As you may already know, WordPress is a powerful tool for building websites. It provides website owners with a learnable and intuitive interface (the Dashboard) for publishing and managing content. It also provides developers and designers with a robust system for building feature-rich and beautiful websites for their clients (the website owners). But how secure is WordPress?
WordPress is actually very secure.
With all of the security news surrounding WordPress on a daily basis, you might get the impression that WordPress is vulnerable to hackers and spammers. However, WordPress itself is a very stable and secure platform on which to build websites. The problem lies not with WordPress itself, but with how it is used. This article will focus on the top ways you can allow hackers and spammers to take advantage of your WordPress-based website.
What damage can a hacker do?
If a hacker breaks into your website, what kind of havoc can they wreak? Once a malicious hacker gains access to your website, they can take possession of it and use it for nefarious purposes without you even realizing it. They can cover their tracks so you can’t tell they’ve hacked your website, and then run nasty scripts or perform other tasks that put you, your visitors and other websites at risk. A hacker can:
- Use your existing account or create new accounts with admin privileges
- Reset the passwords of other accounts so their owners no longer have access
- Change the content of your posts and pages by injecting them with malicious code
- Tamper with core WordPress files, adding malicious code such as backdoors
- Use .htaccess files to redirect your traffic to malicious websites
As you can see, the repercussions of a hacked website can be dangerous to anyone who visits it. You have to put yourself in the mind of a hacker to fully understand why they would want to do it. The point is, it doesn’t matter if you are a solo operator or a large company; a hacker knows that even the smallest of websites could lead to a big payoff. This is why it is imperative that you keep your website secure, no matter who you are.
Top 11 Ways To Make Your WordPress Website Hackable
- Use an insecure hosting provider.
Are you hosting your website with one of those cheap web hosting companies? Saving a few bucks a month on hosting can cost you a lot more in the long run. You might think that you have nothing those hackers would want, but they don’t necessarily know what you have until after they’ve hacked you. To make things worse, your hosting company can shut your website down without notice if they discover you’ve been hacked or infected, plus it’s your responsibility to clean the mess or hire someone that can. In 2013, 41% of hacked WordPress websites were hacked through the hosting provider — make sure your hosting provider cares about security.
- Use “admin” as your administrator username.
By using a typical username such as “admin”, you are basically taking one extra step out of the hacking equation. Using a common username just makes it that much easier for a hacker to “guess” your login information.
- Use a weak password.
You might be surprised how many people use a basic password such as “password123” on their WordPress websites. In 2013, over 8% of WordPress websites were hacked because of weak passwords. Check out this article for a list of the most popular passwords.
- Install bad plugins and themes.
Before installing WordPress plugins and themes, do your research. Make sure the plugin(s) you want are developed by reputable developers and have great ratings. Ensure that they receive regular updates and have a good track record. Check the reviews by other users and be very careful. In 2013, 29% of hacked WordPress websites were hacked via a vulnerability in a theme, while 22% were hacked via a vulnerability in a plugin.
- Install a bunch of themes.
You might have browsed the themes available in the WordPress theme repository. And you might have installed a crapload of them so you could test them, to see which one you really want. Once you settled on one, you probably just left the rest of them installed. All of those themes you aren’t using are just one more potential way for a hacker to find a way into your site. If you aren’t using those themes, remove them.
- Don’t update WordPress.
WordPress is software, just like the programs you install on your computer. The WordPress team is constantly working to stabilize and secure WordPress as much as possible, which is why updates are released often. Hackers are always looking for a way to get in, so software developers have to stay as far in front of them as possible. WordPress updates are as important to the security of your website as Windows updates are to the security of your computer. Keeping WordPress up-to-date is critical to the security of your website.
- Don’t update plugins and themes.
Plugins and themes are add-on software for WordPress. Just like any other software, they need to be kept up-to-date.
- Don’t use security plugins.
A firewall plugin such as Wordfence can help catch and block hackers before they get in. There are other plugins that can block spammers and check online databases for bad guys before they even have a chance to break anything. In addition, there are plugins from well-known security companies like Sucuri that can scan your website for malware infections.
- Don’t use two-factor authentication.
Logging in to your WordPress website using a basic username/password combination is so yesterday. Plus, it’s really not that secure. If you really want to make things tough on hackers, you need two-factor authentication. This means that you log in using a combination of your username/password and then verify using a physical device, such as a smartphone or tablet. Clef and LaunchKey are great examples.
- Don’t move your wp-config.php file out of the root directory.
The wp-config.php file contains pertinent information that WordPress needs to function properly (database credentials and authentication keys, among other settings). By default, this file is in the main directory (often referred to as the “root” directory). There are some protections built into WordPress to deny outside access to this file, but there are better ways to secure it. One of these methods is to move the file outside the root directory, where it’s not in plain sight.
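The relocation described above, as an added example that is not part of the original article: WordPress looks for wp-config.php one directory above its own folder when the file is missing from the root (and the parent holds no wp-settings.php), so this script moves it there, tightens its permissions, and adds an Apache deny rule for the case where the parent is still inside the web root. The path /var/www/html in the usage comment is an assumed example.

```shell
#!/bin/sh
# Added example: move wp-config.php one level above the WordPress directory.
# wp-load.php falls back to dirname(ABSPATH)/wp-config.php automatically,
# provided that parent directory is not itself a WordPress install.
# Usage: relocate_wp_config /var/www/html   (assumed example path)
set -eu

relocate_wp_config() {
    docroot=$1
    parent=$(dirname "$docroot")
    src="$docroot/wp-config.php"
    dst="$parent/wp-config.php"

    [ -f "$src" ] || { echo "no wp-config.php in $docroot" >&2; return 1; }
    # WordPress ignores the parent copy if wp-settings.php lives there,
    # so refuse to move the file into another WordPress install.
    [ ! -f "$parent/wp-settings.php" ] || { echo "parent is a WordPress install; aborting" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "$dst already exists; aborting" >&2; return 1; }

    mv "$src" "$dst"
    # Owner-only access. This assumes the PHP process runs as the file owner;
    # if PHP runs as a group member instead, use 640 with that group.
    chmod 600 "$dst"
    echo "moved $src -> $dst"
}

# Moving the file up only hides it from the web if the parent directory is
# outside the document root. When WordPress sits in a subfolder, the parent
# is still served, so also deny direct requests (Apache 2.4 syntax).
deny_wp_config_access() {
    parent=$1
    cat >> "$parent/.htaccess" <<'EOF'
<Files wp-config.php>
    Require all denied
</Files>
EOF
}
```

Run the deny rule step only on Apache; on nginx the equivalent is a location block that returns 403 for wp-config.php.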
- Don’t use a third-party service to manage and monitor your website.
There are a lot of factors to keep up with when considering the security and maintenance of your website. You don’t have to go it alone — heck, you don’t have to deal with it at all. Reputable service providers can provide you with peace of mind so you can focus on your business. These services can beef up your security and keep your website up-to-date, and if something goes wrong, they take care of it for you.
This list doesn’t cover every aspect of security related to your WordPress website, but it does cover some of the most popular ways that a hacker might try to exploit your website. You can’t just implement a series of security tips and then walk away — malicious hackers are always looking for a way to get around the protections you already have in place. Using a reputable third-party management system is the best bet because they stay on top of the latest security trends and implement them as they become available.