Practical Ecommerce

How to Keep Your WordPress Site Safe from Hackers

Editor’s Note: This article was originally published by Web Marketing Today. Practical Ecommerce acquired Web Marketing Today in 2012. In 2016, we merged the two sites, leaving Practical Ecommerce as the successor.

When an open-source platform becomes the most widely used content management system on the Internet, it inevitably becomes a target for hackers as well.

WordPress, an open-source platform, powers over 18.9 percent of all websites, which amounts to more than 74 million sites total.

The platform has received quite a bit of negative attention recently for its security vulnerabilities. If the proper steps are taken, however, WordPress can be just as safe as other content management systems.

Has Your Site Already Been Hacked?

The first step to securing a WordPress site is to make sure that it hasn’t been compromised already. Many business owners never visit their site and may be unaware that an attack has taken place, particularly since many attacks are deliberately discreet.

Sucuri, a website security and malware protection site, provides a site check utility that scans your site to ensure it has no publicly visible signs of malicious activity.

Also, set your site up on Google Search Console (formerly called Webmaster Tools) as it will notify you of a website breach. You can visit the hacked site information page to learn more about Google’s process for marking sites as malicious.

Once you know your site’s status, there are several steps you can take to ensure it is as secure as possible.

Update, Update, Update.

In my experience, the number one reason most WordPress sites get hacked is a lapse in regular updates. WordPress is open-source software, which means it is developed and worked on by a large community around the world. That also means bugs and security vulnerabilities are discovered quite often.

Vulnerabilities that have been discovered and fixed are posted publicly, and all users are advised to update. Unfortunately, attackers have access to the same detailed information on the new vulnerability, which they can use to exploit every installation that has not been updated.

WordPress updates take on three different forms: core, plugins, and themes.

Core updates. WordPress knows that regular updates are critical. Version 3.7 introduced automatic background updates for minor security releases. This feature doesn’t handle major upgrades, such as from version 3.7 to 3.8, but it does ensure that security fixes routinely take place on most sites.

WordPress core updates are critical.

The bigger problem is that many people still use versions older than 3.7. To check which version you are running, go to [your site URL]/readme.html or visit your admin dashboard and look at the “Right Now” or “At a Glance” widgets to find it.

Check the admin dashboard to see the WordPress version.

The current version of WordPress is 4.2.3; if you are still running a version 3.9, you should upgrade as soon as possible.

Plugin and theme updates. Plugins can be another major security risk for WordPress installs. A first step is to ensure that you update the plugins on your site and that they are compatible with your version of WordPress. Many plugins utilize other libraries or scripts that can become outdated and vulnerable to hacks.

The same premise applies to themes, as many WordPress theme makers will bundle their template files with a variety of plugins or frameworks. There have been a few high-profile vulnerabilities with popular gallery and image plugins.

Once you update your core WordPress installation, visit the “Updates” or “Themes” page to see if your theme is due for an upgrade. Also, removing unused themes and plugins will increase both the speed and security of your site.

Hardening Your Hosting Server Protects WordPress Files

Whether your site uses WordPress or another CMS, server security is necessary to make sure hackers don’t get access to your system files.

If you installed WordPress through your hosting company’s site, you are probably safe when it comes to file permissions. However, if you or someone else installed WordPress manually, you may want to review WordPress’s recommendations on file permissions to ensure you aren’t leaving your site open to malevolent activity.
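As an added example (not from the article), the following POSIX shell script audits a WordPress tree against the commonly recommended baseline of 755 for directories, 644 for files, and owner-only access (600) for wp-config.php, reporting every entry that is looser. The sample tree it builds is constructed for the demonstration; point `audit_wp_perms` at a real document root instead.

```shell
#!/bin/sh
# Added example, not from the article: find WordPress files and directories
# whose permissions are looser than the commonly recommended baseline
# (directories 755, files 644, wp-config.php 600).

# mode_of PATH -> nine-character symbolic mode, e.g. "rwxr-xr-x"
mode_of() { ls -ld "$1" | cut -c2-10; }

# audit_wp_perms ROOT -> one line "KIND MODE PATH" per offending entry
audit_wp_perms() {
  root=$1
  find "$root" \( -type d -o -type f \) -print | while IFS= read -r p; do
    m=$(mode_of "$p")
    grp=$(printf '%s' "$m" | cut -c4-6)   # group rwx bits
    oth=$(printf '%s' "$m" | cut -c7-9)   # other rwx bits
    case $p in
      */wp-config.php)
        # holds database credentials and salts: owner-only access
        [ "$grp$oth" = "------" ] || printf 'CONFIG %s %s\n' "$m" "$p" ;;
      *)
        # 755/644 baseline: group and other must not be able to write
        case "$grp$oth" in
          *w*) kind=$([ -d "$p" ] && echo DIR || echo FILE)
               printf '%s %s %s\n' "$kind" "$m" "$p" ;;
        esac ;;
    esac
  done
}

# count_offenders ROOT -> number of offending entries
count_offenders() { audit_wp_perms "$1" | wc -l | tr -d ' '; }

# make_sample_tree -> builds a constructed WordPress-like tree, prints its path
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/wp-content/uploads" "$t/wp-includes"
  : > "$t/wp-config.php"; : > "$t/index.php"; : > "$t/wp-content/uploads/a.jpg"
  chmod 755 "$t" "$t/wp-content" "$t/wp-includes"
  chmod 644 "$t/index.php"
  chmod 777 "$t/wp-content/uploads"          # offender: world-writable directory
  chmod 666 "$t/wp-content/uploads/a.jpg"    # offender: world-writable file
  chmod 644 "$t/wp-config.php"               # offender: readable by group/other
  printf '%s\n' "$t"
}

sample=$(make_sample_tree)
audit_wp_perms "$sample"
echo "offenders: $(count_offenders "$sample")"
rm -rf "$sample"
```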

Shared versus private hosting. If your business runs off of WordPress, I highly suggest you avoid using low-cost hosting that relies on shared servers, which store not only your site but thousands of others.

Although hosting companies try their best to wall off customers’ accounts from each other, a skilled hacker can gain access to other accounts through a single vulnerable account. Even if you invest time and money into protecting your site from hackers, someone else’s vulnerability could grant them entry.

Although it may cost more, your investment in security will ultimately save you time and money. Companies dedicated to hosting WordPress sites, such as WP Engine and Pantheon, are specially designed for WordPress security. Many of these will even guarantee to keep your WordPress core and plugins updated on a regular basis.

Usernames and passwords. Choosing a secure username and password is an easy way to keep your site safe from hackers, but it is a step many site owners overlook.

Instead of using the default “admin” user account, create a new user with admin privileges and delete the old account. Attribute all posts and content to the new account so that no data is lost.

Also, use a unique password not tied to other sites. That way, if hackers discover your generic and widely-used password, they won’t have access to your website as well.

Other Steps to Avoid Being Hacked

Even if you regularly update WordPress and use secure server and password practices, it is helpful to have something actively working to ensure you are secure at all times.

Security plugins. Wordfence and BulletProof Security, two free plugins with premium upgrade options, will actively scan your WordPress installation and plugins for any sign of malicious activity and protect your WordPress installation from a variety of commonly known attacks. They can also limit login attempts, block users from questionable IP addresses or from outside the country, and enforce strong and unique passwords.

Wordfence protects your site against attack.
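To show what the login-limiting feature of these plugins is reacting to, here is an added example (not from the article or from either plugin) that scans a web server access log for client IPs submitting wp-login.php far more often than a person would. The log lines and the threshold are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: report client IPs whose POSTs to
# wp-login.php exceed a threshold, the signal login-limiting plugins throttle.
# Input is Apache/nginx combined log format; sample lines are constructed.

# brute_force_ips LIMIT < access.log -> "IP COUNT" per IP with more than LIMIT
# POST requests to /wp-login.php (GETs, i.e. just loading the form, are ignored)
brute_force_ips() {
  awk -v limit="$1" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] > limit) print ip, hits[ip] }
  ' | sort
}

# Constructed sample: one client posts the login form five times in a minute,
# another posts twice, and ordinary page views are mixed in.
SAMPLE_LOG='203.0.113.7 - - [10/Aug/2015:13:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2015:13:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2015:13:01:06 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2015:13:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2015:13:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2015:13:01:14 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Aug/2015:13:01:20 +0000] "GET /wp-content/uploads/a.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2015:13:01:19 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Aug/2015:13:01:30 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2015:13:01:24 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# flag_sample LIMIT -> runs the detection over the constructed log
flag_sample() { printf '%s\n' "$SAMPLE_LOG" | brute_force_ips "$1"; }

# With a limit of 3 only the first client is reported: "203.0.113.7 5"
flag_sample 3
```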

Regular backups. Even with all the available protection in place, unfortunate incidents may still occur. Keeping a regularly updated copy of your site’s files and database will ensure that even if you are hacked, the files are easily accessible and can be restored to an older version.

BackupBuddy is a plugin that will not only perform regularly scheduled backups but can also connect to other popular file storage systems like Dropbox and Google Drive.

Monitoring and repair services. For more mission-critical sites, you can enlist third-party services like Sucuri or VaultPress to constantly monitor your site. In the event it gets hacked, they will automatically address the issue on your behalf. Both services charge a monthly or yearly fee to monitor for issues and to help fix or clean any files affected by hacking activity.

VaultPress monitors your site against hacks.

Conclusion

Malicious activity on your website can cost you hours of time in dealing with the issue. If your business depends on your website for income, it could also mean dollars lost. Investing in site security by making these fixes, as well as paying for quality server hosting and security monitoring, will ultimately provide you peace of mind and a safer site.

For power users looking to expand on these basic recommendations, check out the page Hardening WordPress.

Daniel Kedinger

Comments (3)

  1. Carlos Rivera, August 12, 2015

    Great advice! I am building a WordPress website now, and this article really helps a lot! Thank you!

  2. Hemang Rindani, November 20, 2015

    Nice article, Daniel. Being one of the most used CMSes, WordPress is considered to be more liable to security breaches, and thus it is important to identify the right set of safety tools for the website. WordPress provides modules and supporting plugins that can handle complex security problems. The basic plugin to use is WP security, which provides a security cover for data transmission between the database and the user interface. It also comes with authentication tools to manage the user permissions. It is important to keep the plugins updated to keep the website secured.

  3. David Attard, February 5, 2016

    Hi Daniel,

    There are a lot of great tips you’ve put in there.

    There are quite a few simple things you can do to make sure your website does not get hacked, though. Some of them are really easy, some of them are a bit more technical.

    We’ve put together an essential checklist to prevent your WordPress website from getting hacked. Would love it if you could give us some feedback on it!

    https://www.dart-creations.com/wordpress/wordpress-tutorials/the-essential-checklist-to-prevent-your-wordpress-website-from-getting-hacked.html

    Cheers
    David