Let’s get straight to it. If you are not aware, WordPress security is a big deal if you have a WordPress site, whether you run a personal blog or a big corporation (yes, WordPress powers some of the top websites in the world, e.g. The New York Post, USA TODAY and Spotify, to name three). Protecting your website and its data is an essential part of website development today. In this article we look at why WordPress security is important and some of the best ways to protect your WordPress website.
Why is WordPress Security important
Well, let’s look at the facts. WordPress has been named the fastest growing content management system every year since 2010. WordPress holds over 60% of the CMS market share and runs approximately 30% of the world’s websites, so it is no wonder it is a big target for hackers and security issues. Approximately 500+ WordPress websites are also built every day, with 17 posts published every second on WordPress sites around the world.
As a result of this popularity, WordPress is also the most hacked CMS in the world, says Sucuri. Why is this? Alongside the fact that it is so widely used, there are plenty of vulnerabilities in WordPress sites, from weak passwords to out-of-date plugins and themes. In one study, 61% of infected websites were found to be running out-of-date software. WPScan also reported that 52% of vulnerabilities are caused by WordPress plugins.
Loss of revenue and bad reputation
From the above information we can say WordPress security is a problem for a lot of websites and a very important issue. A WordPress site that has been hacked causes serious damage to your profit margin and your brand. User information and passwords are stolen, and malicious software might be inserted into your site for distribution to your users. Who would want to visit your site after an attack?
Google quarantines around 10,000 suspicious websites every day and puts them on a “Google blacklist”. This blacklist means your site is removed from the search index, where you will lose up to 95% of your organic traffic. This causes massive losses if you rely on your website for business revenue.
Fortunately, prevention is better than cure and there are many options to secure your WordPress website. If you run a physical store as well as a website, I bet you would make sure you lock up every night, put on your alarm, check your CCTV is working and protect it against potential threats. Why would you not do the same with your website, especially if you run your business through it?
Improve your WordPress Security
Update your site’s core software, themes and plugins. This is absolutely essential in protecting your website’s data and your WordPress security. Out-of-date software is one of the easiest ways for hackers to gain entry to your website: out-of-date plugins or themes, and a WordPress core that has not been updated, leave known vulnerabilities open. Hackers then exploit these vulnerabilities and gain access before the security fix is applied. Signs that you have been hacked usually include:
- Unable to login.
- Your website has changes that you haven’t made.
- Your website menu links redirect to different sites, like gambling/porn sites.
- The browser warns you before you enter your website.
- Your host provider warns you of unusual activity on your site.
Updating your themes, plugins and core software is one of the primary ways of protecting your website. This is an absolute MUST in WordPress security, and it is so easy: right in your WordPress dashboard you are notified when a WordPress, theme or plugin update is available. There are no excuses for not updating. Bright Spark Media provide all updates, backups and security solutions in one WP Care Plan.
Strong passwords and User Permissions
Another excellent way of keeping out unwanted traffic is to create strong passwords and restrict user permissions. What is classified as a strong password? Anything from 12 characters upwards that includes a mix of uppercase, lowercase, special characters and numbers. By default, WordPress used to set admin as the login username, which has since been changed. Create an original username with more than 12 characters, again mixing numbers and letters.
To give you an idea of how fast a password can be cracked, consider the following figures from Betterbuys, where you can test how fast your own password could be cracked:
- A username “Admin” with a capital A can be cracked in 19 seconds
- A username “George” can be cracked in 20 minutes
- “JohnSmith” with capital J and S would take 5 years
- “John#Smith2k19” would take over 6 centuries
The accuracy of this software is not verified; however, what is clear is that establishing a unique password or username for each login, with a minimum of 12 characters, increases your WordPress security by a lot. If using a hard-to-remember password is difficult for you, then consider using a password manager like LastPass or 1Password. They remember your passwords in a secure format so you don’t have to.
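To make the reasoning behind the figures above concrete, here is a small Python calculator added to this page (it is not the article’s own code and not the Betterbuys tool). It applies the 12-character, four-class rule from the paragraph above and shows why both length and character mix matter: it measures the search space an attacker would have to exhaust and converts that into a worst-case time. The guess rate is an assumption chosen for illustration, so its times will not match the Betterbuys figures.

```python
import math
import string

# Character classes for the policy described in the article:
# 12+ characters mixing uppercase, lowercase, digits and special characters.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}

# Assumed guess rate for an offline brute-force attack (illustrative only;
# not a figure from the article or from Betterbuys).
ASSUMED_GUESSES_PER_SECOND = 1e10


def classes_used(password):
    """Return the names of the character classes present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def keyspace_size(password):
    """Number of candidates an attacker must try in the worst case.

    Only the classes actually present count: an all-lowercase password of
    length n is found within 26**n guesses, whatever its actual letters.
    """
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)


def meets_policy(password):
    """True if the password is 12+ characters and uses all four classes."""
    return len(password) >= 12 and classes_used(password) == set(CLASSES)


def seconds_to_exhaust(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace_size(password) / rate


def human_duration(seconds):
    """Render a duration in the largest unit that fits."""
    units = [("centuries", 100 * 365.25 * 86400), ("years", 365.25 * 86400),
             ("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3g} seconds"


def report(password):
    """Summarise length, classes, search-space bits and policy compliance."""
    return {
        "length": len(password),
        "classes": sorted(classes_used(password)),
        "bits": math.log2(keyspace_size(password)),
        "meets_policy": meets_policy(password),
        "worst_case": human_duration(seconds_to_exhaust(password)),
    }


if __name__ == "__main__":
    for pw in ["Admin", "George", "JohnSmith", "John#Smith2k19"]:
        print(pw, report(pw))
```

The "bits" value is the useful comparison: each extra character multiplies the search space by the alphabet size, which is why a 14-character password drawn from all four classes sits far beyond anything a 5- or 6-character one can offer, regardless of the exact guess rate.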
If you are running a WordPress website with many contributors, or a membership site with a large number of users, you might want to think about restricting user permissions. WordPress user roles and permissions allow you to control what level of access each user has. You don’t want to give a subscriber or blog contributor access to your plugins etc. For tighter security, limit how many users have the administrator role, if any at all.
Keeping backups of your WordPress website is another essential ‘must do’. Bright Spark Media keep a daily backup of all our WordPress client sites in case of any problems. We can just roll back to the previous day and restore the website if anything goes wrong. So even if there is a server failure or crash, or you discover your site is full of malware, it is very easy to restore your website and data from a previous date. We store the backup offsite, so even if your host server went down, we have you covered. There are many excellent backup solutions like UpdraftPlus, BackupBuddy or VaultPress. Your host probably offers a backup solution too, but it’s also very important to keep a separate backup in case your host server crashes.
Having HTTPS instead of HTTP means that your site is viewed as trustworthy and server-to-client communication is protected in transit. Basically, you have an SSL certificate installed on your website, which means that sensitive data such as IDs, passwords, credit card numbers, etc. is encrypted so no one else can see it. This is critical for online shopping sites or anywhere you sell goods or services online.
Google now insists that ALL websites have SSL certificates installed. If you don’t, your visitors will see a “Not Secure” warning when visiting your site. Even if the only text inputs on your website are login panels, contact forms, search bars, etc., you still need an SSL certificate. Many host providers like SiteGround offer them for free with Let’s Encrypt certificates. If your website collects data, you sell goods and services online, or even if you just have a contact form, for security’s sake get an SSL certificate.
Limit Login Attempts
By default, WordPress places no limit on how many times you can try to log in to a WordPress website. This is one of the most common ways human or bot hackers try to force their way through your login page: by trying various combinations of usernames and passwords until something works.
Using the Limit Login Attempts plugin, you can limit the number of login attempts. This is a well recommended plugin with 4.8 stars and we recommend you use it. It is simple to configure: just put in the number of login attempts you allow, specify the lockout time if someone enters the wrong details too many times, and you are good to go. You can even blacklist certain IP addresses. Overall this is a great plugin to help keep your WordPress website secure.
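The lockout behaviour described above is simple enough to show in full. The following Python sketch is an added example for this page, not code from the Limit Login Attempts plugin: it counts failed logins per client IP and username inside a time window, locks that pair out for a fixed period once the threshold is reached, honours an IP blocklist, and clears the counter on a successful login. The threshold, window, lockout length, IP addresses and the credential store are all constructed values for the demonstration.

```python
import time
from collections import defaultdict

# Policy values (assumed for this example; the plugin lets you choose your own).
MAX_ATTEMPTS = 5             # failures allowed before lockout
ATTEMPT_WINDOW = 15 * 60     # seconds over which failures are counted
LOCKOUT_SECONDS = 20 * 60    # how long a locked-out key stays locked
BLOCKLIST = {"203.0.113.7"}  # constructed example IP (RFC 5737 documentation range)


class LoginLimiter:
    """Track failed logins per (client IP, username) and lock out after too many."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, handy for tests
        self._failures = defaultdict(list)   # key -> timestamps of recent failures
        self._locked_until = {}              # key -> unix time the lockout expires

    @staticmethod
    def _key(ip, username):
        return (ip, username.lower())

    def is_locked(self, ip, username):
        """Blocklisted IPs are always refused; otherwise check the lockout clock."""
        if ip in BLOCKLIST:
            return True
        until = self._locked_until.get(self._key(ip, username))
        return until is not None and until > self._now()

    def record_failure(self, ip, username):
        """Register a failed attempt; return True if this one caused a lockout."""
        key = self._key(ip, username)
        now = self._now()
        recent = [t for t in self._failures[key] if now - t <= ATTEMPT_WINDOW]
        recent.append(now)
        self._failures[key] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self._locked_until[key] = now + LOCKOUT_SECONDS
            self._failures[key] = []
            return True
        return False

    def record_success(self, ip, username):
        """A good login clears the failure counter for that key."""
        self._failures.pop(self._key(ip, username), None)


def attempt_login(limiter, ip, username, password, check_password):
    """Decide the outcome of one login attempt: 'locked', 'ok' or 'failed'."""
    if limiter.is_locked(ip, username):
        return "locked"          # do not even evaluate the password
    if check_password(username, password):
        limiter.record_success(ip, username)
        return "ok"
    limiter.record_failure(ip, username)
    return "failed"


# Constructed credential store for demonstration only.
_USERS = {"editor": "correct horse battery staple"}


def check_password(username, password):
    return _USERS.get(username) == password


def simulate_brute_force(limiter, ip="198.51.100.4", username="editor"):
    """Constructed stream of five bad guesses followed by the right password."""
    outcomes = []
    for guess in ["password", "123456", "admin", "letmein", "qwerty"]:
        outcomes.append(attempt_login(limiter, ip, username, guess, check_password))
    # The correct password now arrives too late: the pair is already locked out.
    outcomes.append(attempt_login(limiter, ip, username, _USERS[username], check_password))
    return outcomes


if __name__ == "__main__":
    print(simulate_brute_force(LoginLimiter()))
```

Keying on the IP and username together means one attacker hammering many accounts and many attackers sharing an account are both caught, while a legitimate user on a different address is not locked out by someone else’s failures. A real deployment keeps the counters in shared storage rather than process memory, so that every web worker sees the same state.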
Use a plugin to intercept any attacks on your website; one of the most popular free plugins is Wordfence. It is described as a WordPress security plugin with a built-in web application firewall. It monitors your WordPress site for malware, file changes, SQL injections and more. Wordfence also protects your website against DDoS and brute force attacks. Bad traffic is blocked after it reaches your server but before your website loads, so attacks are stopped before they hit your site. There is a paid version of this plugin but the free version works excellently.
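The file-change monitoring mentioned above, and the “changes you haven’t made” warning sign from the earlier list, both come down to comparing the files on disk against a known-good baseline. The Python script below is an added example written for this page (not Wordfence’s code): it hashes every file under the site root with SHA-256, skipping the uploads and cache directories that change legitimately, saves the manifest as JSON, and later reports files that were added, removed or modified. The site tree it runs against is constructed in a temporary directory, and the tampering it detects is simulated.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Directories whose contents change during normal use and would only add noise.
DEFAULT_SKIP = ("wp-content/uploads", "wp-content/cache")


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, skip_dirs=DEFAULT_SKIP):
    """Map each file path (relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in skip_dirs):
            continue
        manifest[rel] = hash_file(p)
    return manifest


def diff_manifests(baseline, current):
    """Report added, removed and modified files relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed mini site tree: take a baseline, simulate tampering, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-includes").mkdir(parents=True)
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-includes" / "functions.php").write_text("<?php // core\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")

        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(site), baseline_path)

        # Simulated tampering: a core file edited, an unexpected file dropped in.
        (site / "wp-includes" / "functions.php").write_text("<?php // core\n// edited\n")
        (site / "wp-content" / "unexpected.php").write_text("<?php // placeholder\n")
        # An upload changing is normal and must not raise an alert.
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")

        return diff_manifests(load_manifest(baseline_path), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline must be taken from a site you trust (a fresh install or a clean backup) and stored somewhere the web server cannot write to; a manifest sitting inside the web root can be rewritten by the same intrusion it is meant to catch. Re-running the comparison on a schedule, and refreshing the baseline only after a deliberate update, turns this into the kind of file-change alert the plugin provides.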
Two factor Authentication
Two factor authentication is a great way of securing your WordPress login. When enabled, it requires a one-time code in order to log in. A well recommended free plugin is the Two Factor Authentication plugin.
If you are serious about your WordPress website then you need to be serious about its security. It’s especially important if you are selling goods and services online, as you don’t want sensitive data stolen. You also don’t want to risk your site being injected with malware, or someone hacking your site and redirecting all your links somewhere else. To protect your data and your website, use all or many of the WordPress security measures mentioned above. If not, then why not let Bright Spark Media keep an eye on your website for you. We provide daily backups, security monitoring, 1-click restore, 24/7 support and regular updates so your site is safe and secure. Visit our plans page for more details.
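The one-time codes that two factor plugins ask for are normally time-based one-time passwords (TOTP, RFC 6238): the six digits an authenticator app regenerates every 30 seconds from a shared secret and the current time. The Python below is an added example for this page, not the plugin’s own code, showing how such a code is generated and verified. The secret is the published RFC 6238 test vector rather than a real key, and accepting one step either side of the current time to absorb clock drift is an assumption of this example.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # RFC 6238 default time step


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC the counter, dynamically truncate, keep the last digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, digits=6):
    """RFC 6238 TOTP: HOTP over the number of 30-second steps since the epoch."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // STEP_SECONDS, digits)


def verify_totp(secret, code, unix_time=None, window=1):
    """Accept the code for the current step or up to `window` steps either side.

    hmac.compare_digest keeps the comparison constant-time, so a wrong code
    cannot be distinguished from a right one by how quickly it is rejected.
    """
    if unix_time is None:
        unix_time = time.time()
    step_now = int(unix_time) // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, step_now + k), code)
        for k in range(-window, window + 1)
    )


def secret_from_base32(text):
    """Authenticator apps are provisioned with a base32 secret; decode it to bytes."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore padding apps usually omit
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (SHA-1 variant), not a real site's key.
    secret = b"12345678901234567890"
    print("code at T=59:", totp(secret, 59))
    print("verify at T=59:", verify_totp(secret, totp(secret, 59), 59))
    print("stale code at T=150:", verify_totp(secret, totp(secret, 59), 150))
```

Two things matter on the server side beyond the arithmetic: the shared secret is as sensitive as a password and belongs in the database encrypted or otherwise protected, and a code that has already been accepted should not be accepted again within its validity window, or a code observed in transit could be replayed.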