WordPress is the most popular open-source content management system, used by millions of people around the world to build websites. That popularity, combined with the fact that many site owners never update or maintain WordPress, its themes and its plugins, makes it an easy target for criminals who compromise websites for financial gain.
WordPress Security Statistics
We have highlighted the following security and business statistics to make you aware of the importance of website security and why you should take it seriously. They are headline figures; treat them as an indication of the scale of the problem rather than as exact counts.
- At least 30,000 WordPress websites are hacked every day
- 4.7 million websites are hacked by cybercriminals every year
- A majority of hacked websites are due to poor website management, maintenance, and security
- Almost 1 in every 25 websites has been hacked
- 8% of sites get hacked by weak or stolen passwords
- Outdated WordPress installations are behind 61% of successful attacks
- 97% of all website attacks are automated
- 90% of all security vulnerabilities within WordPress are due to themes and plugins
- The most common findings on compromised sites were malware (61.65%), backdoors (60.04%) and SEO spam (52.60%); the figures add up to more than 100% because a compromised site usually carries more than one type of infection
Business & Personal Impact Of Getting Your Website Hacked
- Getting your website hacked is a stressful experience that can have a serious impact on your mental health and overall wellbeing.
- Ultimately you are responsible for keeping WordPress, your themes and your plugins up to date and for having the right security precautions in place to protect your website and its visitors. If visitors are infected with malware after visiting your site and their personal or credit card details are then used for criminal purposes, you could face a lawsuit.
- Most hosting companies will suspend the hosting account of a compromised website. Your site then goes offline, and with it your traffic and sales.
- A compromise can badly damage your business and brand reputation with current and potential customers.
- You can lose your hard-earned search engine ranking on Google, which flags sites that serve malware and may remove them from results until they are cleaned.
- The time, resources and money needed to deal with a compromised website can have a big impact on you and your business.
Common Attacks On WordPress Websites
The following are examples of the types of attacks which can take place against WordPress websites.
Cross-Site Scripting (XSS)
Cross-site scripting occurs when an attacker gets script of their own into a page that your site serves to other visitors, so that it runs in their browsers with your site's cookies and permissions. The injection point is almost always user-supplied input that a theme or plugin prints without escaping: a comment, a search term, a profile field or a URL parameter. The script can steal session cookies, perform actions as a logged-in administrator or silently redirect visitors elsewhere. "Reflected" XSS needs a victim to open a crafted link; "stored" XSS sits in your database and fires for every visitor to the affected page.
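To show where the bug lives and how WordPress code should handle it, here is an added example (not code from the original article) of the same feature written twice: a shortcode that greets the visitor by the name given in a URL parameter. The first version is the vulnerable one; the second escapes for each output context. Function names and the "share" link are assumptions for the illustration; the escaping functions are WordPress's own.

```php
<?php
/**
 * Plugin Name: XSS escaping example (added illustration, not code from the original article)
 * Save as wp-content/mu-plugins/xss-example.php, put [greet_unsafe] and [greet_safe] on a page,
 * then request that page with ?name=<script>alert(document.cookie)</script> and compare.
 */

// [greet_unsafe]: visitor-controlled input is written straight into the page. Whatever the
// visitor (or a link an attacker sent them) puts in ?name= becomes part of your HTML and runs
// in the browser under your site's origin, with your site's cookies.
add_shortcode('greet_unsafe', function (): string {
    $name = $_GET['name'] ?? 'friend';
    return '<p>Hello, ' . $name . '</p>';
});

// [greet_safe]: the same feature with the input cleaned once and the output escaped for the
// context it lands in. WordPress adds slashes to superglobals, hence wp_unslash() first.
add_shortcode('greet_safe', function (): string {
    $name = sanitize_text_field(wp_unslash($_GET['name'] ?? 'friend'));
    $link = add_query_arg('name', $name, home_url('/'));   // hypothetical "share" link

    return sprintf(
        '<p title="%s">Hello, %s <a href="%s">share</a></p>',
        esc_attr($name),   // inside an HTML attribute
        esc_html($name),   // in HTML text
        esc_url($link)     // in a URL; also rejects javascript: and data: schemes
    );
});

// Stored XSS is the same bug with a delay: data saved earlier (a comment, a profile bio) is
// printed later without escaping. Escape at output time; if some HTML must be allowed,
// allowlist it with wp_kses() instead of trusting whatever was saved.
function render_bio_safe(string $bio): string
{
    return wp_kses($bio, ['a' => ['href' => []], 'em' => [], 'strong' => []]);
}
```

The rule of thumb the safe version follows is "sanitise on input, escape on output, and pick the escaping function by where the data ends up": esc_html() for text, esc_attr() for attributes, esc_url() for links. WordPress core already does this for its own output; the risk is in third-party themes and plugins that do not.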
Brute-Force Login Attempts
The brute-force login attempt is one of the simplest forms of attack. An attacker uses automation to try username and password combinations at high speed until one works. Most of these attempts are not true brute force but "credential stuffing": lists of usernames and passwords leaked from other sites, replayed against yours. They target wp-login.php, but also xmlrpc.php, which lets many login attempts be bundled into a single request. Brute force can be aimed at anything password-protected, not only the login page.
Backdoors
A backdoor is a file, or a few lines added to an existing file, containing code that lets the attacker run commands or log in without going through the normal WordPress login, so they can return whenever they like. Attackers hide backdoors among legitimate WordPress, theme and plugin files, and in wp-content/uploads, where they are hard for an inexperienced user to spot. Even when one copy is removed, attackers usually leave several variants behind, so cleaning a site means checking every file, not just the one you found.
SQL Injection
Also known as database injection, this attack happens when a theme or plugin builds a database query by pasting in text a visitor supplied (a search term, a form field, a URL parameter) instead of passing it as a parameter. The text then changes the meaning of the query itself, letting the attacker read data they should not see, such as password hashes from the users table, alter it, or in some setups write files to the server. Unlike XSS, the malicious input does not have to be stored first, though it can be: input saved today can be injected into a query that runs later.
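The example below, added here and not code from the original article, shows the same plugin query written the vulnerable way and the WordPress way. It assumes it runs inside WordPress (it needs the global $wpdb object); the "ref" meta key is a hypothetical plugin setting used only for the illustration.

```php
<?php
/**
 * SQL injection in a WordPress plugin: vulnerable and prepared versions of the same query.
 * Added illustration, not code from the original article; runs inside WordPress.
 */

// Vulnerable: the value is pasted into the SQL string, so it can change the query itself.
//   ref=' OR '1'='1   makes the WHERE clause always true and returns every row;
//   a UNION SELECT in the same spot reads other tables, such as password hashes.
function posts_by_ref_unsafe(string $ref): array
{
    global $wpdb;
    return $wpdb->get_col(
        "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = 'ref' AND meta_value = '$ref'"
    );
}

// Fixed: $wpdb->prepare() quotes and escapes every %s/%d value, so the input can only ever be
// a string to compare against, never SQL. Table names come from $wpdb properties (they carry
// the site's table prefix), never from user input: identifiers cannot be parameterised.
function posts_by_ref_safe(string $ref): array
{
    global $wpdb;
    return $wpdb->get_col(
        $wpdb->prepare(
            "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = %s",
            'ref',
            $ref
        )
    );
}

// LIKE needs one more step: % and _ are wildcards, so escape them before adding your own.
function posts_by_ref_prefix(string $prefix): array
{
    global $wpdb;
    $pattern = $wpdb->esc_like($prefix) . '%';
    return $wpdb->get_col(
        $wpdb->prepare(
            "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value LIKE %s",
            'ref',
            $pattern
        )
    );
}

// Numbers follow the same rule: %d casts to an integer, so "1 OR 1=1" becomes plain 1.
function post_title_by_id_safe(string $id): ?string
{
    global $wpdb;
    return $wpdb->get_var(
        $wpdb->prepare("SELECT post_title FROM {$wpdb->posts} WHERE ID = %d", $id)
    );
}
```

When you audit a plugin, search its source for $wpdb->query, get_results, get_col, get_var and get_row and check that any call whose SQL contains a PHP variable goes through $wpdb->prepare(). Where WordPress's own query functions (WP_Query, get_posts, get_user_meta) do the job, prefer them; they are parameterised already.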
Security Tips For Your WordPress Website
The following security tips will help you protect your website from attackers.
Choose A Secure Hosting Provider
Hosting is the foundation of your website. Spend some time researching the different hosting providers and compare the services and functionality they offer. From a security point of view, we recommend a provider that offers managed WordPress hosting, which means the hosting company keeps WordPress, your themes and your plugins updated automatically. Such plans normally also include a web application firewall tuned for WordPress, isolation between customer accounts, and support from people who know WordPress. Whatever you choose, confirm that the host runs a supported PHP version and keeps the server software itself patched; an up-to-date WordPress on an unpatched server is still an easy target.
Keep WordPress Core Files Updated
Keeping WordPress up to date is critical to the security and stability of your website. If you are not updating, you are almost certainly running a version with publicly known vulnerabilities, and the automated scanners behind most attacks look for exactly those. WordPress installs minor and security releases by itself; we recommend you also enable automatic updates for major releases via Dashboard > Updates in the admin area, so new versions are applied for you as soon as they are released.
Update Your Themes And Plug-ins
We recommend you keep every theme and plugin installed on your website up to date. Theme and plugin developers release security fixes for known vulnerabilities that attackers start exploiting within hours of an advisory being published. Plugin vulnerabilities have been reported to account for 55.9% of the known entry points used by attackers; that is what Wordfence found in a survey of over 1,000 website owners whose sites had been compromised.
We recommend you enable automatic updates for plugins and themes via the admin area of your website (Plugins > Installed Plugins and Appearance > Themes each have an "Enable auto-updates" control), so that new releases are applied for you as soon as they come out. Keep a recent backup and check the site after updates land; a plugin that breaks on update is an inconvenience, a plugin left unpatched is a way in.
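If you prefer to set the update policy in code rather than clicking through the admin screens, the filters WordPress exposes for this can be used from a small must-use plugin. The example below is added here and is not code from the original article; the list of held-back plugin slugs is a hypothetical placeholder.

```php
<?php
/**
 * Plugin Name: Auto-update policy (example)
 * Description: Added illustration, not code from the original article. Save as
 * wp-content/mu-plugins/auto-update-policy.php. Pair it with
 *     define('WP_AUTO_UPDATE_CORE', true);
 * in wp-config.php so that major core releases are applied as well (WordPress applies
 * minor and security releases on its own by default).
 */

// Hypothetical list of plugin slugs you would rather update by hand after testing, e.g. a
// page builder or payment gateway that has broken on update before. Keep it short: every
// name here is a plugin you now have to patch yourself, quickly, when an advisory lands.
const MANUALLY_UPDATED_PLUGINS = ['some-page-builder'];

// Every theme updates automatically.
add_filter('auto_update_theme', '__return_true');

// Every plugin updates automatically except the ones held back above. $item carries the
// update metadata; plugins from outside wordpress.org may not set a slug, hence isset().
add_filter('auto_update_plugin', function ($update, $item) {
    if (isset($item->slug) && in_array($item->slug, MANUALLY_UPDATED_PLUGINS, true)) {
        return false;
    }
    return true;
}, 10, 2);
```

Automatic updates run from WP-Cron, which only fires when the site gets traffic, so a quiet site can lag; on a host that gives you a shell, running the WP-CLI commands wp core update and wp plugin update --all from a real cron job is the more reliable option.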
Backup Your Website
It is essential that you back up your website regularly: a good backup saves you time, money and a lot of stress when something goes wrong. A backup needs to cover both the files (wp-content in particular) and the database, it must be stored somewhere other than the web server itself, since an attacker who controls the server can delete or encrypt anything kept there, and you should test restoring it before you need to. Keep several generations, because a compromise is often discovered weeks after it happened and yesterday's backup may already contain the backdoor. Do not rely on your hosting provider to back up your website. We recommend you look at the following backup solutions for WordPress
Do Not Use The “Admin” Username
Because "admin" is the historical default username, every brute-force tool tries it first, which makes an account with that name an easy target for password guessing and social engineering. Never use the username "admin". WordPress will not let you rename a user from the admin screens, so create a new user with the Administrator role and a unique name, log in as that user, then delete "admin" and choose "Attribute all content to" the new user when asked. Bear in mind that WordPress discloses usernames through author archive pages and the REST API users endpoint, so a unique username is only a small hurdle; the strong password, two-factor authentication and login limits described below are what actually stop these attacks.
Use a Strong Password
Passwords are a very important part of website security and, unfortunately, often overlooked. If you are using a weak password such as "123456", "abc123" or "password", change it immediately. Such passwords may be easy to remember, but they sit at the top of every password list, and an automated tool will guess them in seconds without any skill on the attacker's part. Just as important, never reuse a password you use anywhere else, since leaked credentials from other sites are replayed against WordPress logins every day.
Use a long, random password for every account with access to the site, ideally generated by a password manager or by the "Generate Password" button WordPress shows on the user profile screen, and store it in the password manager rather than in your memory. Length and randomness matter more than the presence of a particular special character.
Install A SSL Certificate
Secure Sockets Layer (SSL), now superseded by Transport Layer Security (TLS), is the protocol behind HTTPS, and today it benefits every kind of website, not only those that take payments. Initially a certificate was something you bought only for pages that processed transactions. Today Google treats HTTPS as a ranking signal, and browsers mark plain HTTP pages as "Not secure" in the address bar.
HTTPS is mandatory for any site that handles sensitive information such as passwords or credit card details, and your own WordPress login is exactly that. Without it, everything between the visitor's browser and your server, including the administrator password you type into wp-login.php, travels in plain text and can be read or altered by anyone on the network path, such as someone on the same public Wi-Fi. With HTTPS the connection is encrypted and the server is authenticated, so the data cannot be read or tampered with in transit. Certificates are free from Let's Encrypt and most hosts can install one with a click; once it is in place, make sure your site address in Settings > General uses https:// and that plain HTTP requests are redirected.
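Installing the certificate is only half the job; WordPress also has to be told to use it. The two fragments below (one for wp-config.php, one for a must-use plugin) are an added illustration, not code from the original article; example.com is an assumed domain.

```php
<?php
/**
 * Making the certificate protect logins. Added illustration, not code from the original
 * article. Two files are shown in one block; example.com is an assumed domain.
 */

// --- 1. wp-config.php (above the "That's all, stop editing!" line) ---
define('FORCE_SSL_ADMIN', true);               // wp-login.php and wp-admin are redirected to HTTPS
define('WP_HOME',    'https://example.com');   // generate https:// links everywhere
define('WP_SITEURL', 'https://example.com');

// Only if a CDN or reverse proxy terminates TLS in front of the server: otherwise WordPress
// sees plain HTTP and the admin redirect loops. Do this only when ALL traffic passes through
// that proxy; a client that can reach the server directly could forge the header.
if (($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// --- 2. wp-content/mu-plugins/hsts.php ---
// HSTS tells a browser that has seen the site over HTTPS never to try plain HTTP again.
// Start with a short max-age and raise it to a year once every subdomain works over HTTPS,
// because a wrong HSTS header locks visitors out for as long as max-age says.
add_action('send_headers', function (): void {
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=300; includeSubDomains');
    }
});
```

The redirect from http:// to https:// for the public pages belongs in the web server configuration (for Apache, a RewriteRule in .htaccess placed above the WordPress block), so that it applies before WordPress runs.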
Install A Security Plugin
A security plugin is a great way to quickly add an extra layer of protection to your website which can help you to block a wide range of attacks. We recommend you look at the following security plug-ins
- Wordfence – https://en-gb.wordpress.org/plugins/wordfence/
- All In One Security – https://en-gb.wordpress.org/plugins/all-in-one-wp-security-and-firewall/
- Ninja Firewall – https://en-gb.wordpress.org/plugins/ninjafirewall/
- Shield Security – https://en-gb.wordpress.org/plugins/wp-simple-firewall/
Limit Login Attempts
WordPress allows its users to make an unlimited number of login attempts on the site. Unfortunately, hackers can brute force their way to your admin area by using various password combinations until they find the right one. You should limit login attempts to prevent such attacks on the website. Limiting failed attempts also helps monitor any suspicious activities on your site.
One way to limit login attempts in order to increase WordPress security is by using a plugin. There are many great options available, such as:
- Limit Login Attempts Reloaded – configures the number of failed attempts for specific IP addresses, adds users to the safelist or blocks them entirely, and informs website users about the remaining lockout time.
- Loginizer – offers login security features such as 2FA, reCAPTCHA, and login challenge questions.
- Limit Attempts by BestWebSoft – automatically blocks IP addresses that reach the login attempt limit and adds them to a deny list.
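To make clear what the plugins above are doing under the hood, here is a minimal lockout written as a must-use plugin. It is an added illustration, not code from the original article or from any of those plugins; the three policy constants are assumptions and the transient names are arbitrary.

```php
<?php
/**
 * Plugin Name: Login lockout example
 * Description: Added illustration of a per-IP login limit, not code from the original article
 * or from any plugin it names. Save as wp-content/mu-plugins/login-lockout.php.
 */

// Hypothetical policy values (not WordPress settings).
const LOCKOUT_MAX_FAILURES = 5;                       // failures allowed per IP ...
const LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS;  // ... within this period
const LOCKOUT_DURATION     = 30 * MINUTE_IN_SECONDS;  // how long the IP is then refused

function lockout_client_ip(): string
{
    // Only REMOTE_ADDR is set by the web server itself. Behind a CDN or reverse proxy, have
    // the proxy rewrite REMOTE_ADDR (Apache mod_remoteip, nginx real_ip) instead of reading
    // X-Forwarded-For here: a client can put any value in that header and dodge the lock.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lockout_key(string $prefix): string
{
    return $prefix . md5(lockout_client_ip());
}

function lockout_is_active(): bool
{
    return (bool) get_transient(lockout_key('login_lock_'));
}

// Count failures per IP; start a lockout once the limit is reached.
add_action('wp_login_failed', function (string $username): void {
    if (lockout_is_active()) {
        return;   // already locked; do not extend the lock on every retry
    }
    $key   = lockout_key('login_fail_');
    $count = (int) get_transient($key) + 1;
    if ($count >= LOCKOUT_MAX_FAILURES) {
        set_transient(lockout_key('login_lock_'), time(), LOCKOUT_DURATION);
        delete_transient($key);
        // This log line is what a monitoring rule or fail2ban jail can key on.
        error_log(sprintf('login lockout: %s after %d failures, last username "%s"',
            lockout_client_ip(), $count, $username));
        return;
    }
    set_transient($key, $count, LOCKOUT_WINDOW);
});

// Refuse the login while locked. Priority 30 runs after WordPress's own credential checks
// (priority 20), so the WP_Error is the final answer and is not overridden by them.
add_filter('authenticate', function ($user, string $username, string $password) {
    if (lockout_is_active()) {
        return new WP_Error('login_locked', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the failure counter for that IP.
add_action('wp_login', function (string $user_login): void {
    delete_transient(lockout_key('login_fail_'));
});
```

Two limits of this approach are worth knowing before you rely on a plugin that works the same way. Per-IP counting does nothing against a botnet that spreads its attempts across thousands of addresses, so it needs to be paired with two-factor authentication; and it only covers wp-login.php, so xmlrpc.php must be disabled or protected separately (see below).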
Change the WordPress Login Page URL
To reduce the volume of automated brute-force traffic, consider changing the login page's URL.
Every WordPress site has the same default login page, yourdomain.com/wp-login.php (yourdomain.com/wp-admin simply redirects there), so bots can attack it without even looking at your site first. Moving it cuts out that background noise, but understand what it does and does not do: it is obscurity, not authentication. The new path can leak through plugin or theme output, and xmlrpc.php still accepts logins, so treat this as a convenience on top of strong passwords, login limits and two-factor authentication rather than a replacement for them.
If you use the WPS Hide Login plugin, here are the steps to change your WordPress login page URL:
- On your dashboard, go to Settings -> WPS Hide Login.
- Fill in the Login URL field with your custom login URL.
- Click the Save Changes button to finish the process.
Enable Two-Factor Authentication for WP-Admin
Activate two-factor authentication (2FA) to reinforce the login process on your WordPress website. It adds a second step to the login: besides the password, you must enter a one-time code, so a stolen or guessed password alone is no longer enough.
The code comes from something only you hold. An authenticator app on your phone (time-based codes) or a hardware security key is preferable to a text message, because SMS codes can be intercepted by someone who takes over your phone number.
To add 2FA to your WordPress site, install a login security plugin such as Wordfence Login Security and an authenticator app such as Google Authenticator on your phone, then enrol every account with administrator or editor rights. Note that 2FA plugins protect wp-login.php only; xmlrpc.php and application passwords accept a username and password on their own, so disable XML-RPC (see below) and review Users > Profile for application passwords you did not create.
Monitor User Activity
Identify any unwanted or malicious actions that put your website in danger by tracking activities in your admin area.
We recommend this method for those who have multiple users or authors accessing their WordPress website. That’s because users may change settings that they should not, like altering themes or configuring plugins.
By monitoring their activities, you will know who is responsible for those unwanted changes and if an unauthorized person has breached your WordPress website.
The easiest way to track user activity is with one of the WordPress plugins noted below. Whichever you choose, have it send the log somewhere off the server (email alerts at least, ideally an external log service), because an attacker with administrator access can otherwise simply delete the evidence.
- WP Activity Log – monitors changes on multiple website areas, including posts, pages, themes, and plugins. It also logs newly added files, deleted files, and modifications to any file.
- Activity Log – monitors various activities on your WordPress admin panel and lets you set rules for email notifications.
- Simple History – in addition to recording activity logs on WordPress admin, it supports multiple third-party plugins like Jetpack, WP Crontrol, and Beaver Builder, recording all activity related to them.
Remove Unused WordPress Plugins and Themes
Keeping unused plugins and themes on the site can be harmful, especially if the plugins and themes haven’t been updated. Outdated plugins and themes increase the risk of cyberattacks as hackers can use them to gain access to your site. We recommend you review all the themes and plug-ins installed on your website and remove the ones you no longer need.
Protect the wp-config.php File
The wp-config.php file in the root directory contains WordPress core settings, the database credentials and the authentication salts, so it is one of the first files an attacker goes for. The web server normally hands .php files to PHP rather than serving them as text, but a misconfiguration, a broken PHP handler or an editor's leftover copy such as wp-config.php.bak can expose the contents, so block direct requests for it. Keep its permissions tight too (readable by the web server user only), and remember that WordPress will also find wp-config.php one directory above the web root, outside anything the web server serves.
To protect the file, add the following to the .htaccess file in the site root.
# Disallow wp-config.php
<files wp-config.php>
# Apache 2.4 without mod_access_compat: replace the next two lines with "Require all denied"
order allow,deny
deny from all
</files>
Disallow Access To The xmlrpc.php File
XML-RPC is WordPress's older remote API, served by xmlrpc.php. It is a favourite with attackers for two reasons: its system.multicall method lets hundreds of login attempts be packed into one HTTP request, sidestepping plugins that count requests to wp-login.php, and its pingback method can be used to make your server send requests to other people's sites as part of a denial-of-service attack. It also accepts a plain username and password, so two-factor authentication on the login page does not cover it. Few sites need it any more, so the best practice is to disable it, but check first: Jetpack, the WordPress mobile apps and some remote publishing tools still depend on it. To disable it completely you can install the free Disable XML-RPC plugin.
Or you can add this code to the .htaccess file, which makes the web server refuse the request before WordPress even loads.
# Disallow XMLRPC
<files xmlrpc.php>
# Apache 2.4 without mod_access_compat: replace the next two lines with "Require all denied"
order allow,deny
deny from all
</files>
Disable directory browsing
When directory browsing is on, a request for a folder with no index file returns a listing of everything in it. That lets an attacker see exactly which plugins, themes and versions you run and pick the one with a known vulnerability, and it exposes anything else that happens to be lying around: backup archives, log files, uploaded documents, and the layout of your site.
This is why it is highly recommended that you turn off directory indexing and browsing. You can check your own site by requesting https://yourdomain.com/wp-content/uploads/ in a browser: a listing means it is on.
Add the following code to your WordPress .htaccess file.
# Disable directory browsing
Options All -Indexes
If your host does not allow the Options directive in .htaccess you will get a "500 Internal Server Error" after adding this; use the narrower form "Options -Indexes", or ask the host to disable indexes for you.
Block Direct Access to /wp-includes
The following code blocks direct requests to the wp-includes directory, which contains WordPress core code and scripts. The browser never needs to request those PHP files directly (only JavaScript, CSS and images from that directory are loaded by the page), so refusing them removes a set of targets that attackers probe for. Place the block above the "# BEGIN WordPress" section of .htaccess, because WordPress rewrites that section itself. Do not use it on a multisite installation: there the ms-files.php script in wp-includes is requested directly to serve uploaded files, and this rule would break it.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# nothing under wp-admin/includes is meant to be requested by a browser
RewriteRule ^wp-admin/includes/ - [NC,F,L]
# requests outside wp-includes skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
# forbid direct requests for PHP files at the top of wp-includes and in these sub-directories
RewriteRule ^wp-includes/[^/]+\.php$ - [NC,F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [NC,F,L]
RewriteRule ^wp-includes/theme-compat/ - [NC,F,L]
</IfModule>