Choosing WordPress as the CMS for your website is almost a slam-dunk. WordPress powers just over 20% of all the websites on the Internet worldwide, which means it is a well-tested and widely accepted platform; with 20% of the world’s websites running on WordPress, you can be assured that it is a quality platform.
There is a downside to the popularity of WordPress among website owners, however. Its popularity means it is also popular among hackers, and because the core code is openly available (WordPress is open source), hackers are able to find and exploit vulnerabilities in your WordPress site more easily.
There are things you can do to harden your site.
Let’s take a look at some simple things you can do to keep hackers moving along to an easier target than your site.
- The first thing you need to understand is that no site can be totally, completely, 100% secure. Any site can be hacked. We read in the news periodically about prominent sites, even sites of government agencies that you would think would be secure, like the IRS and the Department of Defense, being hacked. Just recently, during the holiday season, it was big news when Target and Neiman Marcus had their sites hacked and credit card information stolen. These are large, expensive, and well-maintained websites, yet hackers found security weaknesses on them that they were able to exploit. You have one thing going for you, as compared to these examples, to help keep your site secure. While your site is very important to you and to your customers, in the eyes of a hacker it is not nearly as important a target as the Department of Defense or Neiman Marcus. Those kinds of sites are under constant attack, while yours (and mine) are relatively obscure in the grand scheme of things, and not as obvious a target.
- The first security item you should consider for your WordPress site comes before you even install WordPress on a hosting account: your choice of host. Unfortunately, most hosting companies win new customers by emphasizing how inexpensive their hosting service is. Yes, there are some hosting companies that are both very inexpensive and have best practices in place to maintain site security for their customers. For example, all of the sites owned by the principals of HayleStorm Interactive are , and Host Gator is both inexpensive and does an excellent job of securing its customers’ websites against hacking.
- The next item to address, and one of the simplest to keep up with, is to always keep your WordPress core installation up to date. On your WordPress dashboard there are two options: “Home” and “Updates”. When you select the Updates option, you are taken to a page that tells you what version of WordPress you are running, whether it is the latest version, and the current status of your plug-ins and themes. Because WordPress is open source, any hacker can easily find out what the current version is and, more importantly, can see what changes were made in the current version. Most WordPress updates are security-related, so when a hacker sees that you are running a version of WordPress that is not up to date, the hacker also sees which security vulnerabilities are available on your site to be exploited (basically, every security vulnerability fixed before the current version). For this reason, it is very important to always be running the latest version of WordPress.
- You need to be just as security conscious about your plug-ins and themes as you are about core WordPress itself. Because plug-ins and themes are built to work with core WordPress, when WordPress is updated it can expose plug-ins and themes as exploitable security holes in your site. You need to do two things to keep your plug-ins and themes from giving hackers access to your site. First (this is a debatable point, but it is how we look at it at HayleStorm Interactive), consider the source of your plug-ins and themes very carefully. A Google search for “free WordPress themes” or “free WordPress plug-ins” will return dozens, if not hundreds, of websites that will give you free themes and plug-ins. Beyond the free resources are premium, or paid, plug-ins and themes. Again, a Google search for “premium WordPress plug-ins” or “premium WordPress themes” will return dozens of sites. While there are certainly many free WordPress themes and plug-ins available from all of these various sites, we suggest that, except in very, very rare instances, you source your free WordPress themes from the and your WordPress plug-ins from the . The WordPress theme repository has about 8,000 themes, while the WordPress plug-in repository has between 15,000 and 20,000 plug-ins. Using themes and plug-ins from the WordPress repositories is not a guarantee that they will be hacker-proof, but it does increase the odds of your site remaining secure.
When buying premium themes and plug-ins, always check your source, and then check it again. Read reviews. Check when the theme or plug-in was last updated. Has it been updated since the last WordPress update, or is it four updates out of date? If it is being updated far more slowly than the WordPress core, then it is not keeping up with the potentially exploitable areas of WordPress and needs to be avoided.
(This goes for the themes and plug-ins in the WordPress repositories as well. These are far less likely to be out of date, but a few do slip through and remain in the repository when they should have been deleted for being outdated.)
After the core installs (WordPress, theme, and plugins), what else can I do to stop a hacker attack?
There are four primary points of attack that hackers use against a website. These are:
An attack through your hosting company, an attack on the core WordPress software, an attack through plug-ins and themes that are not properly coded or are out of date, and a Brute Force Attack. The precautions listed above will do a very good job of stopping the first three. Preventing the last one, a Brute Force Attack, depends on the site owner or manager taking certain precautions after the core installations are done.
Let’s take a look at the ways to minimize the chances of a successful Brute Force Attack.
- The most used, and least secure, username in WordPress is “admin”. Some WordPress installation procedures used by some hosting companies automatically assign this username to a WordPress installation. Change it. Immediately. The easiest way to attack a website is for a hacker to simply log into it, just like you do, by using the correct username and password. By using “admin” as your username you have given a hacker half of the combination. The only thing left standing between the hacker and your website would be the password, so pick a different username. Do not use a username that could be easily guessed from just a small amount of information about you, the site owner. If your name is John Smith, do not use “JSmith” or “jsmith” as your username. Do not use your date of birth or company name either. Use something that you are able to remember, but that would be obscure to anyone else.
- The same goes for your password. The most commonly used password on the Internet is “password”. The second most used password on the Internet is “QWERTY” (the first six letters of the top row of letters on your keyboard, capitalized). Use some imagination. Some basic parameters would be a minimum of seven characters, a combination of letters, digits, and special characters (&^@/?), and a random mix of uppercase and lowercase letters.
Many people do not like to take these password precautions because it is such a PITA to keep up with a lot of different passwords. The solution is simple: (it has both free and premium versions; I use the free version and have all I need). It will both generate secure passwords for you and then remember them so you don’t have to keep a written list. In just a few clicks, you can log in to anything on the Internet that requires a username and password to access your account.
- We talked about this above when discussing how to choose themes and plug-ins, but it needs to be addressed here as well. Once installed, keep your themes and plug-ins updated, along with your core WordPress install. Also, if you have plug-ins and themes installed that you have deactivated because you chose a different one to do the job (changing caching plug-ins, for example), don’t just deactivate the old plug-in or theme… delete it. Unused, deactivated plug-ins and themes that are still installed are a relatively easy exploitable back door into your site for a hacker.
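As an added illustration (not part of the original post or any HayleStorm Interactive tooling), the username and password advice above written as checks you could run when creating a WordPress account: the owner's name, company and date of birth are assumed inputs, the special-character set extends the few the post lists, and names are assumed non-empty.

```python
import re
import secrets
import string

# Password policy as stated in the post: at least seven characters, letters,
# digits, special characters, and a mix of upper- and lower-case letters.
MIN_LENGTH = 7
SPECIALS = "&^@/?!#$%*-_=+"  # assumption: superset of the post's examples

def password_meets_policy(password: str) -> bool:
    """True when the password satisfies every rule of the policy above."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SPECIALS for c in password)
    )

def generate_password(length: int = 16) -> str:
    """Generate a policy-compliant password using the OS CSPRNG (secrets)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS]
    chars = [secrets.choice(cls) for cls in classes]  # one from each required class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide which positions were forced
    return "".join(chars)

def weak_username_candidates(first: str, last: str, company: str = "",
                             birth_date: str = "") -> set:
    """Usernames derivable from public facts about the owner (coarse heuristic)."""
    f, l = first.lower(), last.lower()
    cands = {"admin", f, l, f + l, l + f, f[0] + l, f + l[0], l + f[0],
             f + "." + l, f + "_" + l, f + "-" + l}
    if company:
        cands.add(re.sub(r"[^a-z0-9]", "", company.lower()))
    digits = re.sub(r"\D", "", birth_date)  # e.g. "1975-04-12" -> "19750412"
    if digits:
        for stem in (f, l, f[0] + l, f + l):
            cands.update({stem + digits, stem + digits[:4], stem + digits[-2:]})
    return cands

def username_is_weak(username: str, first: str, last: str,
                     company: str = "", birth_date: str = "") -> bool:
    """True when the chosen username is one a guesser would try first."""
    return username.lower() in weak_username_candidates(first, last, company, birth_date)
```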
There are more technical aspects to making your site even more secure that we will go over in another post, but by following the steps outlined here you will have hardened your site enough that most hackers will go looking for a softer target.