Contrary to popular belief, website builders like Wix and Shopify make a small impact on the market share of WordPress. To this day, WordPress retains a firm stronghold of being the leading content publishing platform on the web. And because of its popularity, it is one of the most common targets for various attacks from hackers with bad intentions.
In late 2021, a group of Vietnamese security researchers reported an SQL injection attack in the WordPress WP_Query function. This left millions of blogs and websites exposed to potential attacks that could lead to customer data being stolen and worse. The WordPress 5.8.3 version rectified this attack, which is why it is so important to keep your site up-to-date at all times.
The fact of the matter is, that there could be dozens of similar vulnerabilities out in the wild. So, in a sense, the goal is not to achieve an impenetrable website. Rather, you should aim to implement certain security features and precautions to ensure that hackers have a hard time accessing sensitive data, for example – your admin dashboard.
Is WordPress a Secure Blogging Platform?
On a fundamental level, WordPress can be considered a secure platform. Even though it has had certain vulnerabilities found in its core system, it doesn’t have a bad track record of security issues. The bigger problem is that WordPress users themselves don’t follow even the most practical security precautions.
Here are some of the things to look out for:
- Pirated themes and plugins tend to be riddled with scripts and other hidden code that can hijack your website.
- Using outdated plugins which haven’t been updated in 3+ years.
- Adding plugins or themes to your site from untrustworthy sources.
- Leave features like “Site Editing” enabled which can lead to instant hijack with only your WordPress login information alone.
So, ultimately, to keep WordPress secure you have to be mindful of the choices you make in regard to using external features.
What Are the Most Common Types of Website Attacks?
If you look at the most common vulnerabilities being exploited in the wild, that list is too long to even begin talking about. So, rather than assuming your website is vulnerable to everything, we need to look at vulnerabilities that are most commonly exploited on WordPress sites.
- Cross-Site Scripting (XSS) – This allows attackers to hijack your cookie data and in turn give them access to your admin dashboard.
- SQL Injection – A more sophisticated attack that can be exploited to steal user data directly from the database. Furthermore, this attack can be used to alter data (such as changing the password or email).
- Bruteforce (Login) – A common type of attack on WordPress sites is when bad actors try to brute-force the password of the admin account. This alone makes it important to use secure passwords!
- Outdated Software (Themes & Plugins) – The first two attacks will have a much higher success rate unless you frequently update your WordPress version and that of your plugins and themes.
A lot of these attacks can be circumvented by applying the security tips outlined in this article. Keep reading to learn more.
Is Your Website at Risk of Being Hacked?
If you implement the tips below, you should significantly reduce the risk of having your WordPress website hacked. The way in which modern attacks work is that hackers will typically mass target a large number of sites at once. Using tools and software to scan the site for potential vulnerabilities.
So, if you’re more technically savvy – you might see things like unusual requests in your Apache2 access logs. In fact, there are numerous WordPress plugins that provide detailed logs about the requests being made to your site. And, while this may look alarming at first – it’s really just hackers looking for cheap ways to try and break into your site.
More often than not, such requests are harmless. Especially if you use the correct combination of tools and plugins to mitigate all risks.
How to Optimize WordPress Security
The following tips can be implemented in less than a minute each. And, what is a few minutes of your time in exchange for peace of mind, anyway?
#1: Change the Default Login URL
All new WordPress websites have the same Login Page URL for the admin dashboard, and it is located at /wp-admin/. So, it comes as no surprise that hackers can easily launch brute-force attacks on any given WordPress site.
One way to fix this would be to limit login attempts. However, the best solution for avoiding brute-force attacks is to change the login URL entirely. And this can be done with a plugin such as WPS Hide Login.
Once you have the plugin installed and activated:
- Go to the admin dashboard on your WordPress site.
- Navigate to Settings -> General.
- Scroll down to the bottom of the settings and find the Login URL input form.
- Type in a secret word or phrase to use as your new Login URL.
