Your website, whether it is for a business or a personal project, is one of the most powerful assets you can have. It’s your online home where visitors can learn more about what you have to offer, get in touch with you, and hire you or buy your products.
By now, you probably know that WordPress is the most popular platform for building websites. However, that popularity comes at a price: statistics show that nearly 70% of all WordPress installations are vulnerable to hacking attempts.
So how secure is WordPress? Protecting your site is of paramount importance; however, many WordPress users make mistakes while trying to secure their WordPress website.
In this post, we’ll discuss the most common WordPress security mistakes (the kind that lead to a hacked website) and offer advice on how to fix them. Hopefully, these WordPress security tips and this WordPress security checklist help protect your website.
About Common WordPress Hardening Mistakes:
The mistakes on this list do not require any special knowledge to fix, but they can have a big impact on how secure your website is. If you’re asking how to secure a WordPress website from hackers, whether you’re a WordPress beginner or a more advanced user, go through this list so you can take the appropriate steps and make your WordPress blog more secure.
Mistakes People Make While Hardening WordPress:
- Not Applying Updates
- Using Poorly Coded Themes and Plugins
- Not Updating Plugins and Themes
- Leaving Your Login Area Unprotected
- Not Using Appropriate User Roles
- Leaving Unused Themes and Plugins Installed
- Not Using a Secure Host
- Not Performing Malware Scans
- Using Weak Passwords
- Not Backing Up Your Website
- Not Using Built-In WordPress Security Measures
1. Not Applying Updates
Keeping WordPress updated is of the utmost importance. The WordPress security team issues regular updates so that users get access to new and improved features and so that any potential security issues are fixed. Major WordPress core releases are applied automatically and usually bring new features along with their security updates. Minor updates, however, are the ones that contain security fixes and patches, and those are not carried out automatically.
Instead, it is up to us to make sure those updates are installed as they are released. You can easily spot when an update is available thanks to the dashboard notification, so go ahead and update WordPress as soon as you see it.
2. Using Poorly Coded Themes and Plugins
Another mistake that is often the main cause behind a hacked website is using poorly coded plugins and themes. This also applies to downloading popular premium themes offered for “free” on third-party websites.
Using such themes can slow down your site. And what’s worse, they can be incompatible with your version of WordPress or any plugins you have. Not to mention they may contain malicious PHP code.
While it might be tempting to download a premium theme for free, keep in mind that there is a pretty good chance you’ll wind up paying for malware removal sooner rather than later so it’s not really worth the hassle. A good majority of premium themes are much cheaper than hack repair so save yourself a headache and the money.
Use themes and plugins that come from the official repository or reputable third-party marketplaces and developers. If a free theme comes with a premium version, make sure to download it from the developer’s website.
Look for themes and plugins that have a higher rating and good reviews as well as a high number of downloads. You’ll also want to make sure that the plugin or theme is updated regularly and actively maintained.
3. Not Updating Plugins and Themes
WordPress themes and plugins also release their own updates, which not only add new features but also fix various bugs and security problems.
They need to be updated manually from your dashboard, just like WordPress itself, so make sure to apply those updates as they are released. As a best practice, update WordPress plugins one by one and then proceed with theme updates. This reduces the chance of an update going wrong, and if the worst happens, you’ll be able to identify which plugin was the culprit. It’s also better to delete unused plugins and themes instead of keeping them deactivated.
4. Leaving Your Login Area Unprotected
If you’ve been using WordPress for any length of time, you probably know how to access your login page and the WordPress admin area. Unfortunately, just as you’re aware of that information so are the hackers.
That’s why you need to harden your WordPress login screen. Luckily, this is not hard to do and can prevent hackers from gaining access to your site. Here are some tweaks that help limit logins and protect the login area and your login credentials:
- Change your display name in the Users section so it’s not the same as your admin username. The display name appears on every published post, so if the two match, hackers already know your username and only need to guess your password to get in.
- Limit login attempts to stop brute force attacks. Using a WordPress security scan plugin like MalCare can help you with this.
- Adopt 2-Factor Authentication with a plugin like Two Factor Authentication.
5. Not Using Appropriate User Roles
If you have multiple users on your WordPress site, make sure you assign each of them an appropriate user role. For example, if you have several contributors, there is no need to grant all of them admin access. Doing so makes it easier for hackers to break into your site, as there is no guarantee that all users will follow security best practices.
6. Leaving Unused Themes and Plugins Installed
It’s not uncommon for many WordPress website owners to keep trying out new themes or plugins. After all, finding the right theme or plugin is not an easy task. However, many of us are guilty of leaving them installed on our site, even if we end up not using them.
This poses a security risk, as hackers can take advantage of theme and plugin vulnerabilities even when those themes and plugins are not active on the site. As such, you need to make sure that you not only deactivate unwanted themes and plugins but also delete them from your site.
By doing so, you’ll minimize the risk of hackers using them to execute malicious PHP code. You’ll also free up server space, which helps your site run faster.
While you’re at it, go through your media library and remove any unused images, thumbnails, and uploaded files that are no longer relevant, as well as any inactive user accounts. All of the above can be a malware entry point to your site, so don’t take any chances. Before deleting any inactive user accounts, remember to assign their content to another user so you don’t lose any valuable and relevant content.
7. Not Using a Secure Host
WordPress hosting comes in many shapes and sizes, from cheap shared hosting to more expensive managed hosting and dedicated web servers. But not all hosting providers are created equal. Some are more secure than others, which is often reflected in the pricing plans. Your web host affects your website’s security.
Bear in mind that when it comes to website hacking, in some cases the hackers may not be after your site but another site that shares the same server as you. If you’re using cheap, shared hosting with no security measures in place, a hacked website can bring down all the sites on the same server.
Given the above, it’s easy to see why the saying “you get what you pay for” rings true when it comes to hosting. As such, choosing a reputable hosting company is important.
While this means you’ll pay more for your hosting account plan, keep in mind that with higher prices comes better security as well as better customer support overall, not only in the case of an attack. Paying more also means that you’ll save money in the long run as you won’t have to shell out extra cash to have your site cleaned up after an attack. This is especially true if you have a business website so look at it as a sound business investment in one of your most valuable assets.
8. Not Performing Malware Scans
One of the worst things about having malware on your site is the fact that malware can enter your site unnoticed and remain hidden for a very long time. Even while it’s hidden, it can harvest sensitive data, track your visitors, and insert backlinks to malicious websites or execute malicious scripts.
If you don’t notice or suspect anything is wrong, that’s not the case with the search engines. They will notice malware on your site and start de-indexing your site to prevent malware from spreading onto other websites. Soon, you’ll notice a drop in traffic and wonder what’s going on.
Unfortunately, by that time it’s already too late, which is why you need to perform regular malware scans on your site. Luckily, there are several free plugins that can help you scan your site for malware. Some of these plugins also come with security features beyond scanning that make your site more secure, such as adding a captcha to the WordPress login, brute-force login protection, disabling file editing, and more.
9. Using Weak Passwords
If you’re in the habit of using the same usernames and passwords for every online account you own or if you’re using something that’s easy to guess like your birthday or your loved one’s name, you’re guilty of using a weak password.
While it’s true that keeping track of all your passwords is not easy, and that coming up with a strong password of your own for each and every website or service can be cumbersome, there is no excuse for using weak passwords when there are services like LastPass available for free.
A weak password makes a hacker’s job easier so don’t give them the satisfaction of getting access to your site. Use LastPass to generate unique, strong passwords for your website’s admin area (and every other website you’re using), hosting control panel, and your email. It’s also a good idea to change your password every six months or so and to use a mix of uppercase and lowercase letters, numbers, and symbols.
10. Not Backing Up Your Website
Even if you’ve taken all the precautions and implemented all the security measures above, your job is not done. The number of online threats is growing on a daily basis and the methods online hackers are using are getting more and more sophisticated by the day.
As such, it’s crucial that you get in the habit of backing up your site on a regular basis. Without a backup, you run the risk of losing years of content and having to rebuild your site from scratch. With a backup, you could easily restore your site in a matter of hours.
However, be sure to use best practices when it comes to WordPress backups:
- Back up your database as well as all your WordPress files, which include themes, plugins, the wp-content folder, the .htaccess file, and the wp-config.php file.
- The frequency of the backup depends on how often you make changes to your site. If you publish new content several times a week, a daily backup will be better than a weekly one.
- At the same time, make sure you store the backup offsite and in several different locations.
- Lastly, be sure to test backups regularly to make sure they function properly.
Backup solutions like BlogVault follow these backup best practices.
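An added example (not from the original post or from any backup product it mentions) of the “test your backups” point: a checker that opens a backup archive and verifies the items listed above are actually in it. It assumes the backup is a zip holding the site files plus a .sql database dump, builds a constructed archive in memory to run against, reads the table prefix from the backed-up wp-config.php to confirm the dump belongs to that site, and flags a backup older than the allowed interval.

```python
import io
import re
import zipfile
from datetime import datetime, timedelta, timezone

REQUIRED_FILES = ("wp-config.php", ".htaccess")
REQUIRED_DIRS = ("wp-content/themes/", "wp-content/plugins/", "wp-content/uploads/")
CORE_TABLES = ("options", "posts", "users", "usermeta")  # a restore is useless without these

def build_sample_backup(with_db=True, prefix="wp_"):
    """Constructed in-memory zip standing in for a real backup archive (not from the post)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("wp-config.php", f"<?php\n$table_prefix = '{prefix}';\n")
        z.writestr(".htaccess", "RewriteEngine On\n")
        z.writestr("wp-content/themes/twentytwentyfour/style.css", "/* theme */")
        z.writestr("wp-content/plugins/akismet/akismet.php", "<?php")
        z.writestr("wp-content/uploads/2024/03/hero.jpg", b"\xff\xd8\xff")
        if with_db:
            z.writestr("database.sql", "".join(f"CREATE TABLE `{prefix}{t}` (id int);\n" for t in CORE_TABLES))
    return buf.getvalue()

def verify_backup(archive_bytes, taken_at, now, max_age=timedelta(days=1)):
    """Return the problems found; an empty list means the backup passes every check."""
    problems = []
    z = zipfile.ZipFile(io.BytesIO(archive_bytes))
    names = set(z.namelist())
    problems += [f"missing {f}" for f in REQUIRED_FILES if f not in names]
    problems += [f"nothing under {d}" for d in REQUIRED_DIRS if not any(n.startswith(d) for n in names)]
    dumps = [n for n in names if n.endswith(".sql")]
    if not dumps:
        problems.append("no database dump (.sql) in archive")
    elif "wp-config.php" in names:
        # Read the table prefix from the backed-up wp-config.php and confirm the dump uses it,
        # so a dump taken from the wrong site or with the wrong prefix is caught before restore day.
        m = re.search(r"\$table_prefix\s*=\s*'([^']*)'", z.read("wp-config.php").decode())
        prefix = m.group(1) if m else "wp_"
        sql = "".join(z.read(d).decode() for d in dumps)
        problems += [f"dump lacks table {prefix}{t}" for t in CORE_TABLES if f"`{prefix}{t}`" not in sql]
    if now - taken_at > max_age:
        problems.append(f"backup is older than {max_age}")
    if z.testzip() is not None:
        problems.append("archive is corrupt")
    return problems

def check_sample(hours_old=6, with_db=True):
    """Run the checks on the constructed archive against a fixed reference time."""
    now = datetime(2024, 3, 10, tzinfo=timezone.utc)
    return verify_backup(build_sample_backup(with_db), now - timedelta(hours=hours_old), now)
```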
11. Not Using Built-In WordPress Security Measures
Finally, WordPress itself comes with several security measures that help with hardening. However, for a hardened WordPress website, you need to know what to look for. Here’s how you can take advantage of them.
- Disallow file editing by adding the following line to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
- Remove the WordPress version number to make it harder for hackers to guess which security vulnerabilities they can exploit. Add this to the top of your theme’s functions.php file:
remove_action( 'wp_head', 'wp_generator' );
- Use the SALT key generator to replace the default set of security keys that are added to the wp-config.php file.
- Protect your uploads folder by adding the following to its .htaccess file (Order/Allow/Deny is Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat, or the equivalent Require directives):
<Files ~ ".*\..*">
Order Allow,Deny
Deny from all
</Files>
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|mp4|pdf)$">
Order Deny,Allow
Allow from all
</FilesMatch>
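Two of the wp-config.php items above (DISALLOW_FILE_EDIT and replacing the default security keys) as an added audit-and-fix script; this is not the post’s own code and it runs against a constructed wp-config.php excerpt. The fresh keys are generated locally with Python’s secrets module rather than fetched from the WordPress SALT key generator, and the script assumes the standard $table_prefix line is present to anchor the new define.

```python
import re
import secrets
import string
# The eight secret keys that the WordPress "SALT key generator" replaces.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFAULT_PHRASE = "put your unique phrase here"  # placeholder shipped in wp-config-sample.php
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false|['"](?:[^'"\\]|\\.)*['"])\s*\)\s*;""")

# Constructed wp-config.php excerpt (not from the post): default keys and no DISALLOW_FILE_EDIT.
SAMPLE_CONFIG = """define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""

def parse_defines(config_text):
    """Map constant name -> value, with the quotes stripped from string values."""
    return {n: (v[1:-1] if v[0] in "'\"" else v) for n, v in DEFINE_RE.findall(config_text)}

def audit_wp_config(config_text):
    """Return findings for the two wp-config.php checks; an empty list means both pass."""
    defines = parse_defines(config_text)
    findings = []
    if defines.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: the dashboard theme/plugin editor is enabled")
    for key in SALT_KEYS:
        value = defines.get(key)
        if value is None or value == DEFAULT_PHRASE or len(value) < 32:
            findings.append(f"{key} is missing, still the default, or shorter than 32 characters")
    return findings

def fresh_salt(length=64):
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"  # no quotes/backslashes
    return "".join(secrets.choice(alphabet) for _ in range(length))

def harden_wp_config(config_text):
    """Give every secret key a fresh 64-character value and switch DISALLOW_FILE_EDIT on."""
    def rewrite(m):
        return f"define( '{m.group(1)}', '{fresh_salt()}' );" if m.group(1) in SALT_KEYS else m.group(0)
    hardened = DEFINE_RE.sub(rewrite, config_text)
    if parse_defines(hardened).get("DISALLOW_FILE_EDIT") != "true":
        line = "define( 'DISALLOW_FILE_EDIT', true );\n"  # must come before wp-settings.php is loaded
        hardened = hardened.replace("$table_prefix", line + "$table_prefix", 1) if "$table_prefix" in hardened else hardened + line
    return hardened
```

Changing the keys logs every user out, since existing cookies were signed with the old values.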
It’s worth mentioning that you can implement most of these fixes with a WordPress hardening plugin like MalCare if you don’t feel comfortable editing the code yourself. MalCare is an excellent security and hardening plugin for WordPress. It offers a plethora of features, including a web application firewall (WordPress firewall) and the ability to find the IP addresses that have been trying to log into your website unsuccessfully.
Some of the other ways you can harden your WordPress site are changing WordPress file permissions, changing WordPress user permissions, website file integrity monitoring, using an SSL certificate, password protecting your login page, changing the default WordPress login page, or even disabling directory listing. Keeping an eye on the error logs and the activity or audit logs can also help significantly reduce threats to your website.
Any WordPress security expert will tell you that safeguarding your website is the most important task you have, if you want your visitors to have the best user experience and your reputation to remain untarnished. You can further harden your website by changing the WordPress database table prefix or by performing a security audit, among other things.
However, security is not just about installing a WordPress security plugin (like MalCare, Sucuri Security, iThemes Security or Wordfence) or scanning your site for malware. It also involves a lot of smaller tweaks that will help you stay ahead of potential vulnerability exploits. Now that you know what the common security mistakes are and how to fix them, you can avoid leaving your site vulnerable to attacks such as SQL injection. Take a look at some of the posts on our WordPress security blog to learn more about WordPress hardening.
You can also try out MalCare’s Site Hardening features, which offer advanced website hardening techniques. Using MalCare, you can harden your website with just a click of a button. If you enjoyed this article, check out our WordPress security guide to learn how to secure your website from bad guys.