Right now, as you read, thousands of people are typing search engine queries. They’re trying to...
How to Secure a WordPress Website: Best Practices
The web is constantly under attack. Even high-profile sites from big companies can have problems with website security and fall victim to hackers. The media widely reports when data is stolen from companies like Evernote, eBay, Target, or Ashley Madison.
Even if your website has relatively little traffic compared to eBay, you’re still susceptible to security breaches. Security through obscurity is not a solid strategy. Nor is wishful thinking. Whether you’re a Fortune 500 company or a small-scale online shop, protecting your website from hackers should be a top priority.
Today we will be focusing specifically on how to secure a WordPress website. The WordPress platform is used by around 23% of all websites today, making it a tempting target for hackers and data thieves.
If you’re currently running a WordPress-based site or are considering WordPress for your Content Management System, you should be asking yourself:
- How can I secure my WordPress site?
- How can I ensure the safety of my data and my customer’s data?
You’ve probably read about numerous data breaches and cyber attacks over the past months and years. Here are a few examples of recent security vulnerabilities that have affected the WordPress ecosystem.
Examples of Recent Reported WordPress Vulnerabilities
|Publication Date of Cited Article||Level
|Description of Vulnerability||Approximate # Sites Affected|
|Plugins||Sucuri discovers vulnerabilities in four WordPress plugins between May through July 2014: WPTouch, Disqus, All In One SEO Pack, and MailPoet Newsletters.||Up to 20 million|
|WordPress Core||SoakSoak.ru malware
|WordPress Core/ Plugins||Cross-site scripting vulnerability is found to affect many popular plugins including Ninja Forms and Google Analytics by Yoast.||Unknown|
|Themes||XSS vulnerability reported by Envato to affect many Themes from ThemeForest, CodeCanyon, and other marketplaces.||Unknown|
Note: The website CVE Details attempts to catalog known WordPress vulnerabilities, as well as vulnerabilities in many other software products.
Weak Points – Don’t Leave WordPress Vulnerable
There are 4 layers at which your WordPress site can be vulnerable if not properly configured and updated. Vulnerabilities can be introduced at the level of:
- your web host;
- WordPress core installation;
- and plugins.
We can think of these as the four layers of WordPress website security:
It is nearly impossible to keep abreast of every security concern that is discovered, which is why updates are of the utmost importance. Updating WordPress core, themes, and plugins as soon as updates are made available is the single best policy for maintaining a secure website.
1) Web Hosting Services
No website is secure if its web host’s servers aren’t secure. WordPress sites are no exception. Your web host represents the lowest-level security risk for your website no matter what content management system or website technologies you’re using.
To protect a WordPress website from hackers you should always make sure to set appropriate permissions for files and folders on your personal web server or on your web host’s server, and should make sure that your web host offers adequate server-side stability and security.
Appropriate permissions for files and folders on your server should create the following environment:
- your user account can read and modify files and folders;
- your WordPress installation can read and modify scripts;
- WordPress can create, modify, or delete files and folders;
- visitors cannot access database credentials;
- and visitors cannot write to or delete anything they shouldn’t be able to access!
Note: If you’re interested in reading more about permissions for your WordPress installation we recommend Smashing Magazine’s article Proper WordPress Filesystem Permissions And Ownerships.
If a hosting provider’s web server is compromised you may lose access to your site, leaving hackers in total control (for a time). While any web host may be vulnerable to an attack, you should consider the following when choosing a hosting service:
- prior published security breaches (and how web hosts responded);
- the availability and quality of customer support;
- the frequency with which a web host updates server software;
- supported backup and restore methods;
- and reviews from other customers.
2) WordPress Core
Keeping your WordPress installation secure involves a) updating regularly, b) renaming and/or moving your wp-config file, and c) changing prefixes in your database.
WordPress is regularly updated to address newly-discovered vulnerabilities and to add new functionalities. It is highly advisable to update your WordPress platform as soon as new updates become available. Updating WordPress typically requires only a few clicks, especially if using a dedicated hosting service. The update process is relatively painless even if you’re running WordPress on your own server.
