WordPress is one of the most popular CMS tools in the world with more than 16 million live websites running it. Sadly, this fact alone has made it a popular target for a growing number of cybercriminals who constantly crawl the web to identify vulnerable WordPress versions or plugins, in order to get control over the website.

Many small website owners don't think about website security, imaging that no one will ever bother to hack them, and that’s why they are so attractive to hackers. If that applies to you stop now and read: “How much is your website worth on the Black Market?”

We’ve picked out the five most critical risks which can affect WordPress installations, and advise on how best to avoid them - follow these simple tips to secure your WordPress from over 90% of intrusions.

Make sure your WordPress, its Plugins and Themes are Constantly Up To Date

The biggest security risk to a WordPress CMS is a missed update. An outdated installation of WordPress, its plugins or themes make your WordPress installation a perfect target for hackers. According to the WordPress website, only 40% of all existing WordPress installations are using the latest version of WordPress. Updating your WordPress site manually can be boring and you can even forget about doing it. However, you can use a plugin, such as Easy Updates Manager, to automate updates of your WordPress installation. Problem solved.

Make sure you use only well-used plugins for your WP installation

WordPress plugins and themes are the Achilles heel of your website. WordPress core code has been audited and tested by numerous security companies, independent researchers and hacking teams since 2003.

They have already discovered the vast majority of important security weaknesses and flaws that were successfully patched by WordPress developers. However, obscure plugins do not necessarily get so much attention from the security community, so still contain many vulnerabilities that are not publicly known yet, and therefore are not patched. The less popular a plugin is the more chance that it contains some vulnerabilities that nobody bothered to detect and to patch.

When selecting a plugin for your WordPress installation, try to get the most popular plugins trusted by thousands of users: such plugins usually contain far fewer vulnerabilities and are patched pretty quickly if a security flaw is discovered. However, do not forget to keep all your plugins up to date, as even very popular WordPress security plugins may contain dangerous vulnerabilities.

Make Sure your WordPress Administrator Interface is well Protected

The first step to take is to hide the default admin panel located at /wp-admin/ - even if attackers exploit a zero-day vulnerability in your WordPress installation to get administrator credentials, they will then find it difficult to perform malicious activities via the WP admin panel afterwards. The less predictable the admin panel location is the better it is for security. You can also restrict access to your admin panel from your subnet using .htaccess file.

Strong passwords are very important for WordPress. Even if you have no single web vulnerability on your WordPress installation, hackers will try to bruteforce your admin accounts to compromise it. Do not reuse your email or web hosting passwords, and always select complicated and unique passwords.

You can also think about implementing Two-Factor Authentication (2FA) for your WordPress with Google Authenticator plugin.

Make sure you are Using Secure Hosting with a Good Reputation

Many hacks occur because website owners tend to save on web hosting by selecting the cheapest offer on the market. Web hosting companies should keep all server side software (e.g. PHP, MySQL, Apache) up to date and also maintain all patches and security fixes.

Proper user segregation is also very important, as one user should never be able to access any information of another (files, logs, databases). Not because your hosting neighbors are necessarily hardened cybercriminals, but if their own website is hacked then yours will also be hacked automatically if you don’t have proper user segregation.

Backups are also very important: they should be regular and securely stored outside of the main site server. Many web hosting companies have their backups (and backup of backups) stored in the web server file system, and accessible to a web server user. Almost all of these issues can be prevented if you select a good hosting company with a solid reputation. Don’t save money on your security.

Make Sure your Own PC is Well Protected

Once attackers have compromised a website administrator or designer’s PC a direct compromise of the website isn’t far behind.

Once your PC is hacked, cybercriminals will grab all the credentials and accounts they can to continue their intrusion or to sell them on to their criminal partners.

Follow common sense: make sure your antivirus is enabled and is up to date, don’t click on suspicious links you receive by mail, in comments or via social networks. Don’t trust public Wi-Fi or public PCs, and login only from your own computer and only via trusted networks. An SSL certificate may be very helpful to reinforce the security of your connection to the website, also increase visitors’ trust, and even improve your ranking in Google.

For larger sites you amy also condider using a web penetration testing service, such as High-Tech Bridge, to help find vulnerabilities on your site.

By following these simple guidelines, you can secure your WordPress from over 90% of intrusions. 

Tags: 

• Content Management
• WordPress
• Security
• Story

About the Contributor

Rory Oza

Content writer on B2B, web technology and digital marketing.