webgranth
If you own a website powered by WordPress or are considering using this content management system, you’re probably concerned about potential security issues. Yes, WordPress is vulnerable but it isn’t such an insecure platform as many would think. There are several most common WordPress security issues that may occur, but by performing appropriate actions and steps, you can protect your website based on WordPress.
If you type “How to secure a WordPress site” on the Internet, you’ll get hundreds of pages. Not all are useful. A lot of advice out there is even potentially harmful. In this article, we’ll outline tips to avoid the most common WordPress security issues. Important Note: WRITE DOWN everything you do or change. If something goes wrong, you’ll know how to get everything back to the beginning and find the cause. Make one change, test, and only then make the next change. Otherwise, you’ll have great difficulty finding out where it got stuck.
The basic thing about security is that it’s like a chain – as strong as its weakest link. Good antiviruses and firewalls aren’t the only things that matter, behaviors and habits are also very important. Metaphorically, what is the best alarm if you leave your keys out there? Each type of protection has certain “impracticality” when used. If you lock the house door, you must remove the key and unlock it to enter. Two locks mean stronger security, but also a lot of work on locking and unlocking.
Recommended Tips for Prevention
Before we dig into the most common WordPress security issues, here’s a taxative list of essential things that aren’t closely related only to WordPress, but also apply to it:
● Use safe and secure computers (and mobile phones) to log in and work on the website.
● Use a secure Internet connection. If you are on wi-fi of a coffee shop or public wifi, you should use a VPN.
● Don’t leave saved passwords for access in browsers and devices.
● Your computer. Yes, it may sound strange, but the first link in the chain, the computer from which you visit the website should be secure. So: security patches if using Windows, with a good firewall and antivirus program. Make sure that your browser is updated and with new patches.
The following security issues most frequently occur in WordPress.
1. Bad Hosting
Not all web hosting services are the same, and choosing a hosting solely for the price can cost you a lot in the long run because of security issues. There’s one hosting type that provides a balance between features and prices – the MySQL hosting. The MySQL hosting can be affordable but its price depends on basic and extra features are included in their plans. Given that MySQL databases power almost every CMS, including WordPress, it perfectly fits in with sites operating on this platform.
Many hosting sharing environments are secure, but some don’t properly separate user accounts on their servers. Your host should be up-to-date with the latest security patches and other important security practices (server, database, a scan of uploaded files, etc.).
For those using VPS, or dedicated servers: If you aren’t 100% sure what you are doing, consider a managed hosting server. Shared and reseller hosting packages are certainly on a server that others maintain. In any case: choose a hosting company with a good reputation, quality service, and good protection. Most of the successful protection from DDoS and brute force attacks are performed at the level of the hosting server, firewalls, and WAFs.
The use of a hosting server that isn’t well secured is like living in a ground floor house with glass doors and windows: it’s easy to intrude by implementing simple force. Finding a secure and reliable hosting provider you can trust is the first of the must-haves that positively affect the vulnerability of your site.
2. Insecure WordPress Login Page
Your WordPress login page is the most common target of an attack on your WordPress website, as it provides the easiest access to the administration. A brute force attack is the most common method of attacking your login page. A brute force attack is an attempt to accurately guess the combination of username and password to access administration. These attacks can be effective because WordPress doesn’t limit the number of login attempts.
You can strengthen the security of your WordPress login page by using some of the available WordPress security plugins to limit the number of login attempts. Restricting login attempts is only the first step in protecting your site. Next, you should use strong and random passwords and keep them in a safe place. Forcing every WordPress user on your website to use a strong password will reduce the effectiveness of the attack.
3. Out-Of-Date Core Software
When there are outdated versions of plugins, themes, or an entire WordPress on your website, you run the risk of hacking into your site. Updates aren’t only important for new features or bug fixes; they may also contain patches for known security vulnerabilities. While this is the simplest prevention for WordPress security, most successful hacks use “holes” found in outdated software.
You can automate updates on your WordPress website through the server or by using known plugins. Automatic updates provide you with critical security patches that protect your website from WordPress security vulnerabilities, and as a bonus, reduce the amount of time you spend maintaining a site.
4. PHP Exploits
The PHP code on your WordPress website should also be included in the list of security vulnerabilities for WordPress. Exploiting PHP code is a common method used by hackers to access your WordPress site, so it’s crucial that you reduce your risk by limiting your exploitation capabilities. Uninstall and completely delete unnecessary plugins and themes on your WordPress page to limit the number of access points and executable codes.
In addition, avoid using abandoned WordPress plugins. If any plugin installed on your WordPress website hasn’t received an update for six months or more, it may no longer have support or new updates and is, therefore, vulnerable and open to PHP intrusions into your site. Of course, a plugin without the latest updates may not necessarily be unsupported, it can only mean that it’s complete and will only receive an update to ensure compatibility with the latest version of WordPress and PHP.
5. Installing Software From Unreliable Sources
Install WordPress plugins and themes from trusted sources only. You should limit yourself to installing software that you download from WordPress.org, known commercial directories, or directly from trusted and reliable developers. What you need to avoid are “nulled” versions of commercial plugins, as they may contain malicious codes.
If the WordPress plugin or theme isn’t distributed on the development team’s website, check everything well before you download the plugin or theme. Contact the developers to see if they are in any way related to the website that offers their product at a free or discounted price.
6. SSL/TLS Certificates and Encryption
There are still websites that don’t use this or at least allow access through an unencrypted HTTP protocol. If you don’t have a strong reason to do so, implement and force the HTTPS protocol for your site. The same goes for FTP, email and other channels of communication and access to the site. Let’s Encrypt certificates are free and easy to install, usually with one click at many hosting providers.
When you access the website through unprotected HTTP, it’s possible to see what you are sending – including your username and password. HTTPS should be mandatory at the server level without leaving visitors (and you) the choice of using unsecured HTTP. Accessing the site without HTTPS and TLS encryption is like leaving confidential documents freely on the reading room table so that anyone who’s interested can take a peek at it. SSL/TLS encryption runs on the principle of asymmetric encryption.
Unlike SSL/TLS (and HTTPS), HSTS is something which, still, isn’t recommended for most websites. What is HSTS? To put it simply: it’s the announcement that your site only uses HTTPS, practically forever. In the case of any certificate issues or the need for any reason to use a non-encrypted protocol, the website will be inaccessible via unencrypted HTTP.
HSTS is like a concierge at the entrance of a building that takes all your guests to one apartment only. If you change the apartment, for whatever reason, a concierge will still escort your friends to the door of the same apartment, and only there. Because of this, using HSTS needs to be well thought out and planned before being introduced. If the website isn’t a “high-risk target”, it’s better to skip the HSTS until further – it can create more problems than solve them and requires the hiring of an expert to fix them.
Bad Pieces of Advice
All of the above-mentioned safeguards aren’t implemented on many websites. However, those people who haven’t implemented these measures have heard of some other security actions that aren’t so good:
● Hiding the WordPress login URL from the default wp-admin or wp-login.
● Changing the WordPress database prefix so it’s no longer wp_.
Why are these tips bad?
They can make complications: immediately, which is a better option, or in the future with the work of some themes and plugins, while at the same time, even altered, they can be detected by the attacker.
To conclude: If all other security policies listed in the article ARE applied, no change to the login URL and database prefix is required. If all the other security policies listed in the article AREN’T applied, changing the login URL and database prefix won’t help.
Comments
0 comments