If your core WordPress installation is not updated then your website is likely running with known vulnerabilities. Hackers often take advantage of website vulnerabilities even after they are patched since they know that a certain percentage of websites will continue running older versions. Don’t make your site an easy target!
Renaming or at least moving the wp-config file for your WordPress installation may sound trivial, but it can go a long way in making your site more secure. The wp-config file “is the blueprint for how your site functions and how it is structured.” As you may imagine, it’s a bad idea to let hackers check out or modify your site’s blueprint!
One way to secure wp-config is to rename the file. Others recommend moving wp-config up one level from root (it is at root level by default) in order to keep it more secure. No matter which approach you take, make sure that you set the correct permissions for your file so that it can’t be viewed or modified by anyone other than your user account and your WordPress installation.
Databases are probably the most frequently targeted components of any website. When hackers want to download massive amounts of data – often sensitive data – they go straight for the database. Changing prefixes for your database is a smart idea because it makes it harder for hackers to access your database tables. By default, all WordPress database tables start with the prefix “wp_”. For example, “wp_comments” and “wp_posts”. When your database is named according to default values, the names of your tables are very easy to guess. Changing the prefix means that hackers need to correctly ‘guess’ your naming convention if they are to successfully access your information, adding one extra degree of difficulty to the process.
3) WordPress Themes
WordPress themes let businesses and individuals set up attractive, responsive websites without needing to spend hours on graphic design and without being CSS wizards. They’re pretty great!
That being said, themes can contains more than meets the eye. Just because a theme is visually appealing doesn’t mean that it’s safe. Unfortunately, themes can hide malware, or contain poorly written and vulnerable code. The most important security considerations when choosing a WordPress theme are:
- Who is the developer?
- Is the theme regularly updated?
- What kind of support does the theme’s developer offer?
- How reliable is the marketplace that is selling the theme?
WordPress themes come in both Free and Paid/ Premium flavors. While free themes may look great and be tempting to install, they may not be as well supported as their paid counterparts.
No matter if themes are free or paid, always avoid themes from unknown and/or untrusted sources. Installing a theme from a questionable source is never a smart idea, as such themes are more likely to introduce vulnerabilities into your site. Marketplaces such as Themeforest, CodeCanyon, and Mojo Themes are well-regarded and offer a great selection of themes from many different developers.
Besides offering more advanced functionality and a snappier look, paid themes are likely to be updated more frequently and maintained for a longer period of time than are free themes. That being said, updates to WordPress themes are entirely dependent on each independent developer. Make sure to take a look at a developer’s portfolio, read reviews, and check out their history of updates to make sure that you’ll get the level of support that your website needs.
4) WordPress Plugins
As with themes, WordPress plugins rely on individual developers or companies to keep them updated and secure. Risks from plugins can best be managed by:
- limiting the total number of plugins used on your site;
- only installing plugins from trusted sources;
- and updating plugins as soon as updates are available.
The frequency of updates and level of support varies somewhat less between paid and free plugins than it does between paid and free themes. But no matter what type of plugin you’re looking for, try to pick plugins that have a history of regular updates, are well-rated, and have many users.
Updates: The Risk of Breaking Functionality
Constantly updating WordPress sites doesn’t take that much time. But if an update breaks website functionality, then even a minor security update can prove rather costly and time-consuming.
Some individuals and companies justify not updating their WordPress installations, plugins, and themes on the grounds that everything works as it is: updating one component may disrupt the harmonious ecosystem!
It is logical for companies to avoid creating unnecessary technical headaches. Unfortunately, the long-term risks of not updating are greater than the short-term risks of breaking a feature of your website. Losing access to your site temporarily or losing customer data can be far more costly and disruptive to business than adapting your site to work with updates.
