One of the most common concerns I hear from clients when I suggest building their site in WordPress is about its security. One piece of research by Sucuri in 2022 found that 96% of hacked sites ran WordPress, so why on earth would you use it?
Let’s look a bit closer.
- The Sucuri research only looked at sites using a content management system, and WordPress is the market-leading CMS, running 62.9% of those sites (and around 43.1% of all websites of any type run WordPress!). If you are looking at millions of sites running WordPress and only a handful running any other CMS, of course you will find more security incidents in the bigger group.
- The headline states that “96% of hacked sites ran WordPress”, which isn’t the same as saying 96% of WordPress sites were hacked. Only a small number of WordPress sites had any issues at all.
- It’s a bit like saying Fords are the most stolen cars; they aren’t inherently less secure, it’s just there are a lot of Fiestas and Focuses about.
So what makes WordPress vulnerable to security issues?
- WordPress powers 43.1% of websites; if you are going to spend time writing malicious code, it makes sense to target a very common platform.
- WordPress is open source, meaning anyone can see the code, contribute to it and write extensions like plugins and themes. Many amateur coders writing for fun don’t take security into account, so a lot of hacks come through exploiting badly coded plugins or themes.
- WordPress is often installed, maintained and updated by non-coders. This means basic security issues and updates often get missed or ignored.
- As WordPress is free and easy to install, it’s not unusual to find several old versions of a site on a server because the owner decided it was easier to create a new install and start again. These old copies of WordPress don’t have the latest security fixes, so they are very vulnerable. (However, some of these old installs will be completely obsolete and abandoned, so there’s an argument that hacking into an unfinished blog from 2010 isn’t really the same thing as a security issue affecting a current live site with sensitive data; it will still count in the data as a hacked WordPress site, though.)
So How Can You Make Your WordPress Site Secure?
Let’s start with the most basic way to improve the security of a WordPress site.
Set Your Own Username and Make Your Password Unguessable
The absolute easiest way to get into any WordPress site is via the login page – aka a ‘brute force’ attack. We’ve had clients who have locked themselves out of their site, and we’ve been able to get back in simply by guessing their passwords. The WordPress basic installation makes a user called admin, so you just type admin and common passwords in until you get a hit. In terms of sophistication, it’s the online equivalent of walking down a street trying car doors, but the bad guys only need to get lucky once to make rattling all those locked doors worthwhile. The bad news is that if your site is visible on search engines, you will have brute force attempts on your site. The good news is that this type of attack only accounts for 15% of hacked sites: although attempts are common, it’s also really easy to protect yourself against.
TO DO: If you have a user called admin, create a new account for them with a non-default username – something like webAdmin or mainuser or even just your business name. Once they are set up on the new account, delete the default admin account.
TO DO: Make sure everyone with a login to your site is using a secure password – ideally a long string of letters, numbers and punctuation. Length is really the key – for example, ‘pFghW56!’ seems pretty secure, but at only 8 characters it can be guessed by a computer in a few minutes. ‘ThisIsALongPasswordWith30Letters?’ looks basic by comparison, but would take a computer 7 hundred tredecillion years to guess. 😱 Security.org have a nice password security tool that estimates how long a bot scrolling through different combinations would take to guess your password.
ADVANCED TASK: Make random brute-force attacks nigh on impossible by changing your login page URL. Brute force attacks target your-url.com/wp-login.php, so moving the login page to your-url.com/secret-login makes it tricky for the bots to even find your page, let alone start guessing passwords. However, you will need code skills or a specialist plugin to do this.
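As an added example (not code from the original post), a small must-use plugin that locks an address out after repeated failed logins, which blunts the password guessing described above. It assumes the server sees the visitor’s real address in REMOTE_ADDR (no proxy or CDN in front of the site); the limit and window are illustrative values.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example)
 * Save as wp-content/mu-plugins/login-throttle.php; must-use plugins load on
 * every request with no activation step.
 * Assumption: REMOTE_ADDR is the visitor's real address (no proxy/CDN in front).
 */

define( 'LT_MAX_FAILURES', 5 );                 // failures allowed per address...
define( 'LT_WINDOW', 15 * MINUTE_IN_SECONDS );  // ...within this many seconds

// One transient per client address holds its failure count.
function lt_client_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lt_fail_' . md5( $ip );
}

// Count every failed attempt; the transient expires with the window.
add_action( 'wp_login_failed', function () {
    $key   = lt_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LT_WINDOW );
} );

// Reject logins from a locked-out address. Priority 30 runs after core's own
// username/password checks at 20, so this verdict is the final one.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( lt_client_key() ) >= LT_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', LT_WINDOW / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30 );

// A successful login clears the counter so a genuine user is not punished
// for a few typos. Visitors behind one shared address (an office NAT) do
// share a counter; raise the limit if that causes complaints.
add_action( 'wp_login', function () {
    delete_transient( lt_client_key() );
} );
```

This slows a bot guessing from one address; it does not stop guesses spread across many addresses, which is why the username and password advice above still matters.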

“Having an easily cracked password is the equivalent of leaving your doors unlocked.”
Outfox Targeted Log-In Attempts
Neither of these username and password measures will stop someone who really wants to get into your site specifically. Page author usernames are visible as part of the page metadata, and ‘YoullNeverWalkAloneAnfield’ is a hard password for a bot to guess, but fairly easy for a human who might also be checking out your Facebook page or LinkedIn. If you use the same password in several places, a data leak from a relatively insignificant site can give hackers a great starting point to access your more valuable accounts.
TO DO: Check your email and any reused passwords on Have I Been Pwned; an old password I used regularly for online games as a teenager appears on 67 different lists. 🤦♀️ Luckily I have been more diligent when setting passwords for the current services I use, so I’m not too bothered if someone resets my high score on Neopets. If you do find your email and current password on a hack list, change your passwords immediately, especially if the compromised password is used to access your email, online banking or accounts that contain your personal data or financial details.
TO DO: Use a password manager like LastPass to generate and store uncrackable passwords without the hassle of remembering them.
ADVANCED TASK: Set up 2-factor authentication so that even if a password is guessed, there’s another layer to get through.
Control Access
If you give other people access to your site (such as staff members or web developers), make sure they only have access to what they need when they need it. It’s unusual, but not unheard of, for site hacks to be an inside job, where a staff member abuses their login rights.
TO DO: Regularly audit the users on your site, check their permission level and delete ones who no longer need access. It’s easy to reinstate them if you make a mistake or they need access again in future. Make sure that staff who leave your company have their access removed ASAP.
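An added example (not the post’s own code): a WP-CLI script that lists the accounts worth reviewing, covering both the default admin username from the earlier section and the permission audit here. It assumes WP-CLI is installed and that the manage_options capability is what marks a privileged account.

```php
<?php
/**
 * User access audit (added example, not from the original post).
 * Run from the site root with WP-CLI:  wp eval-file user-audit.php
 * Assumption: 'manage_options' marks a privileged account; adjust the
 * capability if you use custom roles.
 */

function user_audit_findings() {
    $findings = array();
    foreach ( get_users() as $user ) {
        $login = $user->user_login;

        // The stock account name is the first thing a password-guessing bot tries.
        if ( 'admin' === strtolower( $login ) ) {
            $findings[] = "$login: default username, create a replacement account and delete this one";
        }

        // No role means no permissions, but the password still works for login.
        if ( empty( $user->roles ) ) {
            $findings[] = "$login: no role assigned, delete if no longer needed";
        }

        // Everyone who can change settings or add plugins should be reviewed by name.
        if ( user_can( $user, 'manage_options' ) ) {
            $findings[] = sprintf(
                '%s: privileged (%s), registered %s, %s',
                $login,
                implode( ', ', $user->roles ),
                substr( $user->user_registered, 0, 10 ),
                $user->user_email
            );
        }
    }
    return $findings;
}

foreach ( user_audit_findings() as $line ) {
    WP_CLI::log( $line );
}
```

An account you decide to remove can be deleted with `wp user delete <login> --reassign=<other-user-id>` so its posts are kept rather than removed with it.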
The next most common way for WordPress sites to be targeted is through vulnerabilities in the software that runs the site. This is the most successful route for a skilled hacker – it’s estimated that around 70% of compromised sites were accessed via a software vulnerability in a plugin, theme or core file. Luckily this type of attack is trickier to pull off, so there are fewer attempts to worry about. Let’s look at some ways to reduce this risk.

Keep On Top of Plugins and Themes
With so many free plugins and themes available for WordPress, it’s tempting to try them all out and install more than you need. Plugin bloat will slow your site down, but it also introduces more opportunities for security issues. As mentioned before, many free plugins and themes are made as side projects or by inexperienced coders, so they can be vulnerable to exploitation. Another good rule of thumb is to check when the plugin or theme was last updated, and avoid anything that has gone more than a few months without an update. Be extra wary of any site offering a free version of a premium plugin; if a plugin normally costs £300 per year, it’s unlikely they are giving it away for free. The old rule about something being too good to be true definitely applies here; a “great” deal like this is usually because the plugin has been modified to give a third party backdoor access to your site.
TO DO: Delete any inactive plugins you aren’t using. Inactive plugins don’t bring you any value and introduce a security risk.
TO DO: Keep active plugins and themes updated; you may want to back up your site beforehand in case the update causes any issues. If you don’t log in to your site very often, consider setting up auto-updates.
TO DO: Review and update your themes. Keep the latest WordPress default theme; deleting this can introduce bugs, and the latest one will be the most secure. Best practice is to run a child theme off your real theme, as this allows you to update your main theme while keeping your customisations safe in the child theme. If you have more than 3 themes (an active child theme, an inactive main theme and an inactive WordPress default) then strongly consider deleting the rest.
ADVANCED TASK: Check your plugins against this banned list on WP Engine. While WP Engine prevents users from installing some of these plugins because they conflict with the default caching and backups of the sites they host, some of them are banned due to known security issues. If you have one of these insecure plugins, delete it immediately.
ADVANCED TASK: Check your plugins and themes are still available to download from WordPress.org. They are generally pretty good at removing compromised code and abandoned plugins, so if the only place you can still get a plugin is a dubious third party site then it’s best to steer clear. (The exception here is paid plugins – these are often downloaded from another site after payment. However, free versions or other plugins by the same developer should be available on the WordPress library.)
Update WordPress Core
The core software behind WordPress is updated every few months, often in response to possible vulnerabilities, so keep on top of these patches. Many people are wary of these updates, because a previous one broke their site; in reality this issue usually occurs when the site is very far behind the latest release. If you are trying to jump from WordPress 2 to WordPress 6 then it’s almost inevitable you’ll have problems. However, going from WordPress 6.4.3 to 6.5 is unlikely to cause any trouble, and out-of-date core files are an easy vulnerability to solve.
TO DO: Check your version of WordPress against the release list, and update if needed.
ADVANCED TASK: If you are several versions behind the latest release, you should apply the update in a staging environment before implementing it in your live site.
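The plugin, theme and core checks from the two sections above, as one added WP-CLI script (not the post’s own code). It assumes WP-CLI is installed and that the site can reach api.wordpress.org so the refreshed update data is current.

```php
<?php
/**
 * Plugin, theme and core update audit (added example, not from the original post).
 * Run from the site root with WP-CLI:  wp eval-file update-audit.php
 * Assumption: the site can reach api.wordpress.org for fresh update data.
 */

require_once ABSPATH . 'wp-admin/includes/plugin.php';

// Refresh the update information WordPress caches in transients.
wp_update_plugins();
wp_update_themes();
wp_version_check();

$report = array();

// 1. Plugins: inactive ones are dead weight, out-of-date ones are a known risk.
$pending = get_site_transient( 'update_plugins' );
foreach ( get_plugins() as $file => $data ) {
    if ( ! is_plugin_active( $file ) ) {
        $report[] = "plugin {$data['Name']}: inactive, delete it";
    }
    if ( isset( $pending->response[ $file ] ) ) {
        $report[] = "plugin {$data['Name']}: {$data['Version']} -> {$pending->response[ $file ]->new_version}";
    }
}

// 2. Themes: keep the active theme, its parent and the WordPress default, nothing else.
$active = wp_get_theme();
$keep   = array( $active->get_stylesheet(), WP_DEFAULT_THEME );
if ( $active->parent() ) {
    $keep[] = $active->parent()->get_stylesheet();
}
foreach ( wp_get_themes() as $slug => $theme ) {
    if ( ! in_array( $slug, $keep, true ) ) {
        $report[] = "theme {$theme->get( 'Name' )}: not in use, delete it";
    }
}

// 3. Core: compare the running version with the latest release.
$core = get_site_transient( 'update_core' );
if ( ! empty( $core->updates[0] ) && 'upgrade' === $core->updates[0]->response ) {
    $report[] = "core: {$core->version_checked} -> {$core->updates[0]->version}";
}

foreach ( $report as $line ) {
    WP_CLI::log( $line );
}
if ( ! $report ) {
    WP_CLI::success( 'Nothing to do.' );
}
```

Take a backup before acting on the report, as the section above advises; on a site several core versions behind, apply the listed updates on a staging copy first.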
The third way sites are attacked is via the hosting environment. This accounts for a tiny percentage of successful hacks (less than 5% when all routes are considered), but it is still worth making sure you are covered.
Use A Reputable Host
Online security is very complex, and the best website hosting companies will have whole teams of experts working around the clock keeping their servers safe and secure. Generally you get what you pay for, so only use free or very cheap hosting for throwaway projects, as you can’t be 100% sure it will be safe. If your website is integral to your business, then investing in a hosting plan from a reputable company is the only way to go. We’ve written a post about hosting with recommendations if you’d like to look into this more.
TO DO: Review your hosting package and check the reputation and track record of your host if unsure.
ADVANCED TASK: If you think your site is at particular risk of a targeted attack due to the nature of your business, it may be worth moving to a host who specialises in WordPress specific security, such as WP Engine.
Keep Your FTP and cPanel Credentials Secure
Just like your WordPress login, it’s possible to brute force entry to hosting control panels, or use an insecure FTP account to access your files directly. Never reuse passwords for these systems and make sure they are complex and long enough to be unguessable.
TO DO: As before, reset any insecure or easily guessed passwords, ideally with a password manager. Activate 2FA where possible.
ADVANCED TASK: Delete old FTP accounts and set up SFTP connections or use SSH instead.
Finally, let’s look at some ways you can be proactive when it comes to online security.
Install a Security Plugin
If you are with a reputable host already, the default WordPress installation often includes security features. SiteGround’s security plugin is particularly impressive out of the box, and protects against many of the issues discussed in this article. Wordfence, Sucuri and Limit Login Attempts are all good options too and may work better depending on your hosting environment and existing site functions. Jetpack is also a strong choice, but it comes with lots of non-security features that may clash with your existing setup, so it’s perhaps better for new sites than established ones.
TO DO: Review security tools already in place, upgrade as needed. Avoid plugins that duplicate features found elsewhere to prevent clashes.
Minimise Impacts
Unfortunately, you can never protect your site 100%. Royal Mail, NHS Scotland, The Guardian and the British Library have all been victims of recent cyber attacks despite professional security teams, so you should always consider how to mitigate the consequences of any incident. Sometimes the only way to repair a hacked site is to delete it and start again, so keeping a backup of your site files and database means this is not a big deal. You might also want to consider specific insurance if data loss or leaks pose a significant risk to you.
TO DO: Ensure you have regular automatic site backups in place, either through your hosting provider or a plugin. Ideally these should be stored separately from your site. Many hosts will store backups on a separate server for you as standard, but if you are using a plugin to create backups, ensure that you download a copy to another location (such as your own computer, or a private Dropbox account) regularly.
TO DO: Check what security features your hosting provider offers. Many will help clean up and fix compromised sites or have step by step instructions that account for their specific hosting environment. Switch hosts if you think they aren’t taking security seriously.
So How Worried Should You Be?

Luckily, following the basic security measures in this article will put off all but the most dedicated hacker, and realistically most websites aren’t that interesting or valuable as targets. Someone who has the ability to bypass several layers of security is not going to bother holding a small business to ransom if they could just as easily target someone larger with much deeper pockets.
If you are worried about your site’s security, need to clear up a breach or just want some expert advice for your situation, we’d love to help you. You can book a free introductory call or drop us an email to find out more or request a quote.