Introduction To WordPress Website Security
In this introduction to WordPress website security we will briefly cover these main topics:
- Why is this important?
- Why is my website being targeted?
- What will happen if it is infected?
- How can this be prevented?
Why is this important?
As of March 2016, Google reported that over 50 million website users had been greeted with some form of warning that websites visited were either trying to steal information or install malicious software.
In March 2015, that number was only 17 million which indicates how this trend is growing. Google currently blacklists close to ~20,000 websites a week for malware and another ~50,000 a week for phishing.
The malware is working behind the scenes in many cases to infect other servers or infect the computers used by your customers to view your website. Your website might be infected right now without any obvious symptoms.
Why is my website being targeted?
When the hackers unleash their malevolent processes out into the Internet it is like a fishing boat casting a net into the sea. The net is not discriminating between different types of fish or different sizes, it just captures everything it finds.
If they infect a large popular business website then the malware can be injected into the computers of several customers. However, if they infect a small website that no one ever visits, they can use the processing power of that server to infect other servers. Therefore, no one is really safe from the attacks.
What will happen if my website is infected?
Here are some possible outcomes:
- Your website could go down
- Data on your website might be deleted
- The personal data of your customers (such as credit card details) could be stolen
- Other websites you own (if any) could become cross-contaminated
- Computers used by your customers to access your website could become infected
- Your website could be modified, for instance with links to Cialis or Viagra websites
- Search engines such as Google or Bing might blacklist your website
How can this be prevented?
There are several steps that can be taken to guard against incursions and detect any that might take place.
SUGGESTED SECURITY PRACTICES
Remove any unused themes or plug-ins – This can represent an open door for hackers as in some cases the unused code is not updated with the latest security fixes.
Do not use admin as the user name – Some people when creating their WordPress website use “admin” as the administrator account. This is a fatal error and removes one barrier to guard against your website being compromised.
Choose strong passwords – Never use a dictionary word, your user ID, your name, your address, or any other value that might be easily guessed. Ideally a password should also contain upper and lower case letters, numbers, and special characters.
Remove old user accounts that are no longer used – User accounts that are no longer used provide additional avenues for your website to be hacked.
If you have user logons enabled, enforce additional checking – Additional features such as two-factor authentication and captchas can offer extra protection. The goal is to add extra security without really annoying your customers.
Never download questionable plug-ins – Personally, I only install plug-ins from the dashboard inside my WordPress website. I make certain the plug-in has a very good review, that it is compatible with my version of WordPress, that it was recently updated, and that it includes clear documentation.
SECURITY CONFIGURATION CHANGES
Enable local brute force protection – Brute force attacks occur when automated tools attempt to guess your password and logon to your admin console. There are several methods to prevent this, including two-factor authentication and a plug-in to lock out IP addresses.
Enable network brute force protection – By using network brute force protection, your website automatically blocks IP addresses that are in a database of known threats.
Protect system files – There are critical files and directories that need to be protected. These files are popular targets for hackers.
Disable directory browsing – This will prevent a hacker from perusing your directories to discover the exact configuration of your server.
Remove file/directory writing permissions – Most directories in your server do not require full access capabilities.
Disable PHP execution in the uploads directory – There is no reason for any PHP files to be located in the uploads directory. This is the only directory where processes require read/write/create permissions so hackers tend to place PHP files here to hack into your system.
Monitor unexpected file updates – This is very important as this will give you an early warning if someone has managed to create or update files in your website without your permission.
PROCEDURES TO PERFORM ON A REGULAR BASIS
Perform regular backups – If your website should be attacked and compromised, the easiest way to recover is to restore from your last backup. Regarding how often you should backup your site, refer to this article.
Install updates to WordPress, your theme, and plug-ins as soon as they are released – When a new version of software is released with security patches, the security holes addressed by the patch are described in the release notes. Hackers then create new software to attack sites that have not yet been updated. Don’t become an easy target! We suggest that you check for updates on a weekly basis.
Change your website salts on a regular basis – this will immediately log off any unauthorized users and make it more difficult for them to gain access to your site.
Update definitions and scan for malware on a regular basis – Create a schedule to routinely load the latest definitions of known malware attacks and scan your entire website to assure that no files have been compromised.
OPTIONAL STEPS TO CONSIDER
Disable the WordPress dashboard file edit feature – From the WordPress dashboard it is possible to edit many files inside your WordPress installation such as styles.css, functions.php, header.php, footer.php, etc. To further guard against unwanted updates you might disable this dashboard file edit feature.
Change the location of the login screen – By default the standard dashboard is located at mywebsiteaddress/wp-admin and the hackers all know this!
Change the prefix of all database tables – In the MySQL database for a WordPress installation, all database tables have the prefix of wp_ which makes them an easy target if a hacker injects malicious code into your website.
Since the frequency of hacking attempts is increasing it is crucial to protect your website by regularly performing backups, installing updates, and scanning for vulnerabilities. At Persson Technologies we strongly recommend these steps should be followed on a weekly basis and we offer a pre-paid maintenance program that includes all these services at one reasonable price.
Here are more resources if you want to explore the topic of WordPress website security in more detail:
A comprehensive report on the trend of increased hacking of CMS systems:
Fifteen-part security tutorial, the entire series is here:
Free website security scanner: