Do not take the scare stories about WordPress security too seriously. There are often quotes about how many WordPress websites are infected, but you have to remember that WordPress is the most popular content management system on the planet. By the law of sheer numbers, it is going to have a fair number of websites under attack. Yet, with just a few changes, you can make your WordPress impenetrable to most hackers and online malcontents.
It is less about securing your website behind a big lock. It is more about making your website so inconvenient to hack that most hackers simply give up. Hackers and online criminals are all about low hanging fruit. It doesn’t take much to hang your fruit a little higher.
After all, unless you are hosting a pot-luck draw containing hundreds of people’s financial information, your website is not worth the extra effort of hacking unless you are making it overly easy for people. This article runs you through the “How Tos” of securing your website, but also explains why these methods and tips are important. It is far better to understand what you are doing rather than blithely following the instructions you read online.
Table of Contents
1. Pick a Good Hosting Company
One of the easiest ways to gain access to any website is through the servers that host it. Of all the website vulnerabilities that exist, the most common and easiest is the one you often have the least amount of control over. Unless you are running your own server, or you have bought dedicated server hosting, then the control over your website security is limited by the fact you do not control the servers your website is hosted on.
When you opt for something like Cloud hosting, shared hosting, and free hosting, you are putting your website security in the hands of your hosting company. In these cases, it is very important that you pick the right hosting company. You need to pick a company with a good reputation because they will keep their servers secure in order to maintain their good reputation.
Free hosting is probably the very worst when it comes to website security, with the exception of Google’s own Blogger/Blogspot hosting. A free host has very little incentive to keep your website secure, or to keep your downtime low, or your website speeds fast.
The other side of the coin is that a good-quality shared hosting company has its security benefits. Firstly, they are probably security experts and can do far more to secure their servers than you could if you were running your own server (either in-house or through dedicated server hosting). Secondly, when you are sharing a network of servers with hundreds of other websites, you are a single drop of water in a raging river. Unless the hackers bring down the servers, which is unprofitable, there is less to fear through safety in numbers. If you use a good and reputable hosting company, then keeping your website online and safe becomes a lot easier.
2. You Don’t Have to Give Every Guest Blogger an Account
A common backdoor into a website is not through the administrators, but through the guest posters and other account holders. Hackers will target the other users who have access to your website. Hackers will scan for most common rookie mistakes, such as running through user passwords to see if anything obvious can be cracked, or tricking your guest authors into signing in while spyware is active, or tricking them into signing in through a fake duplicate web pages.
Gaining access to your website through your guest bloggers is not as powerful and/or useful as gaining full control through your admin section, but it still has its uses. In many cases, hackers will add backlinks to their websites, or throw in a little malware or re-directs to their websites and/or adverts. It is simple stuff, but it does your SEO (Search Engine Optimization) no favours, nor does it help people trust your website.
There are several ways you can go about guarding against these sorts of attacks. Firstly, once your guest bloggers have finished working for you, you could take them off the system. Every few months, you could clean house and remove people who have access. Secondly, you can run backlink checkers since many of your malware-linked pages or predatory links often break after a few weeks because the hackers have moved on to the next scam. Thirdly, you can use a plugin like PublishPress Authors that allows you to add guest posts and add in author information without actually giving your guest blogger any access to your website. They submit the content to you, you post it, and you add their details and backlink to the bottom with your PublishPress Author plugin.
3. Keeping WordPress Updated
You have probably seen the update reminders for your WordPress content management system. That is unless you are using a WordPress hosting service that updates your WordPress for you automatically, in which case you probably receive the occasional email telling you that your WordPress has been updated. Keeping WordPress updated seems like an overly simple security measure but it is very effective. The same is partially true for keeping your theme and plugins updated too, since outdated plugins are easier to hack and poorly maintained themes “Can” be easy to disrupt.
Rather than bore you with stories about the varieties of rogue code that can be placed into outdated WordPress websites, look at it this way. You are a hacker, and you and your friends make tools to make hacking WordPress. It takes a lot of work, but you manage to engineer tools that help you hack or crack WordPress websites. Then, WordPress is updated, and suddenly your tools need re-configuring, or they simply do not work any more. As a hacker, you have spent all this time creating and honing your tools, so rather than scrapping your hacking tools, you go on the hunt for WordPress websites that have not been updated yet because your hacking tools still work with them.
Put simply, WordPress updates are a hassle for hackers, so update whenever possible to keep the low-level low-effort hackers off your back. As a side note, people who buy hacking tools will often target older versions of WordPress because they do not want to re-invest in updated tools before they have gotten their perceived value/ROI out of the old hacking tools.
In an odd twist, you can easily buy hacking tools on the dark web, and yet every one of them becomes obsolete every time there is a WordPress update. This is because the easily available tools are bought/stolen by WordPress security testers, who then update WordPress to guard against those very tools.
