With hack attacks gaining prominence over the years, WordPress security has become a much-discussed issue. WordPress currently supports over 60 million websites. Thus concerns surrounding its security is understandable. But constant speculation has also lead to the creation of a number of myths surrounding WordPress security. In this post, we intend to present our readers a reality check and help them identify and understand the real threats.
Myth no 1: WordPress is Not Secure
When a WP site gets hacked, many users are quick to blame WordPress for the compromise. But how far is the platform really responsible? Let’s find out:
WordPress core is quite secure, and it’s manned by hundreds of developers. But WordPress does not exist in isolation. Its ecosystem includes themes and plugins that are often the main culprit behind a hacked site. Besides, the onus of keeping a site safe also lies with the website owners. Whenever a vulnerability is discovered, plugin developers quickly release a patch in the form of an update. But it’s up to the site owner or site admin to update the plugin. Security of a WordPress site is, therefore not dependant on WordPress alone. It’s a combined effort.
Myth no 2: Updated Sites Cannot be Hacked
Although we keep stressing the importance of regular updates, it can’t guarantee complete protection. But keeping a site updated can improve security and reduce the chances of a compromise. You’ll be surprised to know that out of the thousands of plugins available in the WordPress plugin repository; many are not updated. One report shows that out of 37,300 plugins 17,383 were found to be outdated.
Hackers are known to target unmaintained and vulnerable plugins to break into your site. When installing a plugin, it is advised that you checked when it was last updated. Also, remove outdated plugins, if any.
But there is a catch. One disadvantage of updating themes and plugins is if they prove to be incompatible with the current WordPress version, and can end up breaking your site.
Myth no 3: Restoring Backups Will Clean Your Site
Taking backups is a fundamental security measure. When a website goes down because of a hack, one easy way of cleaning s site is by restoring backups. It can quickly get the site up and run within a few hours. But backups cannot replace the cleanup process. When a website is compromised, hackers store millions of files on the site that helps them execute their malicious intent. When you restore backups, these added files are not deleted therefore your site remains hacked.
Moreover, what if the backup itself is infected? Unknown to you, the hack may have occurred months ago, and your backup plugin has been taking backups of the infected files. Now restoring these infected backups is not an option. Cleaning the site with a security plugin like MalCare, Sucuri is then the only solution.
Myth no 4: Using SFTP Helps Protects Your User Credentials
SFTP or Secure File Transfer Protocol is a secure way of connecting with your WordPress site, but security here is not absolute. Despite the use of SFTP protocol, malicious hack attacks like the “man-in-the-middle” are known to successfully retrieve usernames and passwords. The solution is to encrypt credentials.
To access some of MalCare and BlogVault (our sister product) features, we need our customers to enter SFTP credentials. Being aware of the risk we just mentioned, we encrypt the credentials so that, no one, not even our team has the authority to read user data.
Myth no 5: IP Blocking Keeps Malicious Visitors at Bay
Websites that are constantly recording suspicious failed login attempts can identify the IP addresses of the attackers and block them. But there is a flaw in this practice. Hackers use a number of IP addresses to launch attacks on websites. When you block one IP, they switch to another. Moreover, improper IP blocking can crash your site which can take a long time to restore back to normal. We have even heard of one or two cases where the site owner or admin is locked out by mistake.
Myth no 6: Password Protecting the “wp-admin” Page is Easy
Password protecting your WordPress wp-admin (login page) is a commonly recommended security practice. While it can be useful, it’s not easy to implement. Website owners trying to password protect the page have often faced problems related to the AJAX functionality. Apart from this, there’s the risk of forgetting a password with no easy way of retrieving it. Another way of protecting the default WordPress login page from hack attempts is by preventing failed login in attempts made by bots. MalCare Firewall blocks bots from accessing your site by the use of CAPTCHA-based protection. Too many failed login attempts enable a CAPTCHA that bots are unable to read or solve.
Myth no 7: Hiding Your Entire Website Will Keep it Safe
WordPress is not just the world’s number one website building platform but also the top target in a hackers list. To avoid becoming a target, many website owners resort to “hiding WordPress” which basically refers to the concept of obscuring the existence of your blog on the internet. Sometimes, site owners hide WordPress versions to avoid hacker and malicious bots from taking advantage of any vulnerability in the core.
The truth is, these security measures don’t always work. There are multiple means by which hackers can detect your site or find the site’s WordPress version. Moreover, hiding WordPress site is known to have caused sites to break.
Myth no 8: Hiding the Login Page Stops Brute Force Attacks
One common way of dealing with brute force attack is by hiding your login page. Although a step towards tightening your website security, it fails to provide complete security.
Hiding the login page generally refers to changing the login page URL. “wp-admin” is the default WordPress login page that can be changed to say “example.com/login” by using a plugin. But these plugins offer only a few login page URL. Hacker can easily extract these URL and find out the relocated login page of your site. Moreover, changing your login page is also known to cause an incompatibility issue.
Myth no 9: Changing Database Table Prefix Improves Security
(Picture Credit: icontrolwp)
Changing prefix of the WordPress database tables is said to prevent SQL injection attacks on your WordPress site. This basically involves changing the default “wp_” value to a different value like “xyz_”.
Although a popular notion, in reality, this does not stop hackers from retrieving the list of database tables from the website they have hacked. Hackers don’t need to know the names of the tables beforehand to find them. Moreover, any error while changing the database table prefix could cause your WordPress site to crash.
Myth no 10: Firewall Guarantees the Safety of Your Site
Firewall is often viewed as a mighty saviour from various kinds of hack attempts, but the truth is far from it. Firewall is not equipped to prevent DDoS attacks, therefore, are unable to provide complete security to a WordPress website.
Myth no 11: You Can Manually Find a Hack
One popular notion amongst the WordPress community is that if their site has been hacked, users can manually search and find malware. A typical method includes looking up for keywords like Base64_decode, eval, etc. but the method is flawed. One, because these are also legitimate codes found in plugins and two, hacks are not always easily identified as they are complex and may have unidentifiable codes. This is why a security plugin like MalCare is recommended for scanning and cleaning a hacked site.
Myth no 12: Web Host Providers Are Always Responsible for Security Breaches
In the event of a security compromise, people are quick to blame web hosts. It’s true that in shared hosting if even one website is infected, the chances of all the other websites on the network being infected are high. But web hosts are rarely responsible for security hacks. Vulnerable plugins and themes are often the main cause of websites being compromised.
Over to You
We hope you are now a bit more aware of the myths surrounding WordPress security. If you want us to add or address any more myths to this list, please write to us. And don’t forget to share what you have learned here today with your followers.