What Is The Best Way To Protect WordPress Sites From Hackers?


January 5, 2021 by Agnes Talalaev

Why do you need to protect WordPress sites from hackers? There is actually a simple answer: there is a war going on on the internet right now. And the target is not you, specifically, but your resources – the data you have, your server resources, and more.

For that, hackers have built automated tools. They are developers like you, but their aim is to build tools that break, not create. And in many cases, unfortunately, they are successful. When they are successful, you suffer reputation loss, money loss, and time loss.

To make their lives harder and ultimately block their success, we have invested in building a tool to protect WordPress sites from hackers.

This article gives you some statistics to shed light on the current situation in the market. It explains the biggest problem in WordPress security, how to tackle that problem, and what you need to do to keep bad things like malware infections away from the sites you manage.

Some statistics

Preparing for cybersecurity breaches is part of having or managing a website, no matter what business you’re running. The latest Cyber Readiness Report found that small and medium-sized companies were likely to suffer multiple attacks. What’s more – 59% of small and medium firms surveyed already had faced an attack.

There’s some more worrisome information. Nearly half, 47%, of small businesses were attacked in 2019, up from 33% in 2018. The average cost of an attack for small businesses was $14,000, depending on the severity and type of attack.

Despite this, only 14% of small businesses had a plan in place to fight off cyber attacks.

Here’s a bit of context on how attacks happen. The 2020 Data Breach Investigations Report found that web applications were a major reason why websites were hacked. It’s a big problem for WordPress websites in particular. Estimates show that 98% of WordPress vulnerabilities are related to plugins.

This should give you a good idea of just how important security is for you, especially if you’re using WordPress as your content management system.

And most problems you’re likely to face will come from plugins and themes because these applications are built by third-party developers.

Does this mean WordPress plugins are not safe?

Right now, you have an opportunity to choose from over 58,000 plugins on the WordPress repository and the plugin review team approves each one.

They approve the plugin when it is first listed on the WordPress plugin repository, ensuring that it works as intended and follows WordPress’s security guidelines.

However, that’s not enough to keep you safe. Even the most efficient review team can’t guarantee that all applications are safe.

For example, look at the App Store or Google’s Play Store. Despite being heavily-guarded marketplaces, reports of breaches are more common than you would think. In April 2020, researchers claimed that Apple’s default email app for the iPhone has a security flaw that has existed for over 10 years.

Then there are the dangers of being an open-source platform. WordPress’s success as a CMS is because of how popular it is with individual developers. Every single plugin and theme is built by developers because they see value in making a service available to WordPress users.

It has all worked well. WordPress is the most popular CMS in the world. It’s estimated that 40 percent of all websites globally run on WordPress. In fact, it’s such a trusted product that almost 40 percent of the top one million sites use WordPress.

Screenshot from https://w3techs.com/

This leads us to the next big question. Does this mean WordPress is a vulnerable platform? The answer is no. The problem does not lie in the WordPress core.

Why are there so many vulnerabilities in WordPress sites?

Well, it’s not WordPress itself. The CMS is developed constantly and the few vulnerabilities are patched up quickly. As we said before, it’s usually plugins and themes that make websites vulnerable.

However, using older versions of WordPress can leave your website open to attacks as well. According to WordPress, only 24.2 percent of users have updated to version 5.5, their latest.

WordPress Version from https://wordpress.org/about/stats/

At least 79.2 percent have updated to version 5 or newer. That still leaves millions of websites running older versions. In 2012, it was reported that Reuters was using an outdated version of WordPress when the site was hacked. That’s a big mistake at a big company.

Users often prefer not to update their CMS because they worry it could break their website or change their current workflow. The same is true for updating plugins and themes. You should never run older versions of plugins and themes. In fact, outdated plugins and themes are also the number one reason for websites getting hacked.

Imagine a fresh plugin coming out of development. The plugin developer wants the plugin to be added to the WordPress repository, so the WordPress security team reviews it and points out problems, and after fixes the plugin is allowed into the WordPress repository.

The problem arises when plugins get updates, because these updates are no longer reviewed by any security team, and this is usually how vulnerabilities end up in plugins. Should you not update the plugins, then? No. Updates can also contain security fixes for vulnerabilities that have been found.

How to protect WordPress sites from hackers?

Now that you know that even your website can be a target and how you’re likely to be targeted, you should do something about it. Here are some basic steps you should take to protect WordPress sites from hackers. They don’t require too much technical expertise:

1. Keep your WordPress CMS, plugins, and themes updated

We have already stressed how important it is to keep all software up to date. Don’t worry about how your website will change with an update as there’s always a way to fix anything that might break.

Screenshot from WebARX portal.

In fact, you should ensure all software is updated, including your web server, PHP, and your database (like MySQL) if you’re administering it yourself. PHP is often overlooked when it comes to website security, but it is an integral part of your WordPress site, and having the latest version is good web development practice in general.

