As the most popular content management system, it’s unsurprising that WordPress powers 35% of all websites on the web. That’s an impressive accolade, but it’s sadly one that goes hand in hand with the fact that more than 70% of WordPress installations are vulnerable to hacker attacks.
It seems that, as well as gathering a huge amount of interest from website owners and businesses, WordPress has also managed to attract a slightly less desirable audience looking to exploit vulnerabilities in software for a variety of reasons. This is a real concern any business looking to launch their website will need to consider well in advance.
After all, consumers are more concerned than ever about how companies use their information. So much so that, according to IBM, large-scale breaches can now cost upwards of $3.92 million. Those are numbers few companies could cover without feeling the sting. Hence, online security should be a pressing priority. On WordPress, especially, putting security at the forefront of your plans is the only chance you have at staying safe. That’s why we’ve put together some critical pointers to help you protect your online presence where it matters most.
# 1 – Keep up to date
Staying up to date with your WordPress site will ensure you have the latest features and bug fixes on your website. But, keeping up to date with everything from themes to plugins is also fundamental for security. After all, roughly over 50% of WordPress breaches uncovered in a recent reports, were on sites with outdated software.
That’s something you need to address sooner rather than later, by keeping an eye out for upgrades, and pushing them manually. Some updates can occasionally lead to downtime, if there are compatibility issues for example, so it’s important oversee their progress to check for any potential problems, and run full website backups beforehand.
As a recent example of how important updates are, in May 2020, a vulnerability was found in the popular plugin “Elementor PRO”, which has approximately over 1 million users. This vulnerability allowed a malicious user to execute any PHP function with any arguments they specify. Just 1 day after the bug was found, the Elementor team released an update to fix and remove the vulnerability. So if you happened to have this plugin installed, and were not keeping your plugins up to date, you could have been leaving your site vulnerable for an attack. That’s why it’s important to keep things updated as frequently as possible.
# 2 – Choose secure website hosting
You can’t create a WordPress site without a host, obviously. But, you might not realize that you can take your security further by considering a managed WordPress hosting company. Rather than just providing you with basic host services, fully managed hosting can provide everything from speed and performance enhancements, along with extra security hardening and firewalls.
Choosing a managed hosting company means that you have an added layer of protection for your WordPress website.
This is a benefit that you may struggle to find with a standard shared host for example, but it’s a fact well worth noting. After all, going the “fully managed” route ensures your data is on a secure platform and that such security comes in monitored layers for utmost protection at all times, this includes managed firewalls, malware scans, activity tracking and more.
# 3 – Use WordPress security plugins
Unless you’re an IT expert with loads of time on your hands, checking your WordPress security manually simply won’t be an option. Instead, you should look into the various WordPress security plugins that other companies have already put on the market.
Options like those available from companies such as WebARX, iThemes Security, and WordFence are created by security experts, for you. Installation can see you enjoying a host of benefits, including brute force protection, the ability to lock out bad users, and even security scanners to check core files for changes, and more.
# 4 – Use a web application firewall
Using a web application firewall can help protect your website from unwanted spam and bots, that could be on a mission to take down your site, or break their way in.
However, there are 2 routes you can go to implementing a firewall on your site, with either a “Endpoint WAF” or “Cloud WAF”. You can see a detailed comparison of both of these from WebARX security here, however in general, there is no harm in implementing both types on firewalls on your site. We would suggest a combination of Stackpath (cloud WAF) and WebARX (endpoint WAF).
If you have signed up to one of our WordPress maintenance plans (with hosting), then a cloud WAF is included for free on your site.
# 5 – Use two-factor authentication
Password management has always been vital to WordPress security, but you don’t need us to tell you that much. Instead, it’s worth noting that you should also implement two-factor authentication to increase those security efforts.
Two-factor authentication that asks for both a password and a secret question or similar is sure to prove far more efficient, then just having a secure password. This is a step you can integrate into your sign-in processes by looking to add-ons like Google’s Authenticator or Authy. This way, even a breach on one level of your security can no longer provide hackers the access they need to break into your site.
You can find a variety of popular free plugins for implementing two-factor authentication on your WordPress site via the official plugins directory here.
# 6 – Limit login attempts
WordPress offers users as many login attempts as they need. This is fantastic news for you and your team on a blurry Monday morning, but it also allows hackers to join the feast. After all, brute force attacks are just that – crude attacks where hackers will work out your password by process of elimination. A cheat they can easily get away with when they can sit there guessing all day long.
By comparison, a plug-in that limits these login attempts can make a huge difference. Three is a good number here, as it’s unlikely you or any approved users will get things wrong that often. Yet, you can make sure that hackers don’t gain access and that you receive ample warning of them attempting to do so.
# 7 – Secure your own devices
Keeping your WordPress site in itself safe won’t achieve anything if hackers can stroll right into your broader computer landscape. From here, they’ll be able to track and overcome any hurdles you may have in place on your WordPress site itself. Worse, they’ll be harder than ever to get rid of, as this less focused form of attack is never easy to identify.
As such, you also need to take steps to protect your computer systems and connections themselves with software like Malwarebytes. By blocking and automatically detecting attacks in real-time, this alone will go a long way towards ensuring your devices don’t leave your site at risk. Even better, this has the benefit of securing your company on a much broader scale.
# 8 – Encrypt your data with SSL
An SSL (secure socket layer) certificate, is another sure road to security.
This is because an SSL is in place to ensure secure data transfers between your browser and server. This significantly reduces the entry margin for breaches with the help of encryption that even top-end hackers would struggle to go toe-to-toe with.
As well as providing reassurance for you, an SSL can have the significant benefit of offering reassurance to anyone visiting your page. This is because these certificates act as a form of authentication, letting consumers know that you are who you claim to be, and that they’re connecting with you on a secure network. Of course, it doesn’t hurt that SSL certificates can potentially offer a small benefit to your SEO too.
The days is becoming more common, and easier to implement and SSL on websites, with the likes of free SSL’s from Let’s Encrypt along with free EdgeSSL certificates with the StackPath CDN and WAF.
# 9 – Protect your wp-admin directory
Protecting your wp-admin is another fundamental step towards a site you can trust. After all, your wp-admin is the heart of your website, and it’s a key that you want to keep out of the hands of hackers.
A two-password process could help you achieve this goal, but many businesses are going further with protection, and even hiding the /wp-admin login page. This can be done easily using the “WPS Hide Login” plugin, and is also a feature of the “iThemes Security Pro” plugin.
# 10 – Let someone else keep an eye on things
Let’s say that you’ve put your best security efforts into play. You feel secure in turning your attention to all those other tasks on your to-do, and bam! Hackers break through regardless.
The sad reality is that, even with these measures in place, real-time monitoring is your best chance at keeping on top at all times. This is a step that managed maintenance as offered by RelyWP can help you to achieve. With benefits like daily malware scans, free malware removal, web application firewalls, and weekly managed updates, this is a sure way to perfect your security, all while freeing you for those other business aspects. And, that ensures all your other efforts in this area will be worth your while.
A final word
Security isn’t easy, even (or especially) on a popular platform like WordPress. Worse, hackers are forever adapting to ensure the access they need. Make sure they don’t sneak into your website defenses by staying one step ahead of the game using these pointers.