4. Hide Your WordPress Version
As an extension of the previous tip, you should also hide your WordPress version. The people who buy hacking tools from security testers will know which versions of WordPress work with each tool. For example, the wannabe hacker may have ten hacking tools, and each one works with a single version of WordPress. When you hide your WordPress version, the hacker has to try each tool in turn to see which work with your website and which do not. It is a hassle for the hacker, which is good for you.
It is possible to edit your WordPress code and/or WordPress theme to hide your WordPress version. Alternatively, there are many WordPress plugins that allow you to hide your WordPress version. Do not pick a subscription-based security plugin just for this function, especially since there are often plugins that will do these simple tasks for cheap and/or for free.
5. Longer and More Complex Passwords Changed Every 72 Days
A brute force attack, also known as a brute force cracking, is very simple. You build a program that tries a username and hundreds/thousands of passwords until one is successful. The NSA in the USA once published, during the Obama years, that they receive over 1 million brute force attacks per hour from China alone.
Yet, even though brute force attacks are easy to perpetrate, and contrary to the scare stories, you can genuinely cut the legs off any brute force attack with long passwords and by changing your passwords every 72 days. You may have to take more precautions if your website is receiving 1 million attacks per hour, but that is very unlikely unless you are running a website like Amazon or PayPal.
Letters, numbers, upper case, lower case, and symbols, mix them up, and have at least eight characters in your password. You are playing a numbers game, and if your password has these elements, then the numbers are in your favour.
It was Microsoft that first said a password should be changed every 72 days, and there is no reason to disbelieve them. If your website is suffering from repeated and perpetual brute-force attacks, the hackers have to start from square one again whenever you change your password. What’s more, since they do not know you have changed your password, they have no reason to reset their brute force programs, which also works in your favour.
As a side note, do not bandy your usernames around the Internet. Also, create a new email and use that with your WordPress website, rather than using your regular email address. If the hackers do not know your WordPress email and/or WordPress username, then they cannot crack your WordPress passwords.
Things like two-factor authentication and limited-login plugins are often overkill when good passwords and frequently changing your password do the job just fine.
6. Use HTTPS for Encrypted Connections With an SSL Certificate
Since having your website run as HTTPS (Hyper Text Transfer Protocol Secure) is now seen as more search engine friendly, you should probably add an SSL certificate into your WordPress website too. Many hosting companies allow you to do this for free, and some charge you a subscription fee or a one-off fee.
The change will damage many of your internal links, which means you may need to do a little changing here and there. But, besides a short blip in your traffic numbers, and a few funky numbers on your analytics, your search engine ranking and search traffic doesn’t take a big hit from the change over.
When information is passed from a web browser to a server, that information is passed over as plain text. When you have an SSL certificate, it is passed over as encrypted text. It simply makes it a little harder for hackers to gather information about you, your users, or how your website is being used by whomever visits. It is not a big deal, and you can live without it, but again, since it is becoming a SEO must-have, you should probably do some research into turning your WordPress website into a HTTPS website rather than a HTTP website.
7. Protecting, Moving and Modifying Your WP-config.php File
Your WP-config.php File is a file with semi-sensitive information inside. It is not the sort of information that hackers could immediately use to break into your website, but the rule of thumb is that the less hackers know about your website–the better.
Should the wp-config.php really be moved? The long answer is yes, in that it would probably be irresponsible to say no. However, there are a few problems that come with protecting, moving and modifying your wp-config.php file, the first being that you could easily mess it up and damage your website and/or your WordPress security.
Even on a very simplified level, it is easy to follow online instructions and do something like move your wp-config.php file, only to move it in a way that defeats the purpose.
There are a great many instructions online about how you may protect, move and modify your wp-config.php file, but you have to remember that many of the instructions you see online are simply rewrites of rewrites of rewrites. Most of what you read online, even from large and popular websites, are simply instructions that some underpaid writer rewrote from his or her research on Google.
In order to advise you in the best possible way, here is our advice that you should maybe take with a pinch of salt. The first is that if you run a small and seemingly unpopular website, don’t worry too much about your wp-config.php file, and perhaps worry about it at a later date when your website becomes more of a target for hackers.
The second piece of advice is that if you have the technical knowledge to do it correctly, then you yourself should consider moving, securing and modifying your wp-config.php file.
The third piece of advice is that if you are not 100% sure what you are doing when it comes to the technical, programming, security testing side of things, then you should consider using a plugin to secure, move or modify your wp-config.php file. We do not suggest you use a subscription-based security plugin for this sort of thing, and we do recommend you do a lot of research before you choose the security plugin for this task. You do not need a full security suite for this simple task.
