It is a fact that WordPress is the most widely used CMS in the world and powers 33% of the website today. In spite of WordPress being so secure, the question that comes to our mind is – What makes WordPress website vulnerable and how to secure your WordPress website from Hackers?
Any WordPress website that you access in your web browser has multiple working components that include – hosting, WordPress core, themes, plug-ins, and more. From security standpoint a breach can occur at any of these working components. The below Pie chart will help you understand the key vulnerable areas and what you need to focus on in order to achieve optimum security.
- 40% of the websites are hacked by vulnerabilities in their hosting platform
- 30% due to insecure theme
- 21% due to vulnerable plug-ins
- 9% due to the use of weak passwords
So let’s dive deeper into each aspect and learn how you need to prevent your WordPress website from hackers.
Always be super cautious while choosing your website hosting company. Never opt for cheap hosting services just because they suit your budget. Choose a hosting company keeping in mind your long term goals and how serious you are about your business. When it comes to hosting services you would want to check on the following points.
- Check if yours website is hosted on Shared Server
- In case you are hosting your personnel blog as a hobby and not looking for serious commercial returns then an unmanaged shared hosting service may work well for you. But if you are hosting a business website then you should always look for managed hosting services. Look for hosting providers who provide you with complete hosting solutions that takes care of the followings:
- Regular Updates
- WordPress (Core, Theme and Plugins) Updates
- Security checks
- And last but not least provides some short of reports on regular basis
- Uptime guarantee
- Support is very important both Chat & Phone. Specially check the promptness of the support, you would not want to keep listening that Symphony for long time.
- Backup and Security
- Reviews and Ratings
Once you have right hosting provider in place, it’s time to look into inner areas of the WordPress Software which is its most important selling point but at the same time to look at very carefully from security stand point which is It’s themes and Plugins.
Never use Nulled Themes
If you are unsure of what that means then check with your developer/company provided you the website that they have not used any Nulled Theme to create your website. The way to check this is see if your website was built by using some readymade / premium theme and check if your site uses proper license key for the same. This will ensure your website has all the best codes in it and will also help developers of the theme to continue doing good work after all it’s not that costly even to buy license for such premium themes.
Why not to go after Nulled themes?
Though It may look tempting as it can save a few dollars in first place but forever avoid downloading / using null themes as it can cause big harm to your website. Premium themes look additional skilled and have additional customisable choices then a free theme. Premium themes are coded by extremely virtuoso developers and are tested to pass multiple WordPress checks right out of the box. There are not any restrictions on customising your theme. Most of all you may get regular theme updates. But, there are some sites that offer nulled or cracked themes. A nulled or cracked theme could be a hacked version of a premium theme, on the market via illicit. They’re additionally terribly dangerous for your website. Those themes contain hidden malicious codes that might destroy your website and log your admin credentials.
Themes & Plugins check
If you are not using any of the default WordPress themes or have not purchased one from premium marketplaces and someone has developed a custom WordPress theme for you than it becomes really essential for you to check that your WordPress theme is clean and follows all the standards laid out by WordPress community. Prior to making your website live you should always have local or live development environment and have done a few basic following checks, this will ensure your site was developed by reliable hands.
- It should not have any deprecated code / function neither from WordPress and from PHP
- It should have checked by enabling WP_Debug mode
- It should have WP_DEBUG_LOG enabled and checked periodically to ensure its smooth functioning.
- It should have been tested with WP’s Theme unit test data to ensure theme doesn’t gets break with heavy load of content, comments, images or any other type of content when added.
- For more deep checks you can try steps mentioned on WordPress theme development standards page.
Through Plugins you can really take your WordPress website to the next level. For example within few clicks your simple website can turn into fully functional ecommerce store. Having said that after themes plugins are the third most important place you should always be careful of. For a hacker a weak coded plugin can easily give them a key to your website, database and sometimes it can infect other sites hosted as well. Paying attention to a few of the following points will help you make the right choice from security standpoint.
- You should avoid downloading plugin from external source unless it’s paid one and coming from reputed developers like Gravity Forms or some paid stores…etc.
- While downloading plugin from WordPress backend as well you should consider looking at some of the points such as:
- No of active downloads
- No of stars received
- Last updated
- Compatible with your WordPress version
- Most importantly google if that plugin or it’s version doesn’t contain any known vulnerabilities.
- Compare other similar plugins providing the same functionalities
Always keep your themes, plugins and WordPress core updated with its latest versions.
Hide login page
It’s a good idea to change default WordPress login URLs. This gives some extra security against brute force attacks. It also helps in preventing from spam user registrations, If your site allows users to create free subscription account.
Login lockdown feature
You can make unlimited failed login attempts by default but this feature can expose your site for brute force attacks. By implementing lockdown feature to your site, you can restrict users for a given interval of time after a number of failed login attempts.
Don’t use weak password
I would recommend implementing strong password policy in place for your WordPress site because weak passwords and login data are chargeable for an honest range of hacks. This is very true for brute force attack that permits them to check uncountable login combos during a short quantity of your time. As stupid as this sound, it works!
You can check the list of most common passwords on Wikipedia
As a first line of defence, adhere to the following best practices for WordPress login information:
- Avoid using the “Admin” as username (which used to be the default in older WordPress versions and is therefore often targeted first)
- Create a strong password
- Oblige other users to do the same Force strong passwords.
Disable directory listing with .htaccess
Add following snippet to .htaccess
Options All -Indexes
Disable trackbacks and pingbacks
WordPress introduced Trackbacks and Pingbacks to enable blogs to send notification saying they have been linked. Today it is mostly being used by spammers to spam the sites therefore Disabling it is a good idea.
Add recaptcha to forms
Google recaptcha or any type of captcha will ensure that your forms are being submitted by actual humans. It will save you from Spam submissions and for poorly custom coded forms from SQL Injections as well.
Disable XML-RPC in WordPress
Xmlrpc.php file allows you to post content remotely. Example from your mobile devices, but lately these feature is mostly being used by hackers to execute mass attacks on your website. Therefore if you are not utilising this feature of WordPress then it’s a good idea to disable it all together. It will take down your resource usage upto great extent.
Check directories & files permissions are set correctly
This belongs to the most important checks, it becomes more vulnerable if your site is hosted on shared hosting. As a best practice all your directories should have “755” and files should have “644” level permissions.
Change the default database prefix
Changing default database prefix from WP_ to something difficult to guess gives protection against SQL Injections.
Setup SSL and have proper redirects in place for SSL
Adding SSL Certificate to your website not only adds great security but also provides SEO benefits to your website. Having SSL with proper redirects will ensure your site being served from port 443 and not port 80 which is not an encrypted port.
That all must go to https://www.example.com
Note: Your site falling back to www or non-www is your preferred choice, nothing better here.
Consider protecting your site against DDoS attack
In DDoS (Distributed Denial of Service) attack your site becomes unavailable, mostly multiple infected sites gets used to target one site so that it becomes unavailable. You can subscribe for free Cloud flare account they sits between Client browser and your server and provides great protection from this type of attacks.