WordPress is one of the world’s leading, most trafficked blogging platforms. Its security is always a serious topic because many bloggers and web owners earn their livelihood from their websites.
If their WordPress sites become compromised, they’ll lose their source of income.
WordPress itself is a secure system, but there are still risks that could compromise websites and/or blogs.
Though WordPress is regularly updated and audited by expert developers, hackers can also use the same knowledge and skills to break through its defenses.
In this guide, you’ll learn about two main things:
- The basics of WordPress security
- Practical steps to follow in strengthening WordPress security
Things You Should Know About WordPress Security
Contents In Page
Common Threats to WordPress Blogs and Sites
WordPress uses a strong security system, but there can still be loopholes that hackers can use to infiltrate websites. The following are most common threats that can attack a WordPress site:
Virus and Malware
By use of viruses and malicious software (malware), hackers can alter codes in your site’s database and security settings.
These malware can be injected into your database through vulnerabilities in the plugins and even the themes that you use.
The purpose of these malware is to obtain information or data from your website and use them for criminal activities.
Spam no longer only refers to unwanted emails. And Spam attacks now range from bombing of unwanted comments, Negative SEO, DDoS attacks, and trackback abuse.
The purpose of spamming is to slow down your website, bring down your page ranking, or have your site penalized by Google. Spamming is a dirty trick commonly pulled off by sore competitors.
Hacking bots are automated software that is designed to hack into websites. Unlike viruses that are injected to work from inside of the website’s system, bots work from outside by attempting to access the login page.
Bots attempt to break in by applying various combinations of login data and passcodes. Once bots succeed in breaking in, hackers can access your database and steal information for criminal purposes.
Common Mistakes and Weaknesses in the Security System
Many times, the loopholes found in the security system of WordPress sites are those that are made by the site owners.
Here are common examples of how you can cause vulnerability to your website:
Overlooking or forgetting to manually installing major updates.
Many think WordPress automatically updates everything when newer versions of the software are released. Actually, only minor updates are automatically installed and it’s up to you to initiate major updates.
If you don’t install major updates manually, you miss out on the new security features that will protect your site from new threats.
Using highly predictable passwords or codes.
The most classic mistake many people still make is using passwords based on birth date, anniversary, street number, etc. These kinds of information are readily accessible to hackers.
If you are using the same for your site’s login, then you are making your website into an easy give-away.
Overlooking the value of using reliable web hosting service.
In free hosting, their servers are open to all; there are little restrictions on accessibility. If anyone can access the server your site is on, then anyone can hack into it.
On the other hand, shared, dedicated and managed web hosting services offer extra protection because they keep their servers clean and functional.
If you are maintaining a website for your business, you should consider purchasing a hosting service that meets your needs.
Why It’s Important to Keep Your WordPress Blog Secure
There are several important reasons why you should strengthen the security of your WordPress site:
You don’t want to lose the money that you worked for.
One of the primary reasons why hacking exists is to get a hold of your financial account information.
If they know that your website is earning well, hackers can target your site to steal your earnings.
You don’t want to be a source of spam attacks.
If your website is infiltrated, hackers can use your website for malicious activities such as sending spam emails to spread malware or viruses.
The spam attacks can be traced down to you and you might get blamed for it. This is especially critical for websites that maintain mailing lists for their subscribers.
Once your subscribers report you as a spammer, your reputation will be damaged and affect your future online operations.
You don’t want your site to be falsely accused and penalized for SEO malpractices.
Many competitor sites would play dirty just to get ahead of you. If you don’t keep a close watch on your site, someone can pull a Negative SEO attack on you.
Others might abuse your trackbacks for their blackhat SEO methods. These tricks involve the abuse of backlinks from your sites.
In Negative SEO, someone posts your site’s URL or page links on different websites to make it look like you’re spamming those websites.
In trackback spamming, someone abuses your trackbacks by linking to your site so they can automatically get a backlink from you.
You don’t want to lose your website.
If your website is hacked and you have no back-ups, hackers can easily shut down your site without a chance of recovery.
Everything you worked hard for will go down the drain and you’ll be back again to zero.
How to Safeguard Your WordPress Blog from Hackers
WordPress’ security system may be strong and reliable most of the time, but common hackers can be very persistent.
They’ll try to find a loophole around their targeted website and won’t stop until they find or create a small crack.
To guard against common hackers, you must strengthen your site’s security by taking preventive measures that discourage hackers.
There are five important steps that you should follow:
- Create or install a back-up system.
- Keep your platform, including plugins and extensions, up-to-date.
- Install and enable a WAF (Web Application Firewall) such as anti-spam plugins.
- Customize your login URL and change user name for admin.
- Add security questions and Captchas.
There are other advanced measures that you can also apply to reinforce WordPress Security. However, these five steps are the simplest, most basic measures that every website owner should know how to practice and apply.
The next part is a practical guide on how to apply these measures.
Creating and Installing a Back-up System
Creating a back-up system for your WordPress blog can be done in three ways:
- Manual Back-up
- WordPress Back-up Plugins
- Web Host Back-up
You can choose any these, but you can secure your site much better if you choose to do all three.
In Manual back-up, you manually download your website and database into a secure or encrypted hard drive.
