Security on WordPress is an issue to be taken seriously, primarily due to it’s sheer popularity! There are over +75 million WP websites out there, so devising a successful hack opens up a world of opportunities.
Whilst you can expect determined and sophisticated hacking attempts directed against your WordPress sites, there are numerous preventive measures that ensure the integrity of your site will be maintained. .
These hacking efforts run the whole gamut of attack variations;
- Blackhole Exploit Kit attacks
- SQL Injection attempts
- Brute Force Login & Password access efforts
- Link Injection & Phishing attacks, where links to bank fraud efforts are made
- DDOS – distributed denial of service attacks where thousands of computers simultaneously access your site with multiple request in order to bring it down
Many attacks are initiated in China, Russia, Poland, Iran, North Korea, Turkey and Indonesia. Generally speaking, its easy to minimise the potential threat by a few minutes of preemptive efforts!
Read the Protect WordPress from Hackers page for a 9 Stage plan
In other words, an ounce of prevention is better than a pound of cure!
WordPress Security Plugins
This is the first line of defence – a couple of properly implemented WordPress security plugin will thwart the majority of hacking efforts – particularly the script-based automated ones! Where a human-driven attack is initiated, you can easily make it extremely difficult to access the internals of your website. The more difficult it is, the greater the likelihood of the attacker giving up and seeking out a softer, easier target. Even in the hacking world, time is money…
There are multiple WordPress security plugin applications available, each with its own methodology or variation on a theme. Selection of one over the other will often be based on the server environment – some simply won’t install if the right PHP elements or server settings are not enabled. Those that I have direct personal experience with are;
- Limit Login Reloaded – excellent brute force login security
- Block Bad Queries – fast firewall that does not intrude into other activities – such as WordPress Management Consoles
- Block Bat Bots – reduces the impact on server resources by rogue bots and thwarts many spambots too.
- Disable XML RPC – this is a WordPress component that most business websites don’t need
- Disable REST API – except for logged in users
- Cloudflare CDN – using Cloudflare greatly enhances site security! from both script injection threats AND DDoS attacks.
These all work well together.
Wordfence & Sucuri
In the quest to ensure best possible performance and minimal server resource use, I prefer to use several small “light weight” WordPress security plugin across all sites I manage.
However, on all recent hacked sites I am asked to assist with, I install Wordfence and/or Sucuri to help sort out the chaos. Once the site is sanitised, I replace the “heavy weight” plugins.
I’ve used Wordfence on many websites over a number of years… It has grown into a behemoth with a much more complicated interface than previously. Whilst it is very robust, many people don’t ever find all the crucial areas that need settings adjusted. Because of that, its not uncommon for me to get asked to “un-hack” sites that the owner thought was well-protected with Wordfence…
When Wordfence is correctly configured, it is going to defeat the most determined hacking efforts! It can be configured to provide email warning of a variety of threats, including;
- Alert on critical problems
- Alert on warnings
- Alert when an IP address is blocked
- Alert when someone is locked out from login
- Alert when the “lost password” form is used for a valid user
- Alert me when someone with administrator access signs in
- Alert me when a non-admin user signs in
Other important security aspects include;
- Enable automatic scheduled scans
- Scan core files against repository versions for changes
- Scan for signatures of known malicious files
- Scan file contents for backdoors, trojans and suspicious code
- Scan posts for known dangerous URLs and suspicious content
- Scan comments for known dangerous URLs and suspicious content
- Scan for out of date plugins, themes and WordPress versions
- Check the strength of passwords
- Monitor disk space
- Scan for unauthorized DNS changes
- Scan files outside your WordPress installation
- Enforce secure passwords
The fast alerts on the slightest hint of a problem are comforting. I especially like the “Scan core files / plugins / themes against repository” function!!! If a file changes, or an extra one appears, the alarm bells start ringing!
WordPress Security Plugins Summary
These plugins outlined above are sure to solve the particular security issues on your WordPress website. They provide a known base from which to start your countermeasures.
There are several basic elements that need to be addressed as part of any recommendations on WordPress security.
Secure WordPress User ID
The default WordPress User ID is “admin” and you should NOT use that on your site. Doing so immediately means half of the “site access equation” is known, and all that’s required is the password! That’s pretty reckless in this day and age…
A secure User ID ought to be a minimum of 10 + 12 characters containing a mix of upper and lower case and including numeric and/or special character variations and no recognisable words e.g.; Tgp#1BzsB4Fc
In addition, you should then assign a different User Account “nickname” so that there is no clue as to the Admin identity if you inadvertently use the account to publish any pages or posts! Ideally, you should publish the pages and posts from a “Editor” level account…
Most people foolishly use a password related to their life in some guessable way. Phone numbers, wife’s name, child’s name, dog’s name etc… A little bit of research, a bit of trial and error on the part of a smart hacker or competitor and your site is wide-open!
There are several websites specialising in secure password generation…
USE one of them!
Comment Spam & Bad Links
These contribute negatively to your website’s online profile. Eliminate the majority of potential issues by using the inbuilt automation options;
- Don’t allow registration unless its absolutely necessary!
- Don’t allow comments on pages
- Close comments on posts after 2 – 4 weeks
- Don’t allow trackbacks / pingbacks on posts
- Disable XML RPC – if you don’t know what it does, you don’t need it…
Installing and configuring the WordPress Zero Spam plugin is not at all difficult and it effectively screens out the worst of the remaining garbage!
I use Cleantalk on sites that get a lot of spam post attempts.
Maintaining WordPress & Plugins
Its extremely important to diligently maintain WordPress and any plugin applications. When a security breach or flaw occurs, fixes are put in place, but word of the potential exploit quickly circulates among the hacking community. Hackers immediately start looking for sites that are at risk, and target them!
A ‘once a week’ login to your WordPress Admin should be a standard task, in order to check if there are upgrades available. Install any upgrades immediately! Having a plugin like Wordfence installed ensures you are notified immediately WordPress, a plugin or theme has upgrades available.
WordPress plugins: now have an “Enable Auto Updates” option – activate it!
Make sure WordPress itself has “auto-updates” turned on.
Themes can also be auto-updated: this can be problematic on themes like Avada, even (or especially) where a child theme is used.
Having an automated monthly backup process scheduled, with off-server storage, makes sound business risk management sense.
The best backup available is Updraftplus. I use the premium version on all sites I manage.
- Schedule regular backups – Database daily with 7 rotating, Files weekly with 2 rotating
- Upload them to cloud storage (Dropbox, OneDrive etc)
How to deal with WordPress Hacking
Don’t panic, because it absolutely won’t help! Usually, the hacking efforts I’ve seen relate to exploits of inherent security weaknesses in;
- No security implemented at all
- Out of date / vulnerable Plugins or Themes
- Weak passwords
- Use of “admin” as the Administrator User ID
The first indication may be;
- an email from Fraudwatch requesting you delete the offending content
- a warning from your hosting company that the site is compromised and in danger of being shut down
- a tip from a friend or client that Google is displaying malware or virus warnings about your website
These days, its rare to have an overt, immediately obvious hacking occur. Its more often an out-of-sight, deeply planted problem that the hacker hopes won’t be discovered for weeks or months.
Dealing with the problem is explained in the How to deal with WordPress Hacking page..
WordPress Security Conclusions
- Avoiding the problem is not particularly difficult.
- Eliminating the problem is usually straightforward.
If you need WordPress Technical Support, use the form below to get in touch.
The SEO Guy provides a comprehensive annual WordPress Website Maintenance Plans that addresses all of the issues covered in this article, for a very modest annual cost.