WordPress is the world’s most influential and widely used content management system (CMS). It currently has roughly 63% of the market share for all CMS websites and is used to power nearly 43% of all websites.
With over 800 million websites using WordPress, it pays to keep them secure, and it’s even more critical if you have an eCommerce site. My name’s Seb, and I’m a WordPress developer at Fhoke, a London-based web design agency, so I deal with WordPress and website security daily. Part of my responsibilities includes ensuring all our client sites are kept up to date, perform well, and, most importantly, are secure.
Knowing where to start regarding security is hard, especially if you’re not involved in the tech industry. So over the next few months, I’ll assemble a five-part series of articles around WordPress security. In my first instalment, I’ll take you through some essential tips you can use right now to help keep your WordPress site safe. If you’re an existing client and you’re reading this, we’ve got you covered but feel free to call; we love a chat and would be happy to answer any of your questions.
Understanding the Importance of WordPress Security
WordPress security is not something to be taken lightly. With the increasing number of cyberattacks and data breaches, it is essential to prioritize the security of your WordPress site. Many people underestimate the importance of WordPress security and assume that their website is safe from potential threats. However, this is far from the truth.
WordPress is the most popular content management system in the world, which makes it a prime target for hackers and malicious attackers. They exploit vulnerabilities in poorly secured websites to gain unauthorized access and compromise sensitive information. Everything can be at risk, from personal data to financial transactions, if your WordPress site is not adequately secured.
According to an analysis by CyberNews, the average time it takes to detect a website hack is 86 days, giving hackers ample time to wreak havoc on your site and potentially spread malware to your visitors.
One of the most critical aspects of WordPress security is the choice of a hosting provider. Opting for reliable and secure WordPress hosting can significantly reduce the risk of security breaches. A good hosting provider will have robust security measures, such as firewalls, regular backups, and malware scanning. They will also offer automatic updates to protect your site against the latest security threats.
Understanding the importance of WordPress security is the first step towards protecting your website and its users. By implementing the necessary security measures, you can ensure your site’s confidentiality, integrity, and availability. So, let’s dive into the ten tips for securing your WordPress site and keeping it safe.
1 Don’t Use WordPress Plugins with Low Ratings
There are a vast number of WordPress plugins available from the WordPress plugins directory. However, there’s a small problem, most of them are free. So why is that a problem, you might be asking? Well, not everything that comes free will have the same level of care and attention that a good, paid-for product gets. The WordPress development community’s passion for everything it does is fantastic, but sometimes a few bad apples get through.
A study conducted by WP White Security found that outdated plugins are the leading cause of WordPress website hacks, with 54% of hacked sites having outdated plugins.
We’re not suggesting all free WordPress plugins will be of poor quality; we use many for our client sites. Before you even download one, the best tip we can offer is to take your time to look at the reviews and be dubious about newer WordPress plugins that are yet to be rated. It pays to be cautious in the long run rather than losing your entire site because you didn’t want to spend five minutes looking at what others had to say.
2 Don’t Use Admin as Your Username
The default username for WordPress is “admin”, which is an easy target for hackers trying to gain access. Considering that around 43% of all websites are hosted on WordPress, it’s not hard to imagine people trying to hack the one account that most sites will have.
We do this on all our website builds, and something you should always do when setting up a new WordPress site. However, some WordPress plugins can help you do this after setting up your site.
One of those WordPress plugins is Username Changer, and it does exactly what it says on the box.
Research by GoDaddy shows that using weak passwords is one of the main reasons behind hacked WordPress websites; 52% of users don’t change their default username or password.
3 Use Secure WordPress Hosting
Hosting is something that plays a massive role in the security of your website. A study found that 40% of hacked WordPress sites were down to the hosting company, not WordPress itself.
It doesn’t have to cost you an arm and a leg, as you can get very good web hosting at reasonable prices. Investing in your hosting should always be a top priority, no matter what.
