WordPress often gets a bad rep, and we regularly get asked the question: is WordPress secure?
Being open source and one of the most popular CMS platforms out there, it’s a target for hackers. And it can get hacked. No system is 100% hack-proof. But there are a lot of steps you can take to minimise the chances of it happening to you.
Over the years we’ve come across many WordPress sites which have been compromised. More often than not the hack takes the form of a malware infestation, or sometimes it’s a code injection designed to take the site offline and block out site admins.
With WordPress, there are usually 3 or 4 avenues these pesky hackers take to try and get into your site. So let’s look at them in more detail and look at how you can try and keep them out.
1. Logging in
By default, all WordPress sites have the same login URL: the site domain followed by /wp-login.php. So right away the hackers know where to try and log in.
Tip #1 – change the login URL
Once at the login page, attackers run bots that try to log in with thousands of username/password combinations in a short space of time. This is known as a brute-force attack. Many moons ago, WordPress set up a default admin user with the username ‘admin’. So that’s half the puzzle solved for the hackers.
I’m saying the word hackers a lot so let’s give them a name. How about Neil?
Tip #2 – don’t use admin as your username
So our friend Neil now knows the username, and there are lists available with thousands of common passwords which they will try. You’d be surprised how many people have really weak passwords. If Neil tries enough times, he might get the combo right.
Tip #3 – use a randomly generated ‘strong’ password.
There is another way to scupper brute-force login attempts: impose a login attempt limit. There are plugins available to help set this up, which leads me to…
Tip #4 – install Wordfence to limit logins
You can set the limit to something like 5 login attempts, after which the user is blocked for a set amount of time. This will put Neil off. Good work. Take a look at Wordfence, we highly recommend it.
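To show what a login attempt limit actually does behind the scenes, here is an added example (our own illustration, not Wordfence’s code or settings): a small Python limiter that counts failures per username within a sliding window, locks the username out after 5 failures, and lets it back in once the lockout expires. The timings and the “admin” username are constructed for the demo.

```python
import time
from collections import defaultdict, deque


class LoginLimiter:
    """Count failed logins per key (a username, a client IP, or both) and lock the
    key out once the failures inside the sliding window reach the limit.

    Hypothetical stand-alone implementation of the 'limit login attempts' idea;
    it is not Wordfence's code and does not use its settings."""

    def __init__(self, max_attempts=5, window_seconds=300, lockout_seconds=1200):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lockout expires

    def is_locked(self, key, now):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        # Lockout has expired: forget the old failures so the count starts fresh.
        del self._locked_until[key]
        self._failures.pop(key, None)
        return False

    def record_failure(self, key, now):
        """Register a failed login. Returns True if the key is now locked out."""
        if self.is_locked(key, now):
            return True
        recent = self._failures[key]
        # Drop failures that fell out of the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        """A correct login clears the failure history for the key."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(limiter, key, password_ok, now=None):
    """Gate a login attempt through the limiter. Returns 'locked', 'ok' or
    'failed'. The password check itself is out of scope here, so the caller
    passes its result as password_ok."""
    now = time.time() if now is None else now
    if limiter.is_locked(key, now):
        return "locked"          # refuse without even checking the password
    if password_ok:
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key, now)
    return "failed"


def demo():
    """Constructed scenario: a bot guesses 'admin' six times in a minute, then the
    real owner tries the right password during and after the lockout."""
    limiter = LoginLimiter(max_attempts=5, window_seconds=300, lockout_seconds=1200)
    log = []
    t0 = 1_000_000
    for i in range(6):                                   # six wrong guesses, 10 s apart
        log.append(attempt_login(limiter, "admin", False, now=t0 + 10 * i))
    log.append(attempt_login(limiter, "admin", True, now=t0 + 120))         # right password, still locked
    log.append(attempt_login(limiter, "admin", True, now=t0 + 40 + 1200))   # lockout has expired
    return log


if __name__ == "__main__":
    print(demo())
```

Note that once the key is locked, the password is not checked at all, so the bot learns nothing from the remaining guesses. A real plugin keys on the client IP as well as the username, and records the lockouts so you can see who has been knocking.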
There is another thing you can do to lock down admin access to the site dashboard.
Tip #5 – activate 2FA
Wordfence also comes with the ability to set up 2FA (two-factor authentication) on your website. This usually takes the form of installing an authenticator app on your phone which generates a unique code each time you need to log in.
If you follow these tips for login security, you’ll be making life very difficult for Neil to gain access by logging in.
Remember even if you have a safe password, keep it safe! Don’t leave it pasted on a publicly accessible spreadsheet.
2. Keep things updated
WordPress regularly has updates and patches made available. Sometimes they are adding new functionality, fixing bugs or improving security.
Tip #6 – keep WordPress core up-to-date
Running old versions of WordPress can leave vulnerabilities open that our friend Neil may know how to exploit.
Along with WordPress core, there are plugins. Plugins are developed to add extra functionality to a website. Usually coded by contributors the world over, they also are regularly updated to fix the same issues.
Tip #7 – update your plugins
A badly developed WordPress site will have an over-dependence on plugins to provide the functionality that’s needed. We’ve seen sites with as many as 75 active plugins!
Keeping that many up to date can be a chore, and it can also cause other issues such as code conflicts and poor site performance.
Regularly audit your plugins and remove any that you don’t need. These are key to helping make sure WordPress is secure.
Tip #8 – update your theme
Depending on how the site was built, your theme or framework may also need updating for the same reasons. Neil will very much be aware of commonly found vulnerabilities in popular themes. He’ll be able to see which version of the theme your site is running.
This can get a bit techy, so we have maintenance packages available to keep all of these updates in place.
3. Hosting security
From a hosting point of view, you will need to make sure that you are running the most recent version of PHP too for enhanced security.
Tip #9 – keep PHP up-to-date
FTP is one way developers transfer files to and from your hosting server during development. Like anything which can be accessed with credentials, that mischievous meddler Neil will try and gain access via FTP.
Tip #10 – lock FTP
Locking FTP can help keep him from accessing your site using this method. You can lock FTP to allow access only via whitelisted IP addresses, or you can unlock it for set time periods.
Again always set a safe random password for your FTP access.
If you follow the above steps, you’re not making your website 100% secure, but with these basics, you will be making Neil’s job a difficult one to do.
What to do if my site is hacked?
If you suspect your website might have been hacked, there are steps you should take to firstly clean the site, and secondly prevent it from happening again.
The plugin we mentioned earlier, Wordfence, can be set to run automatically, carrying out malware scans at set intervals.
When it scans it looks for several red flags, let’s look at some of the main ones.
New code files on the server which aren’t part of WordPress
When a hacker like Neil gets access to the site, he tends to plant malicious files throughout the site’s file system. Wordfence can find these easily, as it constantly checks against what files should or shouldn’t be in a WordPress installation.
If Wordfence finds such a file, it will let you know and give you the option of quarantining or deleting the file.
Sometimes rather than new files, he’ll add sneaky snippets of code to existing files. Again, Wordfence can spot these. Just don’t delete the whole file or you might break the site. Just remove the dodgy code.
So once your scan is complete and you have found some malicious code, fix/remove it as required.
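The “files that shouldn’t be there” and “code added to existing files” checks both boil down to comparing the site against a known-good baseline. As an added example (our own illustration, not Wordfence’s code), this Python script hashes every file under an install, saves the result as a manifest, and later reports anything added, missing or modified. The demo builds a tiny stand-in “install” in a temporary folder; the file names and contents are constructed, not taken from a real site.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, '/' separated) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Report files that appeared, disappeared or changed since the baseline."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "missing": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario in a temp dir: baseline a three-file 'install', then
    plant a new file, append to an existing one, and diff against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-config.php", "<?php // constructed stand-in for the real file\n")
        _write(root, "wp-includes/version.php", "<?php $wp_version = '0.0'; // constructed\n")
        _write(root, "wp-content/uploads/photo.jpg", "not really a jpeg\n")
        baseline = build_manifest(root)

        _write(root, "wp-content/uploads/cache.php", "<?php // planted file (constructed)\n")
        _write(root, "wp-includes/version.php",
               "<?php $wp_version = '0.0'; // constructed\n// extra lines appended after baseline\n")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Take the baseline straight after a clean install or update, and keep the manifest somewhere the web server cannot write to, otherwise Neil can update it along with the files. A PHP file appearing under wp-content/uploads, as in the demo, is exactly the kind of “new code file that isn’t part of WordPress” the post describes.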
Then go back through the steps above to fix your security.
New admin accounts created
In some instances we have seen the hacker create a new admin account in the background, giving them persistent access. So keep an eye on all the admin accounts regularly.
Spammy links appearing
Malware infections can inject links into your pages; they tend to be spammy links to things like pharmaceutical sites, betting sites or something of an adult nature. Again, Wordfence can pick up on things like this.
If you have a blog and allow comments, check here for spammy links too. You can set a robust policy for allowing comments to try and keep that secure.
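Injected spam links are usually either hidden from visitors or point at domains the site has nothing to do with, and both are easy to check for. As an added example (not from the original post or from Wordfence), this Python snippet parses a page and flags links that are hidden by inline CSS or the hidden attribute, or that point outside the site and its allow-list. The sample post and the .invalid spam domains are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect every <a href> together with whether it sits inside an element
    hidden by inline CSS or the `hidden` attribute."""

    def __init__(self):
        super().__init__()
        self.links = []        # (href, hidden)
        self._stack = []       # open tags as (tag, was_hidden)
        self._hidden_depth = 0

    @staticmethod
    def _is_hidden(attrs):
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return ("display:none" in style or "visibility:hidden" in style
                or "hidden" in attrs)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = self._is_hidden(attrs)
        if hidden:
            self._hidden_depth += 1
        self._stack.append((tag, hidden))
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"], self._hidden_depth > 0))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, undoing any hidden-ness on the way.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                for _, was_hidden in self._stack[i:]:
                    if was_hidden:
                        self._hidden_depth -= 1
                del self._stack[i:]
                break


def find_suspicious_links(html, site_host, allowed_hosts=()):
    """Flag links that are hidden from visitors or point at hosts outside the
    site and its allow-list. Returns (href, reason) pairs."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for href, hidden in collector.links:
        host = (urlparse(href).hostname or "").lower()   # '' for relative links
        if hidden:
            findings.append((href, "hidden link"))
        elif host and host not in trusted:
            findings.append((href, f"external host {host}"))
    return findings


# Constructed sample post: two legitimate links, one hidden spam link, one visible one.
SAMPLE_POST = """<h1>Welcome</h1>
<p>Read <a href="/about">about us</a> or the <a href="https://wordpress.org/support/">WordPress docs</a>.</p>
<div style="display: none"><a href="http://pharma.constructed.invalid/buy">cheap pills</a></div>
<p>Footer: <a href="https://example.com/contact">contact</a>
<a href="http://bets.constructed.invalid/">bet now</a></p>
"""


def demo():
    return find_suspicious_links(SAMPLE_POST, "example.com", allowed_hosts=["wordpress.org"])


if __name__ == "__main__":
    for href, reason in demo():
        print(f"{reason:40} {href}")
```

Run this over rendered pages, or over post content and approved comments pulled from the database, and review every hit; a genuine outbound link to a site you have not allow-listed will show up too, which is fine, as it is the hidden ones that are almost never legitimate.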
Is WordPress Secure? Conclusion
It’s often tricky to isolate how the sites are infiltrated. You can try checking errors or access logs, but it’s usually hard to spot.
Sometimes, if a plugin has a known vulnerability and you follow the WordPress community, you’ll become aware of the issue (hopefully before it happens to you), and that can often help shed some light on what’s happened.
So is WordPress secure? Yes if you follow strict procedures for ensuring everything is up to date and for protecting access. You are giving yourself a really good chance of keeping Neil at bay.
If you don’t run your updates, are relaxed about password policies and don’t use a very reliable host, chances are sooner or later your site will have some sort of security issue.
Don’t forget if you need help, we have a range of WordPress maintenance tips available.
Do what you can to frustrate Neil and make his life as difficult as possible. He’ll move on to another less secure site.