bocetta is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography.