8. Prevent Hotlinking
When you create a post, you can add your own image to your hosting service and display it on your website. Or, you can hotlink an image. This is where you insert an image link into your website, and the image shows up on your website so long as it is live on the other end. This is hotlinking, and where it may be good news for the people adding hotlinks, it is bad news for the hosts of the images.
Now, let’s say that you upload an image of a car, and other people find it interesting, so they hotlink to your image so that it shows up on their websites. Every time somebody looks at their websites, they are seeing your image of the car, and your bandwidth (Internet) is being used to display the image. Your car image may be getting hundreds/thousands of views per month, but these views exist on other websites, and you are receiving no actual traffic from these hits.
In order to stop people from hotlinking to your images, you need to prevent hotlinking. How you do this depends on your website and on several other factors, so you will have to do a little research yourself and perhaps even contact your hosting company for advice.
There are several plugins that will help you prevent hotlinking, but we suggest you hop on the search engines and look for ways to prevent hotlinking on your own website. There is a wealth of information online about the various ways to stop hotlinking on WordPress websites.
Before you run off on a crusade to prevent this problem, try going over to the Google Images search engine, and use this snippet of code:
inurl:yourwebsite.com -site:yourwebsite.com
If you see no good results, then try adding the www part, as in this example:
inurl:www.yourwebsite.com -site:www.yourwebsite.com
The results are not foolproof, but it will give you an idea of how many people are using your website images on their own websites through hotlinking. If many of your images are being used, then it is time to take action.
9. Backup Your Website Yourself and With Subscription Services
There are several reasons why you should be backing up your website and your content. There is always the small chance that the server holding your website will go down and wipe your website completely. Or more likely, there is a chance that you will download and use a plugin that breaks your website, or that your website theme will be updated and ruin your website.
There is a chance your website will be infected and have to be deleted, perhaps because of ransomware, in which case you need to wipe your website and reinstall it back to how it was before it was infected. There are three ways to save backup your website.
1 – Saving Content As You Make It
One of the most low-tech ways of saving your website is to save your content as you make it. Whenever you create a new piece of content, you should save it on an external hard drive. Save it as you create it, and then save it when it is uploaded.
For example, if you have created a blog post, then save the text you wrote on the word processor and save the images you wish to add to your blog post. Save them into an external hard drive so that you can store them away somewhere safe where they may gather dust until you need them.
Once your blog post is uploaded onto WordPress, you will see the tabs that say “Visual” and “Text” in classic WordPress mode, or in Gutenberg, you need the setting that says “Code Editor” rather than “Visual Editor.” In the code editor, copy all of the code on the screen and paste it into your notepad. This is your second manual backup.
Saving your content as code makes it easier to re-add the backup. For example, if your blog post is lost because somebody accidentally deletes the page. You could re-create the page using the content you wrote on your word processor, or you could copy and paste the code into the “Edit HTML in WordPress” section, and your content is back, along with the formatting, images, links, etc.
If you want to make things a little quicker, you could also open a new notepad and save all the meta data, tagged words, etc. This also makes it quicker and easier to re-add your content after it is lost.
This method is very time-consuming and labour-intensive, but it is a solid, reliable, and free way to backup your website. Also, if you save your URLs, you can re-add your content using the same URLs so that your website doesn’t lose any search engine friendliness that it built up over the years.
2 – A Full Backup
Many people use subscription services for this, but it is what it sounds like. You take the entire website, all of its code, including all of the WordPress structure, and you make a backup. On its own, it is a large set of files. But, if you needed to, you could use that backup to re-install your website.
Let’s say your website is taken down by a virus. You wipe your website from head to toe. Everything is gone, and all that is left is empty hosting space. You then take your backup, you install it into this space, and your website is back and fully functional. In simple terms, this is what making a full backup is all about.
From its simplistic description, you may think this is the best option, but it can be expensive. Making a full copy of your website is not easy, especially if you want to save it in a way that makes it easy to re-install at a later date. That is why people pay subscription fees to have full backups of their websites made.
When you pay a subscription service, they take a backup at set intervals, perhaps once per month, and they save all the information on their servers. When your website needs re-installing, perhaps after a massive server crash, then the subscription service helps you wipe your old website and reinstall your backup
3 – A Snapshot of Your Website
A cheaper service, and perhaps one considered by people who can afford to have their website down for a little while, is a sort-of snapshot service. Instead of taking a full backup of every file and every piece of text in your website, this backup service simply takes a snapshot of your settings and where everything is in your website.
If your website went down and had to be wiped, you would reinstall WordPress yourself, and your theme, and plugins, and then you apply your snapshot to your website. It re-adds the pages you had (without the content), and configures your website settings to what they were the last time you backed up. You would then have to go through your website and re-add the content and media that you used to have before your website was wiped.
