WordPress Security

The WordPress world is huge. It’s the most popular CMS (Content Management System) in the world, currently sitting at 63,6% of the CMS market share.

It’s a rising trend – one year ago (July 2019) its market share was 60,8%. Almost 30% of internet users run on WordPress! Not talking about you, Dark Web!

The runner-up is Shopify, a popular easy-to-use eCommerce CMS, whose market share grew from 2,9% to 4,5% over the last year.

All other widely known CMSs are losing market share. Wix, Joomla, Drupal, Magento and Squarespace are all on a negative trajectory (though their absolute number of websites is still increasing).

Infographic: How Many Websites Are There? | Statista

On the chart above, you can see roughly the number of active websites worldwide. You can see that during the last 5 years, the number of websites has doubled!

Why WordPress?

WordPress is the CMS of choice for many reasons, the main one being that it’s 100% open source. This means it’s free to download and free to use, with thousands of free themes and plugins in its official WordPress.org repository alone.

Highly Customizable

Alongside the free customizable content come paid add-ons and theme packs that further extend the functionality of your websites. Once you understand how WordPress works, you will find that it has a trick up its sleeve for almost anything.

With it, you can build:
• Personal blogs
• Restaurant websites
• Listing / Job directories
• Full-scale Webshops
• Raffle / Competition website
• Use its backend as an application engine
And more!

It really does have a plugin for everything!

Where concern strikes in

If no one has your database or WordPress admin username and password, how can anyone harm your website? And why would they? Well, I’m no expert in hacking ethics, but I guess they just do. And since they just do, they will build nasty bots to invade or attack your site.

So, what can you do to defend yourself? There are a lot of factors which affect your vulnerability. We will list a number of them below and give advice on how to take the steering wheel into your own hands, and try to cover as many bases as possible.

If you are a fan of live statistics, you may as well check out the websites hacked today live feed.

Vulnerability Factors / Security Layers
#1 Hosting Provider

This is where I would like to finally emphasize that cyber-security is not God-given, nor is it free. In most cases, you just want to keep your site as it is and have good, uninterrupted uptime.

Your hosting provider is number #1 on the list because, more often than not, WordPress runs on a shared hosting plan. Shared hosting is a type of hosting where you share a physical machine’s (a computer/server) resources. All users are located on the same physical disk. You can probably guess what happens when another hosting account on your shared server gets compromised.

You get compromised along with it. But not if the hosting company takes security seriously!

Other hosting accounts located on your shared server may indulge in illegal activities, install malicious code, or simply pose a risk to everyone else because they don’t keep their software updated.

Luckily, there are hosting providers, like ours, Fastcomet, who take security very seriously and do their best to secure that layer of imminent danger. Measures include automated DDoS and brute force attack shielding, environment isolation / caging, backups, human monitoring and more. Shared hosting can be great if it is managed by the right hands.

So, what’s the solution to this? You can purchase more expensive hosting plans where you get dedicated servers or VPS hosting. These cost more and are used for larger-scale operations, but they provide additional security layers.

Also note that managed hosting plans are perfect since they provide managed software solutions like cPanel, which is full of goodies that let you further improve your security, plus quality 24/7 support that will hop in straight away if something unexpected happens.

#2 WordPress updates

WordPress gets updated often, as do its plugins and themes. The main reason for this is added functionalities and features, but the often-overlooked reason is security patches.

Only about 30% of WordPress websites are regularly updated and run the latest WordPress version. If you count in the plugins as well, the number drops considerably.

According to Wordfence, almost 56% of compromised WordPress websites were attacked through plugin vulnerability exploits.

Like all software, WordPress can contain “holes” which can be exploited by bad actors. Keeping it updated lowers the chances of getting hacked.

This is also where you need to filter out plugin/theme creators. Most content-creating companies take their creation and updating seriously. But there is also downloadable content published by individuals or freelancers. You should check that the plugin is compatible and tested with your current version of WordPress, and that its latest update is no more than 3 months old. If it isn’t compatible, tested and recently updated, I would recommend staying away from it.
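The vetting rule above (compatible, tested with your WordPress version, updated within the last 3 months), applied to a plugin’s listing data as an added example that is not part of the original post. The array keys mirror the fields a WordPress.org plugin page shows (“Requires WordPress”, “Tested up to”, “Last updated”); the sample listings are constructed.

```php
<?php
// Added example: encode the post's plugin vetting rule as a check over listing data.
// Listing arrays are constructed here; in practice you read them off the plugin page.

function majorMinor(string $version): string {
    // "5.4.2" -> "5.4": "Tested up to" is published at major.minor granularity.
    return implode('.', array_slice(explode('.', $version), 0, 2));
}

function vetPlugin(array $info, string $siteWpVersion, DateTimeImmutable $today): array {
    $reasons = [];

    // Compatible: the plugin must not require a newer WordPress than the site runs.
    if (version_compare($info['requires'], $siteWpVersion, '>')) {
        $reasons[] = "requires WordPress {$info['requires']}, site runs {$siteWpVersion}";
    }

    // Tested: the "Tested up to" line must cover the site's major.minor release.
    if (version_compare($info['tested'], majorMinor($siteWpVersion), '<')) {
        $reasons[] = "tested only up to WordPress {$info['tested']}";
    }

    // Recently updated: the last release must be no older than three months.
    $cutoff  = $today->sub(new DateInterval('P3M'));
    $updated = new DateTimeImmutable($info['last_updated']);
    if ($updated < $cutoff) {
        $reasons[] = "last updated {$info['last_updated']}, more than 3 months ago";
    }

    return ['ok' => $reasons === [], 'reasons' => $reasons];
}

// Constructed sample listings, checked against a site running WordPress 5.4.2 in July 2020.
$today   = new DateTimeImmutable('2020-07-15');
$samples = [
    'well-maintained-gallery' => ['requires' => '5.0', 'tested' => '5.4', 'last_updated' => '2020-06-20'],
    'abandoned-slider'        => ['requires' => '4.6', 'tested' => '4.9', 'last_updated' => '2019-11-01'],
    'too-new-forms'           => ['requires' => '5.5', 'tested' => '5.5', 'last_updated' => '2020-07-10'],
];

foreach ($samples as $slug => $info) {
    $verdict = vetPlugin($info, '5.4.2', $today);
    echo $slug, ': ', $verdict['ok'] ? 'OK' : 'AVOID (' . implode('; ', $verdict['reasons']) . ')', PHP_EOL;
}
```

Only the first listing passes; the second fails the tested and freshness checks, the third fails the compatibility check.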

Also, the Envato Market and its affiliates have the widest collection of paid, well-tested and maintained content.

#3 SSL certificates

What is an SSL certificate?

Simply put, it’s a cryptographic credential that contains information about your domain, identity and location. It is used to establish a secure connection between you and the server – the message is encrypted and can only be decrypted with a key that only your browser has, so it cannot be intercepted or broken.

This is why SSL certificates have become a staple technology widely used on the World Wide Web.
They are also publicly available for FREE under most shared hosting plans.
NOTE: If your hosting company doesn’t provide free SSL certificate installation (via cPanel or automatically), find a new one that does, immediately.

Sites with SSL certificates also rank higher in search engines.

#4 Hide WordPress folders & login pages

Since the WordPress directory layout is well known to attackers, a few tricks can single-handedly save you from many automated bots.
WordPress has a fixed folder structure that can easily be rewritten with FREE plugins.

This is an example of a plugin that will allow you to run a simple setup to rename your WordPress folders to random strings (you can also do it manually). Be sure to hide & rewrite your /wp-admin page as well!

#5 Firewall

A firewall is a vigilant feature, and you are probably familiar with the name due to the Microsoft Windows Firewall.

It serves to protect your site/server from security threats.

When we talked about the hosting providers, I have mentioned that firewalls can be a security feature offered with your hosting plan.

The firewall here is another layer of security, this time the one that protects your website and its directories from brute force attacks, mass login attempts or DDoS attacks. It comes in the form of a cloud firewall feature offered via a CDN (Content Delivery Network).

Take Cloudflare for example. Our server uses Cloudflare’s service for two reasons: first security, second caching.

If you are wondering whether, or which, CDN a site uses, you can check it on CDN Planet. Be sure to type in domains in the form “www.domain.tld”. TLD stands for Top Level Domain, such as .com or .org.

Two other popular options are all-in-one security plugins, such as Sucuri or Wordfence.

#6 Backups

Backups are an important part of any digital strategy, added security being just one of the benefits.

An automated backup service is critical to your online operations, as it does the job for you, saving incremental database backups to external storage.

This is where your hosting provider also comes into play. Do they offer incremental backups that are easy to access? Again, if the answer is no, you should change your hosting provider.

The standards change rapidly, and you shouldn’t be paying for a service that no longer meets the demands of the 203rd decade.


#7 PHP updates on the server

Your hosting server will most likely run on a certain PHP version.

PHP is the programming language that WordPress is built on. WordPress is essentially a system of thousands of PHP loops and functions.

PHP updates arrive regularly, delivering speed improvements and security fixes. Did I mention SEO rankings?

Be sure to update your PHP version in the cPanel or any other software your provider is using, when a new one rolls out. The new version will be mostly backwards-compatible and will not cause any problems with your current WordPress installations.

#8 Disable comments if not necessary

Bots love spamming. Your website doesn’t necessarily have to get a spammy comment published for you to know that spam bots are around. It has probably been filtered by your, hopefully by now, multiple security layers. Disabling comments via your theme options or plugins will save tons of bandwidth on your server.

#9 Limit bot crawling/login attempts

Another wise option is to turn on a “stop bad bots” feature. It usually comes in the form of a lightweight plugin, or bundled with other security or SEO plugins on the market.

Also, best practice dictates limiting login attempts to your site, to stop unwanted attackers or bots from accessing your files.
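One way to limit login attempts without a third-party plugin, as an added example that is not part of the original post or of any plugin it names. It is a minimal WordPress plugin file using the core wp_login_failed, authenticate and wp_login hooks and the transients API; the threshold and lockout window are assumptions you should tune, and the client address lookup is a simplification (see the comment).

```php
<?php
/*
 * Plugin Name: Minimal Login Attempt Limiter (illustrative example)
 * Description: Locks an IP address out of wp-login for a while after repeated failures.
 */

const MLAL_MAX_FAILURES   = 5;       // failures tolerated per window (assumed value)
const MLAL_WINDOW_SECONDS = 15 * 60; // lockout window in seconds (assumed value)

// One counter per client address, stored as a transient that expires with the window.
// Caveat: behind a CDN or reverse proxy (e.g. Cloudflare) REMOTE_ADDR is the proxy's
// address unless your host restores the real client IP; otherwise all visitors share a key.
function mlal_counter_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'mlal_' . md5($ip);
}

// Count a failed login; the expiry restarts with every failure.
function mlal_record_failure(string $username): void {
    $key   = mlal_counter_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, MLAL_WINDOW_SECONDS);
}
add_action('wp_login_failed', 'mlal_record_failure');

// Refuse authentication while locked out, even if the password is correct.
// Priority 30 runs after core's username/password check (priority 20).
function mlal_check_lockout($user, string $username, string $password) {
    if ((int) get_transient(mlal_counter_key()) >= MLAL_MAX_FAILURES) {
        return new WP_Error(
            'mlal_locked_out',
            sprintf('Too many failed logins. Try again in %d minutes.', MLAL_WINDOW_SECONDS / 60)
        );
    }
    return $user;
}
add_filter('authenticate', 'mlal_check_lockout', 30, 3);

// A successful login clears the counter for that address.
function mlal_clear_on_success(string $user_login, WP_User $user): void {
    delete_transient(mlal_counter_key());
}
add_action('wp_login', 'mlal_clear_on_success', 10, 2);
```

Drop the file into wp-content/plugins/ and activate it; failed attempts from one address beyond the threshold then receive the WP_Error message instead of a login until the window expires.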

Final Thoughts

We use all of the aforementioned strategies and security layers to provide maximum security to our partners. When making a new website, all of these features come included, be they for large eCommerce sites or simple company brochure sites.

WordPress itself is only, excuse me here, a means to an end. Your website and data are only as safe as the security bases you have covered. Be sure to implement everything you can to be properly safeguarded.

If you have any questions, comments or have found an incorrect statement, send us a message via email or social media.