Is your WordPress site locked down?
Ok, there is no such thing as 100% safe or secure.
All you can do is take some proactive measures to protect against any potential security issues.
If your site is hacked, it is a hassle to get it back to where it was, and you lose valuable time that you could have put to better use, like creating or promoting content. Not to mention the headache of the investigation and restoration that follows.
Here is an infographic that covers WordPress security and can give you an edge. Some of the tips are applicable to any website.
How Do WordPress Blogs Get Hacked?
- Hosting 41%
- Themes 29%
- Plugins 22%
- Weak Passwords 8%
Statistics
- 83% of WordPress Blogs that are Hacked are Not Updated
- 30,000 Web Sites are Hacked a Day
- On Average, a Website is Hacked Every 5 Seconds
If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack and is one of the primary reasons you should always keep WordPress up to date – WordPress.org
How to Prevent WordPress Security Issues?
WordPress
- Don’t Use the Default Admin Account – This is one of the most common and elementary mistakes you can make from a security perspective. What username do you think hackers try first when trying to gain access to any site? Admin, that’s right. Create another username and assign admin rights to that user before deleting the old admin user account.
- Close Comments After 30 or 60 days – OK, this might be controversial and not everyone is going to agree with this. If you are getting hit by a lot of spam comments you can try closing comments after 30 or 60 days – it certainly has cut down my spam comments drastically. Using a spam-comment filtering plugin like Akismet is a must.
- Get Rid of the Login Link from your Blog – Regardless of what CMS your website is running on (WordPress or similar), having a login link to the admin interface is like giving away the location of the vault in a bank. Removing the login link from your website does not guarantee safety from hackers, but it adds one more step for them to go through; the more barriers the better!
- Always Keep WordPress Up-to-Date with the Latest Version – This is a no-brainer, especially when you know 83% of blogs that get hacked are not up-to-date. Most big blogs use the WordPress auto-update feature to stay ahead of security vulnerabilities.
- Report WordPress Bugs and Security Issues – WordPress is the most used CMS on the web and the user community is huge. Every day new issues are being reported and patched. If you find a bug or an issue report it so the whole community can benefit. You can report bugs here.
- Lock Down File Permissions and Write Access – If you want to take your website security a step further you can lock down files and who has write access to them. You can do this in several ways: with a plugin, or through your web host's control panel (cPanel). If you are not sure how to do this, it is best to contact your web host's support team; they should be able to help.
- Use a WordPress Security Plugin and Limit Failed Login Attempts –
If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery – Login LockDown
After the research for this post, I have started using Login LockDown plugin to see if I can block malicious login attempts. I am not sure how good this is so if you have any thoughts please leave a comment below.
- Consider Two-step Authentication – The traditional login requires only a username and password, which is one-step authentication. To increase security, you can add two-factor authentication (2FA), such as the SMS code some banks use. You can use Google Authenticator for 2FA if your site is an eCommerce/WooCommerce store or similar that needs added protection. This, of course, depends on what kind of site you have and the information you are trying to protect; for a simple blog it may not be worth the effort or hassle.
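The Login LockDown behaviour quoted above (count failed logins per IP range inside a time window, then refuse logins from the whole range for a while) is shown here as an added example, not code from the plugin or from the original post. It replays a constructed access-log sample; it assumes the usual WordPress signal that a POST to wp-login.php answered with 200 is a failed login and a 302 redirect is a success.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed access-log sample. Assumption not stated on the page: a POST to
# wp-login.php answered with 200 re-renders the form (failed login); 302 = success.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2016:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
203.0.113.10 - - [10/Mar/2016:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
203.0.113.11 - - [10/Mar/2016:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
203.0.113.14 - - [10/Mar/2016:09:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Mar/2016:09:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
198.51.100.7 - - [10/Mar/2016:09:10:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3921
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

class LoginLockdown:
    """Count failed logins per /24 and lock the whole range once the threshold is hit."""
    def __init__(self, max_failures=3, window_s=300, lockout_s=3600):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self.failures = defaultdict(list)  # range -> timestamps of recent failures
        self.locked_until = {}             # range -> epoch second the lock expires
    @staticmethod
    def range_of(ip):
        return str(ip_network(f"{ip}/24", strict=False))
    def is_locked(self, ip, now):
        until = self.locked_until.get(self.range_of(ip))
        return until is not None and now < until
    def record_failure(self, ip, now):
        rng = self.range_of(ip)
        recent = [t for t in self.failures[rng] if now - t <= self.window_s] + [now]
        self.failures[rng] = recent  # failures outside the window no longer count
        if len(recent) >= self.max_failures:
            self.locked_until[rng] = now + self.lockout_s
            return True
        return False

def replay(log_text, lockdown):
    """Replay wp-login.php POSTs; return (ip, time) of requests the lock would reject."""
    rejected = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m[3] != "POST" or not m[4].startswith("/wp-login.php"):
            continue
        ip, ts, status = m[1], m[2], m[5]
        now = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if lockdown.is_locked(ip, now):
            rejected.append((ip, ts))  # served a "login disabled" page instead
        elif status == "200":
            lockdown.record_failure(ip, now)
    return rejected
```

Note that the successful login from 203.0.113.14 is rejected too: locking a whole range stops distributed guessing from one network but also blocks legitimate users behind the same NAT, which is the trade-off to weigh when tuning the threshold and lockout length.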
Web Site Host, Themes & Plugins
Most of the WordPress security tips above protect your site from security issues; the tips below are about being prepared in case of a security breach.
- Re-Evaluate Your Web Host’s Backups and Recovery – If your site is hacked you need a backup to restore your site to its previous glory (pre-attack). Don't wait until then to find out that you don’t have a weekly or daily backup; without one you will lose content and valuable time. The backup should also be stored offsite, not on the same server as your website files, since that server may be down or even infected. Check with your web host before it is too late!
- Check Your Host’s Speed, Stability, Security and Uptime – If you did not consider security, stability and uptime when selecting a web host, now is as good a time as any. 41% of security issues come through the host.
- Re-Evaluate Your Website Theme and Plugins – 51% of security vulnerabilities come through the theme and plugins used by a site. Keep your plugins up to date and remove any you no longer use; this also helps speed up your WordPress site.
Your Computer and Network
- Ensure Your Computer is Free of Malware, Spyware and Virus Infections
- Work From Trusted Networks – Avoid Internet Cafes and Free WiFi, Where Possible
- Make Sure Your Passwords are Strong (including WordPress, Emails etc.)
- Take Advantage of a CDN’s (Content Distribution Network) Firewall – Not only can a CDN help reduce website load times, it also provides a firewall as an added layer of protection that hackers need to breach before reaching your site and its data. I use CloudFlare CDN as it is free and easy to set up.
WordPress Security Plugins
A simple first step towards protecting your WordPress site is to start with a security plugin. Here is a list you can choose from. Don’t install more than one as they might have compatibility issues or overlapping functionality.
- iThemes Security – offers a wide range of security features.
- Bulletproof Security – protects your site via .htaccess.
- All in One WP Security and Firewall – adds a firewall to your site.
- Sucuri Scanner – scans your site for malware etc.
- Wordfence – full-featured security plugin.
- Exploit Scanner – searches your database for any suspicious code.
Conclusion
Use this post as a proactive reminder to check your WordPress site for security issues. You can start with your username and password. If you are using ‘Admin’ as your username your first step is to create another Admin user and delete the default account as you can’t change the username. Make sure your password is strong and not something like ‘password’ that can get hacked easily. Keep WordPress, theme and plugins updated. Use a CDN for better performance and as an added layer of protection. Good luck with locking down your WordPress site. Remember, prevention is better than cure.
Hi,
I got on your site through wp360 blog. And I really enjoyed my first visit to your blog.
And the infographics you have shared are really good, got some new points.
Thanks for the share.
Hi Robin,
Glad, you liked the infographics and got some pointers. Appreciate your comment.
Cheers, Cent
Hello Cent Muruganandam,
That was my first visit to your blog, and I really enjoyed the way you have demonstrated your article, so clear to understand.
Indeed got some of the tips to note down.
Thank you for sharing this one among us.
Shantanu sinha
Hi Shantanu,
Glad you found the post useful and your comment is much appreciated.
Cheers, Cent
I am using Wordfence Security Plugin. It displays all invalid login activity details with username & live traffic.
That's cool and thanks for the feedback.
Cheers, Cent
Impressive article, nice phrase “measures to protect against any potential security issues”. Infographic is another superb way of explanation 🙂
Thanks for the comment and glad you liked the post/infographic.
Cheers, Cent
Really useful content – will definitely share! Many thanks!
Hi Joyce,
Thanks for the comment and share. Glad you found the content useful and shareworthy 😉
Cheers, Cent
Another informative post. I will definitely try the Login LockDown plugin on my WordPress website which I’m hosting at rosehosting.com. I’m new in the WordPress world so I will contact them to install it on my website :).
Thanks again.
Hi Allan,
Glad you found the post informative. Installing a plugin is very easy and straightforward. You can do a Google search if you need help. Don’t forget to change the default settings of the LoginLockDown plugin according to your needs and for better protection of WordPress.
Thanks for the comment.
Cheers, Cent
Hello,
WordPress owners take safety lightly, luckily there are articles like yours to shake up.
I do not use Akismet, because it is not very efficient and it unnecessarily clogs the database.
Best regards,
Bruno
Hi Bruno,
Glad you think so about the post. Thanks for the comment and appreciate your thoughts.
Cheers, Cent
Does using a free WordPress theme hamper my blog in terms of security and SEO?
Hi Subha,
Any theme, regardless of whether it is free or not, could have security, SEO or even performance impacts. It is best to do some research online to see what the reviews and ratings of the theme are. Thanks for stopping by.
Cheers, Cent
Great post. Thanks for the information. I enabled WordFence after recommendation from my hosting provider. The plugin is very useful and helped me to prevent everyday brute-force attacks on my blog.
Hi Dan,
Glad you found the post useful. Thanks for the feedback on WordFence. It sounds very similar to what LoginLockDown does.
Cheers, Cent