How to Secure WordPress Site in 6 Simple Steps
How to secure your WordPress site is an essential question, especially in the age of GDPR. Every website owner is responsible for ensuring that visitors have a secure browsing experience without having to worry about the protection of their personal information.
In the age of cyber technology, hacker attacks have evolved and matured with the digital market, meaning that you will meet them in different shapes and forms.
That’s why it’s imperative for each and every website owner to be well prepared to tackle security issues in an efficient and preventive manner. Keep in mind that a cybersecurity attack threatens not only your site’s visitors but also the functionality and integrity of your site, and with it your revenue.
The good news is that if you follow the instructions of this article regarding how to secure your WordPress site, you’ll find that keeping your site safe from unwanted and unauthorized attacks isn’t as complicated as it seems to be. We are here to show you how to protect your site with a few simple actions.
Can a WordPress Site Really Ever Be Secure?
WordPress, the most popular content management system (CMS) to date, is used by 35.2% of all website owners and has a CMS market share of no less than 62%.
While this market lead is a major advantage for the CMS provider, it’s at the same time a double-edged sword.
Looking at their success from a different angle reveals that WordPress is often associated with a lack of security. This is not just hearsay but a fact that is reflected in the statistics: in 2019, 94% of all security breaches pertained to WordPress.
Of course, this doesn’t come as a surprise. When the vast majority of website owners rely on the WordPress CMS, then by the sheer law of probability chances are high that the websites targeted by hackers will be WordPress sites.
But what can you, as a WordPress website owner, do to prepare yourself for such unfortunate incidents? Well, the first thing that we at 10Web recommend is to know what you’re up against.
It was Sir Francis Bacon who once famously said, “Scientia potestas est”. Knowledge is power. You will never be able to properly protect yourself from cybersecurity attacks if you don’t know in which shape or form they can occur. So let’s first dedicate our attention to existing security vulnerabilities before answering the question of how to secure a WordPress site.
The Versatility of WordPress Vulnerabilities
For those of you who aren’t well acquainted with the hacker subculture of the IT world, here’s a rough overview of the channels that hackers like to use for attacks. Our list is based on the statistics in Sucuri’s 2019 annual report, which showcases the most frequently encountered security threats of the year.
Let’s start with a rather general, yet frequently recurring term. Malware comes in third among 2019’s most common cyber security threats. We’ve already used the term malware several times in this article, but what exactly does it stand for?
The word itself is shorthand for malicious software. As the name indicates, it refers to any kind of malicious and disruptive software that permits unauthorized access.
Spyware, phishing, viruses and trojans are all types of malware, to name a few.
At the risk of stating the obvious, you can get infected by malware, as with anything else, through the internet or through emails. Hacked websites, free trials or any kind of download are all potential sources of malware.
But how can you even tell if there’s malware on your system? Well, ask yourself this:
- Does your computer run slow?
- Do you get a lot of popups or spam?
- Do you experience a lot of crashes?
If the answer is yes, we recommend you run a malware scan to check whether your computer is infected, because all of the above are signs of an infected computer.
According to Sucuri, SEO spam is the greatest source of CMS infections. The problem with this kind of hacking activity is that your website will be infected without your being aware of it for a long period of time. The spam is specifically designed not to be noticed by the victim. In the meantime, your website and every user visiting it will be at the mercy of the attacker.
But how do you get infected with SEO spam? For starters, and this is a well-known fact, you become vulnerable when you rely on a weak password or use an old plugin that has a security loophole. This allows the hacker to inject malicious code into your site and then slyly change the code back to its original form with the help of a PHP function, so that you won’t notice the changes made to your script.
Once your site is infected, the attacker will use your SEO pages that have a high SERP ranking to
- redirect visitors of your own site to their own,
- insert their own keywords,
- add new pages to your site,
- send spam email, as well as
- add their own ads or Calls to Action (CTAs).
Why would a hacker even be interested in this kind of conduct? As a person who works in digital marketing and has to make sure that every published piece is optimized on multiple levels – be it the page speed, the images, or the keywords – let me tell you that it’s an extremely cumbersome and complex process.
To save all the time and energy spent on gaining visibility through search engines, hackers take a shortcut instead and steal your SEO achievements. That’s why SEO spam also goes by the name spamdexing or search engine poisoning (SEP).
Victims of SEO spamming can be websites of various sizes. A common misconception is that hackers primarily target big websites. That is simply a false assumption, given that it’s much easier for hackers to succeed with smaller websites. This is because small websites tend not to have an SSL certificate and therefore lack the necessary protection from such attacks.
The second most common malware source is backdoors. For clarification, in the IT world the term backdoor refers to an alternative means of access to a software or hardware system that circumvents the regular security measures, in other words the access protection.
A backdoor can be built in by a programmer or installed by malware without your knowledge. Oftentimes trojans are used to install a secret means of access. It should be mentioned that the terms backdoor and trojan are usually used in the same context; however, they are two different things.
A trojan is software that is disguised as a useful program in order to infiltrate your computer and install backdoors. Basically, it’s just the means to an end. The end in this scenario is the ability to gain unauthorized access, which is what backdoors provide.
But how come those access options exist in the first place? Wouldn’t it be easier to just not have them to begin with? Technically speaking, yes. However, IT systems manufacturers build them in on purpose in anticipation of situations where a customer needs repair services. This way the manufacturer can jump in and assist the customer whenever needed without great effort.
Hack Tools, Mailers, Defacements, Phishing and Skimmers
Having discussed the three most widespread cybersecurity threats, let’s take a look at the other malware families that are less widely distributed.
Fourth on Sucuri’s list are hack tools, which are malware deployed to automatically create viruses and trojans, as well as for denial-of-service (DoS) attacks. The purpose of hack tools is to make a website inaccessible to its intended users.
Mailers, I’m sure, are already known to you. There’s probably not a single soul in this world who hasn’t had the displeasure of receiving spam messages.
Defacement, on the other hand, as the word already indicates, means that once your website is successfully infiltrated, hackers will deface it and replace your website content with theirs.
As for phishing, this term refers to a situation where hackers try to obtain people’s personal information, such as passwords, through falsified emails in which they pose, for example, as your bank or an online shop.
Another way to gain users’ payment information is skimming. It refers to an incident where an ecommerce website’s payment page is exposed to hackers through malware and is used to steal user information.
6 Steps to Increase Your Cyber Resilience
Now that you’re familiar with some of the cyber lingo and informed about what kind of potential cybersecurity threats are looming out there, let’s take a look at how to secure a WordPress site.
A study of the University of Maryland shows that on average “hackers attack every 39 seconds”. The following steps will help you build up a website that is resilient to these attacks:
1. Choose the Right Hosting Provider
Nowadays, the quality of your website depends on your hosting provider. There’s no way around that, unless of course you’re an IT expert who hosts their own site.
But for the rest of us less tech-savvy users out there, choosing the right hosting provider is one of the most essential tasks. Why? Because it affects every element of your website – whether it’s the design possibilities, the page speed, or the traffic inflow capacities.
So make sure that you find a hosting plan that fits your needs on different levels, one of which is the security of your website.
Take for instance shared hosting services. Shared hosting by its very nature means that you’ll have to share your server and resources with several other users. So, if you rely on this type of hosting, you’re automatically taking the risk of suffering a cyber attack every time other users who share the same server as you are hacked.
Beyond that, you should be aware that when it comes to receiving support when you’re experiencing cybersecurity issues, shared hosting providers usually don’t include customer service in their hosting plans. In other words, you’re basically left on your own with your problems.
For those of you who aren’t able to handle the technicalities of running a website yourselves, we advise relying on automated hosting services, which are very easy to handle thanks to the automation of the website building process.
For instance, 10Web, as an Automated WordPress Platform provider, offers an all-in-one package including a high-quality security service that protects your website from hacker attacks without you even realizing it.
For those of you who are curious, take a look at our approach for how to secure your WordPress Site here.
Another plus is that on the rare occasion that you do suffer from a hacked website, we offer 24/7 customer support, thereby guaranteeing that you will always have a helping and qualified hand in such precarious situations. You don’t believe us? Then we welcome you to start our free trial – with no credit card requirement – and see for yourself.
Secure Hosting is the Essence of 10Web
We take active and passive measures to prevent the most common WordPress attacks and malicious actions.
Naturally, there are other ways in which we ensure the safety of your website. But more on that below.
2. Keep WordPress, Plugins and Themes Up to Date
One very common source of vulnerability arises when people forget to update WordPress to its newest version.
Every time WordPress releases a new version, it in effect reveals the vulnerabilities of the previous versions. This makes everyone who neglects to update their WordPress core an obvious and easy target.
Another problem is that while some people do think of updating their WordPress core, they sometimes forget to do the same for their plugins and themes. To avoid having your customizations overwritten every time you update your theme, make your changes in a child theme rather than the parent theme.
We at 10Web help you overcome this problem by offering automatic updates. You can manage this on your 10Web dashboard, in the plugin options, where you can schedule your updates on a monthly, weekly or daily basis.
By also choosing the option “Perform Stage Update” you can make sure that your website is automatically backed up before any scheduled update.
At this point, we would like to emphasize that while automatic updates are essential, they’re only half the battle without continuous vigilance.
With this in mind, our security services allow you to scan your WordPress core, plugins and themes as often as you like. Beyond that, you can scan your file changes and compare them to the original form. Should you detect any mistakes, malfunctions or suspicious activity, you will always have the possibility to restore the original files.
We 10Websters highly recommend that you make full use of these services.
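The file-change comparison described above can be reproduced with a baseline of file hashes. The following script is an added example, not 10Web's scanner or any 10Web code: it records a SHA-256 manifest of the docroot, later diffs the live tree against it, and classifies every difference as modified, added or missing. The docroot layout, the file names and the "tampering" in the demo are constructed, and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not 10Web's scanner): keep a SHA-256 manifest of a WordPress
# docroot and report files that were modified, added or removed since it was
# taken. Assumes GNU coreutils (sha256sum) and file names without whitespace.
set -eu

# Write "<sha256>  ./<path>" for every regular file below DOCROOT, sorted by path.
# Usage: wp_baseline DOCROOT MANIFEST
wp_baseline() {
  local docroot="$1" manifest="$2"
  ( cd "$docroot" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$manifest"
}

# Compare the live tree against MANIFEST and print one finding per line:
#   MODIFIED ./path   content differs from the baseline (tampered core/plugin file)
#   ADDED    ./path   file not in the baseline (typical of dropped spam pages or backdoors)
#   MISSING  ./path   file from the baseline that is gone
# Prints nothing and returns 0 when the tree matches; returns 1 otherwise.
# Usage: wp_verify DOCROOT MANIFEST
wp_verify() {
  local docroot="$1" manifest="$2" current findings
  current="$(mktemp)"
  wp_baseline "$docroot" "$current"
  findings="$(awk '
    NR == FNR { base[$2] = $1; next }   # first file: baseline manifest
    { cur[$2] = $1 }                    # second file: live tree
    END {
      for (p in base) {
        if (!(p in cur)) { print "MISSING", p }
        else if (base[p] != cur[p]) { print "MODIFIED", p }
      }
      for (p in cur) { if (!(p in base)) { print "ADDED", p } }
    }' "$manifest" "$current" | sort)"
  rm -f "$current"
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return 1
}

# Self-contained demo on a constructed mini docroot: take a baseline, then
# simulate a compromise (edited wp-config.php, dropped PHP file in uploads,
# deleted readme.html) and print what wp_verify reports.
demo_integrity_check() {
  local root manifest
  root="$(mktemp -d)"; manifest="$(mktemp)"
  mkdir -p "$root/wp-content/uploads"
  printf '<?php define("DB_NAME", "wp"); // constructed\n' > "$root/wp-config.php"
  printf 'Welcome to WordPress\n' > "$root/readme.html"
  printf 'GIF89a constructed image bytes\n' > "$root/wp-content/uploads/logo.gif"
  wp_baseline "$root" "$manifest"
  wp_verify "$root" "$manifest"          # clean tree: prints nothing, returns 0

  printf '// constructed tampering\n' >> "$root/wp-config.php"
  printf '<?php // constructed dropped file\n' > "$root/wp-content/uploads/injected.php"
  rm "$root/readme.html"
  wp_verify "$root" "$manifest" || true  # now reports three findings
  rm -rf "$root" "$manifest"
}

if [ "${1:-}" = "--demo" ]; then demo_integrity_check; fi
```

Take the baseline right after a clean install or update, store the manifest outside the docroot (an attacker with write access to the site could otherwise rewrite it along with the files), and re-run wp_verify on a schedule. An ADDED .php file under wp-content/uploads is the finding most worth an immediate look, since uploads should never contain executable code.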
3. Use Strong Passwords
Stealing passwords is another very widespread way of hacking websites. Unfortunately, we as a WordPress hosting provider have little influence on the decisions our customers make when choosing their passwords. That’s why we can’t stress enough the importance of vigilance when facing the question of how to secure a WordPress site.
By making sure that no one has access to your password and by choosing a password that is very hard to crack, you’re already halfway to making sure that your password cannot be compromised.
Despite the fact that in certain cases, for instance phishing or sniffing attacks, a strong password won’t prevent hackers from stealing it, it’s still a very efficient way of protecting yourself from so-called brute force attacks.
These refer to a hacker’s attempt to repeatedly guess your username and password until they find the right combination. To date, it’s the most popular way of attacking WordPress websites.
Not sure how to create safe passwords? As a rule of thumb, a strong password includes numbers, special characters, and lower-case as well as upper-case letters, with a minimum length of 7 characters.
Still not sure you’re up to the task? Then you might want to take a look at password generator tools such as Strong Password Generator. They will suggest a good password, which they don’t save, and you get to decide which level of security you want your password to have.
In general, when it comes to saving passwords, we recommend against doing so in your browser, as this increases your exposure to attack. You should only save your password in programs or applications that you are sure store it in encrypted form and protect it with a master password.
And it goes without saying that you shouldn’t write your passwords down on paper or save them in a Word or Excel document. By the same token, we strongly urge you to refrain from sending your passwords via email or any other communication channel, such as WhatsApp.
What we recommend instead is that you store all of your passwords in a password manager such as LastPass or KeePass Password Safe.
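As an added example (not the article's code and not Strong Password Generator's), here is the rule of thumb above turned into a check, plus a generator that draws characters from /dev/urandom until the draw meets the rule. The function names and the alphabet are my own choices.

```bash
#!/usr/bin/env bash
# Added example, not from the article or any tool it names: check a password
# against the rule of thumb (numbers, special characters, lower- and upper-case
# letters, at least 7 characters) and generate one that meets it from the
# kernel's CSPRNG. Assumes /dev/urandom and GNU tr.
set -eu
export LC_ALL=C   # make character ranges byte-based, independent of locale

# Print "ok" or the first requirement PASSWORD fails, in the order a signup
# form would report them. Usage: password_report PASSWORD
password_report() {
  local pw="$1"
  [ "${#pw}" -ge 7 ] || { echo "too short (minimum 7 characters)"; return 0; }
  case "$pw" in *[0-9]*) ;; *) echo "missing a number"; return 0 ;; esac
  case "$pw" in *[a-z]*) ;; *) echo "missing a lower-case letter"; return 0 ;; esac
  case "$pw" in *[A-Z]*) ;; *) echo "missing an upper-case letter"; return 0 ;; esac
  case "$pw" in *[!A-Za-z0-9]*) ;; *) echo "missing a special character"; return 0 ;; esac
  echo "ok"
}

# Return 0 if PASSWORD satisfies every requirement, 1 otherwise.
# Usage: password_ok PASSWORD
password_ok() {
  [ "$(password_report "$1")" = "ok" ]
}

# Draw LENGTH (default 16) characters from letters, digits and 13 punctuation
# characters. tr -dc discards every random byte outside the alphabet, so each
# kept character is uniform over the alphabet (no modulo bias); redraw until
# the result passes the rule. Usage: generate_password [LENGTH]
generate_password() {
  local length="${1:-16}" pw
  [ "$length" -ge 7 ] || length=7
  while :; do
    pw="$(tr -dc 'A-Za-z0-9!@#$%^&*()_+=' < /dev/urandom | head -c "$length")"
    if password_ok "$pw"; then printf '%s\n' "$pw"; return 0; fi
  done
}

if [ "${1:-}" = "--demo" ]; then
  for candidate in password Password1 'Abc12!' 'Tr0ub4dor&3'; do
    printf '%-12s %s\n' "$candidate" "$(password_report "$candidate")"
  done
  printf 'generated:   %s\n' "$(generate_password 20)"
fi
```

password_report gives the kind of feedback a registration form would show. Treat 7 characters as the floor the article states: a manager-generated password of 16 to 20 characters costs nothing extra to use and resists brute force far better.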
4. Secure Your WordPress Login Details
When dealing with the question of how to secure a WordPress site, you can’t get around the issue of your WordPress admin page.
The first rule to securing your login details is to use a unique username. Refrain from simply calling it administrator or admin.
Some people like to use their website’s domain name or their own name as the administrator username. We highly discourage this, because with just a little research, hackers will be able to find that information online.
Another thing to consider is that your WordPress admin login URL is usually /wp-admin, which, of course, is the first thing hackers will look for. To make it harder for them to find it, you can use plugins such as Velvet Blues Update URLs to change your URL.
Moreover, we encourage you to use two-factor authentication on your login page. This enhances your security level by adding another authentication method, such as a mobile-generated code or a physical token.
While WordPress doesn’t have this security method as a built-in option, you can still install it as a plugin. Here are some options for those of you not familiar with such plugins: Google Authenticator and Rublon Two-Factor Authentication.
This will help you avoid becoming the target of brute force attacks.
5. Security Plugins
One significant solution to the conundrum of how to secure a WordPress site is using security plugins. 10Web offers a wide range of 50+ plugins, some of which are dedicated to ensuring your website’s security.
Many of you might question the necessity of security plugins and be uncertain about the advantages they offer. So let’s take a look at the added value security plugins have and whether you should use them to protect your website.
- For one, you can use a plugin to limit login attempts, which we as your hosting provider always have pre-installed. Should a hacker try to infiltrate your website and guess your password wrong three times, their IP address will be automatically blocked. Combine this with a strong password and your site will be almost impenetrable for hackers.
- The security plugin iThemes is also highly recommended, due to its ability to stop unauthorized code migrations, SQL injections, backend attacks, PHP functions as well as 404 attacks.
- Another useful plugin is Wordfence. It protects you from malware as well as hacker attacks. On top of that, it can detect malware that has already gotten into your system by scanning your entire system for such attacks. It can also tell you what changes have been made and whether there is potentially malicious code. Lastly, Wordfence will send you a reminder in case you have forgotten to install an update.
Of course, the list doesn’t end there; there are many other plugins with a great variety of functions, most of which are presented to customers in a comprehensible manner. So if you’re new to the game, there’s no need to panic: your WordPress security plugins will give you the guidance you need.
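The limit-login-attempts behaviour from the first bullet (block an address after three wrong guesses) can also be checked against the web server's own log. The script below is an added example and not code from any plugin named above: it counts failed POSTs to /wp-login.php per client address in constructed Apache-format log lines and renders the offenders as an Apache 2.4 deny block. The "failed means HTTP 200, success means 302" heuristic reflects WordPress's default login behaviour (a failed login re-renders the form, a successful one redirects); the addresses, timestamps and function names are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of any plugin named in the article: find client IPs
# with three or more failed logins in an Apache-style access log, the same
# signal a limit-login-attempts plugin acts on. Assumes WordPress's default
# behaviour: a failed POST to /wp-login.php is answered with HTTP 200 (the form
# is shown again) while a successful one redirects with 302.
set -eu

# Constructed sample log in combined format, using RFC 5737 documentation
# addresses. 203.0.113.7 fails four times; 192.0.2.9 fails once, then succeeds;
# 198.51.100.2 loads the form and logs in at the first attempt.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2020:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2020:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2741 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2020:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2020:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2741 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2020:10:07:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2020:10:08:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"'

# Print "<count> <ip>" for every address with at least THRESHOLD (default 3)
# failed login POSTs, highest count first. Reads the log on stdin.
# Combined-format fields: $1 client IP, $6 "METHOD, $7 path, $9 status.
# Usage: failed_login_offenders [THRESHOLD] < access.log
failed_login_offenders() {
  local threshold="${1:-3}"
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
  ' | sort -rn
}

# Turn the offender list (on stdin) into an Apache 2.4 block that denies those
# addresses while still admitting everyone else, e.g. for the site's .htaccess.
# Usage: failed_login_offenders < access.log | apache_denylist
apache_denylist() {
  echo '<RequireAll>'
  echo '  Require all granted'
  awk '{ print "  Require not ip " $2 }'
  echo '</RequireAll>'
}

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | failed_login_offenders 3
  printf '%s\n' "$SAMPLE_LOG" | failed_login_offenders 3 | apache_denylist
fi
```

Plugins count per time window and reset the counter on a successful login; this script counts over the whole input, so run it over a recent slice of the log (for example the last hour) rather than the full history. The same count should also cover POSTs to xmlrpc.php, which accepts credentials as well, and the heuristic needs adjusting if a plugin has moved the login URL as suggested in step 4.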
6. Back Up Your Site Regularly
Everyone is acquainted with the saying that you should always have a backup plan, right? It’s just common sense, if you ask us.
That’s why we offer our customers an automated backup service. Because as John Allen Paulos once said: “Uncertainty is the only certainty there is”. So, as much as we try to provide you with the most efficient tools to protect your system from cyber attacks, we can never guarantee it 100%.
Oftentimes, people assume that it’s enough to make backups only occasionally, when there are new system updates. But we beg to differ.
Let’s assume, for instance, that the last update you made was a year ago. Logically, this means that the last backup was also done one year ago. Surely, during that year you will have made changes to your website’s content.
Now let’s further assume that your website is unexpectedly compromised by a hacker attack. This will require a quick but at the same time comprehensive restoration of your site. In such an instance, you will only be able to restore the version of your website from one year ago, meaning that all of the changes that came after that are lost.
Needless to say, it will cost you a significant amount of time and resources to regain what you have lost. It’s our goal to save you from going through all this trouble. That is why we at 10Web encourage our customers to schedule automated backups so that the backed-up data stays consistently up to date.
Another very important piece of the puzzle, which many people neglect, is not to rely solely on differential backups, i.e. backups that capture only the latest changes. To ensure a full and quick restoration of your website, it’s imperative that you also do a full backup, which means that you secure not only your data files but also your database.
One last tip from our side is to archive your data on multiple devices. We understand that it’s a very tedious process, but once you find yourself the target of a security breach you will without a doubt be incredibly happy and thankful that you went the extra mile and had all angles covered.
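Here is what the full backup described above (data files plus database, archived in more than one place) looks like as a script. It is an added example rather than 10Web's backup service: dump the database, pack it together with the docroot into one checksummed archive, verify the archive before trusting it, copy it to a second location and prune old local copies. mysqldump with credentials in ~/.my.cnf, the path names and the constructed dump stand-in used by the demo are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not 10Web's backup service: a full backup of a WordPress site
# (files and database together) into one timestamped, checksummed archive that
# is verified after writing, copied to a second location and pruned by age.
# Assumes GNU tar/coreutils; the default dump command assumes mysqldump with
# credentials in ~/.my.cnf, but any command that writes SQL to stdout can be
# substituted (the demo below uses a constructed one).
set -eu

# Usage: wp_full_backup DOCROOT DBNAME BACKUP_DIR OFFSITE_DIR [KEEP] [DUMP_CMD]
#   KEEP      number of archives to retain in BACKUP_DIR (default 7)
#   DUMP_CMD  command that writes the database dump to stdout
# Prints the path of the archive it created.
wp_full_backup() {
  local docroot="$1" dbname="$2" backup_dir="$3" offsite_dir="$4" keep="${5:-7}"
  local dump_cmd="${6:-mysqldump --single-transaction $dbname}"
  local stamp work archive name
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"
  work="$(mktemp -d)"
  mkdir -p "$backup_dir" "$offsite_dir"

  # 1. the database: without it a file-only backup cannot restore the site
  $dump_cmd > "$work/database.sql"
  # 2. the files: wp-config.php, core, themes, plugins and uploads
  tar -C "$(dirname "$docroot")" -cf "$work/files.tar" "$(basename "$docroot")"
  # 3. one archive plus a checksum, so later corruption is detectable
  name="wp-full-$stamp.tar.gz"
  archive="$backup_dir/$name"
  tar -C "$work" -czf "$archive" database.sql files.tar
  ( cd "$backup_dir" && sha256sum "$name" > "$name.sha256" )
  # 4. verify before trusting: the archive must list cleanly and match its checksum
  tar -tzf "$archive" > /dev/null
  ( cd "$backup_dir" && sha256sum -c --quiet "$name.sha256" )
  # 5. second copy on another device or location
  cp "$archive" "$archive.sha256" "$offsite_dir/"
  # 6. keep only the newest KEEP archives locally (the offsite copies stay)
  ls -1t "$backup_dir"/wp-full-*.tar.gz | tail -n +"$((keep + 1))" |
    while read -r old; do rm -f "$old" "$old.sha256"; done
  rm -rf "$work"
  printf '%s\n' "$archive"
}

# Constructed stand-in for mysqldump so the demo and tests run without MySQL.
fake_dump() {
  printf -- '-- constructed dump\nCREATE TABLE wp_options (option_id bigint);\n'
}

# Demo on a constructed docroot; prints the archive path and its contents.
demo_backup() {
  local site backups offsite archive
  site="$(mktemp -d)/example-site"; backups="$(mktemp -d)"; offsite="$(mktemp -d)"
  mkdir -p "$site/wp-content/uploads"
  printf '<?php // constructed wp-config.php\n' > "$site/wp-config.php"
  printf 'constructed upload\n' > "$site/wp-content/uploads/photo.jpg"
  archive="$(wp_full_backup "$site" wpdb "$backups" "$offsite" 3 fake_dump)"
  printf 'created %s containing:\n' "$archive"
  tar -tzf "$archive"
}

if [ "${1:-}" = "--demo" ]; then demo_backup; fi
```

Run it from cron at the frequency your content changes, point OFFSITE_DIR at a mount that is not on the web server (a backup that sits next to the site is lost in the same breach), and rehearse a restore from the offsite copy occasionally: an archive that has never been restored is not yet a backup.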
Now that we have shared with you our recommendations for how to secure your WordPress site, we are very interested to hear about your experiences with WordPress. Do you feel secure managing your website with WordPress? What measures do you take to increase the resilience of your site?
For those of you out there who didn’t have enough and are eager to learn more, take a look at our article: Preventing Most Common WordPress Security Issues: Part 1 & Part 2.
Excellent post Rebecca, and I’m sure a lot of site owners will find it quite an eye opener as I don’t think people realise just how serious the cyber threat problem is.
Thank you so much for your feedback!