Keeping WordPress secure

Janina
07-12-2021
Technical

WordPress is popular, so it’s a common target for hackers. But with a few simple actions you can avoid a lot of trouble.

WordPress is the most widely used content management system (CMS) in the world. But its popularity also makes it the most targeted by hackers, who by being familiar with vulnerabilities in a single site can use what they know to exploit thousands of others.

But what makes WordPress sites particularly at risk?

Is WordPress secure?

WordPress’ core software is actually very secure, and hackers rarely get into sites through vulnerabilities in it. Judging by the most common security incidents, a few simple habits are enough to avoid most hacking attempts.

Below are the top ways WordPress can be exploited and the proactive measures you must take to mitigate these risks.

Outdated plug-ins and themes

Because WordPress is an open-source platform, any developer can create themes and plug-ins to extend WordPress functionality. However, this openness has also created some security concerns.

Vulnerabilities in plug-ins, as in any software, emerge over time. Some once-legitimate plug-ins have also been abandoned and later repurposed to do you harm.

Tips

Only use plug-ins from reputable sources. The sources of your plug-ins and themes matter, so download and install only from trusted sources like the WordPress themes directory. Pirated versions, although free, often come with malware that will cost you far more in the long run.

Always promptly update plug-ins and themes. There have been incidents where attacks could have been prevented if users had simply installed the updated version, rolled out a few weeks earlier for the very purpose of preventing those attacks.

Running outdated versions poses risks, and you never know when those risks will be exploited. So make it a habit to run updates regularly and immediately once they are available.

Beware of abandoned plug-ins. Some plug-ins can continue to work years after the developer has stopped working on them. This means they can have vulnerabilities that won’t ever get fixed.

Sometimes hackers buy old plug-ins and update them with malware.

So keep an eye on whether your WordPress plug-ins are still being maintained. Major updates often happen two to three times a year. If there have been no bug fixes, no code adjustments to match changes in the WordPress core and no code enhancements in two years, you should consider the plug-in abandoned.

Uninstall unused plug-ins. There’s really no good reason to keep them around. Not only do they slow your load time and clutter your dashboard; as long as they are on your site, they can open an entry point for hackers. For unused plug-ins, it’s crucial that you uninstall and not just deactivate. Deactivating only stops them from running while their code stays on your site; uninstalling removes them permanently.


Outdated WordPress and PHP

According to WordPress data, 42.6% of users still use older versions even as WordPress rolls out patches and newer versions with updated security mechanisms fairly frequently.

Time and again, hackers find it easier to attack sites that run outdated versions of WordPress.

Tip

Never miss out on updates. As with themes and plug-ins, many of us tend to put updates off until the task has been sitting there for weeks. This must not be the case.

Update your WordPress installation immediately, and keep the scripting language it runs on, PHP, up to date as well so that your site keeps working properly. Running older versions of PHP can cause incompatibility issues and crashes.


Admin access and user account

The 2020 Data Breach Investigations Report by Verizon shows that brute force — which entails using password prediction tools and trial-and-error methods — was involved in over 80% of the attacks in one way or another.

Easy-to-find login pages and easy-to-guess passwords are still a big problem today.

Tips

Use strong login credentials. As obvious as this sounds, many still don't: the most common password of 2020 was still 123456. So this point bears reiterating.

Don't worry about not being able to memorize a long, complicated password. You can always keep it in your notes or use a password manager as a backup.

Protect access to your WordPress admin area. The default URL of the admin login page of a WordPress website looks like this: www.example.com/wp-admin. If you keep the default admin URL, it is quite easy for hackers to find your login page. Luckily, you can easily change it. Protect your WordPress admin area with a password and limit login attempts. Or better yet, restrict access to the login screen by IP address: when only allowed IP addresses can reach your admin page, no one else can even attempt to log in.

Consider using two-factor authentication. If you use Gmail, Facebook or Instagram, you've most likely come across two-factor authentication, and it's highly recommended that you take advantage of it.

Add HTTP authentication. HTTP authentication is another protection layer in front of a website’s login page. With HTTP authentication, you can block unrecognised and unauthenticated visitors before they even reach your login page.
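One way to implement the IP restriction and HTTP authentication described above on an Apache 2.4 server, as an added example that is not part of the original post. The address range 203.0.113.0/24 and the password-file path are placeholders, and the directives assume mod_auth_basic and mod_authz_core are enabled and that AllowOverride permits them in .htaccess.

```apache
# Added example (not from the original post): protect the WordPress login
# page with an IP allow-list plus HTTP Basic authentication on Apache 2.4.
# Assumptions: mod_auth_basic and mod_authz_core are enabled, AllowOverride
# permits these directives, 203.0.113.0/24 is a placeholder for your own
# address range, and /etc/apache2/.htpasswd-wp is a placeholder path to a
# file created with `htpasswd -c /etc/apache2/.htpasswd-wp <username>`.

# --- .htaccess in the site's document root ---
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /etc/apache2/.htpasswd-wp
    # Both conditions must hold: the request comes from an allowed address
    # AND presents valid HTTP credentials. Anything else is rejected by the
    # web server before WordPress ever sees the login attempt.
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</Files>

# --- .htaccess inside the wp-admin/ directory ---
# Restrict the dashboard to the same address range, but keep admin-ajax.php
# reachable: the public front end of many themes and plug-ins calls it, and
# blocking it breaks those features for ordinary visitors.
Require ip 203.0.113.0/24
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Test from an address outside the range after deploying: the login page should answer with an authentication challenge or a forbidden response rather than the WordPress login form.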


Weak hosting environment and management

If you're hosted on outdated servers or systems, or if your hosting provider does not properly manage servers and traffic, risks pile up. A poor host can cost you a lot.

With shared hosting, an attack on one website can affect others sharing the single server. And malicious actors are known for targeting entire servers.

However, these risks can be eased if you find a WordPress web host who puts a premium on security, constantly monitoring traffic and filtering malicious bots. Your ideal WordPress web host must be able to detect and immediately stop brute-force attempts and other malware attacks.

The technology that your hosting provider uses, and the way they monitor and maintain it, is out of your control. But you carry the risks if they're not working hard enough to protect your websites. The best time to reduce this risk is before you sign up.

Tips

Sign up with a reputable hosting provider that highlights security. There are multiple providers out there who boast about the speed of their servers. But that is not enough: speed, security and other qualities must go hand in hand for you to have the best hosting experience.

Choose hosting providers who are transparent about their server configurations. Many hosting providers leave you in the dark when it comes to patching your site with security updates. More often than not, you only learn of a failure to update a server once a hack has already made its way onto your site.


What MyHost does to protect you

Our combined security features and proactive technical, security-savvy experts will make sure you don't have to worry about security. We're serious about making security easy, which is why all our web hosting packages include free, automatic SSL.

We handle bad actors with consistent network monitoring, while our content delivery network also integrates smoothly with Cloudflare. Cloudflare speeds up your website and protects it from security threats. According to Cloudflare, a website that uses its infrastructure loads twice as fast, uses 60% less bandwidth and is more secure.

And while this is not directly related to security, you might be glad to learn that we regularly back up your data. So if you lose all your site's content to a hack, you can still pick up where you last left off.

On top of all of this, our technical team is available 24/7 and will work on your concerns head-on, whatever your hosting plan.

Sign up to MyHost today and enjoy a high level of security that will allow you to grow your business smoothly, knowing that your WordPress site is in safe and secure hands.
