WordPress

How To Fortify Your Website To Ensure Maximum Security

by Katarzyna Nawrocka

Keeping up with WordPress Security is a part of maintaining your website, not a one-time task. Running regular backups, updating WordPress versions, managing passwords, and checking plugins or themes sounds like an awful chore, but trust me - it’s all worth it. Hacking is pretty much like the Spanish Inquisition - nobody expects it. Luckily, there are steps that you can take to make it way less likely to happen!

Why You Should Care About WordPress Security

Mama always told you to stay safe while surfing the Web. To be aware of the Big Bad Wolf who’s out there somewhere. Over the years, you’ve probably grown accustomed to the constant thought in the back of your head that using the Net is not entirely safe. You know that you should be careful while shopping or banking online, typing in your credit card or Social Security number, and so on (oh, and following the link sent by the infamous African prince who selected you to be his only heir). Hackers can make good use of these personal details. I mean, good for them, but very, very bad for you.

But what does any of this have to do with WordPress security? Why would the “bad guys” want to hack your humble, harmless website, one that doesn’t bother anyone and doesn’t even hold any “valuable” data waiting to be stolen? Why would someone even bother to attack it?

The truth is, hacking is a matter of opportunity more than anything else. If your website isn’t air-tight, don’t stop to wonder whether there’s anything on it worth stealing. Act straight away. In over half of the cases, the attackers aren’t even after your data: 55% of attacks aim either to send spam or to plant a malicious redirect. They may also use your website for SEO spam (so-called black-hat SEO, used to artificially boost someone else’s Google ranking, e.g., by overwriting your content or links). All of these pay off only at scale, across thousands of small websites with relatively little protection, and the attacks are automated accordingly: nobody picks your site by hand. So once a hacker finds a way into a popular plugin or an unpatched WordPress version, the same exploit works against every site running it. Including yours.

Wait, Is WordPress Even Secure?!

Statistics show that WordPress sites suffer almost 100,000 attack attempts per minute, and that more than 70% of websites running WordPress are vulnerable. Big numbers, right? Then why do we even use the term “WordPress security” if the platform doesn’t sound secure at all?

First of all, no website is entirely hack-proof. But this doesn’t mean you can’t significantly decrease the chance of being compromised.

Second of all, the main reason behind these statistics is that tons of websites never update. Some of them still run WordPress 2.0. The WordPress security team continually improves the platform by releasing new versions and patches that are as close to air-tight as they can get. Some vulnerabilities were fixed within 40 minutes of discovery, and with over 2,500 risks patched since the first release, it really can’t be said that WordPress isn’t safe to work with. What is unsafe is running a version whose fixes you never installed.

Paying little attention to your platform’s version is pretty much like playing with fire. One analysis found that 36.7% of hacked WordPress sites were compromised because they weren’t up to date. Updating WordPress is the #1 thing you can do to keep attackers out of your website. None of the extra effort below makes any difference if you skip this step.

What else can you do to keep your WordPress secure?

WordPress Security May Not Sound Sexy, But Trust Me - It Is

According to WPTemplate.com, the most common WordPress entry points for hackers are hosting vulnerabilities, themes, plugins, and weak passwords. Wordfence states that plugins account for nearly 60% of all attacks. That’s why it’s good practice to keep your plugins updated and to stay away from abandoned ones: when a vulnerability turns up in an abandoned plugin, there is nobody left to fix it, and removing the plugin becomes your only patch. Always pay attention to the details when looking for a new plugin or theme; if anything looks even slightly shady to you, it’s wiser to step back and look for something else. If a plugin hasn’t been updated in more than six months, consider replacing it as well. WordPress releases new versions three to four times a year, so if the plugin you’re after hasn’t been updated to work with the latest release, there’s a good chance it’s an open door for hackers. And uninstall the plugins you no longer use rather than merely deactivating them: a deactivated plugin’s files are still on the server and still reachable.

What’s more, you should update WordPress as soon as a new version is released. A report by Sucuri shows that after one specific security patch was released, over a million sites got hacked simply because they didn’t update immediately. A security release is basically an open invitation for hackers: the changelog tells them what was fixed, comparing the old and new code tells them how to trigger the bug, and then they scan for everyone who was too lazy or too busy to act straight away. Leave automatic updates for minor (security) releases switched on; WordPress has shipped them enabled by default since version 3.7.

Also, consider changing your password for a longer one (especially if it’s been [YourName]123 since 2008) and your username for something less obvious than admin or [YourNameAndSurnameThat’sBasicallyEverywhereOnYourSite]. These measures make brute-force attacks, where a script feeds in username and password guesses until one works, far less likely to succeed. Be aware that renaming the account helps less than you might hope: WordPress reveals usernames through author archive URLs and the REST API’s users endpoint, so the password is what really carries the weight. If you think 1qaz2wsx or 123456 are good passwords, think again. Also, if your website offers user accounts, enforce a strong password policy for everyone, because the weakest account with edit rights is the one the attacker will use. Consider adding a two-factor authentication plugin for maximum security; with it, a guessed or leaked password alone isn’t enough to get in.

If you think a more complex password looks like ht%#428f*a, then I’m about to burst your bubble. Swapping letters for numbers and special characters was indeed considered good practice, but that was twenty years ago. In the olden Internet days, when computers were slow and hackers had fewer tools, brute-force attacks were tough to perform. Instead, attackers ran simple automated tools that tried popular words until one fit. It was a bit like what you’ve seen in the movies: what could this guy’s password be? Well, he has a banner on his website saying he loves Manchester United, so let’s try that. Didn’t work? Okay, how about AlexFerguson? Are we in? Yay! Today’s cracking tools do exactly that, only at millions of guesses per second and with the obvious substitutions built in: P@ssw0rd and M4nch3ster! are on the list too, so trading a few letters for symbols buys you almost nothing. A truly random 10-character string is strong, but almost nobody picks one at random or remembers it, which is why the practical advice has changed.

In 2020, it’s better to strengthen your password by adding a word or two (or five, if you fancy). Yup, a word. An actual word. Every character you add multiplies the number of combinations an attacker has to try, so a 30-character password outruns anything modern hardware can brute-force. If you’re feeling extra sneaky, consider using two lines of a song you like. The chorus line of What Does The Fox Say may not do the job here, but isthisthereallifeisthisjustfantasycaughtinthelandslidenoescapefromreality is a whopping 74 characters! (Just don’t use it now, okay? Famous lyrics and quotes are in the cracking wordlists too, so pick lines nobody would guess, string together several unrelated words, or let a password manager generate and remember the whole thing.)
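To make the “length over complexity” policy concrete, here is an added example (not code from the article or from WP Kraken) of a must-use plugin that enforces it on every account: the dashboard’s Add New User form, every profile edit that sets a password, and the password-reset form all run through the same check, so nobody on the site can pick “password” again. The 16-character minimum, the tiny denylist and the wpk_ function names are my assumptions; in production, feed the denylist from a real breached-password list.

```php
<?php
/**
 * Plugin Name: Passphrase policy (added example)
 * Description: Enforce length over character classes on every account.
 * Place this file in wp-content/mu-plugins/ so it loads without activation.
 */

// Assumed policy values, not taken from the article.
const WPK_MIN_PASSWORD_LENGTH = 16;

// Constructed denylist for the example; use a real breached-password list in production.
const WPK_COMMON_PASSWORDS = array( 'password', '123456', '1qaz2wsx', 'qwerty', 'letmein' );

/**
 * Check a candidate password. Returns true on success, or a WP_Error listing
 * every rule it breaks. There is deliberately no character-class rule:
 * a long plain sentence passes, a short symbol soup does not.
 */
function wpk_check_password( $password, $user_login = '' ) {
    $errors = new WP_Error();
    $lower  = strtolower( $password );

    if ( mb_strlen( $password ) < WPK_MIN_PASSWORD_LENGTH ) {
        $errors->add(
            'too_short',
            sprintf( 'Use at least %d characters; a few unrelated words or a sentence is fine.', WPK_MIN_PASSWORD_LENGTH )
        );
    }

    if ( in_array( $lower, WPK_COMMON_PASSWORDS, true ) ) {
        $errors->add( 'common', 'That password is on the common-password list.' );
    }

    if ( '' !== $user_login && false !== strpos( $lower, strtolower( $user_login ) ) ) {
        $errors->add( 'contains_login', 'The password must not contain the username.' );
    }

    return $errors->has_errors() ? $errors : true;
}

/** Copy the policy's messages onto the WP_Error that WordPress will display. */
function wpk_report( WP_Error $target, $password, $user_login ) {
    $result = wpk_check_password( $password, $user_login );
    if ( is_wp_error( $result ) ) {
        foreach ( $result->get_error_messages() as $message ) {
            $target->add( 'pass', '<strong>Error</strong>: ' . esc_html( $message ) );
        }
    }
}

// Dashboard: "Add New User" and every profile edit that sets a password.
// WordPress aborts the save when $errors is non-empty after this action.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $_POST['pass1'] ) ) {
        $login = isset( $user->user_login ) ? $user->user_login : '';
        wpk_report( $errors, wp_unslash( $_POST['pass1'] ), $login );
    }
}, 10, 3 );

// wp-login.php?action=resetpass, which is also where self-registered users
// choose their first password.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( ! empty( $_POST['pass1'] ) && ! is_wp_error( $user ) ) {
        wpk_report( $errors, wp_unslash( $_POST['pass1'] ), $user->user_login );
    }
}, 10, 2 );
```

Because it lives in mu-plugins, no administrator can deactivate it from the dashboard, and because the check is a plain function you can unit-test it without a running site. The policy is deliberately silent about digits and symbols: the 74-character lyric above sails through, while ht%#428f*a is rejected for being too short.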

To take your WordPress security even further, make sure you back up your website regularly. I know, it’s a pain in the you-know-what. But it can also save your you-know-what in many ways. So put a recurring event into your calendar, set notifications on your phone, stick a post-it to your monitor, whatever works for you. Better still, automate it, keep the copies somewhere other than the web server (a backup stored next to the site disappears along with it when the server is wiped or the attacker deletes it), and try restoring one now and then so you know it actually works. Make sure to run an extra backup before upgrading to the newest WordPress version as well (you still remember that it’s essential, right?).

Other measures you should take to ensure WordPress security are choosing a reputable hosting provider and running regular malware scans. You can also consider extra steps, like moving your login page to a non-standard address, setting unique security keys and salts in wp-config.php (replacing them also signs every user out, which is handy right after a clean-up), or hiding the WordPress version number your site advertises. Treat the moved login page and the hidden version number as small extras rather than defences in their own right: an attacker with an exploit doesn’t need to know your version to try it, and a moved login page is still found by anyone who looks, so neither replaces updating.
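As an added example (again not code from the article or from WP Kraken), here is a second must-use plugin covering two of the points above: it throttles the brute-force guessing described earlier by refusing logins from a client that has failed too often, and it stops the site from advertising its WordPress version in the page head, the feeds and core asset URLs. The 5-failures-in-15-minutes limit, the wpk_ names and the assumption that the web server sees the client’s real IP are mine.

```php
<?php
/**
 * Plugin Name: Login throttle and version hiding (added example)
 * Place this file in wp-content/mu-plugins/.
 */

// Assumed limits, not from the article: 5 failures per client in 15 minutes.
const WPK_MAX_FAILURES   = 5;
const WPK_FAILURE_WINDOW = 15 * MINUTE_IN_SECONDS;

/**
 * Transient key for the requesting client. Assumes the web server talks
 * straight to the client; behind a reverse proxy or CDN, read the proxy's
 * trusted client-IP header instead, or every visitor shares one bucket.
 */
function wpk_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'wpk_login_fail_' . md5( $ip );
}

/**
 * Count a failed login. The window restarts on every failure, and a refused
 * (throttled) attempt also fires this hook, so the lock extends while guessing continues.
 */
function wpk_record_failure( $username ) {
    $key   = wpk_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, WPK_FAILURE_WINDOW );
}
add_action( 'wp_login_failed', 'wpk_record_failure' );

/**
 * Refuse to authenticate a throttled client even when the password is right.
 * Priority 30 runs after core's password check at 20, so our WP_Error wins.
 */
function wpk_block_throttled( $user, $username, $password ) {
    if ( (int) get_transient( wpk_client_key() ) >= WPK_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins from your address. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'wpk_block_throttled', 30, 3 );

// Forget the counter once the client logs in successfully.
add_action( 'wp_login', function () {
    delete_transient( wpk_client_key() );
} );

// Stop advertising the version: <meta name="generator"> in the head and the
// generator line in feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Drop the ?ver= query string from core scripts and styles only when it equals
 * the WordPress version, so plugin and theme assets keep their cache-busting.
 */
function wpk_strip_core_version( $src ) {
    global $wp_version;
    if ( ! $src ) {
        return $src;
    }
    parse_str( (string) wp_parse_url( $src, PHP_URL_QUERY ), $args );
    if ( isset( $args['ver'] ) && $args['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'wpk_strip_core_version', 9999 );
add_filter( 'style_loader_src', 'wpk_strip_core_version', 9999 );
```

Two caveats a practitioner should keep in mind. The throttle counts per source address, so a botnet spreading its guesses over thousands of addresses slips under it; that is exactly the gap a long password and two-factor authentication close. And hiding the generator tag is cosmetic: readme.html, the hashes of files under wp-includes, and the behaviour of known bugs all still reveal the version to a scanner, which is why updating, not hiding, is the actual fix.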

Still Doubting If It All Makes Sense?

If you still doubt if it’s all worth it, then consider this: a snarky hacker may compromise your website’s reputation by putting up content you definitely don’t wanna see there. Think weight loss miracle pills on a body-positive website or, even worse, porn ads on a kids-friendly blog. Even if you manage to get back the control over your site, the results may stick with you forever. Remember: not everyone will recognize that it wasn’t you who put the content there.

If you’d rather see an example, Jess at TheTravelista, an award-winning travel blog built on WordPress, shared her experience of discovering her blog had been hacked. She admits it was one of the most stressful things that ever happened to her. And the worst part was that Jess had no idea about the risk at all, as web safety isn’t a widely discussed topic in the blogosphere. Fixing the website cost her over £250 and resulted in the lowest traffic she’d seen in months. On top of that, Jess ran into another problem when she discovered that both her hosting provider AND her initial choice of web security company had been the wrong choice. Today, her website is safe and sound, but the prospect of five years of work going up in smoke was terrifying and stressful.

Whoa, WordPress Security Sounds Like a Nightmare!

I can guess what you’re thinking right now. Your website may be a huge part of your life, perhaps even an essential one, but there’s no way you can do all that on top of your usual tasks. Keeping up with WordPress security measures sounds like you should literally work around the clock and never even blink, because you might miss something important.

That’s where we step in. WP Kraken can run security and performance audits for all kinds of websites. We look at the site from several angles to cover the holes attackers actually use. Starting with updating WordPress and PHP, SSL certificate details, and checking for injected spam, we then move on to more detailed aspects such as security headers, outdated plugins, and themes. Finally, we recommend extra measures that would raise your website’s security and improve its user experience.

As a result, you receive an up-to-date, hardened WordPress website complete with over twenty different features. They act like armor that shields you against present and future risks and does the hard work for you.

Before You Freak Out...

WordPress security is a serious matter and should never be underestimated. Sure, building a fortress around your website is complicated and will take a lot of time (and money), but there are steps you can take literally this second and entirely for free. 

If you’re running an old, outdated version of WordPress, installing plugins or themes without a second thought, keeping unsupported ones around, and your password is “password”, you’re asking for it. So think twice, purge the plugins you don’t need, and double-check everything you install. In short: think ahead and act before the disaster happens, not after.

Then head to WP Kraken to see what else you can do to keep your WordPress secure.

Please let me know in the comments how you use WP Kraken. If you have any improvements in mind, please do let us know. We are open to any suggestions.
