As many as 26.9% of all live websites on the internet today are powered by WordPress, which makes it the most popular CMS by far. A CMS, or content management system, like WordPress serves as a web-publishing tool, helping you create not only blogs (for which WordPress was originally known) but also websites and even mobile apps. It is popular with users because it is free and because it offers a wide range of plugins and customization features. In fact, this platform is so versatile and trusted that even top corporations like Sony, Disney and CNN use it!
Perhaps even you are using WordPress and have loved it for all its features and plugins. But you may also be troubled by reports that WordPress has repeatedly been targeted by hackers. In fact, a BBC article from February 2017 reported that as many as 1.5 billion webpages had been defaced by hackers in a recent spate of attacks, taking advantage of a zero-day vulnerability.
In fact, this has happened quite a few times in the recent past. Hackers have broken in to hijack sites for their own ends by using them to spread malware or redirect and siphon off visitors to their own sites. Most users remain unaware of the risks until they are themselves targeted.
There are hundreds of sites that actually explain how to identify webpages built on WordPress and how to hack them! This, despite the fact that the WordPress team takes care to promptly put out patches for bugs and hires top security firms to comb their code for security flaws.
A fully secure website is a myth. There is no such thing. Any website on any platform can potentially be hacked if the attacker is persistent enough. To beat hackers, the trick is to stay one step ahead of them. In order to do this, you need to first understand where the weak spots are. Here’s a checklist:
- Weak passwords.
- Common or easy-to-guess usernames and passwords such as ‘admin’ and ‘pswrd’.
- Running an outdated version of WordPress.
- Displaying your WordPress version on your website or blog.
- Plugins from unreliable sources.
- Using outdated plugins.
- By default, WordPress places no limit on the number of login attempts allowed.
- Vulnerabilities in your admin’s browser or computer.
- Using outdated browsers.
- Failure to report bugs or a time lag in reporting them.
- Using free themes.
- Failure to scan the website.
You will notice that some of these are generic practices that could apply to any CMS. However, these are still important to remember. So what can you do to ensure that your WordPress website remains secure and immune to hacker attacks? There is no one-time magic trick to make this happen. Hackers are constantly coming up with newer ways to probe websites for chinks. Often, they just use brute force. What gives them added reach is the ability to automate hacking. Programs can be written to crawl the web to identify websites with known vulnerabilities so hackers don’t even have to do much of the hard work. This might explain why, on average, as many as 30,000 sites are hacked every single day!
WordPress is highly popular with businesses. This means that customer banking details, email addresses and other precious information are liable to be compromised as a result of poor website security. As a business owner, it is your duty towards your clients to ensure maximum security on your site. You may also hire an experienced web design firm to engineer your website in such a way as to minimize vulnerabilities. However, the best safeguard is to ensure that you yourself are constantly vigilant and follow these smart measures on a regular basis:
- Update to the latest version of WordPress.
- Report bugs immediately.
- Upgrade plugins.
- Upgrade your OS and browsers.
- Do use security plugins like WordFence or Sucuri.
- Use a plugin to hide your admin page.
- Do not display your WordPress version number on the site.
- Use paid themes.
- Use strong user credentials, particularly complex alphanumeric passwords. The longer, the better. Special characters will strengthen your passwords even further.
- Use a password manager.
- Better yet, use two-factor authentication.
- Set a fixed number of login attempts.
- Set your email address as your username.
- Backup everything.
- Use SSL/TLS (HTTPS) to encrypt data in transit.
- Get rid of data you don’t need like old log files and duplicated backups.
- Disable file editing.
- Use WPScan to identify vulnerabilities and report them.
- Use trusted hosting services.
- Moderate comments and remove irrelevant ones.
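Several items on both checklists above (hiding the WordPress version, limiting login attempts, disabling file editing, forcing HTTPS on the admin side) can be applied without a third-party plugin. The following must-use plugin is an added example written for this article, not code from WordPress or from any of the plugins it mentions; the `harden_` prefix, the lockout thresholds and the reliance on `REMOTE_ADDR` are assumptions you should adapt to your host (in particular, behind a reverse proxy `REMOTE_ADDR` is the proxy, not the visitor).

```php
<?php
/**
 * Plugin Name: Hardening example (added example, not part of the original article)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 */

// 1. Do not advertise the WordPress version: removes the <meta name="generator">
//    tag from page headers and blanks the <generator> element in feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. Disable the built-in theme/plugin file editor so a compromised admin account
//    cannot drop PHP onto the server from the dashboard. Also belongs in wp-config.php.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// 3. Require HTTPS for the login page and the whole admin area.
if (!defined('FORCE_SSL_ADMIN')) {
    define('FORCE_SSL_ADMIN', true);
}

// 4. Limit login attempts per client address using transients (assumed thresholds).
const HARDEN_MAX_ATTEMPTS    = 5;    // failures allowed before lockout
const HARDEN_LOCKOUT_SECONDS = 900;  // lockout window: 15 minutes

/** Transient key for the current client; assumes REMOTE_ADDR is the real visitor. */
function harden_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'harden_login_' . md5($ip);
}

// Count each failed login. Because the lockout error below also fires this hook,
// every attempt during a lockout refreshes the window (a sliding lockout).
add_action('wp_login_failed', function (string $username): void {
    $key      = harden_client_key();
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, HARDEN_LOCKOUT_SECONDS);
    error_log(sprintf(
        'WordPress login failed for "%s" from %s (%d attempts)',
        $username,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $attempts
    ));
});

// Refuse authentication while the client is locked out, even if the password is
// correct. Priority 30 runs after WordPress's own username/password checks.
add_filter('authenticate', function ($user, string $username, string $password) {
    if ((int) get_transient(harden_client_key()) >= HARDEN_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function (): void {
    delete_transient(harden_client_key());
});
```

The failed-login lines written to the PHP error log are the detection side of this measure: a burst of them from one address is the brute-force activity the article describes, and they give you something concrete to alert on or to hand to your host.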
The hard reality is that none of these measures can guarantee complete protection. However, your website will certainly be immune to all but the most dedicated of hackers. And unless your site holds information that is valuable enough to merit such persistent efforts on the part of hackers, there is a good chance that you are safe. But that is only as long as you continue to closely monitor your site and faithfully follow the steps listed above.