Running WordPress or any CMS (content management system) without sufficient security is like owning a warehouse and leaving the key under the mat for thieves. But even with security, being hacked is becoming the new fact of life for many online business owners, content publishers, and digital marketers.
Attackers can read your confidential data and your customers' private information once they compromise your digital properties, and the damage does not stop at the data itself: you can lose significant market share as soon as it becomes known that your websites and apps have been breached. For example, this 2018 Fortune report says that Facebook lost over $13 billion in stock value when news broke of a data breach affecting more than 29 million users worldwide. Meanwhile, The Manifest reports that in its research from last year around 44% of the Facebook users it surveyed said they used the platform much less after learning about the incident.
The problem is that in general we're unaware of the risks, and of how easy it is to improve the security of our digital properties. So today we're going to examine 12 of the biggest security problems WordPress operators face this year, look at ways you can improve the security of your site, and finally review 6 of the most popular WordPress security plugins available right now.
But before we delve into different security issues, we need to understand which parts of WordPress offer the most vulnerability.
This report states that 37% of hacks were caused by issues in the WordPress core. The remaining 63% came from themes and plugins: abandoned ones with known, unpatched vulnerabilities, and outright malicious ones distributed as "free" copies of premium products.
Top 12 WordPress Security Issues of the Year
Hackers are finding more ways to breach the security we have in place. And here are some of the most common WordPress security issues we’re facing this year:
1. Not Keeping WordPress Updated
Some think that once a WordPress site is up and running, it’s self-manageable. This couldn’t be any further from the truth. If you aren’t continuously on top of your site, then hackers will find their way in. And it doesn’t matter if you have a small or large online business.
WordPress applies minor maintenance and security releases automatically by default, but major core releases, themes and plugins still wait for you (or for an auto-update setting you enable). If any of them is left unpatched, a published vulnerability stays open on your site, and malware written to exploit it will find it.
Malware doesn’t necessarily stop at embedding malicious links into the content of your digital properties to infect the devices of your viewers. It can also secretly use your Web servers as part of the author’s bot network for performing other illegitimate activities on the Internet.
Malicious programs are also able to access the databases of your websites, blogs, mailing lists, and CRM (customer relationship management) servers. Remember, this is mostly where the private information and confidential data of customers and viewers are stored. Attackers can also configure automated mass mailing campaigns to distribute more malicious programs to the devices of your subscribers and clients.
At the time of writing the current version of WordPress is 5.1.1, released in March 2019. Checking for updates regularly adds a real layer of security to your site. It's a quick and easy job: you don't need to be a computer whizz, and it can save you a lot of trouble.
2. Installing Low-Quality WordPress Themes & Plugins
A WordPress theme is what controls the appearance of your site: its layout and design, how it is navigated, or even just its color scheme. Plugins, on the other hand, are small programs that you install into your WordPress site to extend its functions. Both run as PHP on your server with exactly the same privileges as WordPress itself, which is why their quality matters so much.
Choosing low-quality plugins or themes can open your website to several security issues. It’s like providing easy access for hackers, especially considering 63% of security issues occur through plugins and themes. Now, this is an important detail that you should seriously keep in mind.
Independent developers and companies create and distribute these themes and plugins. Many are open source, but that alone does not tell you whether anyone is still maintaining them or shipping security updates; check when a plugin was last updated before you rely on it. Remember, too, that cyber-criminals distribute trojanised themes and plugins for WordPress, disguised as legitimate versions or "nulled" premium products, to trick unsuspecting webmasters into installing a backdoor themselves.
3. Brute Force Login Attacks
If you try to log in to your email or online banking platform, you usually get a handful of attempts before you're blocked for too many failures. By default there is no such limit on a WordPress site. This is one of the main reasons why the WordPress login page is attacked more than any other default page of a WordPress site.
Though another problem is that many Webmasters don’t use secure passwords. Time published this 2017 report about SplashData’s annual list of the worst passwords. Unbelievably, at the top of this list was “123456.” And in second place was “password.”
Also, there’s a lot of software tools that can be used to quickly input millions of combinations of usernames and passwords automatically. These are often designed to exploit WordPress sites without any login attempt limitations and those with default or weak administrator passwords. This is known as a brute force attack.
Also keep in mind the machine you administer the site from. Malware on a Windows PC, Mac, Linux box or phone that is logged into the WordPress dashboard can read the session cookie or act through the open browser session, so the attacker never needs your password at all. Log out when you finish, keep sessions short, and keep the workstation as clean as the server.
The Facebook breach mentioned earlier is a reminder of what a stolen session is worth: the bug in the "View As" feature let attackers obtain access tokens for more than 29 million accounts, and a valid token grants access without any password.
4. Not Using a WordPress Security Plugin
You might feel that you’re more than capable of managing the security of your WordPress site. However, there are various security plugins that you can use as a more formidable solution. We know that WordPress offers some security features. But considering that it’s the most targeted CMS today, it’s worth adding more layers of defense against this year’s top privacy threats and risks.
Without a good security plugin, your site is still open to brute force attacks and malware. You’ll have limited default options to automatically monitor, scan, detect, and block potentially malicious activity in your WordPress sites and data servers. This is like buying a house and not taking out any insurance.
One of the key things about a security plugin is that many of these programs provide instant notifications. Running a business is time-consuming. Sometimes, we forget about updating and checking our WordPress sites, blogs, and other digital properties.
This is where issues can happen without our knowledge. But when you receive instant alerts in your mobile device or real-time email notifications from a plugin regarding potentially malicious activity in your WordPress site, then you’re much more likely to be capable of fixing the problem immediately before it worsens.
5. Lack of Formidable Firewall Applications
Two different things get called a firewall here, and it pays to keep them apart. The first is the host firewall on your own workstation or broadband router. Windows and macOS ship one, and it filters network packets to and from your machine, but it protects the computer you administer the site from, not the site itself, and it does nothing about HTTP requests that are allowed through.
The second, and the one that matters for WordPress, is a web application firewall (WAF). It sits in front of the site, inspects each HTTP request, and blocks known attack patterns before they reach PHP: SQL injection and path traversal payloads, bursts of POSTs to wp-login.php and xmlrpc.php, and requests for plugin files with published vulnerabilities.
Hosts, CDNs and security plugins all offer a WAF. A plugin-based one runs inside WordPress, so it can only inspect requests that have already reached PHP; a host- or CDN-level WAF stops them earlier and also shields you when the plugin itself is the thing being attacked.
6. WordPress Plugin & Theme Hoarding
With so many plugins and themes available in WordPress, it’s quite normal that you want to install and test these programs to improve the functions and change the visual appearance of your site from time to time. But you can sometimes forget to uninstall your older plugins and themes, which are left unused in your WordPress administrator platform.
Also, these older plugins and themes are usually outdated versions. That’s because if you forgot to remove them from your WordPress platform, then it’s likely that you aren’t upgrading them to their newest versions. So they become vulnerabilities in your WordPress sites that attackers can exploit.
And aside from the security risk, unused plugins and themes can slow down your site. If a blog takes a long time to load, a potential customer might just find a different one, so you can lose revenue this way too.
7. Not Controlling Your Admin Users
Many webmasters hire remote workers to run the digital advertising, multimedia marketing and content publishing for their WordPress sites, and give those staff accounts with administrator privileges, often simply because it is the quickest way to get them working rather than a conscious decision.
This is where issues can happen. The Verge stated in an October 2018 report that the FBI was withholding the identities of the suspects in last year's Facebook data breach, and that it was not discounting the possibility that Facebook staff had played a role. Whatever the truth of that case, an account with more privileges than its owner needs is a risk twice over: from the owner, and from whoever steals the account.
So remember, WordPress ships with several roles that carry far fewer privileges than Administrator, and SEO plugins add roles of their own. These are:
- Administrator
- Editor
- Author
- Contributor
- Subscriber
- SEO Editor and SEO Manager (added by the Yoast SEO plugin, not by WordPress itself)
Choosing the correct role for each person gives you far more control over the security of your WordPress sites and databases. We discuss each of these roles in more detail later.
8. Using Shared Hosting
As the name suggests, shared hosting is where you, along with hundreds of other Webmasters, use the same Web server to host your sites, blogs and various digital properties. But this also means that your own hosted resources can be significantly affected by data breaches and malware infections that happen to the sites and tools of other Webmasters who use the same server, and vice-versa.
On the other hand, managed WordPress hosting is a different set of packages that lots of Web hosting companies offer to Webmasters who want to use WordPress for their digital properties. This can provide you with much better control over your WordPress installation and server resources.
The main advantage of managed WordPress hosting is the selection of security tweaks that are specifically designed for the WordPress CMS, themes, and plugins. These include beneficial add-ons like firewalls and malware scans. It also offers login security protocols to prevent brute force attacks.
Many webmasters choose shared hosting because it is the cheapest option. But you won't get the added security or extra features of a managed WordPress plan, such as automatic updates and backups, and you have no control over how seriously the other webmasters on the same server take the security of their own sites.
9. Failing to Backup Your WordPress Sites & Databases
Let’s say you have hundreds of posts and pages, downloadable content materials, self-hosted videos, mailing lists, and CRM data stored in your WordPress platform and databases. Also, let’s say you carefully followed all the previously discussed ways to protect your WordPress site against malware threats, privacy risks, and data breaches.
But what if your site and server suddenly get hacked? What if the attackers installed malware into your server that copies all your resources before it completely deletes it? That’s right — You’re now left with no possible way to restore your content, CRM data, mailing lists, and so on.
That's unless you have a snapshot of your entire site stored somewhere safe as a backup. Then all you need to do is wipe the server clean, restore the backup, and your online business is operational again. Two caveats: restore a backup taken from before the compromise, or you restore the backdoor along with your content, and close whatever hole the attacker came through before you go back online. And of course the private data in your databases has still been exposed; that is a separate problem.
Simply put, WordPress backup services can help to recover part of the site or even the whole site. But don’t forget that you should always store your backup files in a secure location or even in a different offline machine.
Web hosting companies often offer the ability to configure automatic and manual backups for your WordPress sites, databases, and other digital properties. But if you have a shared hosting plan, then it’s likely that these features don’t come bundled with your package.
10. Not Making the Most of WordPress Default Security Features
Your WordPress database holds everything the site knows, and by default every table in it starts with the prefix "wp_". Changing that prefix is widely recommended, and it does blunt the crudest automated SQL injection payloads that hard-code names like wp_users and wp_options. Be clear about what it buys you, though: any injection that can read information_schema learns the real names in one query, so a custom prefix is a small obscurity gain, not a fix for an injectable plugin.
The prefix is easiest to set when you install WordPress (the $table_prefix line in wp-config.php). On a running site, a security plugin can change it for you, or you can do it manually if you are comfortable with SQL.
Changing the prefix is not a task for beginners. The prefix appears not only in the table names but also inside rows of the options and usermeta tables, and a rename that misses those locks every administrator out of the site. Take a backup first, and if you have any doubts about doing it yourself, hire someone who has done it before.
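The script below is an added example (it is not from the article, from WordPress or from any plugin) of the full prefix change, written to be run through WP-CLI's `wp eval-file` on a single-site install. The new prefix `k7x_` and the `$dry_run` switch are assumptions. It shows the part the dashboard instructions leave out: the prefix is also embedded in the option name `wp_user_roles` and in every user's `wp_capabilities` and `wp_user_level` meta keys, and a rename that skips those rows strips every account of its role.

```php
<?php
/**
 * change-prefix.php: rename every WordPress table from one prefix to another
 * and fix the rows inside the data that embed the prefix.
 * Added example for this article; not WordPress or plugin code. Run it from
 * the site root with WP-CLI (wp eval-file change-prefix.php) on a single-site
 * install, with a fresh database backup and the site in maintenance mode.
 * Afterwards set $table_prefix = 'k7x_'; in wp-config.php. Prefixes are assumptions.
 */

$old     = 'wp_';
$new     = 'k7x_';   // any short prefix that ends in "_"
$dry_run = true;     // print the SQL only; set to false to execute it

if ($new === $old || substr($new, -1) !== '_') {
    die("Choose a new prefix that ends in '_' and differs from '$old'.\n");
}

global $wpdb;

// 1. Every table whose name starts with the old prefix (core and plugin tables alike).
$like       = $wpdb->esc_like($old) . '%';
$tables     = $wpdb->get_col($wpdb->prepare('SHOW TABLES LIKE %s', $like));
$statements = [];
foreach ($tables as $table) {
    $statements[] = sprintf('RENAME TABLE `%s` TO `%s`', $table, $new . substr($table, strlen($old)));
}

// 2. The prefix also lives inside rows. Role definitions are stored in the
//    options table under "<prefix>user_roles"...
$statements[] = $wpdb->prepare(
    "UPDATE `{$new}options` SET option_name = %s WHERE option_name = %s",
    $new . 'user_roles',
    $old . 'user_roles'
);
// ...and each user's role and level live in usermeta under "<prefix>capabilities",
// "<prefix>user_level" and a few other per-site keys. Skip this step and every
// account, administrators included, loses its role after the rename.
$statements[] = $wpdb->prepare(
    "UPDATE `{$new}usermeta` SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %d)) WHERE meta_key LIKE %s",
    $new,
    strlen($old) + 1,
    $like
);

foreach ($statements as $sql) {
    echo $sql, ";\n";
    if (!$dry_run && false === $wpdb->query($sql)) {
        die("Failed: {$wpdb->last_error}\n");
    }
}
```

Run it once with `$dry_run = true` and read the statements it prints; the table list should contain every plugin table you expect. Between the moment the tables are renamed and the moment wp-config.php is updated the site cannot reach its database, which is why it belongs in a maintenance window. On a multisite install the per-site tables and `<prefix><blog_id>_user_roles` options need the same treatment and this script does not cover them.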
11. Insufficient Scanning
SiteLock Website Security Insider analyzed 6 million websites and published this 2017 Q4 report. Their findings indicate that a website on average was attacked in 2017 around 44 times per day. This totals to 16,060 attacks per year.
Lots of SEO pros also say that once a site has been hacked, they’ve noticed that many of these sites get de-indexed from Google search results. This means you can lose significant numbers of new viewers and potential customers once this happens.
So how often to scan your site for potentially malicious activity is a question up for debate. But many cyber security experts recommend you to do this at least once a week.
When you run a scan, configure it to cover every location: the database (posts and options can carry injected scripts and spam links), themes, plugins, the uploads directory, and .htaccess and wp-config.php. The scan should also flag the building blocks of obfuscated code, such as eval, base64_decode, gzinflate and str_rot13, rather than just the single keyword "base64".
Regular scanning is often forgotten or usually ignored. Lots of Webmasters don’t realize that doing this can provide security benefits, and also how scanning can prevent more serious problems in the long run.
12. Undetected Backdoors
Most webmasters are aware of the damage malware can do to their sites, databases, and client and server applications. The Sucuri Remediation Group's 2017 report found that 71% of the 34,371 infected websites it cleaned carried a PHP-based backdoor, and that 81% of those infected sites ran WordPress. Backdoors are written in PHP for a simple reason: it is what the web server will execute.
A backdoor is the file an attacker leaves behind so they can get back in after you patch the hole they came through, and it is usually made to look like a normal WordPress file: a plausible name inside wp-includes, or a "cache" or "config" file inside a theme. That makes it hard for webmasters with beginner to average experience to spot and remove. So to help you out, here are the three main areas to look for backdoors in your WordPress site:
- In core WordPress folders;
- In new folders (even if they don’t look harmful); and
- In plugins and themes.
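The scanner below is an added example, not the article's code and not taken from any of the plugins it reviews. It covers those three areas in one pass: it walks a WordPress tree, flags files whose contents match the constructs backdoors are built from (`eval` fed by `base64_decode` or `gzinflate`, execution functions called directly on request parameters, the removed `/e` modifier of `preg_replace`, very long base64 blobs) and flags any PHP file under `wp-content/uploads`, where none belongs. The pattern list and the root path argument are assumptions; every hit needs a human to read the file.

```php
<?php
/**
 * scan-backdoors.php: heuristic scan of a WordPress tree for PHP backdoors.
 * Added example for this article; not from WordPress or any plugin it mentions.
 * Usage: php scan-backdoors.php /var/www/html
 * It flags files, it does not prove compromise: review every hit by hand.
 */

// Constructs that appear in the bulk of PHP backdoors: obfuscation wrappers,
// code execution fed from request data, and callables built from variables.
$patterns = [
    'eval_obfuscated' => '/\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(/i',
    'request_to_exec' => '/\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i',
    'preg_replace_e'  => '/preg_replace\s*\(\s*[\'"][^\'"]*\/[a-z]*e[a-z]*[\'"]/i',
    'dynamic_func'    => '/\$[a-z_][a-z0-9_]*\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i',
    'create_function' => '/\bcreate_function\s*\(/i',
    // Legitimate plugins sometimes embed base64 images, so this one is noisy.
    'long_base64'     => '/[A-Za-z0-9+\/]{200,}={0,2}/',
];

// WordPress only ever serves media from uploads; PHP there is a finding by itself.
$never_php = ['/wp-content/uploads/'];

function scan_file(string $path, array $patterns, array $never_php): array
{
    $hits = [];
    foreach ($never_php as $dir) {
        if (false !== strpos($path, $dir)) {
            $hits[] = 'php_in_uploads';
        }
    }
    $code = @file_get_contents($path);
    if ($code === false) {
        return $hits;
    }
    foreach ($patterns as $name => $regex) {
        if (preg_match($regex, $code)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

function scan_tree(string $root, array $patterns, array $never_php): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        // Backdoors hide behind .php, .php5, .phtml, .inc and doubled names like .jpg.php
        if (!preg_match('/\.(php\d?|phtml|inc)$/i', $file->getFilename())) {
            continue;
        }
        $hits = scan_file($file->getPathname(), $patterns, $never_php);
        if ($hits) {
            $findings[$file->getPathname()] = $hits;
        }
    }
    return $findings;
}

$root = $argv[1] ?? '.';
foreach (scan_tree($root, $patterns, $never_php) as $path => $hits) {
    // Modification time first: a "core" file touched last week is the one to read first.
    printf("%s\t%s\t%s\n", date('Y-m-d H:i', filemtime($path)), implode(',', $hits), $path);
}
```

Keyword heuristics find obfuscated droppers but miss a backdoor that is a single edited line in an otherwise genuine core file, so pair the scan with an integrity check against known-good copies: `wp core verify-checksums` and `wp plugin verify-checksums --all` compare core files and directory-hosted plugins against the checksums published by WordPress.org, which is the right tool for the "core WordPress folders" item above.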
8 Quick & Easy Ways to Protect WordPress
Many of the issues mentioned earlier can be prevented through some DIY (do it yourself) solutions. These can greatly improve the security measures and protective protocols of your WordPress sites. Also, expert Web programming and technical cybersecurity experience aren’t required to implement these quick and simple ways:
1. Testing WordPress Plugins & Themes
One of the best ways to check the quality of a plugin is to test it before it goes anywhere near production: install it on a staging copy of the site, check that it throws no PHP errors and does not slow page loads, and look at its listing on WordPress.org for the last update date, the "tested up to" version and the open support threads. A plugin that has not been updated in years will not receive security fixes either.
Plugin Security Scanner is a plugin for testing plugins. It checks each installed plugin and theme against the WPScan Vulnerability Database and repeats the check daily, so you hear about a published vulnerability in something you run without having to follow the advisories yourself.
Another good option is to check the reviews people have left about a particular plugin or theme. This takes more than just seeing how many stars the plugin or theme has. Try to read through the good and the bad reviews.
Follow the comments made about the review. Sometimes a person posts a bad review because they didn’t know how to use the features properly, or they had a particular problem with the site they were developing. It doesn’t mean the same will happen to you. It is always a good sign if the creator of the plugin or theme has made a comment about the review. It shows they care about their product.
Just because a plugin is free or cheap, it doesn’t mean it isn’t secure. But it’s worth checking before you install it in your WordPress Site.
2. Spring-Cleaning Your WordPress Plugins
Hoarding plugins can lead to more than just security issues. It can slow down your WordPress site and also cause certain compatibility issues with your active plugins and themes. Because there are so many options to add on to your WordPress site, it’s easy not to do anything with those that are no longer in use.
But deactivating plugins is not enough. A deactivated plugin's files stay on the server, and if it has files that can be requested directly, a known vulnerability in them is still reachable over HTTP; its options and tables also remain in the database. The only way to remove it is to delete it completely. Deleting removes the files; whether the database is cleaned as well depends on the plugin shipping an uninstall routine, so check for leftover tables and options afterwards. And remember, dormant, outdated plugins are a hacker's dream: they are exactly what automated exploit kits probe for.
To delete a plugin that isn’t in use, first go to the installed plugins in the Plugins section of your dashboard. You will be able to see the plugins that aren’t being used by clicking “inactive.” From here, you can select a plugin and choose to delete it.
If you aren't sure about deleting a plugin because you don't know whether you still use its features, at least keep it updated: an automatic update setting covers inactive plugins as well as active ones. But be careful with this option, because not every theme or plugin update is compatible with the rest of your site, which is one more reason to have a backup and a staging copy.
3. Managing Roles in WordPress
It's important to limit what each member of staff can do on your WordPress sites, databases and web servers. Every person who needs access should have their own account with the lowest role that covers their work; never share the administrator login itself, because a shared password can neither be revoked for one person nor traced to one person in the logs.
Also, it’s much better to have fewer users with accounts and various access privileges to your resources. So here’s more information about the available roles in WordPress to help you select the most suitable account type for each of your personnel:
- Administrator — Full control of the site: posts, pages, users, settings, plugins and themes. On a single-site install an administrator can also edit plugin and theme PHP from the dashboard, which amounts to running arbitrary code on the server, so treat this role as server access and give it to as few people as possible.
- Editor — Can create, edit, publish and delete any post or page, including other people's, and manage categories and comments. No access to plugins, themes, settings or user accounts.
- Author — Can write, upload media for, publish, edit and delete their own posts, but not anyone else's.
- Contributor — Can write and edit their own posts, but cannot publish them or upload files; an editor has to review and publish.
- Subscriber — Can only log in and manage their own profile.
- SEO Editor and SEO Manager — Not WordPress roles; the Yoast SEO plugin adds them. Both are built on Editor, and SEO Manager additionally gets access to the plugin's settings.
When you add users to your WordPress site, make sure to provide them with accounts under the roles most suited to the access privileges they require to carry out their tasks.
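As an added example (not from the article), the must-use plugin below applies the least-privilege idea in code. It removes the `unfiltered_html` capability, which on a single-site install lets Editors and Administrators publish raw `<script>` tags; switches off the dashboard file editor so a hijacked administrator session cannot write PHP; and registers a narrow role for a marketing contractor instead of handing out Editor or Administrator. The role name `marketer` and its capability list are assumptions; adjust them to the work the person actually does.

```php
<?php
/**
 * Plugin Name: Least-Privilege Roles
 * Added example for this article, not a published plugin. The role name and
 * its capability list are assumptions. Save as wp-content/mu-plugins/least-privilege.php.
 */

// On a single-site install, Administrator AND Editor carry "unfiltered_html",
// so one phished editor account can publish stored JavaScript to every visitor.
// With this constant WordPress denies the capability to everyone and filters
// markup on save. (The same define() can live in wp-config.php instead.)
if (!defined('DISALLOW_UNFILTERED_HTML')) {
    define('DISALLOW_UNFILTERED_HTML', true);
}

// Administrators can edit theme and plugin PHP from the dashboard, which turns a
// hijacked admin session into arbitrary code on the server. Switch that editor off.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// A narrow role for a marketing contractor: write and publish their own posts,
// upload media, manage categories, nothing else. Listed explicitly rather than
// cloned from Editor so nothing is inherited by accident.
function lp_marketer_capabilities(): array
{
    return [
        'read'                   => true,
        'upload_files'           => true,
        'edit_posts'             => true,
        'edit_published_posts'   => true,
        'publish_posts'          => true,
        'delete_posts'           => true,
        'delete_published_posts' => true,
        'manage_categories'      => true,
        // Deliberately absent: edit_others_posts, edit_pages, moderate_comments,
        // edit_theme_options, edit_files, install_plugins, edit_users, promote_users.
    ];
}

add_action('init', function () {
    // add_role() returns null and changes nothing when the role already exists,
    // so calling it on every request is harmless. To change the list later,
    // delete the role first (wp role delete marketer) and let this recreate it.
    add_role('marketer', 'Marketer', lp_marketer_capabilities());
});
```

Must-use plugins load on every request and cannot be deactivated from the dashboard, which is the point: a compromised administrator account cannot switch the restrictions off. Assign the role with `wp user update <login> --role=marketer` or from Users > All Users, and demote any existing contractor accounts that were created as Administrator at the same time.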
4. Ensuring WordPress is Updated
According to this 2018 report, approximately 72% of all WordPress installations worldwide are not updated to the latest version as of last year. This means these Webmasters are almost making a hacker’s job much easier.
But did you know that it’s quick and simple to do this? There are even 2 ways to keep WordPress updated. So let’s talk about the most convenient one, which is the automatic way. To set up automated updates, you need a back-up system in place, just in case anything goes wrong. You then need to choose a plugin that manages automatic updates.
Easy Updates Manager is one of the most popular plugins for the job. Once installed, configure its settings to suit your needs; at a minimum, keep automatic minor core updates on and enable automatic updates for the plugins you trust.
The other way is the manual method. To update WordPress manually, click "Updates" in your dashboard; the circular-arrows icon in the admin bar takes you to the same screen. But keep in mind that choosing to do it manually means you have to remember to actually do this from time to time. If you ever replace the core files by hand rather than through that screen, follow this order:
- Back up the database and the files;
- Deactivate plugins;
- Download the latest release from wordpress.org and unpack it;
- Replace the root installation: delete the old wp-admin and wp-includes directories, upload the new ones, then upload the loose .php files from the root of the release;
- Update wp-content by copying the new files over the old ones without deleting anything already there, since your themes, plugins and uploads live in it;
- Update everything else the release notes call out;
- Compare wp-config-sample.php with your wp-config.php and add any new settings;
- Update the database by visiting /wp-admin/upgrade.php; and
- Reactivate plugins.
5. Switching Over to Managed WordPress Hosting
Shared hosting might be OK if you're just getting up and running, but it leaves your site exposed to the same dangers as everyone else on the same server. So as soon as you can, it's worth upgrading to managed WordPress hosting.
Bluehost and SiteGround are popular managed WordPress hosting providers. Bluehost costs around 2.95 USD per month as of this writing. The average load time of WordPress sites hosted by Bluehost is 2.87 seconds. You also get a free domain name.
On the other hand, SiteGround costs about 3.95 USD a month. They’re suitable for approximately 10,000 visits per month. While you don’t get a free domain name, the average load time for a page of a hosted WordPress site is just 0.74 seconds. Both Bluehost and SiteGround offer managed WordPress hosting plans that are bundled with free backups.
And if you prefer a managed WordPress hosting provider with more benefits, then Kinsta or WP Engine are highly recommended options. These hosting companies allow you to customize your dashboard so that it is easier and suited to what you need. Kinsta costs about 30 USD a month, while WP Engine goes for around 31.50 USD per month.
WP Engine's managed hosting plans are slightly more expensive, but they can handle approximately 25,000 visits per month, 5,000 more than Kinsta's entry plan. You also get double the disk space with WP Engine, at 10 GB.
6. Fortifying WordPress Logins
As described earlier, attackers use automated tools to try thousands of username and password combinations in seconds; this is a brute force attack. WordPress by default does not block a user, a username or an IP address after any number of failed attempts, and the same credentials can be tried through xmlrpc.php as well as the login form, where a single system.multicall request can carry hundreds of guesses.
So you are recommended to set up an account lockout policy. It blocks further attempts after a certain number of failed tries. To keep false positives (a colleague who mistyped their password) from turning into a permanent block, use a lockout with a time delay: after each set of X failed attempts, the client has to wait a few minutes before it can try again, and each further lockout doubles the delay up to a cap.
Plus, an "I am not a robot" tick box and tools like reCAPTCHA are effective against purely automated guessing. Moreover, don't choose a password that's easy to guess, because chances are it's also easy for a tool to guess. Mixing cases, digits and symbols is fine, but length matters more: a long passphrase that is unique to this site beats a short one with a symbol in it, and a password manager removes the need to remember it.
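The must-use plugin below is an added example of that lockout policy as WordPress code; it is not the article's and not taken from any plugin it reviews. It counts failures per client IP in a transient, locks the client out after five failures, doubles the lockout each time it recurs (5 min, 10 min, 20 min, up to a day), and rejects a locked client in the `wp_authenticate_user` filter, which runs before WordPress compares the password. The thresholds, the transient key prefix `ll_` and the use of `REMOTE_ADDR` are assumptions.

```php
<?php
/**
 * Plugin Name: Login Lockout
 * Added example for this article, not a published plugin. Save it in
 * wp-content/mu-plugins/. Thresholds, key prefix and IP source are assumptions.
 */

const LL_MAX_ATTEMPTS = 5;       // failures allowed before a lockout
const LL_BASE_DELAY   = 300;     // first lockout lasts 5 minutes
const LL_MAX_DELAY    = 86400;   // never lock for more than a day
const LL_WINDOW       = 900;     // a failure counter is forgotten after 15 quiet minutes

// One state record per client address. Behind a trusted proxy or CDN, read the
// forwarded-IP header here instead of REMOTE_ADDR (and only if the proxy sets it).
function ll_client_key(): string
{
    return 'll_' . md5($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

// Escalation: 5 min, 10 min, 20 min, ... capped at LL_MAX_DELAY.
function ll_delay_for(int $lockouts): int
{
    return (int) min(LL_BASE_DELAY * (2 ** max(0, $lockouts - 1)), LL_MAX_DELAY);
}

function ll_default_state(): array
{
    return ['fails' => 0, 'lockouts' => 0, 'locked_until' => 0];
}

// Fires on every rejected login, including the ones this plugin rejects itself.
add_action('wp_login_failed', function (string $username) {
    $key   = ll_client_key();
    $state = get_transient($key) ?: ll_default_state();

    if ($state['locked_until'] > time()) {
        return;  // already locked: our own rejection must not extend the lock
    }

    $state['fails']++;
    if ($state['fails'] < LL_MAX_ATTEMPTS) {
        set_transient($key, $state, LL_WINDOW);
        return;
    }

    $state['lockouts']++;
    $state['fails']        = 0;
    $delay                 = ll_delay_for($state['lockouts']);
    $state['locked_until'] = time() + $delay;
    // Keep the record for the full cap so the lockout counter survives and escalates.
    set_transient($key, $state, LL_MAX_DELAY);
    error_log(sprintf('login lockout: ip=%s user=%s seconds=%d',
        $_SERVER['REMOTE_ADDR'] ?? '?', $username, $delay));
});

// Runs after the username is resolved but before the password is compared, for
// both wp-login.php and xmlrpc.php. A locked client costs no password hash check.
add_filter('wp_authenticate_user', function ($user, string $password) {
    $state = get_transient(ll_client_key());
    if (is_array($state) && $state['locked_until'] > time()) {
        $minutes = (int) ceil(($state['locked_until'] - time()) / 60);
        return new WP_Error('ll_locked_out',
            sprintf('Too many failed logins. Try again in %d minute(s).', $minutes));
    }
    return $user;
}, 1, 2);

// A successful login clears the client's record.
add_action('wp_login', function () {
    delete_transient(ll_client_key());
});
```

Two details matter in practice. The rejection this plugin issues fires `wp_login_failed` like any other failure, so the handler ignores failures that arrive while a lock is active; without that check every blocked request would extend the lock and the attacker could keep a legitimate user out indefinitely. And behind a CDN or reverse proxy `REMOTE_ADDR` is the proxy's address, so every client shares one counter; use the forwarded-IP header only if the proxy is trusted and overwrites client-supplied copies, otherwise an attacker locks out whoever they name. Keying on the username as well as the address catches password spraying from many addresses, and if you do not use XML-RPC, blocking xmlrpc.php outright removes the multicall amplification path.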
7. Backing Up Your WordPress Sites & Databases
As mentioned earlier, WordPress itself does not ship a full backup feature. Tools > Export produces an XML file of posts, pages and comments only; it does not include your themes, plugins, uploads, settings or users. A real backup is the database plus the whole wp-content directory (and wp-config.php), and it comes from your host, from a plugin, or from a script you run yourself.
But a backup that lives only on the same server is no good when that server is the thing that was compromised or has failed. So it's always a good idea to keep copies of your website in more than one location, at least one of them off the server and not writable from it.
Some Webmasters wisely choose to keep their back-up files in offline machines that they fully control. Others opt to store these in third party cloud servers like Dropbox and Google Drive. Meanwhile, some choose one of the many plugins available from WordPress. Here are a few examples:
- UpdraftPlus — A free service used by over 2 million websites;
- VaultPress — It costs 3.50 USD a month, but you get real time cloud backups; and
- Blogvault — It backs up your WordPress site and also allows for easy recovery. You need to pay 89 USD per year to use this.
8. Maximizing Built-In WordPress Security Features
Aside from security plugins, WordPress has a number of ways to improve the security of your site. Here are some ideas you could easily implement:
- Change the default "admin" user name, and don't create a new account with that name. Bear in mind that WordPress does not treat usernames as secret: author archive URLs (/?author=1) and the REST API's users endpoint reveal login names, so this removes only the laziest guess. The lockout policy and strong, unique passwords do the real work;
- Activate two-factor authentication, through a plugin such as the ones reviewed below. Users log in with a username and password and then supply a one-time code from an authenticator app or hardware key, the same idea as the code your bank sends to confirm a payment;
- Be wary of "security questions". WordPress core has no such option on its login screen; some plugins add one, and at best it is a weak substitute for 2FA, since answers are often guessable or public; and
- Run malware and security scanners, even if you have a security plugin. It does no harm to run your site through an online scanner from a reputable security company as a second opinion.
While the list looks exhausting, most of them are one-off jobs. Others won’t take up a lot of time. But all of them are easier and cheaper than being hacked.
Top 6 WordPress Security Plugins for 2019
There are plenty of security Plugins available for WordPress. But we selected 6 of the most popular ones today. While they mostly have similar features, some have unique functions to best suit your needs more than others. Also, most of these Plugins are free, while a few have both free and pro versions:
1. Sucuri Security
Sucuri Inc. is a company that’s well-known for its expertise in website security, especially in WordPress. Many Webmasters consider this as among the best free security plugins today. The free version optimizes WordPress security and scans your website for threats. On the other hand, the paid version has a firewall that blocks brute force attacks and malware. Here are some of its main features:
- Auditing Options for Security Activity
- Monitoring File Integrity
- Scanning for Remote Malware Items & Components
- Monitoring Blacklisted Sites
- Optimizing Security Protocols
- Automatic Post-Hack Security Solutions
- Alerts & Notifications of Crucial Possible Security Issues
They also offer a clean-up service if your site has been infected. We particularly like its "failed logins" feature, which automatically emails the site administrator after a user makes a certain number of failed login attempts.
Installing the Sucuri plugin can also boost the performance and speed of your website. The firewall available with the paid version is one of the best in the market, according to lots of Webmasters worldwide.
2. iThemes Security
The free version of iThemes Security includes:
- File Integrity Checks
- Security Hardening
- Limit Log Attempts
- Strong Password Enforcement
- 404 Detections
- Brute Force Protection
If you want to go for the pro version, then you’ll also have two-factor authentication and malware scan scheduling. Password expiration, Google reCAPTCHA and a dashboard widget are also available in the pro version, just to name a few.
And thanks to its latest update, the configurations panel of this WordPress security plugin is now much easier to use. But remember, if you’re new to WordPress security, then it’s worth going through the basic configurations before moving on to advanced settings.
Also, iThemes provides backup options for your WordPress database. But to back up your entire site, their BackupBuddy plugin is the recommended route.
3. WP Backup
WP Backup is a backup plugin for WordPress rather than a security scanner: it does not block brute force attacks or monitor files and accounts, which is what the plugins above are for. What it does is take scheduled copies of your database and files so that you can recover after a compromise. (The feature list below is that of the BackUpWordPress plugin.) Its features include:
- Works seamlessly even in low memory, “shared host” environments;
- Manages multiple schedules;
- An option to have each backup file emailed to you;
- Uses zip and mysqldump for faster backups where they are available;
- Works on Linux & Windows Server; and
- Allows you to exclude specific files and folders from your backups.
It's an easy plugin to use, with nothing to set up beforehand, and it has a responsive support team.
Moreover, WP Backup is translated into 12 other languages. But as of its latest update you can no longer send backups to Dropbox or Google Drive, and the developers suggest UpdraftPlus if you want off-site copies of your whole site, which is where a backup belongs.
4. All In One WP Security & Firewall
The great thing about All In One WP Security & Firewall is that it’s all free. There are no premium versions, so what you see is what you get. It’s full of graphs and meters that make your security settings easy to read.
Each of this plugin’s settings is broken down into basic, intermediate and advanced configurations. This way, you can conveniently change your security settings without worrying about making a wrong configuration that might break your site. Some of this plugin’s most salient features are as follows:
- Blacklist tool, in case you need to block users;
- Backup .htaccess and wp-config files;
- Brute force attack protection and view failed login attempts;
- Add Google reCAPTCHA; and
- Firewalls to stop malware reaching your site.
This plugin has a total of more than 800,000 installations as of this writing. You can download it in English or one of the 9 other languages. Overall, it’s an excellent security plugin for beginners.
5. Wordfence
Wordfence is a wildly popular security plugin, with over 3 million installations. The free version includes a powerful malware scanner and a set of exploit detection and threat assessment features. The plugin alerts you as soon as malicious activity is detected on your WordPress site and provides instructions on how to fix it.
The premium version of Wordfence works out to 99 USD, but if you’re planning on running multiple sites, then you can access discounted prices. But keep in mind that the free version is powerful enough for smaller WordPress sites. The free version includes:
- Web application firewall;
- Checks your site for known vulnerabilities and alerts you of potential security issues;
- Scans for dangerous URLs;
- Two factor authentication;
- Login page CAPTCHA; and
- Monitors plugins to let you know if they’re no longer available.
If you prefer, your security alerts can be sent via email, SMS or even Slack. Also, Wordfence is available in English and in Spanish.
6. BulletProof Security
BulletProof Security offers an amazing range of features, both through its free plugin and paid version. The former has an anti-exploit guard and the online Base64 decoder, which many developers find attractive. For those who aren’t quite experts, you can use the setup wizard to make the process easier. Other advantages are:
- Login tracking, monitoring and security enhancements;
- Database restorations and backups;
- Anti-hacking and spam filtering tools;
- MScan Malware Scanner;
- Automatic creation of security logs;
- Hidden plugin folders; and
- Maintenance mode.
If you want to upgrade to the pro version, then there’s a one-off payment of 69.95 USD. Bulletproof also offers a 30-day money-back guarantee. The list of premium features is enormous, and some of them include:
- Database monitor, backup and status & info;
- Idle session logout;
- Frontend and backend maintenance; and
- HTTP and PHP error logging.
Bulletproof covers more potential security issues than other security plugins. This can be said for both free and paid versions.