2. Choose the right hosting environment

It’s probably a bit late if your website is already up and running. But hosts offer some security and it’s a good idea to research any concerns you might have about the hosting service of your choice.

You should check for two things. One, check if your host provides the latest updated stable versions of all server software. Two, there needs to be a reliable way to back up and recover your website.

3. Weak password use is a problem

Passwords, as for every digital service, are the first line of defense for your WordPress website. A weak password can give someone admin privileges. It might seem silly, but far too many people use weak passwords.

This applies to the WordPress admin, your hosting account, and any email addresses attached to your domain. Learn more about password management and how to make managing passwords 10 times easier here.

Make sure yours is not on this list of the top ten most frequently used passwords:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 111111
  6. 12345678
  7. abc123
  8. 1234567
  9. password1
  10. 12345

4. Two-factor authentication

Try a plugin to set up WordPress two-factor authentication. It adds a second layer of security, usually a text (SMS) message, a phone call, or a one-time password (OTP).

Screenshot from WebARX two-factor authentication setup process.

This will let you know when someone is attempting an unauthorized login, and you can get more information from your WordPress activity logs.

5. Keep a WordPress activity log

It’s a simple but useful practice. An activity log records all major changes on your website. Take a quick look at it every time you log in. You’ll have to install an activity log plugin or use WebARX.

Screenshot from WebARX portal.

There are tutorials available on analyzing raw logs. Once you get comfortable doing it, you’ll know when theme and plugin editors are being used, when widgets are updated and when posts or pages are added. You can identify the IP addresses of attackers and block them.

6. Install an SSL certificate

An SSL certificate, often available for free, allows a secure connection between a browser and a website over HTTPS (HyperText Transfer Protocol Secure). Small website owners sometimes ignore it because they don’t ask for payment information.

Picture from: Why It Is Mandatory to Have an SSL Certificate on Your Website – Omniconvert Blog

Well, a credit card number is not the only thing that needs to be kept safe. You also get the benefit of greater user trust and some SEO gains.

7. Keep your WordPress admin area safe

You should have noticed this. By default, your WordPress site’s login URL is yourdomain.com/wp-admin. Even if a hacker can’t get your login credentials right, why take the chance? You can use a plugin to change the login URL, and it’s not difficult to do.

8. Backup your website online

Backups allow you to restore your site in case something happens. Once again, there are plugins to do this. It’s best to back up to a cloud service like Amazon or Dropbox if you can bear the extra cost.

9. Get a Web Application Firewall (WAF)

This is a big step in ensuring increased security. It’s an investment that’s worth it because a WAF adds a level of sophistication and expertise to your website’s defense system.

A simple example of what a firewall does is limit login attempts by a user. This protects you from brute force attacks. A web application firewall does a lot more – read more about it here.

It’s a great tool to have if you’re serious about your website, no matter what business you’re building.

Why do you need a web application firewall?

Well, hackers always find new and improved ways to target websites, often through WordPress plugins.

To protect WordPress sites from hackers you need to work proactively while keeping an eye on the security of your sites as well. There are many myths about WordPress security which are covered here.

You should also choose a managed WAF because cybersecurity needs round-the-clock monitoring and management. Inadequate maintenance can result in spam content on your website or backdoor access that results in data theft.

You might not even be aware of it unless you know what to look for. A managed WAF can do a number of things to prevent attacks and let you know you’re vulnerable.

Here are some benefits:

  • A managed WAF keeps up with the latest software releases and bug fixes. Vulnerabilities in WordPress plugins and themes are the number one reason why websites get hacked. For example, the WebARX web application firewall is automatically updated to prevent plugin and theme vulnerabilities.
  • A managed service is streamlined to your needs. Apart from being protected from OWASP’s top 10 vulnerabilities, you can also write your own rules. If you notice something suspicious about your website’s traffic, you can try to correct it with custom rules.
  • Round-the-clock monitoring means you will be alerted any time there’s something critical for you to look into. With WebARX, for example, you can get alerts on Slack or email.
  • You can adopt modern security practices quite easily, including the likes of two-factor authentication and reCAPTCHA. In addition, a managed WAF is aware of compliance requirements, such as GDPR cookie and privacy policy rules, so that you don’t break rules without being aware of them.
  • Regular security scans and reports will give you a better understanding of web security. Even if you start out as an amateur web designer, you can gain actionable insights into cybersecurity.
  • To a certain extent, you can avoid having to hire a cybersecurity expert to look into your website. Not all businesses operate at the scale that allows for such an expense.

In short, the best way to protect WordPress sites from hackers is through a combination of things. You need to apply the best security practices and then add a layer of expertise in the form of a web application firewall.

When it comes to cybersecurity, there are no guarantees, and it’s about being prepared rather than trying to recover from a hack.
