Securing a WordPress site and making it difficult for hackers and bots to get access does require some planning and plugins to assist in the job but isn’t that difficult. Security isn’t binary in the sense that you have or don’t have it. The best way to think of website security is in layers. The more layers of security you apply the harder target you make.
The number one weakness we often encounter in most security setups for WordPress is the website owner. Many times, owners take deliberate steps to weaken their own security and make themselves more vulnerable. They don’t see it this way, but their actions (or inaction) is the direct cause of these vulnerabilities. They choose to try and save money now with certain decisions potentially causing much more expensive costs later or make other decisions that create weaknesses. Please don’t make the mistake of thinking I am just a _________ type of small business, no hacker would want to waste their time on me. If you believe that read this. Here are just some of the most common WordPress security vulnerabilities we see from businesses:
Minimum WordPress Security Measures
- Weak Passwords: This is probably the single largest weakness we encounter. It isn’t just on WordPress sites, but on almost everything people use that requires a password. People don’t like having to remember complex passwords. So, by default most passwords end up being common words, phrases, and/or names. These types of passwords are easily defeated by brute force attacks and/or simple guesses. They aren’t secure and will create a vulnerability. We once came across a prospective client that used “sweet tea” as his password! We had another client that used their oldest child’s name as their network login. Again, both of these examples are very easy to defeat by even the most inept hackers and bots. Use strong passwords composed of at least 15 characters, upper and lower case letters, numbers and symbols.
- Admin as Admin: WordPress sites require 2 pieces of information to login. A user name and a password. By default, WordPress uses “admin” for the user name, which many people don’t change. If a hacker only needs two pieces of information and the user name is left on the default of “admin” you have just given a hacker 50% of what they need to breach your site and they didn’t even have to break a sweat to get it! Change the user name to something more difficult. Ideally, it is like the password of several characters and upper and lowercase, etc. That would at least present one more barrier to a hack.
- Infrequently Patched Software: WordPress, themes, and plugins are always being updated. Many of those updates are implemented to fix vulnerabilities. If you aren’t updating your software frequently, once per week, at a minimum, you are potentially leaving a vulnerability in place that a bad actor can exploit. If you don’t pay for a web developer to provide maintenance to keep up on these updates than you need to be doing them yourself. In our experience, that doesn’t happen, and vulnerabilities pile up allowing sites to get attacked and damaged. Unfortunately, some of these attacks are very devious that aren’t easily discovered, which makes them even harder to catch before causing you harm.
- Not Using Quality Hosting: Think of hosting for your website as one of your first lines of defense for the site. A managed hosting company runs servers that are being patched and updated and have network administrators watching over them and taking steps to limit vulnerabilities at the network level. This is typically one of those scenarios where the more you pay for your hosting and the better known the host the better the protection. Of course, this isn’t always the case, but buying discount hosting from some company located in China that sells hosting for a fraction of what everyone else is selling it for is probably a recipe for disaster. The discount could come with a much larger price down the road. These companies are generally not doing the maintenance and network security necessary. They are going for volume and at the expense of your security.
We once received a call from someone that said they were getting a lot fewer calls from their website than normal. After some investigation, we found a hacker had inserted malware that redirected all search engine traffic to a spam site overseas, but if you typed in the website address directly you went straight to the correct site. Since most business owners don’t go to their own site by using Google, they didn’t discover this malware for months. This attack had quietly siphoned off a ton of traffic and potential business over several months.
How many potential customers did they lose and how much revenue did it cost them because they didn’t keep up on simple maintenance and security? How much were those customers worth overtime in the repeat business that never happened? This enormous loss could have been avoided by implementing the security measures outlined here and a small monthly payment to a web designer to keep up the maintenance. That’s enough to make the most hardened business owner cry.
Another site we came across was a lead generation site and collected a lot of sensitive information on potential leads. That information was being siphoned off by the malware and sold on the dark web! When the malware was finally discovered this business had a lot of very angry customers who soon became former customers and then sued the business because they didn’t protect their information.
The 4 items detailed above are the bare minimum that a website owner should be doing, but this still isn’t enough. By doing the above items you will defeat a lot of the bots and inept hackers using off the shelf software, which hackers refer to as “script kiddies” from hacking your site, but it won’t stop more determined hackers. To further harden your site and apply next level security against attacks you should add the following measures:
Advanced WordPress Security Measures
- Use Security Software: There are plugins such as WordFence and iThemes security plugins that add a lot of behind the scenes protections into a website as well as providing many tools that your web developer can deploy to keep your site safe. These plugins are regularly updated against current trending attacks. In addition, the premium versions of these programs will provide regular malware scans so if a successful attack does occur it can be spotted quickly before a lot of damage can be done.
- Two-Factor Authentication: This is a large step up in security because it requires that you authenticate your login on two different devices. Typically, after putting in your user name and password (see above) it will ask you to input a second code that is texted, emailed, or uses an authentication app on your phone. This dramatically raises the security of your site because the likelihood of both your website and phone of being compromised is much less than a hacker only having to breach just your user name and password.
- Firewall: Using a firewall for your site will help provide one more layer of protection. You can have hardware firewalls on your actual server or software firewalls that protect the website. A good application of a software firewall is Cloudflare, which offers a vast array of benefits in addition to a software firewall to protect your site. Cloudflare is often called a CDN or Content Delivery Network and gives website owners benefits on performance and security. It is extremely cost-effective for the benefits it grants website owners but provides some great security benefits. It is outside the scope of this article to discuss all the benefits of a CDN or how to set them up, but for the purposes of this article just knows that it provides another fantastic layer of security.
Applying all these measures to your site will go a long way to ensuring your site is a much harder target and ward off a lot of hackers and other bad actors trying to damage your website or business. Most of these items are not difficult or even that expensive, especially when weighed against the cost to develop the site or costs to fix a damaged site and lost business down after an attack.
Let’s assume you are convinced to take every single one of these suggestions to heart and you implement every one of them? Are you now like Superman and invulnerable to attack? Well, even Superman had to deal with Kryptonite, so no, it isn’t a guarantee against all attacks. What you are doing as you implement each item above is lowering your risk profile, but unfortunately, you will never get to a zero percent risk factor. There are always weaknesses people haven’t found yet that a hacker will.
That brings us to our last recommendation that offers the “Plan B” in case everything above fails, and you are still breached. That is frequent (preferably daily) backups of your entire site. A full website backup is the ultimate plan B because it allows you to completely wipe away an infected site and replace all the files from the latest non-infected backup. Depending on the exact nature of the attack you may need to do some pre-cleanup of your server before applying the backup, but at least if you have a backup you have clean website files to restore to your server.
Daily backups will give you the most protection with the least amount of information loss. If your last backup was 3 months ago and you had multiple new pages or updates added to the site those will all be lost. If your backup was from the day before your loss may be nothing or a very small amount of changes that are lost.
In addition, if going back one day doesn’t provide a clean version of the site you can simply go back one more day and keep going back to the last working clean copy. Again, if those backups are only monthly or quarterly you may have to go back a long time and lose A LOT of data before you find a working copy depending on how long the malware or hack was in place.
Website security for your WordPress site doesn’t have to be expensive or complicated, but understand there are some costs and some inconveniences, which we believe are far outweighed by the benefits. The old saying of not being penny wise and pound foolish applies here.
If we can answer questions you may have on security or you have a website issue that needs fixing please give us a call. We are happy to give you a free, no-obligation, consultation regarding your issue.