What’s the deal with WordPress security? 

You wouldn’t leave the doors to your business unlocked and all the lights on overnight while no one’s there for someone to just walk in off the street and jack all your merchandise. 

The metaphor isn’t exact, but websites are similar to brick-and-mortar stores when left undefended – you can lose all of your hard work in a snap of the fingers. To avoid these issues, it’s time to start thinking about security. You’ll want to understand: 

  • What types of security issues exist.
  • Why securing your site is essential. 
  • The top things you should do to secure your site. 

WordPress is blessed with a huge community of developers and options, but it can also be overwhelming and confusing. This post will cut to the chase with recommendations of what you definitely need and what you don’t – like do you need a security camera or a dog?

Essentially, the TL;DR is this: 

Secure your website’s code, maintain nightly backups, never forget to set strong passwords, and use managed and isolated hosting. 

Looking for more in-depth info? Check out our tips below (we’ve wrangled our WordPress experts to share their expertise just for you). 

Types of Security Issues

First, we should explain some of the risks an unsecured WordPress site faces. Without proper security you’re bound to run into one of these issues, since they’re much more common than you might think.

In 2021 alone, WordPress blocked 86 billion password attacks. Yes, billions with a “B.” The worst part? Password attacks are just one of many security issues you can run into.

Account Break-Ins

An account break-in is one of the most common and straightforward security issues. Just like breaking into a brick-and-mortar store, this is when a hacker gains full access to the internals of your website. 

Only, instead of using a crowbar or a brick to get in, thieves use software that repeatedly tries to guess your passwords (known as a password attack) or make use of a backdoor to get into your site with admin privileges. From there, they can take your stored data, steal payment information, and even change your site to further their attack.

The hacker might also add malware to your site, infecting everyone who visits it, or they could lock you out of your own WordPress site and require a ransom before giving you access again.

The bottom line: you want to avoid this to keep your reputation intact.

Malicious Malware

Another security issue is dealing with malware. In general terms, malware is software that damages your website, server, or computer. A computer virus is one form of malware.

“Malware is tough to spot, tough to get rid of, and tough to prevent entirely. It’s a lot like glitter used in your arts and crafts project that you can’t ever get to go away, even after vacuuming for the 20th time.”

Kent, Head of Operations at Nerder

Your WordPress site can be affected in a few ways by this malicious software. The malware can spread if your computer gets infected and you log into your site. Alternatively, hackers can target your website with specific malware that disrupts your services and takes your site offline.

Scripting

Scripting is when a vulnerability in hosted software is used to impact the whole website. It’s no different than a rogue picking a physical lock (D&D, anyone?).

You might experience a scripting issue if you use compromised WordPress plugins. The hacker can use those plugins, which already have access to your website, to break in and gain access. 

In most cases, this is a lot easier for an attacker than guessing your password or tricking you into handing over access.

DDoS

A Distributed Denial-of-Service (DDoS) attack is when an attacker floods your website with incoming requests and simulated traffic. Your website’s host then becomes overloaded, and the site will crash, inconveniencing your customers and causing panic.

A DDoS attack is similar to a mob of people rushing into your store. You can’t do much to stop it once it happens, and the situation can quickly get out of control.

Known Bugs and Vulnerabilities

Another prevalent security issue revolves around known bugs and vulnerabilities. Whenever a piece of software is developed, there are little issues with the code that can be exploited. Over time, hackers discover these problems and start abusing the program.

This is why companies roll out regular updates for their software. Each update fixes newly discovered issues, so people can’t keep using known vulnerabilities.

“If you have out-of-date software on your WordPress site, hackers can use commonly-known vulnerabilities to easily get into your website, make it crash, and/or steal your company’s data. We see this happen all of the time with unpatched and out-of-date WordPress sites.”

Nick, Tech Lead at Nerder

10 Ways to Secure Your WordPress Site

Now that you understand some security issues sites on WordPress face, it’s time to dig into the top ways to secure your site. 

1. Focus On Your Passwords

Before doing anything else, you need to focus on your passwords and how they’re handled.

“Having a simple password or poor password management can be the easiest way for a hacker to get full admin access to your site. If you only do one thing, start here!”

Nick, Tech Lead at Nerder

There is a lot that goes into a secure password and its management:

  • Pick a complex password – This makes it harder for hackers to use a brute-force password attack to get into your account. Use a combination of letters, symbols, and numbers for the best results. We recommend a minimum of 12 characters.
  • Ensure every account has a strong password – All it takes is one weak password for your whole site to crumble. Every administrator needs a strong password.
  • Use a password manager – A password manager securely stores all of your passwords, eliminating the need to remember them. This allows you to use strong, unique passwords for all of your accounts, avoiding the risk of using the same password more than once. We recommend Bitwarden, which has a full functioning free version and affordable family and business subscriptions.
  • Add auto-logout – Automatically logging out idle admin sessions means someone with access to your computer can’t use a session you left open to reach your website.
  • Limit login attempts – When hackers “brute force” a password, they can try millions of combinations and keep trying to log in. Without a login attempt limit, they’ll eventually get in. Add a limit to ensure you can only try to log in unsuccessfully a few times before the account gets timed out.
  • Add two-factor authentication (2FA) – 2FA has become an industry standard when it comes to security. It means you must have the correct password and a one-time code sent to your phone or email before you can successfully log in. A hacker would need your password and your phone to get in, making it even harder.
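Two of the items above, limiting login attempts and auto-logout, can be implemented with nothing but WordPress core hooks. The following must-use plugin is an added example written for this post; it is not code from the original article or from Nerder. It assumes a hypothetical file at wp-content/mu-plugins/login-hardening.php, and the attempt limit, lockout window and session length are assumed policy values you should set for your own site.

```php
<?php
/**
 * Plugin Name: Login Hardening (added example)
 *
 * Added example, not code from the original post or from Nerder. Implements a
 * failed-login limit and a shorter admin session using only core hooks.
 * Assumed location: wp-content/mu-plugins/login-hardening.php (hypothetical).
 */

const LH_MAX_ATTEMPTS    = 5;       // failed attempts allowed before lockout (assumed policy)
const LH_LOCKOUT_SECONDS = 15 * 60; // how long the counter, and so the lockout, lives (assumed)
const LH_IDLE_SECONDS    = 30 * 60; // session length without "Remember Me" (assumed)

// One counter per (username, client address) pair, stored as a transient so it
// expires by itself. REMOTE_ADDR is the simplest case; behind a proxy or CDN,
// use the client address your host forwards instead.
function lh_attempt_key( string $username ): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'lh_fail_' . md5( strtolower( $username ) . '|' . $ip );
}

// Count each failed login. Re-setting the transient also renews its lifetime,
// so a lockout lasts LH_LOCKOUT_SECONDS after the *last* failed attempt.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lh_attempt_key( (string) $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LH_LOCKOUT_SECONDS );
} );

// Refuse the login once the counter has reached the limit, even if the
// password is correct. Priority 30 runs after WordPress's own
// username/password check (priority 20), so its result is replaced.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === (string) $username ) {
        return $user;
    }
    $count = (int) get_transient( lh_attempt_key( (string) $username ) );
    if ( $count >= LH_MAX_ATTEMPTS ) {
        return new WP_Error(
            'lh_locked_out',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 2 );

// Clear the counter after a successful login.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( lh_attempt_key( (string) $user_login ) );
} );

// Auto-logout: shorten the login cookie for sessions that did not tick
// "Remember Me" (WordPress's default for those is two days). Cookies expire at
// a fixed time rather than on inactivity, so a short lifetime stands in for a
// true idle timeout.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    return $remember ? $length : LH_IDLE_SECONDS;
}, 10, 3 );
```

Keying the counter on username plus client address keeps one noisy attacker from locking a legitimate user out by name alone, but it also means an attacker rotating addresses is not stopped by this code; that is the gap the firewall and 2FA items above are meant to close. Drop the file into wp-content/mu-plugins/ and it loads on every request without activation.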

2. Never Use “Admin” As a Username or Password

Avoid committing the cardinal sin of using “admin” as a username or password for any WordPress account. This common username can give hackers a leg up because they won’t have to try hard to guess part of your login info. 

It’s as bad as having “password” as your password (also, please don’t do that). Brute-force guessing of your username and password becomes significantly easier with a common, easy-to-guess username like this.

“This happens more often than you’d think. Most hackers will start guessing usernames and passwords from a database of common options. Don’t make it easy on them.”

Andy, Web Producer at Nerder

3. Stick to Standard, Secure Themes

When you set up your site, you’ll have thousands and thousands of themes to choose from – that’s one of the great benefits of using WordPress. Each theme allows you to personalize your digital storefront, but they also come with a risk.

“The more obscure, unmanaged themes can be a massive vulnerability for potential hacks, so stick to popular themes with good reviews. At Nerder, we’ve developed our own secure theme which we use standard in every build.”

Ryan, Sr. Developer at Nerder

4. Added Security Plugins

WordPress has many plugins that can help with your security. These plugins focus on different aspects of cybersecurity, but we recommend using a combination of them.

You can think of plugins like these as security guards in your store. They may not completely prevent a robbery but can halt most attempts in their tracks.

As of today, the most common, trusted, and valuable security plugins in WordPress are:

  • Wordfence Security: Provides a firewall and malware scanning
  • Jetpack Security: Focuses on backups, a firewall, and malware scanning
  • All In One WP Security & Firewall
  • iThemes Security

“Wordfence is a must for every WordPress site as it blocks a wide range of automated attacks. Make sure to enable two-factor authentication for extra security.”

Ryan, Sr. Developer at Nerder

5. Regular Backups

A backup is a copy of all of your site’s data stored in a separate location. You’re probably already backing up your iPhone’s photos on iCloud – you should do the same thing with your WordPress website.

When you back up your site, you minimize the impact of a hacker crashing your site, locking you out, or installing ransomware. With a backup in place, you can restore your site if anything should ever go wrong, rather than spending significant amounts of time and money fixing the problem.

“We always recommend backing up nightly and retaining backups for a minimum of 2 weeks.”

Nick, Tech Lead at Nerder

6. Always Update Your Plugins

Earlier, we mentioned that out-of-date software has known vulnerabilities that allow hackers to enter your site. The simplest way to avoid this is to keep your plugins and theme updated.

Whenever a security patch is released, install it immediately. Once a fix is public, word of the vulnerability spreads quickly in the hacker community, and unpatched sites are at risk.

We recommend opting for managed WordPress hosting, where this is looked after for you (see below).

7. Managed WordPress Hosting

An excellent investment for your site is managed WordPress hosting. This is when you use an outside company to provide hosting and a range of security-related services that keep your site safe, including keeping your WordPress code, plugins, and PHP stack adequately patched.

“Be aware that there is a wide range of quality regarding hosting – you generally get what you pay for. Nerder offers a fully managed, rock-solid cloud managed hosting solution, ensuring that your WordPress site is always kept patched with the latest security releases.”

Kent, Head of Operations at Nerder 

8. Fully Isolated Hosting

Speaking of hosting, it’s a good idea to make sure your site will be fully isolated when shopping for a host. Fully isolated means that the server or virtual server is dedicated to your WordPress site alone, with no other sites hosted on it.

On a shared server, a compromise of someone else’s site can give the attacker access to yours, because both sites live on the same machine. Isolated hosting is like having a physical storefront on top of a hill in the middle of nowhere: it’s much harder for a robber to reach the store, resulting in a more secure property.

“Shared hosting is one of the ways we most commonly see sites get hacked. Just don’t do it! We always recommend hosting on a fully isolated cloud hosting solution that can scale with your needs. Individual cloud hosting is way more secure but doesn’t cost much more than shared hosting these days.”

Ryan, Sr. Developer at Nerder

Investing in this hosting is the perfect way to ensure better security for your site before problems can arise.

9. Encrypt and Secure Your Website

A high-quality host will also offer SSL certificates. A certificate lets your website serve traffic over an encrypted connection (Secure Sockets Layer, or today its successor TLS), a great way to keep your site safe. SSL sites have a URL starting with https:// (the ‘s’ means secure).

An SSL connection encrypts traffic between the user’s browser and your website in both directions. This protects against man-in-the-middle attacks, in which an attacker sitting between the two reads or alters the information exchanged by you and your customer.
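Having a certificate installed is only half the job; the site also has to refuse to talk plain HTTP. The must-use plugin below is an added example written for this post, not code from the original article or from Nerder. It assumes a hypothetical file at wp-content/mu-plugins/force-https.php and a host that already serves the site with a valid certificate.

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example)
 *
 * Added example, not code from the original post or from Nerder. Keeps the
 * dashboard on HTTPS, redirects plain-HTTP visitors, and sends an HSTS header.
 * Assumed location: wp-content/mu-plugins/force-https.php (hypothetical).
 */

// Keep the dashboard and login page on HTTPS. The usual home for this
// constant is wp-config.php; the guard lets this file load either way.
if ( ! defined( 'FORCE_SSL_ADMIN' ) ) {
    define( 'FORCE_SSL_ADMIN', true );
}

// Send any plain-HTTP front-end request to the same path over HTTPS with a
// permanent redirect. home_url() rebuilds the address from the site's own
// configured URL, so a forged Host header cannot turn this into an open redirect.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    $path = $_SERVER['REQUEST_URI'] ?? '/';
    wp_safe_redirect( home_url( $path, 'https' ), 301 );
    exit;
} );

// Ask browsers to remember the HTTPS-only rule (HSTS). The short max-age is
// deliberate while testing: browsers honour the value for its full duration,
// so raise it only once every page loads cleanly over HTTPS.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=300' );
    }
} );
```

One caveat: if your host terminates TLS on a proxy or CDN in front of WordPress, is_ssl() sees a plain-HTTP connection from the proxy and this redirect would loop. In that setup WordPress needs to be told to trust the proxy’s forwarded-protocol header (the standard wp-config.php snippet that sets $_SERVER['HTTPS'] from HTTP_X_FORWARDED_PROTO) before the hooks above will behave.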

10. Don’t Forget Security Scans

As a final precaution, your site should also go through regular security scans. These scans are looking for malicious files on your WordPress site or anything that screams, “We’ve been hacked.” 

Hackers often employ an attack that isn’t noticeable to you at all, as it’s a good way for them to stay hidden and steal even more information over time.

With a security scan, the software will look in every corner of your WordPress site and find the artifacts of a hack you may not have noticed. This works just like a property sweep in real life. A security guard will check all your store’s dark corners to ensure no one is hiding out, which is what a security scan does within your digital storefront.

The scan will usually isolate and remove the threat from your site. At the same time, you find out that you were the victim of a cyberattack, so you can take other precautions to minimize its impact. 

Having a security scan set up means that your site can avoid being compromised for extended periods. That’s why a managed hosting option is helpful – everything is handled for you, so you save time and can focus on running your business. 

Protect Your WordPress Site with Help from Nerder

Your website is one of the best ways clients and potential customers can get to know you. That’s why security should be a non-negotiable part of your website budget. 

If you host your site on WordPress, you now have the tools to understand the importance of security, common security issues, and how to prevent them on this platform. 

Check out our services and see how we help you protect your site with managed WordPress hosting so you can get back to business.