In order to minimize the risks of compatibility issues with updates:
- limit the number of plugins your website uses;
- only use well-supported and frequently-updated themes and plugins;
- and check release notes for updates to identify potential conflicts before installation.
The Costs of Security: Time and Money
Investing in website security is like investing in car insurance: it’s an unwanted expenditure until the moment when you total your brand new Lexus and submit a huge claim.
It is hard to say exactly how much time and money a company should invest in website security. Clearly a healthcare company should be willing to spend a lot to keep their patient’s electronic data secure. It will be less costly – both in legal fees and in loss of reputation – if a small-town hardware store’s website is compromised than if a major healthcare network is compromised.
In order to determine how much is reasonable to invest in website security, you should take into account the following factors:
- What type(s) of sensitive data can be accessed through the website?
- How much revenue might be lost if the site goes down?
- How many customers/ visitors may be affected if the website goes down or if data is hacked?
Approximating the ‘value’ of your website (perhaps as a per-day value or a monthly value) may help you to understand your realistic limits for spending on website security. We realize that local businesses (perhaps even with websites managed by a store employee) are not going to be able to invest as much time and money into security as will large sites such as Best Buy, eBay, UPS, or even news sites such as The New York Times, CNN, and Reuters (all of which are WordPress users!)
Keeping a WordPress site secure doesn’t have to cost a fortune, but should be allocated some quantity of time and money. Note: We will be taking a look at WordPress security plugins in an upcoming article: a great way for smaller websites to up their game at affordable rates!
Other Quick Tips for WordPress Security [Note: Choose secure passwords!]
In addition to performing regular updates, you can help keep your WordPress site secure by following a few other basic components of security best practice:
- make sure your passwords are secure, and change them periodically;
- perform regular, scheduled backups;
- never use the username “admin”;
- and limit the number of employees who have website editing rights.
A Note on Passwords
Creating passwords is a tricky business. People tend to take one of three approaches when deciding on a new password:
- Make it memorable: include the name of your pet, some numbers, etc.
- Make it complicated but write it down on a physical piece of paper or electronically.
- Use a password manager to generate and save a secure password for you.
Password managers such as 1Password and LastPass are great ways to maintain secure website logins and passwords while avoiding the constant need to click “Forgot your password?” With password managers, you can simply adjust the length and complexity of generated passwords and see a real-time rating of how secure they are.
When choosing passwords by hand, always remember that longer passwords make stronger passwords. (By ‘longer,’ we mean that passwords should be a MINIMUM of 8 characters in length.) Boston University’s Information Services & Technology website has a nice overview of how to choose a strong password.
Here are some general guidelines for creating secure passwords:
- DO make passwords at least 8 characters in length;
- DO use a mixture of uppercase and lowercase characters, numbers, and symbols (if permitted);
- DO NOT use dictionary words of common phrases;
- and DO NOT use your name or login within the password.
Examples of weak passwords are: “Sue123”, “1dog_Run”, “HarryPotter”, and “3baypassword”.
Examples of strong passwords are: “*ImH0%kAt2”, “@h0M3-aWaY”, and “2L*fp3P.u/i2e+wzJpm”. (The last password was generated using 1Password for reference.)
Websites are not once-and-done projects. Setting up a website and then forgetting about updates is a sure sign of trouble. WordPress websites demand regular maintenance and attention. Content Management Systems such as WordPress make it easy to keep your website up-to-date and protected – as long as you follow WordPress best practices.
In addition to the security tips we’ve mentioned in this article, you can improve your overall website protection by installing a WordPress security plugin to add an extra layer of cyber security to your website. We will be addressing WordPress security plugins in an upcoming article here on the Webinerds blog. While your site can never be 100% safe and unhackable, guarding against known vulnerabilities makes your site much more difficult to attack and much less tempting for the bad guys to target.
If you would like to chat about how to secure your website – whether you’re on WordPress or some other platform – then get in touch with us at Webinerds! We would love for you to join the conversation on Twitter, Facebook, and LinkedIn. Share with the links below!