Updated 12/10/18. Please note: this article contains affiliate links for businesses I use and love.
But when it comes to popularity on the internet, there are often consequences. Because of its widespread use, WordPress has become a favorite target for hackers and attackers.
Did you know:
Many of these hackers use bots to automate the process of sniffing out vulnerabilities from your site. With this in mind, an attack isn’t necessarily personal, which is why even the smallest, under-the-radar websites get hacked. Once their bots find a viable entry point, hackers jump in and take advantage. If you’d like to learn more about ways cybersecurity works and how websites can be hacked, consider taking cybersecurity courses to gain a deeper knowledge on the subject.
Before going through the comprehensive WordPress security checklist I’ve put together to help you safeguard your website from the worst possibilities, let’s take a deeper look into some common WordPress security issues.
Jump Ahead to a Specific Section:
What Hackers Can Do to your WordPress Website
According to the 2017 Cybersecurity Report by ISACA, 53% of enterprises experienced more attacks this year than the year prior. This is supported by research from Symantec, who found that ransomware attacks increased by 37% in 2017.
Here are some of the most popular reasons (and resulting impacts) for hacker activity on a website:
WordPress Security Checklist: How to Protect Against WordPress Security Issues
Some of the weakest points of a website include passwords, input fields (like forms), comments, and payment gateways; WordPress database, core, themes and plugins, and even your WordPress hosting server.
This WordPress security checklist will help you to build protection for these weak points.
#1: Use a WordPress Security Plugin
If you aren’t terribly techy, you may want to outsource your major WordPress security needs to a security plugin.
73.2% of the most popular WordPress installations that are vulnerable can be detected using free automated tools. There are several plugins — like Wordfence, Sucuri, and Defender — that offer functionality that includes scanning for vulnerabilities, blocking security threats and malicious networks, implementing a firewall, and monitoring DNS changes.
Upon discovering these vulnerabilities, cleaning the website is the next task. Although some of the aforementioned security services offer cleaning services, the wait for external security personnel to clean your website can certainly be excruciating. MalCare Security Plugin is an automatic cleaner that allows website owners to clean a hacked site with a simple click of a button.
While we’re talking about WordPress plugins, it’s worth mentioning that 52% of WordPress security vulnerabilities reported related to WordPress plugins.
#2: Create Backups Regularly (& Automatically)
Creating backups is a good way to ensure that you have access to your website’s important files in case anything happens to your live website. Most web hosts will do this automatically in the background but make sure to double check with them before relying on this safeguard!
I recommend Kinsta for their performance WordPress hosting but the fact that they let you create multiple automatic/manual backups is just another reason to check them out.
There are several plugins that you can use to automatically create backups, but one of the most recommended options is VaultPress, which is owned by the same company that created WordPress (and is part of the Jetpack plugin). UpDraftPlus is another great option — the only WordPress plugin with a free version that you can use to schedule automatic backups.
Don’t just rely on the efforts of one plugin when it comes to your backup strategy. Create multiple copies of your backup files and store them in different places (cloud, hard drive, etc.).
#3: Update WordPress Regularly
Updating your WordPress website is the single easiest and most effective way to prevent hacker attacks because WordPress updates are meant to fix whatever was broken with the previous version.
You must also ensure that along with timely WordPress core updates, your plugins and theme files are updated in a timely manner. According to Wordfence, if you can protect yourself from plugin vulnerabilities and brute force attacks, you are already saving yourself from 70% of hacking problems.
Speaking of Wordfence, you should sign up for their email updates. They send out timely and detailed warnings about the latest WordPress security issues.
Here’s one of their latest alerts:
According to a report by wpscan.org, of the 3,972 known WordPress vulnerabilities, 52% are from WordPress plugins, 37% are from the WordPress core, and 11% from WordPress themes. Finally, 65.6% of WordPress websites are using the latest WordPress version (4.9), but only 6% are using the latest PHP version (7.2), and 0.9% are using the latest MySQL version (10.2).
The major takeaway here regarding WordPress security issues? You need to proactively update to the most recent version of important files (core, themes, plugins, PHP, database) in order to best protect yourself from hackers.
A WordPress maintenance service, like WP Buffs, can take care of this process for you automatically, in the background, while managing any potential conflicts between these moving pieces.
When making major updates, there are rare occasions when you might get stuck in WordPress maintenance mode — but it’s not too difficult to get back on track.
#4: Keep Passwords Secure
Keeping your WordPress password secure is a given preventative security measure, but you’d be surprised at the number of people that are unable to adequately protect themselves from related attacks. According to Panda Security, 81% of attacks happen mainly because of insecure or stolen passwords.
A lot of attackers gain entry to your WordPress site via brute force — the repeated entry of username and password combinations until they get the right one. An easy way to prevent this possibility is by limiting attacks by limiting login attempts.
