The primary opportunities for a hacker to compromise a website are in plugins and in user access (guessing or stealing usernames and passwords). Happily, there are a few things you can do right out of the gate to help keep your site secure.

Provided it is kept actively updated, WordPress, along with its plugins and themes, is one of the more secure CMSs available, in part because of its large support base. The WordPress core is difficult to hack, and most vulnerabilities in the core and in well-supported plugins are discovered and patched quickly. Attacks are more common, and more likely to succeed, against poorly maintained or abandoned plugins.

Themes and plugins are always a risk vector, as they may not be held to the same code review and security standards as the core. It is not unknown for even a popular plugin to have a security flaw that puts thousands of WordPress sites at risk. For this reason, a regular theme and plugin audit is essential. Before adding a plugin, evaluate it for popularity, support, and security.

Over 55% of WordPress site hacks come through vulnerable plugins, followed by brute force attacks, which make up around 16%. Keeping your site updated and staying vigilant on plugin and password security therefore addresses roughly 70% of your risk.

Here are four ways to get started.

1. Guard Your User Access

Good usernames and passwords are like locking your front door. The number two favorite tool of the bad guys is the brute force attack, in which they try many combinations of usernames and passwords until one works. A good start is to stay away from usernames like “admin” or the name of your site. Likewise, don’t pick obvious passwords like “password1”. One good way to create a strong password is to use a unique and memorable sentence. A passphrase like ShrinersRideTinyMotorcyclesInParades is A) hard to forget and B) hard for both attackers and password cracking tools to guess, as long as it is not a well-known quotation or song lyric, since cracking tools also try lists of those.

You can also limit the number of login attempts by adding a CAPTCHA and by blocking an internet address from making further attempts after a specified number of failures. Security plugins will usually include this feature.
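Here is what that kind of lockout policy looks like in code. This is an added example written for this article, not code from any WordPress plugin or from WordPress itself: in WordPress the same logic would live in a plugin hooked to the wp_login_failed action and the authenticate filter, whereas the Python below only models the policy and replays it against a constructed sequence of login events. The thresholds (5 failures in a 15 minute window, 1 hour lockout) and the IP addresses are assumptions. It locks on two keys at once, the client IP and the target username, so that an attacker who rotates through many IPs against one account, or sprays many accounts from one IP, is caught either way.

```python
from collections import deque

# Policy thresholds: assumed values, tune for your site.
WINDOW_SECONDS = 15 * 60    # failures are counted over this sliding window
MAX_FAILURES = 5            # failures allowed in the window before lockout
LOCKOUT_SECONDS = 60 * 60   # how long a locked key stays locked


class LoginThrottle:
    """Locks out a client IP and, separately, a target username after too
    many failed logins in a sliding window. A successful login clears the
    failure counters for both keys; a lockout expires on its own."""

    def __init__(self, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = {}      # key -> deque of failure timestamps
        self.locked_until = {}  # key -> unix time when the lock expires

    @staticmethod
    def _keys(ip, username):
        # Username is lowercased so "Admin" and "admin" share one counter.
        return (f"ip:{ip}", f"user:{username.lower()}")

    def _prune(self, key, now):
        """Drop failures that fell out of the window; return the live deque."""
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:            # lock expired: forget it and its history
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def check(self, ip, username, now):
        """Call BEFORE verifying the password. Returns (allowed, reason)."""
        for key in self._keys(ip, username):
            if self.is_locked(key, now):
                return False, f"locked: {key}"
        return True, ""

    def record(self, ip, username, success, now):
        """Call AFTER verifying the password. Returns keys newly locked."""
        keys = self._keys(ip, username)
        if success:
            for key in keys:
                self.failures.pop(key, None)
            return []
        newly_locked = []
        for key in keys:
            q = self._prune(key, now)
            q.append(now)
            if len(q) >= self.max_failures and key not in self.locked_until:
                self.locked_until[key] = now + self.lockout
                newly_locked.append(key)
        return newly_locked


# Constructed login events: (seconds since start, ip, username, password_correct)
SAMPLE_EVENTS = [
    (0,  "203.0.113.7", "admin", False),
    (10, "203.0.113.7", "admin", False),
    (20, "203.0.113.7", "admin", False),
    (30, "203.0.113.7", "admin", False),
    (40, "203.0.113.7", "admin", False),       # 5th failure: IP and username locked
    (50, "203.0.113.7", "admin", False),       # rejected before the password is even checked
    (60, "198.51.100.9", "admin", True),       # new IP, same username: still locked
    (70, "198.51.100.9", "editor", True),      # unrelated user from that IP: allowed
    (40 + LOCKOUT_SECONDS, "198.51.100.9", "admin", True),  # lock expired: allowed
]


def replay(events, throttle=None):
    """Run events through the throttle; returns (time, outcome, detail) per event."""
    throttle = throttle or LoginThrottle()
    decisions = []
    for t, ip, user, correct in events:
        allowed, reason = throttle.check(ip, user, t)
        if not allowed:
            decisions.append((t, "rejected", reason))
            continue
        locked = throttle.record(ip, user, correct, t)
        decisions.append((t, "login ok" if correct else "bad password", ",".join(locked)))
    return decisions


if __name__ == "__main__":
    for decision in replay(SAMPLE_EVENTS):
        print(*decision)
```

Two caveats a practitioner should keep in mind: locking on IP alone misses a distributed attack and can lock out every legitimate user behind one office NAT, and locking on username alone lets an attacker deliberately lock your administrator out. Use both keys, keep the lockout short, and treat this as a speed bump rather than a substitute for strong passwords.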

One of the strongest ways to secure your site is two-factor authentication (2FA), often done as a cellphone sign-in: the user must both know their password and confirm the login on their phone. It is a little more hassle to require this, but it is worth it. A guessed or stolen password is no longer enough on its own to get in, which takes the teeth out of a brute force attack. The attempts still arrive at your login page, so keep the rate limiting as well.

2. Consider adding a security plugin

Good security plugins provide a firewall and malware scanner, along with additional protections.

Your hosting provider may already provide a good level of cloud security, particularly if you have a WordPress hosting package. In that case, you will want to check with them before installing any security plugin, to ensure that it does not conflict with their built-in security setup.

A few reputable and well-recommended security plugins:

3. Update, Audit, and Evaluate your Plugins

Plugins are a powerful “plug and play” resource for adding features and extending the capabilities of WordPress, so nobody is saying “do not use plugins”. What is important is carefully vetting each plugin before installing it, and then again quarterly (in a perfect world) or at least annually. Installed plugins should ideally be updated as soon as the developer releases an update; if that is not possible, then at minimum monthly.

When checking for vulnerabilities and exploits, do not panic if results come up for the plugin: this is not unusual, because hackers can be very busy people, and fixing security issues can feel a lot like playing whack-a-mole. Most plugins will show a history of a few vulnerabilities. What matters is the severity and type of each issue, whether it has been patched, and in which version of the plugin. If the vulnerability was fixed, it is only a concern if your installation has not been updated to the fixed version or later.

Popular plugins will often have a laundry list of patched issues, simply because a hacker is more likely to go after a plugin that has millions of installs, as that gives them more potential websites to hack!

Questions to ask:

  • Do I actually NEED the plugin, and if so, is it the best option for my site? Each installed plugin is another potential threat vector and another source of problems, so it is worth assessing value versus risk.
  • Is the plugin or theme built by a professional team that updates it regularly, or by a single developer who is doing it as a side project and who may end up abandoning it?
  • If the plugin you are downloading is not in the official WordPress repository, is the plugin site reputable?
  • How often is it updated? If it has not been updated in over six months it is likely to have issues that have not been fixed, and anything that has not been updated in a year has probably been abandoned.
  • Has it been tested against your version of WordPress?
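To make that checklist repeatable across a whole site, the following Python script audits a plugin inventory against the same facts a plugin's WordPress.org page shows: latest version, tested-up-to version and date of the last update. It is an added example written for this article, not code from WordPress or from any plugin. The field names (version, tested, last_updated, active_installs) follow the WordPress.org plugin information API at https://api.wordpress.org/plugins/info/1.0/<slug>.json, but every plugin slug, version, date and the site's WordPress version below is constructed for the example, and the script runs offline on that data. The six month and one year thresholds are the ones from the questions above. It also flags deactivated plugins, which still need to be updated or removed.

```python
from datetime import date, datetime

# Constructed directory data (invented plugins). Field names match the
# WordPress.org plugin information API; the values are made up.
DIRECTORY_INFO = {
    "example-seo": {
        "version": "4.2.1", "tested": "6.5.2",
        "last_updated": "2024-05-01 10:00am GMT", "active_installs": 2000000,
    },
    "example-slider": {
        "version": "1.8.0", "tested": "5.9",
        "last_updated": "2022-11-20 3:41pm GMT", "active_installs": 40000,
    },
    "example-forms": {
        "version": "3.0.4", "tested": "6.4.3",
        "last_updated": "2023-10-02 9:15am GMT", "active_installs": 300000,
    },
}

# Constructed inventory of one site: slug, installed version, active flag.
INSTALLED = [
    {"slug": "example-seo", "version": "4.2.1", "active": True},
    {"slug": "example-slider", "version": "1.7.2", "active": False},
    {"slug": "example-forms", "version": "3.0.4", "active": True},
    {"slug": "custom-gallery", "version": "0.3", "active": True},  # not in the directory
]

SITE_WP_VERSION = "6.5.2"       # assumed WordPress version of the audited site
AUDIT_DATE = date(2024, 6, 1)   # fixed so the example is reproducible
STALE_DAYS = 180                # "over six months": likely unfixed issues
ABANDONED_DAYS = 365            # "over a year": likely abandoned


def version_tuple(v):
    """'6.5.2' -> (6, 5, 2); tolerates suffixes such as '1.8.0-beta'."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_last_updated(s):
    """The API returns e.g. '2024-05-01 10:00am GMT'; only the date is needed."""
    return datetime.strptime(s[:10], "%Y-%m-%d").date()


def audit_plugin(installed, info, site_wp_version=SITE_WP_VERSION, today=AUDIT_DATE):
    """Return a list of findings for one installed plugin (empty = no concerns)."""
    findings = []
    if not installed["active"]:
        findings.append("inactive: files remain on disk; uninstall, or reactivate and update")
    if info is None:
        findings.append("not in the WordPress.org directory: vet the vendor and source manually")
        return findings
    if version_tuple(installed["version"]) < version_tuple(info["version"]):
        findings.append(f"outdated: {installed['version']} installed, {info['version']} available")
    age = (today - parse_last_updated(info["last_updated"])).days
    if age > ABANDONED_DAYS:
        findings.append(f"likely abandoned: last release {age} days ago")
    elif age > STALE_DAYS:
        findings.append(f"stale: last release {age} days ago")
    # 'tested' may be 'major.minor' or 'major.minor.patch'; compare on major.minor.
    if version_tuple(info["tested"])[:2] < version_tuple(site_wp_version)[:2]:
        findings.append(
            f"not tested against WordPress {site_wp_version} (tested up to {info['tested']})")
    return findings


def audit_site(installed=INSTALLED, directory=DIRECTORY_INFO, **kw):
    """Map each installed plugin slug to its findings."""
    return {p["slug"]: audit_plugin(p, directory.get(p["slug"]), **kw) for p in installed}


if __name__ == "__main__":
    for slug, findings in audit_site().items():
        print(slug)
        for f in findings or ["ok"]:
            print("  -", f)
```

In practice you would replace DIRECTORY_INFO with live responses from the API above and INSTALLED with the output of the WordPress dashboard or WP-CLI, and run this on a schedule; the "not in the directory" finding is the prompt to do the manual reputation check described under question 3.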

How to check plugins and themes for security risks:

Always check the plugin against multiple sources, as no one resource is guaranteed to list all known vulnerabilities and exploits.

Always check using any known variations of the plugin and developer name, especially when it is a plugin that has a common phrase for its name. “YOAST SEO plugin vulnerabilities” is unique and will give accurate search results. “Event Manager vulnerabilities” will bring up results for several different plugins along with links for wildly unrelated content.

If you do see a vulnerability listed, don’t immediately freak out. Reputable authors update and fix their plugins very quickly when an issue is discovered. Also, vulnerabilities differ in severity, with some being minor. The databases score each one by severity (usually with a CVSS rating); SQL injection and cross-site scripting are among the types of most concern, especially when they can be triggered without logging in.

  • Google is your friend. Search for “(Plugin / Theme name) plugin exploits and vulnerability (current year)”.  
  • Visit the page for the plugin on WordPress.org as well as the homepage for the plugin, if it exists. This will show the current version, the most recent updates and the WordPress versions it has been tested for.  Also review the changelog on the development tab to get details on recent updates.  https://wordpress.org/plugins/
  • Check the plugin against security databases, including:

4. Uninstall Plugins and Themes if You Are Not Using Them

Deactivated plugins and themes still take up resources, still need updating, and can still have vulnerabilities: their files remain on the server, and a flaw in a plugin file that can be requested directly does not care whether the plugin is switched on in the dashboard. Delete anything you are not using. You can always reinstall it if you need it again in the future.

Resources

The above steps barely scratch the surface of the topic of cyber-security. Check out these articles and blog posts for some further reading.