WordPress is growing! If you missed the news, 25% of the world’s highest traffic websites are now powered by WordPress. That’s really exciting news, but unfortunately as WordPress’ presence grows on the world wide web, it also becomes a larger target for folks with less than stellar intentions. That makes security something that ought to be on your radar.
Last month, Imperva (a leading international cybersecurity company) published a report that identifies WordPress as the most frequently attacked content management system on the web. That’s certainly a cause for concern, but it’s no reason to panic either. There are some really easy, basic steps you can take to secure your WordPress site so that it’s not the “low hanging fruit” that attackers prefer to target. That’s what we’ll get into today: 5 really simple steps you can implement right now to up your website security. Follow below!
1) Update, Update, Update!
Update! Get up to date! Go do it right now then come back and finish the article! Running an out of date version of WordPress has been identified as one of the top three security threats facing the platform. We’re not just talking about WordPress core, either. Your themes and plugins need to be kept up to date as well.
Updates are not just about adding new features. Many include patches to fix recently identified security flaws. A recent update to Ninja Forms, for example, included just such a security patch. When you don’t update you leave known opportunities for exploitation open for whoever cares to take advantage of you.
2) Keep a Clean House
Updating is a part of this, but it’s not the whole package. A relatively recent security report on the state of WordPress by WP White Security discovered that 51% of compromised WordPress websites were exploited through a security issue in either a theme or plugin installed on their website. Not necessarily one they were even using at the time, but just one that was installed. Another recent study looked at the code that WordPress plugins are built on (PHP static analysis). It found that ~10% of the top 1000 WordPress plugins are vulnerable to at least one common method of attack.
So, keep your house clean. Pay attention to the themes and plugins you download. Exercise good judgment: look at active installs, reviews, update log, etc., and do your best to use only well supported, regularly updated, high quality extensions to your WordPress site. Purge old plugins and themes. Even if they’re not being used, do some housekeeping and toss ‘em.
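Steps 1 and 2 can be turned into a repeatable check. The script below is an added example, not code from the original article or from WP Ninjas: it reads the JSON that WP-CLI prints for the plugin and theme inventories and sorts every item into remove, review, or update. The sample inventories and all plugin and theme names in them are constructed.

```python
import json

# Constructed sample inventories in the shape WP-CLI prints for
#   wp plugin list --fields=name,status,update --format=json
#   wp theme list  --fields=name,status,update --format=json
# All plugin and theme names below are hypothetical.
PLUGINS = '''[
 {"name": "example-forms",  "status": "active",   "update": "available"},
 {"name": "example-cache",  "status": "active",   "update": "none"},
 {"name": "old-slider",     "status": "inactive", "update": "available"},
 {"name": "site-tweaks",    "status": "must-use", "update": "none"}
]'''
THEMES = '''[
 {"name": "example-child",  "status": "active",   "update": "none"},
 {"name": "example-parent", "status": "parent",   "update": "available"},
 {"name": "old-theme",      "status": "inactive", "update": "none"}
]'''

def triage(plugins_json, themes_json):
    """Return sorted (action, kind, name) tuples; items needing nothing are omitted."""
    actions = []
    for kind, raw in (("plugin", plugins_json), ("theme", themes_json)):
        for item in json.loads(raw):
            name, status, update = item["name"], item["status"], item["update"]
            if status == "inactive":
                # Unused code still sits on disk and can be reached: purge it,
                # whether or not an update is pending.
                actions.append(("remove", kind, name))
            elif status in ("must-use", "dropin"):
                # These get no update notifications; check them by hand.
                actions.append(("review", kind, name))
            elif update == "available":
                # Covers "active" and "parent": a parent theme runs underneath
                # the active child theme, so it is patched, never purged.
                actions.append(("update", kind, name))
    return sorted(actions)

if __name__ == "__main__":
    for action, kind, name in triage(PLUGINS, THEMES):
        print(f"{action:7} {kind:7} {name}")
```

On a live site, replace the two sample strings with the output of the WP-CLI commands named in the comment.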
3) Use a Quality Host
The same WP White Security report cited above identifies security vulnerabilities in the hosting platform as the means of access for 41% of attackers. That should speak rather plainly to the importance of choosing a good host for your website. There are a variety of great ones out there.
WP Ninjas use Pagely for our needs, and they are a great fit for us, but they may be more than what many of you need. Bluehost is outstanding, and GoDaddy has really stepped up its game in recent years to be one of the best in the market. Take a look at yours and do a bit of research on what kind of security they offer and what their track record is for identifying and patching vulnerabilities.
While password/login type attacks get all the attention, they actually make up a small percentage of the successful attacks against WordPress installations.
Passwords can be a real headache because you know something random is more secure, but harder to remember. Forgetting your password frequently can be a real pain. The traditional advice is sound in this case, though: 12+ characters, mix of alphanumeric and symbols, stay away from personal info and dictionary words. The more random, the better.
Some common tools used by attackers will keep repeating different passwords until they hit paydirt. These brute force attacks can tally up thousands of attempts per minute and have a good chance of cracking passwords that are not very strong. Implementing a reputable and comprehensive security plugin on your site can go a long way towards deterring these attacks.
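Repeated guessing like this is visible in the web server's access log, so you can check for it yourself. The detector below is an added example, not code from the original article or from any plugin named here; it assumes Combined Log Format and stock WordPress behaviour, where a failed login re-renders the form and a successful one answers with a 302 redirect. The log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: client IP, [timestamp], "METHOD path ...", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample log (documentation-range IPs): one client guessing every
# five seconds and then getting in, one ordinary login, one page view.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2016:10:00:{s:02d} +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"' for s in range(0, 40, 5)
] + [
    '203.0.113.7 - - [12/Mar/2016:10:00:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.23 - - [12/Mar/2016:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "-"',
    '198.51.100.23 - - [12/Mar/2016:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.50 - - [12/Mar/2016:10:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 2800 "-" "-"',
]

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with `threshold` or more failed logins inside `window`.

    Returns {ip: {"peak": most failures seen in one window,
                  "then_succeeded": True if a 302 login followed}}.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still in window
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if (not m or m["method"] != "POST"
                or m["path"].split("?", 1)[0] != "/wp-login.php"):
            continue
        ip = m["ip"]
        if m["status"] == "302":          # redirect after a successful login
            if ip in hits:                # success right after heavy guessing
                hits[ip]["then_succeeded"] = True
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:         # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            entry = hits.setdefault(ip, {"peak": 0, "then_succeeded": False})
            entry["peak"] = max(entry["peak"], len(q))
    return hits
```

A flagged address with `then_succeeded` set is the case to investigate first: the password for that account should be treated as guessed.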
Of course, you could always go a different route entirely and dispense with passwords altogether. If you’re not familiar with Two-Factor Authentication, it’s worth reading up on that separately. Clef Two-Factor Authentication and WordFence are both great plugins that will implement this protocol for you. Definitely worth your time to research and consider. Never fool with passwords again!
5) Manage Your Users
First, address user comments. The same Imperva study we spoke about above also identified spam as the leading form of attack against WordPress sites. Make certain that Akismet or a similar plugin is installed to fight spam comments. A spamfighter will help keep the problem in check, but at the end of the day your level of protection against spam attacks comes down to you and your common sense.
- Set up WordPress so that all comments have to be approved before they post.
- Be highly suspicious of new comments by default.
- Be wary of any links in the comment, both in the text and in the user info to the left of the comment. You basically have to click on something shady for spam to be a problem. If you’re not certain, don’t click.
Second, if you’re not the only contributor to your website, or any time you have a guest contributor, manage your permissions wisely and keep a tidy house. Guest contributors, unless you trust them implicitly, don’t need levels of permission beyond what their contribution requires. Never give Admin, Editor, or Author level permissions to anyone you wouldn’t trust with valuable personal property. Don’t leave unused user credentials active. Even if they’re not active, if they’re in the system that’s another door into your site that needs managing.
People with malicious intent aren’t going anywhere, and as WordPress grows it becomes all the more important for you to stay focused on security. Fortunately for us, there are plenty of tools at our disposal to help us out. We don’t need to be a proverbial Fort Knox, either. We just need to not be the low hanging fruit of websites. These 5 steps will accomplish that for you and your website. Stay safe and have fun WordPressing!