A secure WordPress website: our best practices

WordPress, one of the most popular content management systems in the world, often faces scrutiny regarding its security. This perception, while partially valid in the past, is outdated and largely inaccurate when WordPress is managed and maintained properly. With the right expertise and vigilance, a WordPress website can be just as secure, if not more so, than websites built on other platforms.

Importance of securing your WordPress website

To understand how to keep your WordPress website safe and protected, it’s essential to grasp the significance of website security. A compromised website can lead to various detrimental consequences, including:

Data breaches: A compromised WordPress website can expose sensitive information such as customer data, login credentials, and financial details to unauthorized individuals. This can result in identity theft, financial loss, and damage to your reputation.

Malware infections: Malicious software, commonly known as malware, can infect your WordPress website and compromise its functionality. Malware can redirect visitors to malicious websites, steal sensitive information, or even take control of your website’s resources.

Search engine blacklist: If your WordPress website is infected with malware or involved in malicious activities, it may be blacklisted by search engines like Google. This can significantly impact your website’s SEO ranking and organic traffic.

Loss of trust: A security breach can erode the trust of your visitors and customers, damaging your brand reputation and potentially leading to decreased sales and customer churn for e-commerce.

Common security vulnerabilities

To effectively secure your WordPress website, it’s crucial to be aware of common security vulnerabilities that attackers often exploit:

Outdated Software: Failing to update your WordPress core, plugins, and themes regularly can leave your website open to known vulnerabilities that have been patched in newer versions.

Weak Passwords: Using weak or easily guessable passwords for your WordPress admin account or database can make it easier for attackers to gain unauthorized access.

Insecure Plugins and Themes: Installing untrusted or outdated plugins and themes can introduce vulnerabilities to your WordPress website. Always download plugins and themes from reputable sources and ensure they are actively maintained by their developers.

Unprotected wp-config.php File: The wp-config.php file contains sensitive information such as database credentials. It’s crucial to ensure that this file is not publicly accessible and has the appropriate file permissions.

Lack of Security Measures: Neglecting to implement basic security measures like SSL/TLS encryption, regular backups, and security plugins can leave your WordPress website vulnerable to attacks.

Targeting the masses: How hackers exploit WordPress’s popularity

One of the main reasons WordPress is considered insecure is its enormous market share. According to recent statistics, 63.3% of websites with a CMS run on the open-source WordPress platform. This means it is a large and attractive target for hackers and malefactors. A good metaphor to illustrate this is a “scattergun approach”. Hackers generally are not looking for one specific target but try to hit a large number of sites, hoping some prove to be vulnerable. This contributes to the thought that a ‘WordPress website is not safe’.

Thanks to WordPress’s large market share, the chances are higher that a random attempt by a hacker will hit a WordPress site. However, by applying a little protection to your website, you can avoid the vast majority of these attempts. In other words, if you properly secure and maintain your WordPress website, it becomes much harder for hackers to succeed. While the large number of WordPress sites makes it an attractive target, this does not mean your individual site is automatically vulnerable, as long as you take the right security measures.

Diverse users, Diverse security needs

WordPress is so popular and user-friendly that it is used by both large companies and organizations as well as smaller, non-business users.

 

This means there is a wide variety of people responsible for managing and maintaining WordPress websites. Unfortunately, not all users have the knowledge or expertise to properly secure their website.

Expertise matters

When building and maintaining a custom WordPress website, it’s important to choose a reliable partner. There are many parties creating WordPress websites, ranging from independent developers working in attics to ISO 27001 certified digital agencies. By choosing a reliable partner, you can trust that your website will be properly secured and maintained.

When choosing a builder or WordPress hosting provider, it is important to consider their experience, expertise, and references, as well as the security measures they take to ensure your WordPress site remains safe.

Is WordPress easy to hack?

While WordPress is not inherently insecure, the risk of hacking increases if updates are neglected or weak login credentials are used. Regularly updating and choosing strong login credentials can improve security.