These services are often cheaper, and snapshot backups can be made daily. Also, since they take up far less server space than you average full-website backup, it means you can save several older snapshot versions of your website. This is the happy middle ground between paying a bigger subscription fee to have your entire website backed up, and the free version of doing all the content saving yourself.
10. Staying Out of the Viper’s Nest
If your website is very large and very successful, then you are going to attract predators. They are going to spam attack your website comments, they are going to try to blackmail you with threats of taking your website down, and they are going to threaten to copy your content and spread it around the Internet to maybe damage your SEO (Search Engine Optimization).
Yet, even if your website isn’t large, you can attract the wrong sort of attention. For example, if you are paying spammers to post backlinks to your website, then their actions alone will attract other spammers, who will do everything from stealing and selling your content, to spamming your comments with adverts.
If you pay sub-par SEO companies to market your website, do not be surprised if you find your website is experiencing more hacking attempts that usual, or if your website starts seeing big lags at certain times of the day. The fact is that you can attract the wrong type of attention, and this often leads to long-term problems that are hard to shake off.
If you decide to start spamming links to your site on YouTube comments, on other people’s websites, and if you start paying for links from guest posting companies, then do not be surprised if you receive trackback spam, if your website links start appearing on nasty websites, and if your online reputation starts to drop. Predators have hundreds of ways to force you into paying, from spamming links in poor quality places and then asking you to pay to remove them, to cloning your website and trying to trick your viewers into signing up to their services.
11. Limit Your Use of Plugins
Just because a plugin is on the legitimate WordPress store doesn’t mean it is good. It doesn’t mean the plugin is safe or well made. Most WordPress plugins are of a poor quality, be it because they are bait-and-switch plugins, or be it because they are almost impossible to fully remove once they have been installed.
Even seemingly legitimate plugins may have their secret flaws. Some may be used as back doors into your website, and for all you know, their parent company may be been bought out by a hacking company yesterday, which is perhaps why the last update was such a website breaker.
The point is not to scare you away from using plugins, but to warn you that installing code into your website is no different from adding unknown parts into your car. You have to be careful which plugins you choose, and do not be fooled by high review ratings, lots of active installs and lots of clever marketing; these are things that can be easily faked.
Remember that less-is-more. Many of the security measures listed in this article can be done manually. Yet, there are plenty of plugins out there that will happily charge you to complete these simple tasks, and then bloat out your website with lots of unnecessary tools and functions that slow down your website and make it more vulnerable.
12. Use Free Themes…Or Don’t
Contrary to what you may read online, there is nothing inherently unsecure about free themes. There is also nothing particularly secure about paid themes. This is only an opinion, but perhaps spend as much money as is needed.
For example, if you have a very small or new website, then using a free theme seems like a good idea. If your website grows, scales up, or becomes dramatically more popular, then consider having a custom theme built for your WordPress website.
If your small, medium, or large website has no user accounts, doesn’t deal with money, and doesn’t have a great deal of user interactivity, then you can easily stick with a free WordPress theme. On the other hand, if your website handles user accounts, contains user data, or deals with money, then perhaps go for a paid theme or a custom theme with added security.
Feel free to believe the scare stories about free hosting, or those free themes that insist on streaming the owner’s adverts over your website. But, when it comes to free WordPress themes from the WordPress platform, the free themes are often as secure/unsecure as the paid ones.
13. Using Security Plugins
We do not want to encourage or discourage you from trying security plugins, but allows us to offer these words of warning. Their marketing is often very sophisticated, and they make a lot of money convincing people that their do-little security plugins do a great deal. Think of it as the umbrella company that guarantees their product protects against skin cancer.
Some security plugins do very little, and some are built with back doors in them. One of the easiest ways a hacker can get into your website is to offer a top-quality security plugin with a back door for them to wander in whenever they please. For this reason, do not become complacent once you have your paid security plugin because sometimes the enemy lies within.
Understand the Security Plugin’s Functions
Try your double best to understand what each security function does. We haven’t found many security plugins that we trust, but the ones we do, it is because they are very transparent. They explain exactly what each function does, and if they fail to fully explain what each function does, there is a chance it does nothing.
Them being transparent offers two benefits. Firstly, it allows you to see exactly what is happening within your own website, so you know you are not paying for bloatware or do-nothing functions. Secondly, if you understand what each function does, then you can activate and de-activate the ones that are not needed and/or are unnecessary. This is important in our case because many security plugins have eCommerce-centric functions, but we at Vertanet are not an eCommerce website, so we would deactivate such functions. If the security plugin is transparent and shows you what each function does and allows you to activate and deactivate each function, then it allows us to avoid other plugin clashes and analytic clashes.
Again, we are not trying to discourage you from using security plugins, we are just advising that you fully understand what each function does, why each function exists and perhaps find a security plugin that allows you to disable and enable certain security features to avoid clashes and/or redundant functions.