When finding a good host, try to stick with reputable, well-known companies as they have a higher level of expectation around their services. We like to suggest Flywheel or WP Engine to our clients. As managed hosting Their support teams are always around and more than happy to help with any questions you might have.
4 Avoid Using Free WordPress Themes
You can download free themes from most places, but don’t be sucked in by every offer. Please make sure you look into the site you’re getting it from and make sure they are reputable. Free themes can come back and bite you in the ass if you don’t.
Firstly, free themes tend to be slapped together quickly and generally lack the good, well-tested code you need for a CMS-powered site. This can lead to security issues, styles not looking right or generally not working correctly and breaking your site.
Lastly, these “free” themes can occasionally be free versions of paid themes and are usually a way for hackers to gain access to your site. The idea is that they get a paid theme, inject malicious code into it and give it away for free. The problem is that people who don’t understand code will grab these free themes as they’re unwilling to pay for them. You’re essentially uploading a backdoor so the hacker can access your server.
5 Use a Strong WordPress Password
We’ve lost count of the number of times we’ve been asked to look into the security or functionality of a WordPress site, only to be told the password is barely more secure than “123”. If you’re getting serious about security, updating your password, especially the passwords of others who have access to your site, is where you should start.
A good password will usually contain a mixture of numbers, letters and symbols. This makes it much harder for anyone trying to guess your password, eventually leading to them giving up. Whereas if your password is easy, like the “123” example above, then a few tries, and they’ll be logged in to your account.
Rubbish at remembering strange passwords? We recommend you look at 1Password. It’s perfect for storing all your site logins and website hosting details. We use it here at Fhoke, and it’s an invaluable tool for our day-to-day work.
6 Delete Unused WordPress Themes and WordPress Plugins
When you first install WordPress, it comes with a bunch of pre-made themes and WordPress plugins for you to use right off the bat. This is great when you first set up your site, but it can be an issue on some web hosts when there are another five or six pre-made themes or plugins.
If you don’t keep on top of those themes and WordPress plugins, it can lead to security holes. This isn’t such a problem when you’re only using one or two and don’t activate the others, but if your site gets hacked and one of those themes or WordPress plugins is infected, it will stay infected without you knowing.
If you are hacked, you can clean up the ones you’re using, and your site will be fine, but you’ll likely forget those ten or more pre-added themes and those one or two pre-added WordPress plugins just sitting there. Fast-forward six months when you switch themes or activate a different plugin, and your entire site can be completely broken or worse.
While keeping pre-added themes and WordPress plugins on your server is not an immediate security problem, it can cause significant long-term problems. Ultimately, it’s all about minimising risk to prevent problems before they happen.
7 Keep Your WordPress Site Updated
Keeping your WordPress site updated is crucial for maintaining its security. WordPress regularly releases updates addressing any vulnerabilities or bugs in the system and introducing new features and improvements. Keeping your site updated ensures you use the latest WordPress version with all the necessary security patches.
Updating your WordPress site is a straightforward process. Log in to your WordPress dashboard, navigate to the Updates section, and click the “Update Now” button. Keeping your WordPress core updated and your themes and plugins is essential. Outdated themes and plugins can pose a security risk, as they may have vulnerabilities that hackers can exploit.
WordPress hosting providers often offer automatic updates as part of their service. This means that your WordPress core, themes, and plugins will be updated automatically without you lifting a finger. Maintaining reliable and secure managed WordPress hosting is highly recommended for updating your site.
In addition to regular updates, staying informed about any security issues or vulnerabilities that may affect your WordPress site is essential. Follow reputable security blogs and resources, and subscribe to security notifications from WordPress. By keeping your site updated and staying informed about security risks, you can stay one step ahead of potential threats and keep your WordPress site secure.
