At The Loop Marketing, we have been designing websites almost exclusively with WordPress since 2010.
Because WordPress is open source, business users often ask whether a WordPress site can really be secure. It is certainly a tempting target: it powers roughly 40% of all websites, its file layout and login page are easy to fingerprint, and once a vulnerability in its core, a theme or a plugin is disclosed, anyone can look up exactly which versions are affected. Attackers usually compromise WordPress sites to send spam through the server’s mail system or to plant hidden pages that boost their own search rankings.
If Google detects malware on a WordPress site, it can drop the site from search results or show visitors a warning page before they reach it; neither is good for business. Ransomware attacks on WordPress sites have also been reported more often recently, although they remain rare and mostly target higher-profile sites.
How do you keep a WordPress site safe? The key to security comes down to three pillars: parts, updates, and passwords.
Choosing the parts of the site carefully is an essential first step.
If you choose a public WordPress theme that is actively maintained, its developer will ship a fix whenever a vulnerability is found, and applying that update promptly closes the door. DIY WordPress builders should look just as closely at the plugins they choose: a plugin runs with the same privileges as WordPress itself, so one that is poorly written or no longer maintained is a security liability for the whole site.
The history of plugin vulnerabilities is long and well documented, and attackers will likely keep finding holes faster than plugin developers can close them. Building a secure custom theme with our own code instead of a plugin wherever possible (as we do) gives us more control over that risk, because every third-party plugin removed is one less codebase whose fixes we depend on; the trade-off is that custom code must be reviewed and maintained with the same care, since a bug in it is ours alone to find.
Next, when updates for WordPress core, themes or plugins become available, install them promptly if they are not applied automatically. WordPress installs minor core releases (mostly security fixes) on its own by default; major core releases, themes and plugins must be updated from the dashboard unless you turn on automatic updates for them. Many of these updates fix security issues, and once a fix is public the unpatched version is a known target. Applying an update is usually as easy as clicking a button.
Keep in mind that any update carries some risk of breaking the site. Make regular backups of both the files and the database that you can restore if something goes wrong, and when possible try updates on a staging copy before applying them to the live site.
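The backup-then-update routine described above, scripted with WP-CLI, as an added example (this is not code from the original post or from The Loop Marketing). It assumes WP-CLI is installed as `wp` and that the script runs from the site’s root directory; the `verify-checksums` steps compare the installed core and plugin files against the checksums WordPress.org publishes, which only covers plugins hosted there.

```shell
#!/bin/sh
# Added example, not code from the original post: back up a WordPress site,
# then update core, plugins and themes with WP-CLI, and verify the installed
# files against the checksums WordPress.org publishes for each release.
# Assumes WP-CLI is installed as `wp` and the script runs from the site root.
set -eu

WP=${WP:-wp}                        # WP-CLI binary (overridable for testing)
BACKUP_DIR=${BACKUP_DIR:-./backups} # where database dumps are written

# Dump the database before anything changes, so a bad update can be rolled
# back. Prints the path of the dump. Back up wp-content/ separately (rsync,
# tar, or your host's snapshot) so theme and plugin files can be restored too.
backup_db() {
    mkdir -p "$BACKUP_DIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    dump="$BACKUP_DIR/db-$stamp.sql"
    $WP db export "$dump" >/dev/null
    echo "$dump"
}

# Apply every available update, then compare core and plugin files with the
# official checksums. A mismatch means a file was modified in place, which is
# either a broken update or a sign that the site already carries injected
# code; under set -e the script stops there so the operator can look before
# the site goes back into service.
update_site() {
    $WP core update
    $WP plugin update --all
    $WP theme update --all
    $WP core verify-checksums
    $WP plugin verify-checksums --all
}

main() {
    dump=$(backup_db)
    echo "database backup written to $dump"
    update_site
    echo "update complete, installed files match WordPress.org checksums"
}

# Run as: sh wp-update.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

If the checksum step fails, do not simply re-run it: restore the backup, find out which file differs and why, and only then update again. Premium plugins that are not distributed through WordPress.org cannot be verified this way and are reported as such.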
Finally, and by far most importantly, WordPress passwords need to be very strong.
Most WordPress sites have their login page at “domainxyz.com/wp-admin” (which sends you on to wp-login.php), so bots can find it without effort and mount what is called a “brute force” attack: guessing common usernames and passwords automatically, at a rate of thousands per minute. Bots also target xmlrpc.php, the XML-RPC endpoint, which accepts the same credentials and lets them batch many guesses into a single request. Brute force attacks are the most common security threat a WordPress site faces.
Most people leave the administrator’s username as “admin”, which leaves the password as the only barrier to access. In just five minutes an automated bot can try 10,000 to 20,000 password variations, and a simple password is likely to be among them.
More sophisticated attacks also pull public information about the company and combine it into guesses: the domain, the company name, employee names, phone numbers and ZIP codes. An easy-to-remember password like “theloop60661” becomes an easy lock to pick.
For a WordPress site with many administrators, security comes down to the weakest link, so every site and organization should have a policy against weak passwords; a password manager issuing a long, generated password for each account makes this painless, and two-factor authentication on administrator accounts means a guessed password alone is not enough. You should never have a WordPress user named “admin”. Some developers also recommend moving the login page away from “domainxyz.com/wp-admin”, but treat that as a speed bump at most: a determined bot can still find the new location, and WordPress reveals usernames anyway through author archive links and its REST API, so the password has to do the real work.
Advanced WordPress security plugins, such as Sucuri or Wordfence, can limit login attempts to blunt brute force attacks, run regular vulnerability scans, and give early warning if your site has been compromised. I can say with 100% certainty that these programs have stopped malware attacks on sites we have designed and managed.
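A way to see the brute force pattern described above in your own server logs, and to check for the default “admin” account, without installing anything beyond WP-CLI. This is an added example, not code from the original post or from either plugin; the log lines it analyses are constructed for the demonstration, and it assumes WP-CLI is installed as `wp` and run from the site root.

```shell
#!/bin/sh
# Added example, not code from the original post: find a password-guessing run
# against wp-login.php in an Apache/nginx combined-format access log, and list
# administrator accounts still using the default "admin" login via WP-CLI.
# Assumes WP-CLI is installed as `wp` and the script runs from the site root.
set -eu

WP=${WP:-wp}                  # WP-CLI binary (overridable for testing)
THRESHOLD=${THRESHOLD:-20}    # login POSTs from one IP before it is reported

# Constructed sample log (not real traffic): 203.0.113.7 posts to the login
# form 25 times in under a minute; 198.51.100.2 loads the form and logs in
# once; 192.0.2.9 only browses the site.
make_sample_log() {
    i=0
    while [ "$i" -lt 25 ]; do
        printf '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.31"\n' "$i"
        i=$((i + 1))
    done
    printf '198.51.100.2 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3198 "-" "Mozilla/5.0"\n'
    printf '198.51.100.2 - - [10/Oct/2023:13:56:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    printf '192.0.2.9 - - [10/Oct/2023:13:57:02 +0000] "GET / HTTP/1.1" 200 15833 "-" "Mozilla/5.0"\n'
}

# Read a combined-format log on stdin. Field 6 is the quoted method, field 7
# the path; count POSTs to wp-login.php and xmlrpc.php (the XML-RPC endpoint
# accepts the same credentials and is a common alternative guessing route)
# per client IP, and print "count ip" for every IP over THRESHOLD, highest first.
flag_login_floods() {
    awk -v limit="$THRESHOLD" '
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > limit) print hits[ip], ip }
    ' | sort -rn
}

# Print any administrator whose login is literally "admin" (any case). Such an
# account should be replaced by a new administrator with an unguessable login,
# and the old one deleted with its posts reassigned.
find_default_admin() {
    admins=$($WP user list --role=administrator --field=user_login)
    printf '%s\n' "$admins" | grep -ix 'admin' || true
}

main() {
    log=${1:-}
    echo "IPs with more than $THRESHOLD login POSTs:"
    if [ -n "$log" ]; then
        flag_login_floods < "$log"
    else
        echo "(no log file given, using the constructed sample)" >&2
        make_sample_log | flag_login_floods
    fi
    echo "administrator accounts still named admin:"
    find_default_admin
}

# Run as: sh wp-login-check.sh run [/var/log/apache2/access.log]
if [ "${1:-}" = "run" ]; then
    shift
    main "$@"
fi
```

On the constructed sample the first section prints `25 203.0.113.7`; the legitimate user with one login POST is not reported. Run against a real access log, the IPs it lists are the ones a login-limiting plugin or a firewall rule should already be blocking, and a long list of distinct IPs each just under the threshold is the signature of a distributed attack that per-IP limits alone will not stop.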
Just because WordPress is a popular website design tool and a popular target doesn’t mean you have to lose sleep over security, but it does mean you should stay vigilant. With the tips above, your WordPress website can be as secure as it needs to be, but it never hurts to have a developer seasoned in malware eradication on call. For any questions on website design or WordPress security, get in touch with us or stop by our frequent free “office hours” sessions.