WordPress is, for better or worse, the most popular CMS in existence right now – responsible for powering about a quarter of the websites in existence. It is this popular for good reason – the ease with which it can be customized and extended means that it can be adapted for almost any imaginable use, from running a simple personal blog to running an online store. And all of this can be accomplished for a fraction of the cost of building a customized system.
But this popularity comes at a price; websites running on WordPress are enticing targets for hackers and distributors of malware. This wouldn’t be a massive problem, if everybody took the necessary steps to ensure that their sites were difficult to compromise. Note that I don’t say impossible – it doesn’t have to be. Hackers – for the most part – tend to go for the easy targets, and unfortunately a lot of WordPress website owners unwittingly make themselves easy targets.
So we thought we would provide you with a list of things you may be doing that make your site easier to compromise – and we’ll start with the most obvious ones first:
I know, I know. This is so obvious I shouldn’t even be mentioning it, because no-one makes this mistake any more, right? Wrong – if you look at a list of the most popular passwords in 2014, you’ll see such shockers as ‘12345’, ‘qwerty’, and of all things, ‘password’, at the top of the list. And it’s understandable to some degree, because recent studies suggest that the average person has 19 or more passwords they need to remember for various websites, networks and services, and keeping all of those in mind is extremely difficult. But if you’re going to go online, and if you’re managing websites, this is a mistake you need to avoid – especially when you get to the next point in my list.
One of the notable things WordPress has managed to accomplish is to make ownership of your own website accessible to nearly everybody. This is great, but not everyone is going to be aware of all the dangers – one of which is the reality of targeted brute force attacks against known targets such as the WordPress login page. Fairly basic scripts are capable of visiting the page, filling in the login form and attempting to log into any account that has admin privileges. And very often this is the default admin account, which has the username ‘admin’ which removes one piece of the puzzle for these scripts already – all they need to accomplish at this point is to guess the right password.
If you have an easy to guess password – even if it isn’t one of the howlers I listed above – it’s generally a short road into your site’s back-end and free playtime for your new hacker buddy. And don’t fool yourself into believing that even a small quiet site will escape notice. Any website is a potential target, and because of WordPress’s dominance of the online space, it gives online criminals a very big set of targets to aim at.
Later versions of WordPress will allow you to specify a username (please don’t make it admin), but if you set up your WordPress site a while ago, you may still be running with an admin user account. So go, now, create a new admininistrator account, and delete the default account.
Any website really needs only one administrator account. The more accounts you have on a site with admin privileges, the bigger the chance of one of them being compromised. I did say earlier that the majority of hackers will go for the easy targets, but this isn’t true 100% of the time. There are those willing to put in a little more time, and all you need is one account that has a weak password.
Delete the extra accounts, and if you do absolutely need to give other people access – such as contributors – absolutely limit the amount of access they have by assigning user roles.
Another very obvious point, and one we’ve addressed in a previous post about WordPress’s maintenance overhead. In that article we pointed out that only about half of WordPress sites are completely up to date – granted, that was limited to one particular region. WordPress patches regularly address not only bugs that crop up in the code, but also patch possible security vulnerabilities uncovered by security specialists.
Information about such vulnerabilities quite often surface in the public domain, which means anyone can get information about them – including hackers. And they’ll definitely be on the hunt for sites which haven’t patched up.
Ditto for all the plugins you have installed on your website. Depending on the level of functionality you need on your site, you can have any number of plugins running (Pippin of Pippin’s Plugins has about 80 running on his site), and provided that their creators are properly maintaining them, you’ll see regular updates being made to the plugin – and some of these could contain patches for critical security vulnerabilities.
Along with keeping your WordPress installation up to date, this is one of the most important parts of maintaining and keeping your website secure.
Part of the process of building a new site often involves downloading various themes and plugins to see if they meet your particular requirements for your site. And a fresh install of WordPress tends to come with all the default themes from Twenty Ten onwards bundled in. Having a lot of plugins or themes for your site doesn’t really present a major issue, but if you’re not using them you really should get rid of them since they represent a potential avenue of attack.
One of WordPress’s big strengths is its open community, which means that pretty much anyone with the necessary skills can develop plugins or themes and share them with the rest of the world. That being said, there’s only one place I would willingly download a free plugin or theme from, and that is the WordPress plugin repository.
Plugins and themes submitted to the repository first need to go through some detailed quality checks before being included in the repository, which means you can use them with some confidence.
We have spoken about this before – but if you’re not willing to pay for a premium plugin, don’t download a nulled version from some other site. Yes, you are depriving a developer of compensation for his hard work, but that is not why we have this point in the list. Nulled plugins carry inherent risks, mostly because a lot of the people hosting them feel they need some form of compensation for their ‘hard’ work, and nulled plugins will frequently ship with a little extra payload that you’re not going to spot unless you take the time to review the code yourself.
And I believe it is fair to say that this extra payload isn’t going to be something you want to be part of your site. If you really need the premium plugin, pay for it. It doesn’t cost that much, and you’ll usually get support and updates along with your purchase.
In much the same way as running a computer without an antivirus package, we have reached the point where having a website without some sort of protection is probably not the best idea, and this is doubly true if you’re making use of one of the more popular CMS solutions like WordPress or Joomla. If you’re on a custom CMS, your site might be a little harder to spot, but it doesn’t necessarily mean you’re safer.
As far as WordPress sites are concerned, our go-to plugins are usually Wordfence and iThemes Security, but there are a few other worthwhile options available. These add a valuable layer of protection to your site, but you can do more by running scans – for free – using services like Sucuri SiteCheck and VirusTotal.
Does doing all this sound like a lot of work? Not nearly as much as recovering from a hack.
Backups are not going to do much to secure your site, but they provide a very useful safety net for more issues than your site being compromised, and if you’re not doing regular backups of both your installation files AND your database, you might just find yourself out in the cold if you ever have to make a full recovery. Typically, your hosting provider should be doing this for you already, but if you’re not sure, go ahead and ask.
Nothing stops you from running your own scheduled backups, however, and again you have a horde of excellent backup plugins that will take care of this. Should the worst ever happen, you will then be able to restore your website to a point before the hack took place.
The list presented above represent some of the more obvious mistakes we see – we may well be preaching to the choir, but we see these particular issues crop up again and again, despite numerous posts and articles about the subject of keeping your site secure.
Based on the points above, there are quite a few steps you can take to harden your site even more, and you really should take the time to do so. There is a lot of very good advice online that tell you how to go about doing this, but the best place to start would no doubt be WordPress’s very own Codex.
Stay informed about all new releases and product updates