Stop Getting Hacked: 8 WordPress Security Tips To Keep Hackers At Bay

by Mehdi KaramAli  November 12, 2013

Is WordPress unsafe? Experts believe that not only is the WordPress core well built and secure, but every major update adds more security features to the platform. Yet the number of WordPress sites getting hacked says otherwise. A quick Google search for “WordPress hacked” shows WordPress-powered websites being compromised almost daily.

A Glance On WordPress Security Statistics

Last year saw 170,000 WordPress sites getting hacked, many of them compromised in the famous “I am getting paid” attack. This April, a super botnet attack using more than 90,000 IP addresses stormed the platform. It was termed the largest botnet attack ever.

In October, InformationWeek reported a fresh wave of DDoS (distributed denial of service) attacks that took down an MIT (Massachusetts Institute of Technology) blog and the websites of Pennsylvania State University and Stevens Institute of Technology. All of these websites were running WordPress.

How Do You Protect Your WordPress Site From Hackers?

Of course, the first question that pops into mind after reading the above stats is: “Why are so many WordPress sites getting attacked?” or, more importantly, “What should I do to keep my site from getting compromised?”

Worry not: this blog post will show you ways to harden your WordPress security, and what we at Cloudways recommend to our customers as WordPress security best practices.

The Big 3 Steps To Strengthen WordPress Security

1. Update, update, update:

Always run the latest version, whether of WordPress itself, your theme, or your plugins. Newer versions of WordPress ship with security fixes, which automatically resolves many security issues. For example, the latest WordPress 3.7 can measure the strength of your password in the admin panel and prompts you if it is weak. [Read: How does WordPress Auto Update Feature Work?]

2. Choose a secure hosting platform:

Your WordPress site contains all your effort. For some, it is the revenue engine. If a business site gets hacked, it not only loses valuable data but also suffers irreparable damage to the company’s reputation. Yet many businesses do not give due importance to the topmost reason for getting hacked: WordPress hosting.

If we look at the facts, 44% of WordPress websites are hacked because of poor hosting and PC malware. The solution lies in investing in a secure hosting platform and getting a complete security analysis done every few months.

Cloudways provides this service as an add-on, which includes testing for SQL injection, cross-site scripting, file path traversal, and many other kinds of vulnerabilities. Click here to find out more.

3. Install themes and plugins carefully:

Hackers find it very easy to attack a website through its themes and plugins. This is why 29% of WordPress sites are compromised through poorly developed themes, while bad plugins account for another 22% of WordPress sites getting hacked.

When installing a theme, make sure it comes from a trusted source. Hackers often distribute copies of an original theme with malicious code hidden inside. Usually it takes users several months to find out that their site data was being leaked the whole time.

Similarly, never install a plugin that has not been maintained for more than 10 months. If you already use a plugin that is not properly maintained, look for an alternative.

The Smaller 5 Steps To Harden Your WordPress Security

Following the guidelines above will protect your WordPress site in most cases. If you want to make your site even more secure, here are five more tips.

(P.S.: Some of these are technical steps. Don’t do them yourself if you are not into coding; ask your developer to help you with them.)

1. Use two-factor authentication:

Also known as multi-factor authentication, it protects your WordPress site from login attacks. Even if your password is compromised, a verification code will still be required to get in.

Today, WordPress security experts strongly recommend using two-factor authentication to keep your site locked against hackers. The WordPress plugin Rublon sets up multi-factor authentication on your site.

2. Limit Login Attempts:

By default, WordPress allows unlimited login attempts. This is highly dangerous if a hacker tries to guess your password or has a script for the purpose. To protect your site from these brute-force attacks, limit the login attempts allowed per user, in addition to using a strong username and password.

The WordPress plugin Limit Login Attempts makes these brute-force attacks nearly impossible by capping the number of login attempts.
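As an added example (not the plugin's code and not from the original post), here is a minimal must-use plugin that does the same job with core WordPress hooks: it counts failed logins per client address in a transient and refuses further authentication once the limit is reached. The thresholds are constructed, and it assumes REMOTE_ADDR is the real client address (no reverse proxy in front).

```php
<?php
/*
 * Plugin Name: Simple Login Limiter (added example, not a published plugin)
 * Drop this file into wp-content/mu-plugins/ to activate it.
 */

// Constructed thresholds: 5 failures within 15 minutes lock that address out for 15 minutes.
define( 'SLL_MAX_ATTEMPTS', 5 );
define( 'SLL_WINDOW', 15 * MINUTE_IN_SECONDS );

// Transient key for the calling client. Assumes no reverse proxy; behind one,
// REMOTE_ADDR is the proxy and the real address must come from a trusted proxy header.
function sll_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'sll_fail_' . md5( $ip );
}

// Count every failed login (including attempts refused by the lockout below,
// which keeps extending the window while the attempts continue).
add_action( 'wp_login_failed', function ( $username ) {
    $key   = sll_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, SLL_WINDOW );
    if ( SLL_MAX_ATTEMPTS === $count ) {
        // Record the lockout in the PHP error log so it shows up in monitoring.
        error_log( sprintf( 'Login lockout: %s after %d failures (last username tried: %s)',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?', $count, $username ) );
    }
} );

// Refuse authentication for a locked-out client. Priority 30 runs after core's own
// username/password check (priority 20), so even a correct password is rejected
// while the lockout is active.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( sll_client_key() ) >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( sll_client_key() );
} );
```

Because the counter is keyed by address, users behind one shared NAT address lock each other out; a per-username counter with a separate threshold is the usual refinement.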

3. Disable Theme and Plugin Editors:

By default, the WordPress dashboard allows administrators to edit theme and plugin files. If your site has many admins, this can become a problem. A tweak to the wp-config.php file disables it. Similarly, with a small change, you can also remove admins’ ability to install plugins and themes.
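The two wp-config.php constants behind those tweaks, shown as an added example rather than code from the original post; the weaker default is shown next to the hardened setting.

```php
<?php
// Added example: hardening constants for wp-config.php. Put them above the line
// that loads wp-settings.php; anything defined after that point comes too late.

// The default (constant undefined) behaves like:
//   define( 'DISALLOW_FILE_EDIT', false );
// which leaves the Theme Editor and Plugin Editor in the dashboard, so anyone
// holding an admin session, including an attacker with a stolen one, can write
// PHP into a theme or plugin straight from the browser. This removes the editors.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter: also block installing, updating and deleting plugins and themes from
// the dashboard. Caveat: this disables dashboard updates and the automatic
// background updater as well, so only enable it if you update through
// deployment or WP-CLI instead.
define( 'DISALLOW_FILE_MODS', true );
```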

4. Change your admin URL:

By default, every WordPress site has its admin URL at website/wp-admin or website/wp-admin.php. Most attacks and hacking attempts target this URL. Create a custom admin URL that hackers cannot guess, for example website/banana.

5. Hide WordPress under the bonnet:

Hiding the details of the application you are using adds an extra layer of protection. With simple tools, hackers can reveal not just which application is running but also its version.

The easiest way to tell whether a website uses WordPress is through its headers and URLs. Most WordPress sites serve content through URLs like http://createmyid.net/wp-content/uploads/2013/07/content-bg.png, and the wp-content path clearly shows that it is a WordPress-based site.
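As an added example (not from the original post), this snippet for a theme's functions.php or a small plugin removes the places where WordPress prints its own version by default. It hides the version, not the platform: the wp-content path in the URL above still identifies WordPress, and this is obscurity on top of updating, not a substitute for it.

```php
<?php
// Added example: stop WordPress from advertising its version number.

// 1. Remove <meta name="generator" content="WordPress x.y"> from the page <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. RSS and Atom feeds print the generator separately; blank it there too.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core appends ?ver=<wordpress version> to its own scripts and stylesheets.
//    Strip it only when it matches the core version, so plugin and theme
//    asset versions (used for cache busting) are left alone.
function hide_wp_version_in_assets( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'hide_wp_version_in_assets', 9999 );
add_filter( 'script_loader_src', 'hide_wp_version_in_assets', 9999 );

// Not fixable from PHP: readme.html in the web root also states the version.
// Delete it after each update, or deny access to it in the web server config.
```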

BONUS: Best WordPress Security Plugins To Use This Year (& In 2014)

As online security concerns mount every day and hackers keep looking for loopholes to get into your WordPress site and knock it down, we need to become an iron wall in front of them. To protect our integrity, we need fists (WordPress security plugins) to defend us.

Here are some expert-recommended WordPress security plugins to go with:

1. Wordfence Security: I personally prefer Wordfence Security. Not only do the developers update the plugin regularly, it provides everything a website needs. The best thing: it is absolutely free. Its features include anti-virus scanning, cell-phone sign-in (two-factor authentication), malicious URL scanning, and a real-time view of traffic.

2. Better WP Security: One of the most trusted WordPress security plugins, with over 1 million downloads. It is an all-in-one security plugin that removes vulnerabilities, protects your site from attacks, and lets you create automated database backups.

3. BulletProof Security: With a rating of 4.8 out of 5, BulletProof Security is a complete solution for preventing hack attempts. It protects against XSS, RFI, CRLF, CSRF, Base64, code injection, SQL injection, and other types of intrusion.

WordPress Security: The Cloudways Methodology

At Cloudways, we have kept a close eye on WordPress and its security issues. With hundreds of customers on board for almost half a decade, there have been no major reports of our customers’ online presence being compromised.

This is why our customers trust us with their websites and have reported a 94% satisfaction rate with our services. Find out more about how Cloudways provides industry-standard management for WordPress sites.


About Mehdi KaramAli

Mehdi KaramAli worked as a Digital Content Producer for Cloudways. Apart from exploring new trends in the cloud, he keenly follows startups and is passionate about mountaineering.


  • Mehdi, great post! Keeping website owners aware of the security threats they face every day from all over the globe helps everybody to prevent attacks before they happen. Thank you very much for this.

    As the inventor of Rublon, I’d like to emphasize the importance of two-factor authentication. Password theft, phishing and brute force attacks are a common way of getting unauthorized access to administrator accounts. These loopholes disappear if you make the password just one part that is needed for a successful login. Protecting your account with Rublon also allows you to use a simpler password that you can remember.

    • Saad Durrani

      Well, I hate two-factor honestly. However, you raised a very valid point, Michal. Two-factor indeed paves the way for more ‘rememberable’ passwords and it kills something I hate too: stuffing numbers in my password. I guess two-factor is the way to go. Thanks for developing Rublon!

      • People who stated that they hate 2FA said that they really like Rublon because after setting up a trusted device once, all you have to do is just enter your password, across all(!) websites that use Rublon. There is no more need to use your mobile phone each time you want to log in. The Rublon mobile app is a central place from which you can manage all your trusted devices.

        Check out the review by Windows Phone Central:
        http://www.youtube.com/watch?v=JNorW7vvMR0

        • Saad Durrani

          This really looks awesome. Thanks!

    • Mehdi KaramAli

      Thanks @michalwww:disqus for stopping by and appreciating this post. Plugins like that of yours truly make it easier for businesses to secure their WordPress websites. While two-factor authentication is highly important, do share with us any other security tip that you feel can help in creating a secure WordPress environment.

  • Mark Stanislav

    Nice post! If your visitors are looking for an enterprise-level solution (many CMS deployments are powering F500 companies these days), Duo Security can protect WordPress and also has pre-packaged support for everything from VPNs to RDP to SSH. It’s great to protect a single application like WordPress but taking a comprehensive approach to two-factor is where you really begin to see the benefit.

    Good note about themes needing to be updated. It’s common for users to not even realize that a large number of compromised WordPress installs come from themes. Everyone always thinks plugins are the only failure of security!