Pro Tip: Use the Login LockDown plugin, which records the IP address and timestamp of every failed login attempt and locks down the login function if the number of failed attempts from the same IP range is reached in a certain period of time.
Next, choose a password that’s more than 6 characters and is composed of a combination of both upper and lowercase letters, numbers, and symbols. For something uncrackable, 10-50 characters are sufficient. WordPress can also generate an almost-uncrackable password for you.
Pro Tip: Use a program like LastPass to help you remember passwords. LastPass can also help you generate a secure password.
On that note, change passwords often and don’t reuse passwords. It’s also advisable to use your email instead of username to log into WordPress because usernames are easier to predict than emails. According to WP Smackdown, the top usernames being attacked are: Admin, admin, administrator, test, root.
Pro Tip: If you defaulted to an “admin” username when you first created your WordPress installation, simply install the Username Changer plugin to create a more secure username.
#5: Protect Your Login Page
Apparently, I missed the new best practices claiming that renaming the URL of your WordPress login page is not helpful.
Or, so said the commenters on a related piece I wrote about WordPress security issues for WPKube:
Regardless, I’ll share a related resource for the sake of being comprehensive.
The Rename wp-login.php plugin makes the wp-admin directory and wp-login.php page inaccessible but does not change the files in the WordPress core whatsoever.
At any rate, security through “obscurity”, as commentator Luke Cavanagh put it, certainly isn’t the only way to lock down your WordPress login page.
Another option? Implementing two-factor authentication (2FA) for logging in. This method requires registering/activating another device to confirm the site owner’s identity.
There are a few two-factor authentication methods:
Many of my clients use some type of two-factor authentication to lock down access to the backend of their WordPress blogs — I’d say it’s worth following their lead.
While two-factor authentication can be a fairly fool-proof method for beating some of the top WordPress security issues, it can certainly be a hassle — especially if you don’t have your phone with you (/if you can’t use cellular data while you’re traveling) or if you forget the email you used to sign up with.
Furthermore, using the Authenticator app means that you’ve authorized the specific device where you’ve installed the app. If you get a new mobile device, you’ll have to redo this process — ideally before you delete the data on your old device!
The risk of the SMS method in 2FA is the fact that you’re giving away private information that companies could potentially use to send you spam. Also, if hackers get ahold of your phone number, they can use this to gain access to your account.
If this situation seems unlikely, don’t forget about recent data breaches (Experian, Cambridge Analytica, etc.) on seemingly secure platforms.
#6: Use a Secure Hosting Provider
It’s worth mentioning that your hosting provider plays a role in keeping your WordPress site secure. In fact, according to WP White Security, 41% of hacks happen because of a security vulnerability on their hosting platform.
Depending on what you’re willing to spend, there are different types of web servers you’ll have access to through the average web host. Typical budget options usually revolve around the use of a shared web server. This means that you’re sharing the server resource with other users, making your website susceptible to cross-site contamination, where hackers can access your website through a neighbor on the same server.
Use web hosts that follow WordPress security best practices, such as Siteground (for budget needs) and Kinsta (for high performance). Both include access to SSL certificates that encrypt user’s personal data. Since HTTPS is now an official ranking factor, ideally, you’ll make sure that this security fix has been implemented ASAP (if you haven’t already).
Pro Tip: If you’re still using HTTP, follow along with my guide for switching to HTTPS for Pathfinder SEO.
When choosing a hosting provider, WPMU DEV suggests looking for features such as:
A WordPress security best practice is to use managed WordPress hosting, which costs a little more than budget options, but takes care of everything for you including backups, updates, uptime, security, and speed.
#7: Use a Web Application Firewall (WAF)
When a plugin or theme is breached, there is a lag time between when the vulnerability is discovered and when a fix is made. This is called the “window of vulnerability”, and you’ll need to use a web application firewall to avoid this.
There are different levels of firewalls that can block different kinds of traffic. You can get a firewall through the use of security plugins, a website security company, or through a WordPress maintenance company.
I’ve been testing out SiteLock recently and it offers a unique and useful feature: the ability to differentiate between good and bad bots, restricting the bad ones from accessing your site. This proactively prevents cyber attacks from compromising your site.
Here’s my in-depth SiteLock review, if you’re curious about learning more.
#8: Protect Input Fields
Fields like comments and contact forms are an obvious target for hackers to take advantage of. They can steal data being entered to those fields by force or by stealth (like by monitoring keystrokes).
On a similar note, beware of cross-site scripting (XSS), where attackers inject client-side scripts into web pages viewed by other users. 84% of security vulnerabilities are a result of XSS attacks.
Pro Tip: Some websites receive tons of spam comments, which is why they choose to disable comments. However, comments are a great way of communicating and getting feedback from readers and visitors. To moderate comments and proactively battle spam, install the Akismet plugin, also offered by the team behind WordPress.
Visual learner? You’ll appreciate this WordPress security checklist infographic summarizing the major points of this post: