Is WordPress unsafe? Experts believe that the WordPress core is not just well built and secure, but that every major update brings many new security features to the platform. Yet the figures on WordPress sites getting hacked suggest otherwise. A quick Google search for “WordPress hacked” shows that WordPress-powered websites are being hacked almost daily.
A Glance On WordPress Security Statistics
Last year saw 170,000 WordPress sites getting hacked; many of them were compromised in the famous “I am getting paid” attack. This April, a super botnet attack using more than 90,000 IP addresses stormed the platform. It was termed the largest botnet attack ever.
In October, InformationWeek reported a fresh wave of DDoS (distributed denial of service) attacks that took down an MIT (Massachusetts Institute of Technology) blog and the websites of Pennsylvania State University and Stevens Institute of Technology. All of these websites were running WordPress.
How Do You Protect Your WordPress Site From Hackers?
Of course, the first question that pops into your mind after reading the above stats is “Why are so many WordPress sites getting attacked?” or, more importantly, “What should I do to keep my site from getting compromised?”
Worry not: this blog post will walk you through ways to harden your WordPress security and the WordPress security best practices that we at Cloudways recommend to our customers.
The Big 3 Steps To Strengthen WordPress Security
1. Update, update, update:
Always use the latest version, be it of WordPress itself, your theme, or your plugins. Newer versions of WordPress ship with security fixes, which automatically resolves many security issues. For example, the latest WordPress 3.7 can measure password strength in your admin panel and prompts you if your password is weak. [Read: How does WordPress Auto Update Feature Work?]
2. Choose a secure hosting platform:
Your WordPress site holds all your effort; for some, it is the revenue engine. If a business site gets hacked, it not only loses valuable data but also suffers irreparable damage to the company’s reputation. Yet many businesses do not give due importance to the topmost reason for getting hacked: WordPress hosting.
If we look at the facts, 44% of WordPress websites are hacked due to poor hosting and PC malware. The solution is to invest in a secure hosting platform and to have a complete security analysis done every few months.
Cloudways provides this service as an add-on, which includes testing for SQL injection, cross-site scripting, file path traversal, and many other kinds of vulnerabilities. Click here to find out more.
3. Install themes and plugins carefully:
Hackers find attacking a website through its themes and plugins very easy. This is why 29% of WordPress sites are compromised through poorly developed themes, while bad plugins account for a further 22% of hacked WordPress sites.
When installing a theme, make sure it comes from a trusted source. Hackers often distribute copies of an original theme with malicious code hidden inside it, and it is usually only after several months that users find out their site information was being leaked the whole time.
Similarly, never install a plugin that has not been maintained for more than 10 months. If you already have a plugin that is not properly maintained, look for an alternative.
The Smaller 5 Steps To Harden Your WordPress Security
Following the above guidelines will protect your WordPress site in most cases. If you wish to harden your site further, here are five more tips.
(P.S.: Some of these are technical steps. Don’t attempt them yourself if you are not comfortable with code; ask your developer to help you.)
1. Use two-factor authentication:
Also known as multi-factor authentication, it helps protect your WordPress site from login attacks: even if your password is compromised, a verification code is still required to log in.
Today, WordPress security experts strongly recommend using two-factor authentication to keep your site locked against hackers. The WordPress plugin Rublon lets you set up multi-factor authentication on your site.
2. Limit Login Attempts:
By default, WordPress allows unlimited login attempts. This is highly dangerous if a hacker tries to guess your password, or runs a script to do so. To protect your site from these brute-force attacks, limit the number of login attempts per user in addition to using a strong username and password.
The WordPress plugin Limit Login Attempts makes these brute-force attacks almost impossible by capping the number of login attempts.
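As an added illustration of what the limit-login-attempts step does under the hood (example code written for this post, not the Limit Login Attempts plugin's own code), here is a small must-use plugin that counts failed logins per client address in a transient and refuses further authentication once the limit is hit. The `ell_` names, the limit of 5 attempts and the 15-minute lockout are assumed values.

```php
<?php
/*
Plugin Name: Example login attempt limiter
Description: Added illustration of the "limit login attempts" step (not the Limit Login Attempts plugin).
*/
// Drop this file into wp-content/mu-plugins/ so it loads without activation.
// Tunables (assumed values, not from the post):
const ELL_MAX_ATTEMPTS = 5;       // failures allowed before lockout
const ELL_LOCKOUT_SECS = 15 * 60; // lockout length in seconds

// Identify the client. REMOTE_ADDR is only trustworthy when PHP sees the real
// client address; behind a reverse proxy or CDN, configure the web server to
// restore the client IP from the proxy's header instead of trusting it here.
function ell_client_key() {
    return 'ell_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count each failed login. Transients expire on their own, so no cron job or
// custom table is needed; re-setting the transient also extends the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ell_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, ELL_LOCKOUT_SECS );
    if ( $count >= ELL_MAX_ATTEMPTS ) {
        // Leave a trail for whoever reviews the logs.
        error_log( sprintf( 'login lockout: ip=%s last_user=%s',
            $_SERVER['REMOTE_ADDR'] ?? '-', $username ) );
    }
} );

// Refuse authentication while locked out. Priority 30 runs after WordPress's
// own username/password check (priority 20), so the lockout applies even when
// the submitted password is correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( ell_client_key() ) >= ELL_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( ell_client_key() );
} );
```

Because the counter is keyed on the client address, a shared office NAT or an attacker rotating addresses will behave differently from a single machine; the plugins named in this post add per-username limits for that reason.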
3. Disable Theme and Plugin Editors:
By default, the WordPress dashboard allows administrators to edit theme and plugin files. If your site has many admins, this can become a problem. Tweaking the wp-config.php file disables this. Similarly, with small changes you can also remove admins’ ability to install plugins and themes.
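The wp-config.php settings behind small step 3, together with the auto-update setting that big step 1 relies on, as an added example fragment rather than Cloudways' own configuration:

```php
<?php
// Added example wp-config.php fragment (not Cloudways' configuration).
// Place these lines above the "/* That's all, stop editing! */" comment.

// Small step 3: remove the Appearance > Editor and Plugins > Editor screens, so a
// compromised or careless admin account cannot write arbitrary PHP through the
// dashboard. Files can still be changed over SFTP or with WP-CLI.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter option from the same step: also block installing, updating and
// deleting themes and plugins from the dashboard. Only enable this if you deploy
// code another way, because it disables the dashboard update buttons AND the
// background auto-updater configured below.
// define( 'DISALLOW_FILE_MODS', true );

// Big step 1: keep core on the auto-update track introduced in WordPress 3.7.
//   'minor' = security and maintenance releases only (the 3.7 default)
//   true    = minor and major releases
//   false   = no automatic core updates (you must update by hand)
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
```

After saving, the Editor entries disappear from the admin menu; if they are still there, the constants were placed below the "stop editing" comment or a plugin is overriding them.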
4. Change your admin URL:
By default, every WordPress site has its admin URL at website/wp-admin or website/wp-admin.php. Most attacks and hacking attempts target this URL. Create a custom admin URL that hackers cannot guess, for example website/banana.
5. Hide WordPress under the bonnet:
Hiding the details of the application you are running adds an extra layer of protection. With simple tools, hackers can reveal not just which application is running but also its version.
The easiest way to tell whether a website runs WordPress is through the header. Most websites serve content through URLs like http://createmyid.net/wp-content/uploads/2013/07/content-bg.png; the wp-content path clearly shows that it is a WordPress-based website.
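As an added example for this step (code written for this post, not from the original or from any named plugin), a must-use plugin that removes the places where WordPress prints its own version number: the generator meta tag, the feed generator element, and the `?ver=` query string on core scripts and styles. The `efr_` names are assumed; renaming wp-content is a separate wp-config.php change (WP_CONTENT_DIR / WP_CONTENT_URL) not shown here.

```php
<?php
/*
Plugin Name: Example WordPress fingerprint reducer
Description: Added illustration of the "hide WordPress under the bonnet" step.
*/
// Drop this file into wp-content/mu-plugins/.

// 1. The <meta name="generator" content="WordPress x.y"> tag in every page head
//    and the <generator> element in RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. The ?ver=x.y query string WordPress appends to its own scripts and styles.
//    Only strip the core version: plugins and themes set their own ver values,
//    and dropping those breaks cache-busting when they update.
function efr_strip_core_version( $src ) {
    $query = array();
    parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );
    if ( isset( $query['ver'] ) && $query['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'efr_strip_core_version' );
add_filter( 'script_loader_src', 'efr_strip_core_version' );
```

This only makes fingerprinting harder; an unpatched site with its version hidden is exactly as vulnerable as before, so step 1 (updating) remains the fix that actually closes the hole.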
BONUS: Best WordPress Security Plugins To Use This Year (& In 2014)
As online security concerns build up every single day and hackers look for loopholes to get into your WordPress site and knock you to the floor, there is a dire need for us to become an iron wall in front of them. To protect our integrity, we need fists (WordPress security plugins) to defend us.
Here are some expert-recommended plugins for WordPress security:
1. Wordfence Security: I personally prefer Wordfence Security. Not only do the developers make sure to update the plugin regularly, it provides everything a website needs. The best thing: it is absolutely free. Its features include anti-virus scanning, cell phone sign-in (two-factor authentication), malicious URL scanning, and a real-time view of traffic.
2. Better WP Security: It is one of the most trusted WordPress security plugins, with over 1 million downloads. It is an all-in-one security plugin that removes vulnerabilities, protects your site from attacks, and lets you create automated database backups.
3. BulletProof Security: With a rating of 4.8 out of 5, BulletProof Security is a complete solution for preventing hack attempts. It protects against XSS, RFI, CRLF, CSRF, Base64, code injection, SQL injection, and other types of intrusion.
WordPress Security: The Cloudways Methodology
At Cloudways, we have kept a close eye on WordPress and its security issues. With hundreds of customers on board for almost half a decade, there have been no major reports of our customers’ online presence being compromised.
This is why our customers trust us with their websites and have given our services a 94% satisfaction rate. Find out more about how Cloudways provides industry-standard management for WordPress sites.
Make Your WordPress Website 100% Faster.
Host it now on Cloudways WordPress Hosting Platform.