8 Limit Login Attempts
In cybersecurity, one of the most common ways hackers gain unauthorized access to a website is through brute force attacks on login pages. These attacks involve using automated scripts to try a multitude of different username and password combinations until they find the correct one. Fortunately, there is a simple solution to protect your WordPress site from these attacks: limit login attempts.
Limiting the number of login attempts allowed can effectively prevent hackers from guessing the correct credentials. This security measure works by blocking an IP address from making further login attempts for a set period after a certain number of failed attempts.
You can use a WordPress plugin like Wordfence to implement this security measure. This plugin allows you to set the maximum number of login attempts and the lockout period and even receive email notifications for suspicious activity. By configuring these settings to fit your needs, you can effectively deter hackers from gaining unauthorized access to your WordPress site.
Remember, hackers rely on the element of surprise and persistence to breach your website’s security. By implementing the limit login attempts feature, you add an extra layer of protection and ensure that only authorized users can access your WordPress site. So go ahead and install the plugin, set the limits, and sleep peacefully, knowing that you’ve made it significantly harder for hackers to crack your login credentials.
9 Install a WordPress Security Plugin
Now that we’ve covered some essential WordPress security measures, let’s dive into the following tip: installing a WordPress security plugin. A security plugin can provide your website with an extra layer of protection by actively monitoring and defending against potential threats.
With a wide range of security plugins, choosing one that suits your specific needs is essential. Look for plugins that offer malware scanning, firewall protection, brute force attack prevention, and security notifications. These features can help safeguard your website from common security risks.
One popular and highly recommended security plugin (and one we’ve already mentioned) is Wordfence. This plugin offers real-time threat defence, malware scanning, firewall protection, and login security features. It also provides detailed security reports and notifications, allowing you to stay informed about any suspicious activity on your website.
Another great option is Sucuri Security. This plugin offers malware scanning, blacklist monitoring, and security hardening features. It also has a robust website firewall that can help block malicious traffic and prevent attacks.
Installing a WordPress security plugin is a simple process. Log in to your WordPress dashboard, go to the Plugins section, click “Add New,” and search for your chosen security plugin. Once you’ve found it, click “Install Now” and “Activate” to enable the plugin’s features.
By installing a WordPress security plugin, you can enhance your website’s security and have peace of mind knowing that you have an extra layer of protection, alongside your managed hosting, against potential threats. So don’t wait any longer. Take the next step towards securing your WordPress site by installing a security plugin today.
10 Back Up Your Website Regularly
One of the most important steps you can take to ensure the security of your WordPress site is to back it up regularly. Backing up your website is like creating a safety net. It allows you to restore your site to a previous version if something goes wrong or your site is compromised.
Imagine this scenario: you wake up one morning and find that your website has been hacked or that an update has caused your site to crash. Without a recent backup, you would lose all your hard work, data, and customisations.
By regularly backing up your website, you can avoid this nightmare scenario. Backups allow you to restore your site to a previous state with minimal downtime and data loss. They provide peace of mind, knowing that you have a safety net in place to protect your website.
Several methods to back up your WordPress site include using backup plugins, hosting providers offering backup services, or manually downloading your site files and database. Choose a method that suits your needs and preferences, and schedule regular backups – daily, weekly, or monthly. Remember, the key to adequate backups is storing them securely from your website. This could be an external hard drive, a cloud storage service, or a separate server. By keeping your backups separate from your website, you can ensure that even if your site is compromised, you can still restore it to a clean state.
So, please don’t wait until it’s too late. Start backing up your WordPress site regularly today and protect yourself from the unexpected.
Your WordPress Website Has Been Hacked – Now What?
Has your WordPress site been compromised? Don’t panic, but it’s crucial to identify the signs of a hacked WordPress site. Watch for strange pop-ups, slow loading times, unexpected redirects, or unfamiliar content. If you notice any of these indicators, it’s time to take action to secure your hacked WordPress site and protect your valuable data.