You can use your computer’s local hard drive, but it’s better to use a separate hard drive because your computer can easily get compromised by infecting malware.
Another safe location where you can store your back-up data is the cloud. It’s recommended that you use a cloud service outside of your web host or server’s back-up cloud.
WordPress Back-up Plugins:
Plugins are third-party software that you can install or incorporate into your website. Many back-up plugins are available to use with WordPress.
You can use either free or paid plugins. Though paid plugins offer more convenient features, free plugins are also adequate for website back-ups.
Usually, the process of installing and using back-up plugins involve the following steps:
- Choose a back-up pluginfrom your WordPress plugin list and download the file.
- Unzip the plugin file and place it in your site’s wp-content/plugins/folder.
- Go to the Plugins menu and activate the plugin.
- The plugin should then appear on your dashboard.
- To create a back-up, just follow the steps instructed by your chosen plugin.
Most back-up plugins enable you to set a back-up schedule so your WordPress site can be backed-up on a regular and continuous basis.
Ideally, your website should be backed up at least once daily. However, the necessary frequency of back-ups depends on your website’s traffic and updates.
If your website receives a lot of traffic on a daily basis and new content is updated more than twice a week, you need to set real-time back-ups.
Backing up real time is the most recommended schedule for e-commerce sites which deal with multiple transactions at each time.
If your website is mainly informative and is updated only monthly or quarterly, you can set up a more relaxed weekly or monthly schedule.
Web Host Back-up:
Paid web hosting services, particularly dedicated and managed hosting, usually perform regular back-ups as part of their service package.
If your web host offers back-up service, simply collaborate with them about your website’s back-up needs. If it’s not part of their service, ask them if it can be added to your service package and contract.
Keeping Your WordPress Blog Up-to-Date
Updating your WordPress blog is mainly a matter of duty and responsibility. In the latest versions of WordPress, minor updates are applied automatically.
However, it’s your responsibility to watch out for major updates and install them as soon as possible.
Usually, a message or notification about major releases will appear on your dashboard.
To update your site to the new version, just click on the “Please update now” prompt within the message.
As for plugins and themes updates, some providers or developers automatically update their products. For those who use plugins and themes that need to be manually updated, just watch out for update notifications on your plugins menu or page.
Using a Web Application Firewall
A web application firewall is an anti-spam plugin that protects your website form spam attacks.
In WordPress an anti-spam plugin called Akismet plugin is pre-installed. Just look for it and activate it in your plugins menu.
You can also add other anti-spam plugins if you want a back-up anti-spam protection.
Customizing Your Login URL
Your WordPress login URL is usually set to the default http://www.nameofsite.com/wp-login.php format. If you don’t change this, hackers will use this information to break in.
The risk is associated with WordPress setting the default admin name to “admin”.
The /wp-login.php part of the URL is a giveaway that you are using WordPress and that your admin username could be “admin”.
That leaves hackers thinking that the only thing they need to do is guess your password and they’ll be in.
To change your login URL, you must use a plugin that hides your login.
Using a plugin is a smart and safe way to change your login URL because manually changing it poses risks. Examples of this kind of plugin are Better WP Security and WPS Hide Login.
Follow these steps:
- Create a new back-up of your WordPress blog first so you can restore it in case something goes wrong.
- Install and activate your chosen plugin from your plugins menu.
- Follow the plugin’s set up instructions.
- Change your URL’s /wp-login.php into something less obvious such as /login or /sitelogin.
- Apply the change as per the plugin’s options.
You can also use the plugins to change your admin URL. WordPress’ default admin URL is /wp-admin/, and you can change that into /admin/ instead.
Changing Your Admin Username
To change your admin username from the default “admin”, you can do the following:
- Add a new user on your dashboard and delete the old “admin” user. This is the simplest method to changing the admin username.
- Use a username changer plugin to change the admin name without deleting the old admin. Just install and activate the plugin, change the admin name, and save changes. After that, you can delete the plugin without problems.
Adding Security Questions
Security questions add another layer of protection for your site. The key to make this work is to set questions that are difficult to guess by a stranger.
To add login security questions, just to these:
- Install and activate a plugin that will implement a two-factor authentication process. An example of this is WP Security Question plugin.
- Set up the plugin for use.
- Enable security questions for different screens or pages: login, register and forgot password screens.
- Choose the question to be asked and provide the correct answer.
- Update your profile to apply the changes.
Once the update is applied, the security question will now appear every time you access your login screen.
Captchas are useful in blocking off spam comments and registrations attempted by hacking bots. To use Captcha for your WordPress blog’s comment section, just install and activate a Captcha plugin such as Google Recaptcha.
Besides these basic yet crucial security measures, you should not forget that your WordPress blog’s security also depends on the computer hardware that you use to manage it.
Always remember to:
- Keep your computer physically safe from damaging elements.
- Keep your computer’s drives clean and free of malicious software.
- Scan your computer system for viruses and malware.
- Update your computer’s anti-virus and anti-malware software.
- Practice safe internet browsing activities.
And lastly, always remember that it’s you that’s responsible for safeguarding your WordPress blog. Take your duty seriously and always be on the watch.