Nine Steps to WordPress Security

It is estimated that 30,000 websites are hacked every day. Businesses of all sizes are affected, with small businesses targeted in over 40% of the attacks. Only 14% of these businesses are equipped to prevent website damage. The damage can be so devastating that it puts many organizations out of business.

WordPress is the most widely used content management system (CMS) in the world, with over 75 million websites using it. Thanks to its very large and active community of volunteers, it is constantly being updated and new features introduced. Updates often contain fixes for vulnerabilities in the core WordPress software. Attackers are always looking for ways to exploit any weakness in WordPress sites. Their automated attempts include searching for unprotected and vulnerable websites. This article looks at some of the best ways to secure your WordPress site using the latest available technology.

Use a Security Plugin

A security plugin is the first line of defense against attackers. There are many security plugins available for WordPress, and some of the best ones are Wordfence, iThemes Security, and Jetpack. My choice is Wordfence. It is one of the most popular security plugins, with over 4 million active installations. I prefer it because it’s a comprehensive security solution, offering real-time protection against malware, brute force attacks, and other threats.
Wordfence has a free version that includes firewall protection, login security, and malware scanning. The paid version adds two-factor authentication and real-time IP blocking. Installing Wordfence is easy, and it takes only a few minutes. Once you install it, you can add an email address for alerts and configure the settings according to your preferences. Wordfence will notify the chosen email when there are updates available for WordPress, plugins, and themes or call your attention to maintenance issues.

Keep Your Site Up-to-Date

WordPress, plugins, and themes are constantly being updated to address security vulnerabilities and add new features. It is important to keep your site up-to-date to ensure that you are protected against the latest threats. WordPress has made it easy to update your site automatically, so you don’t have to worry about doing it manually.

To enable automatic WordPress core updates, go to Dashboard > Updates. Under Current version: you have two options: Enable automatic updates for all new versions of WordPress. or Switch to automatic updates for maintenance and security releases only. The second option will not automatically update major releases, whereas the first option will automatically update all new versions.

Themes can be automatically updated by going to Dashboard > Appearance > Themes, select the active theme, and Click Enable auto-update. Automatic theme updating can be disabled by selecting the Disable auto-update link.

Plugins can be auto-updated by going to the Dashboard > Plugins > Installed Plugins and marking your choice in the Automatic Updates column for each plugin. Multiple auto-update changes can be made using the Bulk actions dropdown.

If you prefer to update your site manually, you should check for updates regularly and install them as soon as they are available. Outdated software, plugins, and themes are a major source of security vulnerabilities, so it is important to keep everything up-to-date.

Remove Unused Plugins and Themes

Other than leaving one default theme for testing purposes, unused plugins and themes should be removed as soon as possible. Disabled plugins and themes can still be attacked by hackers and can cause additional resource usage. If there is a reason to keep a disabled theme or plugin in WordPress, it should always be updated.

Use Strong Passwords

One of the simplest ways to protect your site is to use strong passwords. The most frequently used password this year is 123456. It has held the number one spot for many years, followed by 123456789, qwerty, and password. You can be assured that every automated password cracker checks for these and other commonly used passwords. Using one of them is like leaving your door unlocked.

A strong password should be at least 12 characters long and include a combination of uppercase and lowercase letters, numbers, and symbols. You should avoid using dictionary words, common phrases, or personal information in your password. WordPress has a built-in password strength meter that shows you how strong your password is. When you create a new password, WordPress will give you a rating from “Very Weak” to “Strong.” You should aim for a rating of “Strong” or higher.

If you have trouble coming up with strong passwords, you can use a password manager such as Bitwarden or 1Password. These tools not only generate passwords, but they also store them and automatically log you into your favorite sites. You only need to remember your master password. I use Bitwarden, a completely free, open-source program.

Credential Reuse and Leaked Passwords

Credential reuse and leaked passwords can pose a significant threat to website security. Once a user’s credentials are leaked, they can be used by attackers to gain unauthorized access to various online services, including websites. This can result in data breaches, financial losses, and reputational damage.

Using  the same “default” username and password for several sites is not a good policy. Using password managers will eliminate the need for reusing credentials. The Pwned Passwords website can be used to determine if your password has been exposed because of a data breach.

Email addresses and passwords are often stolen together. It’s a simple matter for automated login attempts to use lists of known emails and password pairs.

Regular Backups

No matter how secure your website is, there is always a chance that something could go wrong. In the event of a hack or other technical issue, having a backup of your website can be a lifesaver. It can mean the difference between being able to quickly restore your site or losing all your data and starting from scratch.

Most web hosts offer some kind of backup service, but it’s always a good idea to take matters into your own hands and create your own backups. You can use a plugin like UpdraftPlus or Jetpack to create regular backups of your website and store them on a remote server like Google Drive or Dropbox. UpdraftPlus will even email backups to be stored on your computer.

The frequency of backups depends on how often your website is updated. If you post content daily, you may want to create a daily backup. If you only update your site once a week, a weekly backup may be sufficient.

Use SSL Encryption

SSL (Secure Sockets Layer) is a protocol that encrypts data sent between a website and its users. It’s what gives the padlock in the browser bar and the “https” in the website’s URL. SSL encryption is essential for any website that collects sensitive information like credit card details or login credentials.

In addition to securing sensitive information, SSL encryption is also a ranking factor in Google’s search algorithm. This means that having an SSL certificate can improve your website’s visibility in search results. Free SSL certificates should be available from your web host or a third-party provider like Let’s Encrypt.

Limit Login Attempts

One of the most common ways hackers try to gain access to a website is through brute-force attacks. This is where they use software to try multiple combinations of usernames and passwords until they find one that works.

If you don’t use Wordfence or another security plugin with built-in brute-force protection, you can use a plugin to limit repetitive login attempts. This greatly increases the time required for hackers to guess your login credentials.

Use of Nulled Themes and Plugins

Nulled themes and plugins are pirated versions of commercial WordPress themes and plugins that are distributed without the permission of their developers. While nulled themes and plugins may be tempting to use because they are free, they come with significant security risks that can compromise the security of a website.

Nulled themes and plugins may contain malware, which can infect a website and cause damage to its functionality or steal sensitive data from users. Malware infections can occur due to vulnerabilities in the code of the nulled themes and plugins, or due to the presence of hidden backdoors that allow attackers to gain unauthorized access to a website.

If the threat of malware infection isn’t enough to stop the use of nulled software, distributing nulled software is stealing, it’s wrong, and it’s illegal. It’s theft of the hard work of one or more developers. Copying someone’s work without any effort to improve, maintain, or further develop it doesn’t add anything of value to the software and harms the whole WordPress community.

Wrap Up

Securing your WordPress website doesn’t have to be a daunting task. By taking a few simple steps like using a security plugin, keeping your software up to date, and using strong passwords, you can drastically reduce the risk of having your website damaged. And by regularly backing up your site, you can ensure that you’re prepared for most worst-case scenarios.

Remember, no website is 100% secure, but by taking these steps, you can make your website a much less attractive target for hackers. With a little bit of effort and some basic security measures, you can have a website that’s both secure and functional.

References:

PDF, “The Wordfence 2022 State of WordPress Security Report,” Publication Date: January 24, 2023 https://www.wordfence.com/wp-content/uploads/2023/01/Wordfence-2022-State-of-WordPress-Security-Report.pdf

CNBC “Cyberattacks now cost companies $200,000 on average, putting many out of business, ” Retrieved 4/26/2023, https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html