1 How Did My WordPress Website Get Hacked?
If you find yourself with a hacked WordPress site, you may be wondering how it happened in the first place. Unfortunately, there are several ways a WordPress site can be compromised. Weak passwords, outdated plugins or themes, insecure hosting environments, and even human error can leave your site vulnerable to attacks. Understanding how your WordPress site got hacked is essential in preventing future incidents and safeguarding your valuable data. Let’s dive deeper into how a WordPress site can be hacked and how you can protect yourself moving forward.
2 Immediate Actions You Need to Take After Discovering The Hack
Discovering that your WordPress site has been hacked can be a shocking and overwhelming experience. However, acting quickly to minimise damage and protect your site is essential. After discovering the hack, the immediate actions you need to take include isolating your site, notifying your hosting provider, scanning for malware, and changing all passwords.
3 Speak To Your WordPress Hosting Provider
When dealing with a hacked WordPress website, contacting your hosting provider or web design agency is key. They are experts in website security and can provide valuable guidance and assistance in resolving the issue. They can help identify the source of the hack, provide insight into any vulnerabilities in your hosting environment, and offer recommendations to prevent future attacks. They are there to support you in getting your website back up and running securely. Remember, you’re not alone.
4 Turn On Maintenance Mode On Your Website
When your WordPress site gets hacked, the first step is to turn on maintenance mode on your website. This helps to notify visitors that your site is currently under maintenance due to security concerns. By activating this mode, you can protect your users from any potential harm or further hacking attempts. It’s an important precautionary measure to ensure your website’s safety and maintain your visitors’ trust.
5 Reset Access And Permissions
After discovering that your WordPress site has been hacked, it’s crucial to reset access and permissions to ensure that no unauthorised users can gain entry again. By taking this step, you regain control over who can access your site and prevent further damage or security breaches. Remember to update all login credentials and review user permissions to strengthen your website’s security measures and protect it from future hacking attempts.
6 Reinstall A Backup, Themes And Plugins
Now that you’ve taken the necessary steps to recover your hacked WordPress website, it’s time to reinstall your backup, themes and plugins. This is an integral part of the recovery process as it restores your website’s functionality and ensures everything runs smoothly again. Use the latest versions of your backup, themes, and plugins to ensure you have the most up-to-date and secure versions. With everything reinstalled, your website will be back up and running quickly!
7 Change Your WordPress CMS Passwords Again
After recovering from a WordPress hack, changing your site passwords again is crucial. This extra step helps prevent further unauthorised access to your website. Make sure to update passwords for all accounts associated with your site, including your admin. By taking this proactive step, you can further safeguard your WordPress website and protect your valuable data.
8 Check That Google Hasn’t Blacklisted Your Website
To ensure your WordPress website is fully recovered from a hack, it’s important to check that Google hasn’t blacklisted it. Being blacklisted can harm your search rankings and online reputation. Use Google’s Search Console to check your site’s status. If you discover that your site is blacklisted, take immediate action to resolve any security issues, remove malware, and request a review from Google to get your website back in good standing.
In 2020, Google blacklisted over 55,000 hacked websites every week for containing harmful content or being involved in phishing schemes.
Prevent Future Attacks on Your WordPress Website
Protecting your WordPress website from future attacks is crucial. Stay updated with the latest security plugins, regularly back up your site, and keep all themes and plugins up to date. Be cautious when choosing passwords, and consider implementing two-factor authentication for added security. Stay vigilant, monitor your website regularly for any suspicious activity, and educate yourself on common hacking techniques to prevent future attacks. Remember, staying proactive is key to keeping your WordPress website safe and secure.
What’s Next with WordPress?
After implementing these WordPress tips and techniques, your website security will be improved. There’s more to it than that; you can secure your files from being searched by hackers, disable file editing, hide your WordPress version number and more, which we’ll cover in future articles in this series.
If you’d like help with anything from this article or advice on going further with your security, please don’t hesitate to contact us!