What this means is that the next time you log in to your dashboard, you will need to use the new secret word you specified instead of the default wp-admin page. So, make sure to save that word somewhere safe!
#2: Enable Auto Updates for WordPress & Plugins
There is hardly ever a scenario in which you would disable automatic updates to the latest WordPress version. In your admin dashboard, you should be able to see the status of this by going to Dashboard -> Updates.
Now, things get a little bit trickier when it comes to auto-updating themes and plugins. First off, a theme update can potentially break the design of your site unless you are using a child theme.
A child theme means that whatever changes you make to your site design will remain within the child theme itself, so whenever you update your theme – the child theme will remain intact. At the very least, you should have a backup of your theme (see below for recommendations) if you do plan to apply an update.
In order to auto-update WordPress plugins, you have to do enable it manually for each plugin. So, head over to Plugins -> Installed Plugins from your dashboard. On this page, on the right-hand side, you will see the option to “Enable auto-updates” which are turned off by default.
Auto-updates are particularly important for plugins with millions of active users (Yoast, Elementor, Akismet, etc.) because if one of them is exposed to an attack – it means millions of sites are once are vulnerable.
#3: Enable Backups
Backups don’t just provide a layer of security against your site being hijacked. A backup can be a life-saver in situations where you accidentally lose data and have no means to recover it.
Besides, not having a backup and losing access to your content can mean days of hard work to try and salvage it through external channels.
Our recommendation for a WordPress backup solution is UpdraftPlus Backups.
The plugin has over 3 million active users. And it makes it effortless to set up automated backups which can also be sent to a remote location, such as your email, once complete. It also includes the option to upload your backups to Dropbox, Google Drive, and other services, too.
#4: Disable File Editing
Let’s imagine a hypothetical scenario where a hacker has gained access to your WordPress admin account. Other than tarnishing your blog posts, what else could they potentially do?
- Insert malicious scripts in the header or footer section of the site using the WordPress Customizer feature.
- Modify your theme and plugin files by inserting scripts that can give them file system access.
- Upload plugins or themes and activate them to execute an attack.
Now, number 1 and 3 can be rectified by using a security plugin (see below) but number 2 is up to you to manage. In other words, to avoid hackers from tampering with your files – disable the file editor feature.
You can disable file editing in WordPress by adding the following snippet to your wp-config.php file (located in the root directory of your WordPress site):
define('DISALLOW_FILE_EDIT', true);
You can further improve this security aspect by modifying the file permissions on your hosting account.
The official WordPress documentation site has already provided a detailed explanation on how to do it: read here.
#5: Install a Security Plugin
For additional peace of mind, getting a security plugin is going to go a long way. We recommend the Wordfence Security plugin which has over 5 million users and is an absolute household name in the website security sphere. But more than that, Wordfence does a really good job at automatic certain security checks, such as malware scanning and potential exploit detection.
One of the things that make Wordfence unique is that the brand behind the plugin is an actual security company. Their business model is to help protect website owners from attackers, and they do it through a variety of unique features, only available through the plugin.
- Custom firewall based on a database of well-known attackers.
- Automated malware scanner which checks for common attacks like malware, code manipulation, content editing, and spam.
- Checks your themes and plugins against the official code found on the WordPress.org website!
- Gives you the option to enable Two-factor authentication (2FA).
And a lot more! To get started, you can activate the plugin and run your first scan. This should give you plenty of starting points to start adding some serious security features to your WordPress site.
Conclusion
So, to conclude – improving WordPress security is a matter of choice. And why shouldn’t you? It’s bad enough if attackers are able to steal your sensitive information, then imagine having to deal with your site users and customers who also had their data stolen! It’s a nightmare scenario.
And, as we learned throughout the various tips – it’s not even that hard to add hardened security measures. The thing about a lot of the “hacker” type people is that they rely on automated tools which often contain outdated and poorly structured attacks.
As such, by doing things like changing your admin URL or blocking file editing – you practically solve 99% of your security problems with those steps alone.