In the hands of an experienced WordPress agency, you can expect this.

Core principles of WordPress security

Keeping WordPress Core, Themes, and Plugins Updated

At the time of writing, just under half of WordPress installations are running the latest version, and only 21% are running a PHP version that still receives security updates. Outdated software is at greater risk of security issues.

It is crucial to perform regular updates and ensure your PHP version is up-to-date, so you can benefit from the latest security updates and features.

Software updates, particularly for the latest minor version of WordPress Core, should be applied as quickly as possible.

Automating WordPress updates saves time and ensures prompt application, enhancing overall security. Regular updates and automation are crucial for a secure and efficient IT infrastructure. Additionally, automation allows for faster response times to vulnerabilities and threats, ensuring that security patches are applied as soon as they become available. WordPress has a built-in auto-update feature, which also applies to WordPress plugins.

Plugins: Be Vigilant

Plugins are a convenient way to quickly add functionality to your WordPress website. However, they can also pose a security risk. Poorly designed or outdated plugins can introduce vulnerabilities that hackers can exploit. Therefore, it is important to be cautious when choosing and using plugins.

To minimise risks, it is advisable to conduct audits and use only reliable and well-maintained plugins. Therefore, we work closely with trusted plugin builders (such as Yoast and Gravity Forms) who respond quickly to incidents and security issues.

It is important to stay informed of security incidents that may affect the websites we manage. That’s why we subscribe to newsletters and updates from reliable sources reporting incidents. This allows us to respond quickly and take necessary measures before a vulnerability is exploited.

The Strength of Passwords and User Permissions

Strong Passwords

To create robust passwords, combine uppercase and lowercase letters, numbers, and symbols. Avoid reusing the same password across multiple accounts, as this makes it easier for attackers to gain access to your information. Utilize password managers like 1Password or LastPass to help you generate and securely store complex passwords. WordPress users should be encouraged to pick a strong password.

User Roles and Permissions

Assign user roles and permissions based on the principle of least privilege, granting only the access necessary for employees to perform their tasks. Regularly review and revoke access privileges promptly when an employee leaves the organization to minimize the risk of unauthorized access.

Two-factor authentication (2FA/MFA)

Enable two-factor authentication (or multi-factor authentication) as an additional layer of security. When you log in, you’ll be prompted to enter a code sent to your mobile device, ensuring that even if your password is compromised, unauthorized access is prevented.

Single Sign-On (SSO)

Implement single sign-on (SSO) to allow users to use the same login credentials across multiple applications and services. This eliminates the need to remember multiple passwords and reduces the risk of password fatigue, making it more convenient and secure for users. Reputable platforms like Microsoft Azure Active Directory or Google Workspaces provide robust SSO solutions.

By implementing these account security best practices, organizations can significantly enhance the protection of their accounts, deter potential threats, and safeguard sensitive information.

Advanced Security Measures

While WordPress is quite safe out of the box, there are some improvements you can make to further strengthen the security of your website. By using the right configuration and WordPress security plugins like WordFence or Sucuri, we can minimise potential vulnerabilities for you and secure WordPress.

We recommend disabling unnecessary features, such as XML-RPC, to reduce potential attack points. Some plugins offer this as a built-in security feature.  They can also provide another layer of security by restricting access to the WordPress login url, or forcing users to log out after a certain period. They will also give security tips and enforce industry standard security practices.

Limit login attempts to block hackers

Limiting the number of login attempts allowed for a user account in WordPress provides several key benefits, including enhanced security against brute-force attacks and credential stuffing, reduced risk of account lockout, and an improved user experience.

When implementing login attempt limits in WordPress, organisations should consider best practices such as gradually increasing limits, communicating with users, monitoring and adjusting limits based on login patterns, and combining login attempt limits with additional security measures like two-factor authentication (2FA) and password strength requirements we mentioned earlier. 

