I decided to write ‘A guide to WordPress security for technophobes’ because I see the insides of many WordPress websites every day. Mostly from tiny businesses being run by one or two people. Two things are evident. Security is not a priority and even if it was, they don’t know how to make the site secure. The technical jargon can be overwhelming.
This guide will eliminate the confusion and give you some actionable steps you can carry out today to make your WordPress website more secure.
What is WordPress and why do people use WordPress?
WordPress is a free, open source website publishing platform. It powers 30% of all websites according to WordPress.
Out of the box, it is very easy to use and can help you build a website very quickly. It doesn’t have much functionality so you will need to add plugins to achieve the final result you desire. Plugins are little programs that run on your site to enable certain functionality. E.g. the plugin WooCommerce turns your website into an online store. Without this plugin you can’t sell products.
WordPress needs a theme installed before it can be used. A theme gives the website its design. You can purchase themes or find a free theme, although free themes are best avoided unless you can trust the source 100%. Sites can also be built with theme builders, which are drag and drop interfaces created so you can design your website by yourself.
The fact that it is free and open source is both its strength and its weakness. Being free has meant it has grown in popularity. But being so popular also means hackers have more to gain if they can find a way to break into your website. Open source means anyone can see the WordPress code and change their copy. Updates can be suggested to the dedicated WordPress development team and they may or may not include your change. This has enabled a very large WordPress community to develop, full of very helpful and supportive people wanting to improve WordPress, which is good news for you because you should always be able to find a competent developer to give you a hand. Unfortunately it also means hackers have access to the code and build scripts that exploit vulnerabilities in the code.
How secure is WordPress?
WordPress is very secure as long as WordPress security best practices are followed. Many security problems arise because the user is not security conscious and is careless with their website, which is what allows it to be hacked. Having usernames such as ‘admin’, having weak passwords and not updating code when new code is released are common mistakes that WordPress users make, and these mistakes leave their website wide open to hackers.
This is a good time to mention that it’s impossible to completely secure WordPress. All you can do is minimise the risk of someone hacking into your site. Nothing is ever completely secure.
What is hacking?
Hacking is gaining unauthorised access to a website. The unauthorised user is highly likely to cause malicious damage.
Who is behind hacking and why do they hack?
Crime gangs are often behind hacking attempts. Gangs will hack websites to place malicious code on them, so when someone visits the site the code can steal their personal details. They might completely remove the website and hold the site owner to ransom until they pay a huge sum of money to get their website back.
Individuals trying to drive traffic to a site to make more sales find their way into a site to replace links so when someone clicks on the link they are taken to another, unrelated site. This increases the traffic to a site to make it look popular and to try and drive sales or impressions.
It’s not often just someone bored in their bedroom. It’s done by organised, highly skilled people because there is a lot of money to be made.
How do people hack into websites?
Sometimes a lone person can sit at a website and try and hack in using different combinations of name and password but this method is very time consuming. It is more common now to use bots.
Bots are automated scripts that a hacker will use to do the tedious manual work for him. This enables the hacker to scale his efforts and attack hundreds or thousands of websites at the same time.
Sometimes more computer power and more sophistication are needed to gain entry into a website. In these cases botnets are used. This is where many servers are used at once to carry out attacks. The servers have usually been taken over by the hackers; they are not likely to own the servers themselves because this might lead to them being identified.
5 ways people can hack your site
1. Brute force
A brute force attack is where access to your site is gained by someone guessing combinations of password and username. Bots are commonly used for this and can force their way into your site by trying many password combinations per second. This puts enormous strain on your server resources and can lead to your hosting company temporarily disabling your account.
2. File inclusion exploits
This is the second most common way hackers gain access to your site. This is done by finding vulnerabilities in the PHP code (that is used to build your site, theme and plugins) on your website. Vulnerabilities allow the hacker to upload and run scripts which then give the hacker access to your site.
3. SQL injections
A WordPress website uses a database called MySQL. An SQL injection is where the hacker accesses your database and adds a new admin account, enabling him to have full access to your site. Being able to access your database also means the hacker can delete, copy or modify any of your data.
4. Cross site scripting – XSS
Malware is malicious software that has been placed on your site to help the hackers gain access to your site.
Having malware on your site is better known as your site being infected. The most common WordPress malware infections are:
- Drive-by downloads
- Pharma hacks
- Malicious redirects
They are all easily identifiable and removed by restoring from a clean backup.
What happens when your site gets hacked?
If you have no security monitoring you might not even know your site has been hacked until a well meaning visitor alerts you via email. By this time a lot of damage could have taken place. So how will you know you have been hacked?
- You might not be able to log into your site. Your account might have been deleted.
- Your website might look different. Images and text might have been changed.
- Your whole website might have disappeared and been replaced with something else entirely.
Why do you need to secure your site?
If you use your website for business, you really don’t want to be hacked. The longer you are unaware that you have been hacked, the more visitors will see your damaged site.
- Hacking damages your brand. When visitors arrive at your site, they will see you have been careless about your security and might assume you will be careless with them as a customer.
- It damages the trust people have in your site. They are not likely to return if they see it has been hacked.
- It can be damaging to you and your visitors’ lives, especially if personal details are stolen.
- Google will blacklist you and remove you from search engine results, wiping out your SEO efforts.
- While your site is down you can lose leads, sales and revenue for your business.
- It’s extremely inconvenient. You will spend time trying to get the hack cleared up and emailing people to apologise.
- You might lose a lot of data if you haven’t got a back up.
- You might lose your whole site.
15 ways to improve your WordPress security
1. Update everything!
Updates are released to fix bugs and security issues. You must always update to ensure you stay protected.
- Keep your WordPress core files updated. 37% of security problems are from WordPress itself.
- Keep your Theme updated. 11% of security problems come from themes.
- Keep your plugins updated. 52% of security issues are from plugins.
2. Be cautious about where you get your themes and plugins from
Stick to reputable plugin and theme developers. Poorly coded plugins and themes greatly increase your chances of being hacked. Be wary of free plugins that are not from the WordPress plugin repository; there is a high probability they contain malicious code. Even be wary of free plugins from the repository. Free doesn’t always mean good. Make sure you follow these guidelines for picking a theme or plugin.
- Has it been tested with your version of WordPress?
- Has it been updated in the last few months?
- Check the reviews.
- Is the developer someone doing it for fun or a serious business?
- Does it come with support?
3. Keep your themes and plugins to a minimum
If you have had your site a while you may have a collection of themes or plugins. You should remove any theme or plugin you are no longer using. Even if they are not active they can still be a security threat.