WordPress Security – Is Your Site Secure?

July 19 2015

James Hipkin

Every day there is another news article regarding WordPress security, a hack, a phishing attempt, malware, all sorts of nasty stuff.

But this couldn’t happen to my site. No way. I don’t have to worry, my site is small, I don’t get much traffic. WordPress security isn’t something that I need to worry about.

We see banned-IP notices from even small sites, two or three a day. These are IP addresses trying to access files that don't exist, usually probes looking for plugins with known security issues, or looking for wp-admin and wp-login.php. This is one reason we change the default login URL to something unexpected (/something-unexpected). Be clear about what that buys you: it keeps the dumbest bots from finding the login form, but it is obscurity, not protection, so it has to sit alongside the brute force protection, strong passwords and updates described below.

The truth is, unless you have taken steps to protect it and are actively managing it, your WordPress site is probably not very secure.

Here at Red8 Interactive we take WordPress security seriously. For us WordPress security is like a HHAM sandwich:

  • Hosting – top of the list because it’s most important – cheap and cheerful is not the way to go
  • Hardening – simple steps that can harden your site against hacker bots
  • Access – only as much as is needed and require strong passwords
  • Maintenance – keep the software up to date, WordPress and plugins

Each of the above is important, each must be considered if your site is to be safe from hacker bots.

Context Please

Do you understand how hackers gain access?

This is of course super over-simplified, but still… Hackers watch for software updates, be it WordPress, a plugin or even server software. They compare the update with the previous version to see what changed. If the change closes a security hole, even one they didn't know about before, they know about it now, and they program their bots to look for sites still running the old version. When a bot finds one, it exploits the hole, since the attacker knows exactly what was fixed, and runs whatever the attacker has planned. The gap between a fix being published and the bots going to work can be a matter of days or less, which is why the Maintenance section below matters so much.
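The banned-IP notices mentioned earlier and the bot behaviour described in this paragraph leave a recognisable trail in the web server's access log. The script below is an added example for this post, not Red8's code or anything a host publishes: it reads Apache/Nginx combined-format log lines, classifies the requests that look like reconnaissance (plugin readme enumeration for version fingerprinting, wp-login.php and xmlrpc.php hammering, guesses at leftover backup files), and lists the IPs that cross a threshold. The log lines, plugin names, patterns and threshold are all constructed for the example; the real blocking is done by the host firewall, WAF or security plugin, not by this script.

```php
<?php
// Added example for this post (not Red8's or any host's code): pick out the
// IP addresses that are probing a WordPress site, from an Apache/Nginx
// combined-format access log. The log lines, plugin names and thresholds
// are constructed for the example. Requires PHP 7.1+.

// Combined log format: ip ident user [time] "METHOD path proto" status ...
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';

// Request shapes typical of automated reconnaissance.
const PROBE_PATTERNS = [
    'plugin-enum' => '#^/wp-content/plugins/[^/]+/readme\.txt$#i', // version fingerprinting
    'login'       => '#^/wp-login\.php$#i',                         // brute force
    'xmlrpc'      => '#^/xmlrpc\.php$#i',                           // brute force via XML-RPC
    'backup-file' => '#(?:\.bak|\.sql|\.zip|wp-config\.php~?)$#i',  // leftover files
];

/** Parse one log line into ip/method/path/status, or null if it does not match. */
function parse_line(string $line): ?array
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

/** Classify a request: a probe category, 'other-404' for a miss, or null for ordinary traffic. */
function classify(array $req): ?string
{
    $path = parse_url($req['path'], PHP_URL_PATH) ?: $req['path'];
    foreach (PROBE_PATTERNS as $name => $re) {
        if (preg_match($re, $path)) {
            return $name;
        }
    }
    return $req['status'] === 404 ? 'other-404' : null;
}

/**
 * Count probe requests per IP and category. IPs whose total reaches $threshold
 * are returned under 'ban' as candidates for the host firewall or WAF.
 */
function find_probers(array $lines, int $threshold = 5): array
{
    $counts = [];
    foreach ($lines as $line) {
        $req = parse_line($line);
        $cat = $req === null ? null : classify($req);
        if ($cat === null) {
            continue;
        }
        $counts[$req['ip']][$cat] = ($counts[$req['ip']][$cat] ?? 0) + 1;
    }
    $ban = [];
    foreach ($counts as $ip => $cats) {
        if (array_sum($cats) >= $threshold) {
            $ban[] = $ip;
        }
    }
    return ['counts' => $counts, 'ban' => $ban];
}

// Constructed sample: 203.0.113.7 enumerates plugins and hits the login page,
// 198.51.100.2 is an ordinary visitor with one typo in a URL.
$sample = [
    '203.0.113.7 - - [19/Jul/2015:10:00:01 +0000] "GET /wp-content/plugins/example-plugin-a/readme.txt HTTP/1.1" 404 209 "-" "bot"',
    '203.0.113.7 - - [19/Jul/2015:10:00:01 +0000] "GET /wp-content/plugins/example-plugin-b/readme.txt HTTP/1.1" 404 209 "-" "bot"',
    '203.0.113.7 - - [19/Jul/2015:10:00:02 +0000] "GET /wp-content/plugins/example-plugin-c/readme.txt HTTP/1.1" 200 812 "-" "bot"',
    '203.0.113.7 - - [19/Jul/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1204 "-" "bot"',
    '203.0.113.7 - - [19/Jul/2015:10:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "bot"',
    '198.51.100.2 - - [19/Jul/2015:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [19/Jul/2015:10:01:05 +0000] "GET /abuot/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
];

$result = find_probers($sample);
foreach ($result['ban'] as $ip) {
    echo "ban candidate $ip: " . json_encode($result['counts'][$ip]) . PHP_EOL;
}
```

Run it with `php probes.php` over a real log by replacing `$sample` with `file('/path/to/access.log')`. Note that a readme.txt request that returns 200 is counted just like a 404: a hit tells the bot the plugin is installed and, from the "Stable tag" line in that file, which version, which is exactly the information the paragraph above says the bots are after.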

And don’t think that because your site is small they won’t be bothered. It’s not personal, and it has nothing to do with size. They will use your site to launch new attacks, so if their efforts are uncovered, your site gets blacklisted, not theirs.

Fun isn’t it.

Hosting

Do not go cheap for hosting. Find a managed WordPress host, pay the price, you will sleep better at night.

We use and recommend WPEngine. The thirty plus sites we host and maintain all use our WPEngine account. We haven’t had a single site hacked, not one. There are other managed WordPress hosts, Pagely for example. But don’t skimp on hosting. Get the best.

In addition to excellent performance, something that’s important in the search engine algorithms, a managed WordPress host is dedicated solely to WordPress. It will have protections in place to block known attack vectors, protections that a cheap and cheerful shared host can’t afford to support.

  • Backups are made nightly and all sites are scanned for malware nightly. Lots of the things you should be doing, they will do for you
  • Known vectors are identified and blocked
  • Core software is updated automatically
  • Plugins that are not being supported and/or have security weaknesses are not allowed

There are other things, things the hosts don’t wish to publicize, but believe me when I say this: a managed WordPress host is on top of security.

You should also consider adding a website firewall (a web application firewall, or WAF). We use and recommend CloudFlare. A WAF blocks traffic from known bad actors before it gets to your site, and CloudFlare’s excellent Content Delivery Network will also improve your website’s performance. One caveat: a proxy like CloudFlare only protects requests that actually pass through it, so your host needs to refuse connections that arrive at the origin server directly; otherwise anyone who learns the origin IP address can simply go around the firewall.

Hardening

WordPress security isn’t hard, there are excellent plugins available that you can use to harden your site. We use iThemes Security. It’s very powerful but it needs to be set up correctly. iThemes has an excellent tutorial, Getting Started with iThemes Security, that will, you know, get you started. There is also a Pro version that’s well worth the cost. Consider it.

And take advantage of Brute Force Protection. It helps your site and helps the community protect all sites.

Network Brute Force Protection takes brute force protection to the next level by further banning users who have tried to break into other sites from breaking into yours. The iThemes Brute Force Protection Network will automatically report IP addresses of failed login attempts to iThemes and will block them for a length of time necessary to protect your site based on the number of sites that have seen a similar attack.

Access

This is probably the easiest thing to control and may, pound for pound, have the most impact.

Not everybody who needs to access the dashboard needs to be an administrator. WordPress ships with a full range of roles (Subscriber, Contributor, Author, Editor, Administrator). Give people the access they need, no more, no less.


Does a user need special access? Tools like User Role Editor let you create custom user roles. We do this on the sites we manage: we create a Manager role that has all the capabilities of an Administrator except that it cannot manage plugins and themes, the two most common ways hackers get their own code onto a site.
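The same Manager role can be created in code rather than through a plugin's UI. The must-use plugin below is an added example for this post, not Red8's own code: it copies the Administrator's capability list, removes the capabilities that let a user install, switch, update, delete or edit plugins and themes (the core capability names are WordPress's own; the grouping and the role name are ours), and registers the result as "Manager". It also strips the user-management capabilities, an addition to what the paragraph describes, because a user who can create or promote users can simply make themselves an Administrator and undo the restriction.

```php
<?php
/**
 * Plugin Name: Manager Role (added example)
 * Description: A role with every Administrator capability except plugin,
 * theme and user management. Save as wp-content/mu-plugins/manager-role.php
 * so it loads on every request and cannot be deactivated from the dashboard.
 * Example code for this post, not Red8's plugin; role name is our choice.
 */

// Core capabilities that let a user change the code running on the site.
const MANAGER_DENIED_CODE_CAPS = [
    'install_plugins', 'activate_plugins', 'update_plugins', 'delete_plugins', 'edit_plugins',
    'install_themes',  'switch_themes',    'update_themes',  'delete_themes',  'edit_themes',
    'update_core', // core updates are a maintenance task, not a content task
];

// Core capabilities that would let a Manager create or promote an Administrator.
// Without this, the plugin/theme restriction is cosmetic.
const MANAGER_DENIED_USER_CAPS = [
    'create_users', 'edit_users', 'promote_users', 'delete_users',
];

function example_register_manager_role() {
    // Roles are stored in the database; build this one only once.
    if ( get_role( 'manager' ) ) {
        return;
    }
    $admin = get_role( 'administrator' );
    if ( ! $admin ) {
        return;
    }
    // Start from the Administrator's granted capabilities ...
    $caps = array_filter( $admin->capabilities );
    // ... and remove the ones a Manager must not have.
    foreach ( array_merge( MANAGER_DENIED_CODE_CAPS, MANAGER_DENIED_USER_CAPS ) as $cap ) {
        unset( $caps[ $cap ] );
    }
    add_role( 'manager', 'Manager', $caps );
}
add_action( 'init', 'example_register_manager_role' );
```

Two blunter switches belong next to this in wp-config.php: `define( 'DISALLOW_FILE_EDIT', true );` removes the plugin and theme code editors for everyone, Administrators included, and `define( 'DISALLOW_FILE_MODS', true );` blocks all plugin and theme installs and updates from the dashboard, which is appropriate when deployments happen some other way. Check the result by logging in as a Manager and confirming that Plugins, Appearance › Themes and Users › Add New are gone from the menu.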

Do not use admin as a user name. Since WordPress 3.0 the installer lets you choose the first user’s name instead of defaulting to admin, but if you have an older site you may still have an admin user. Delete it (the delete dialog lets you reassign its posts to another user). If you leave it, a brute force attack only needs to solve for one thing, the password. Bear in mind that renaming it is not a disguise, because WordPress exposes user names through author archives and login error messages; the point is to remove the one name every bot tries first.

Speaking of passwords, enforce strong passwords. Seriously, this is important. We understand it’s a pain to keep track of strong passwords, and a password manager solves that, but don’t make it easy for hackers; don’t let them gain access because you were lazy.

There is so much more that can be done here, and iThemes Security makes it easy to set up, but don’t skimp: if hackers can’t get into the dashboard, you are a long way towards WordPress security.

Maintenance

So easy to do, so important for WordPress security, so often ignored.

Keep your software up to date. This is all you really need to do.

If it’s a major WordPress release, wait a week or so to let plugin developers catch up, then update the core software and any plugins that need updating. If it’s a minor release (4.2.x), it’s most likely a bug-fix and/or security release: update immediately.

We update plugins monthly. This is usually fine unless there’s a security update. Plugin developers usually announce these, and a good managed WordPress host will be all over it, sending you emails telling you to update the plugin. Don’t ignore these; update right away.
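The update policy described above can be made automatic rather than relying on someone reading the host's email in time. The snippet below is an added example for this post, not Red8's configuration: the wp-config.php line makes WordPress's default behaviour explicit (apply minor 4.2.x releases on its own, leave major releases to you), with the setting some guides wrongly recommend shown commented out beside it, and the must-use plugin opts selected plugins into automatic updates through WordPress's `auto_update_plugin` filter. The plugin slugs are placeholders, not a recommendation.

```php
<?php
// Added example for this post (not Red8's code). Two pieces, each labelled
// with the file it belongs in; plugin slugs are placeholders.

// --- wp-config.php ---------------------------------------------------------
// Weak: some hosts and guides switch automatic core updates off entirely,
// which leaves security point releases waiting for a human.
// define( 'WP_AUTO_UPDATE_CORE', false );
//
// Better, and the policy this post recommends: apply minor (4.2.x) releases,
// which are bug-fix and security releases, as soon as they ship, and leave
// major releases for a manual update once plugins have caught up. This is
// WordPress's default; stating it stops a host or a later edit changing it.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// --- wp-content/mu-plugins/auto-update-plugins.php -------------------------
// Plugins do not auto-update out of the box. Opt in the ones whose maintainers
// reliably ship security fixes, so a "please update now" email from the host
// has usually already been acted on by the time it arrives.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $trusted = [ 'example-plugin-a', 'example-plugin-b' ]; // placeholder slugs
    if ( isset( $item->slug ) && in_array( $item->slug, $trusted, true ) ) {
        return true;
    }
    return $update; // WordPress default (no automatic update) for everything else
}, 10, 2 );
```

Automatic updates still depend on the nightly backups the Hosting section describes: an update that breaks a site is recoverable, an unpatched hole that gets exploited often is not.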

Need to Sell Your Boss or Client on the importance of WordPress Security?

You can use this handy presentation. It was developed with input from the security experts at WPEngine, Chris Wiegman, the author of iThemes Security, and Tony Perez, Founder and CEO of Sucuri. We give it at WordCamps and WordPress Meetups.

Profitable Website Projects – The Oreo Cookie Strategy from Red8 Interactive

Want to have your WordPress security managed by pros?

Contact us and we will move your site to our secure WPEngine server, and take care of WordPress security for you.