Rate limiting can be applied in real-time to both ip addresses, and the username the login is attempted for.

This should keep bots out of your user accounts.

Limiting file access

If you’re looking to prevent the web server from making any changes to files, you’ll want to reach out to our technical partner or hosting provider. They can help you implement the DISALLOW_FILE_EDIT directive in the wp-config.php configuration file. This will disable file editing and creating any files from the WordPress dashboard.

And to make sure the server can’t access any files it shouldn’t, you’ll need to enforce file access restrictions through the server’s permission settings. That way, the server won’t be able to read, write, or execute any files that it’s not supposed to. Just an extra hurdle to prevent attackers from implementing backdoors, placing malicious code on your web server and  helps keep your site safe.

Is WordPress reliable?

As far as we’re concerned, yes. WordPress is as reliable as other software products, provided it is regularly maintained and updates are installed promptly. That’s what we’re on top of. And that’s the trust our customers, like large webshops, municipalities, and charities, also have.

Dealing with malware and security breaches

Malware, malicious software, can infect systems and cause issues ranging from data theft to system crashes. Security breaches occur when unauthorized individuals gain access to sensitive data or systems, leading to potential harm or financial loss.

Importance of vulnerability scanning and removal tools

To protect your website, use a comprehensive vulnerability scanner and malware removal tools.

A vulnerability scanner can check your website for known security issues and assist in identifying potential threats. Malware scanning and removal tools detect and remove malware, preventing future infections. They work by comparing files against a database of known malware signatures and removing matches.

Keeping your website in a software versioning system, such as git, and having an up-to-date database backup can also assist in quickly going back to state before any suspicious activity.

Guarding against specific attacks

Some attacks are more common than others. The OWASP top 10 list defines these security threats. Though most breaches happen through weak passwords, and outdated software, some are caused by more targeted methods. 

SQL injection and cross-site scripting (XSS) attacks

SQL injection and cross-site scripting (XSS) attacks pose severe threats to website security. SQL injection exploits vulnerabilities in database queries to manipulate data and gain unauthorised access. Essentially leaking information from your WordPress database. XSS attacks involve injecting malicious scripts into websites, enabling attackers to steal sensitive information or redirect users to malicious sites. 

Understanding the mechanisms of these attacks is crucial for implementing effective defensive strategies. These include input validation, secure coding practices, and implementing web application firewalls (waf). 

Additionally, organizations should regularly conduct security audits and educate users about potential threats. By adopting a proactive approach, websites can protect their data, maintain user trust, and mitigate the risks associated with SQL injection and XSS attacks.

Defending Against DDoS Attacks

Distributed Denial of Service (DDoS) attacks are malicious attempts to overwhelm a server or network with excessive traffic, causing it to become unavailable for legitimate users. Such attacks can lead to loss of productivity, reputational damage, and financial losses. Strategies to mitigate DDoS risks include implementing robust firewalls, intrusion detection and prevention systems, rate limiting, and deploying DDoS mitigation services.

How do you know a website is secure?

From the outside, it’s hard to tell if a website is safe or not. There are plenty of examples of large companies or institutions, such as LinkedIn, Adobe, or the RIVM, that have had data breaches despite a lot of investment in security.

However, there are a few things to look out for:

  • Does the website have a valid SSL certificate?
  • Are there visible seals of approval from independent parties, such as Thuiswinkel Waarborg?
  • Are there past data breaches? How has the company behind the website dealt with them?
  • Does the website provide clear instructions on how to report a security breach if discovered?

In Summary

It’s clear that WordPress websites are sometimes considered insecure due to various factors such as the platform’s popularity, the diverse user base, the varying quality of website builders, and the need to keep software up-to-date. However, with the right expertise and attention to security, a WordPress website can be just as secure as any other platform.

Do you also want a secure WordPress website?

We would love to tell you more about the steps we take to ensure that your site and your users’ data remain protected.

Get in touch with us