How to Protect Your WordPress Website

With the recent WannaCry ransomware cyber attacks, security is yet again at the top of the agenda. There seems to be an upward going trend here, so time to protect your web applications!

In February 2017, Wordfence reported that the top 25 attacking IPs were responsible for more than 80 million different attacks on WordPress websites. This massive figure reflects how WordPress turns out to be a privileged target for hackers all around the world. How come?

Feb 2017 - @Wordfence report: Top 25 attacking IPs responsible for over 80M attacks on #WordPress Click To Tweet

WordPress is open source. This is what makes it so popular but it also involves its source code being visible for everyone. Think about it – if a hacker manages to break into a WordPress website by spotting a security hole in the theme code, it is likely that he will be easily able to strike again against other websites using the same theme as they have the same weakness. If the theme is popular, a smart hacker may take control of a huge number of websites.

Here we listed some common risks related to hacking:

  • Having your hosting account suspended (especially if you benefit from a shared hosting solution, your host will want to prevent infection spreading to other websites on the same server)
  • Seeing your website crash
  • Losing control of your website
  • Getting your data stolen (no joke, even the big ones are vulnerable!)
  • Having your data deleted or edited
Image of a lock with data behind
http://vinciworks.com/blog/8-principles-data-protection-act-gdpr-guide/

Locking the access to your data is the main problem for WordPress websites

The aftereffects can be terrible for your reputation. The relationship of trust that you have been building with your customers or readers can be wiped off within a matter of hours. What are they going to think if they start receive uncontrolled spam messages on your behalf? Realize that your website has not been accessible for more than a week? Notice that you are now displaying popups to porn sites?!

Sure. We might be presenting you some of the most disastrous consequences. But never say never. Let us take a look at the main protection issues.

What common attacks you may face?

  • Brute-force attacks

Brute-force attacks are among the most common attacks. As a matter of fact, Wordfence counted more than 63 millions of them coming from the top 25 attacking IPs during past February. They are basically login guessing attacks. Hackers have automated bots that will be constantly trying to guess your admin password by entering various username and password combinations on your WordPress login interface. At some point, they may crack the right one and take control of your website. Do note that even if brute-force attacks turn out to be unsuccessful, your website can still undergo a slowdown as your server faces too many login requests.

Image depicting how botnets proceed to attack a computer
http://www.helpsec.net/malware-infected-home-routers-used-to-launch-ddos-attacks

Brute-force attacks are generally undertaken by botnets, powerful networks of computers, controlled by an attacker!

  • PHP code cracking

Those are more complex attacks but still very common ones. Wordfence reckons that more than 18 million of them were coming from the top 25 attacking IPs in February. They imply hackers spotting weaknesses in the PHP code of your website, including themes and plugins. They are indeed likely to contain security holes in their conception. A report by wpscan.org estimates that 52% of the code vulnerabilities come from WordPress plugins against 37% from core WordPress code and 11% from WordPress themes.

To have your code broken may lead to file inclusion. Hackers will try to load specific code lines that will eventually give them control on your website.

  • Malware

Malware is the short name for malicious software. It consists of a piece of code injected into your website’s files enabling hackers to gain access to sensitive information such as your login credentials. Username and password are sometimes contained in temporary files that are created after editing the wp-config.php file (one of your core website files). And these are what malware would generally be looking for.

  • Cross-Site Scripting

Cross-Site Scripting attacks account for 84% of all security vulnerabilities on the web according to iThemes. As far as WordPress is concerned, this kind of weakness is commonly found in infected plugins. Basically, hackers will try to get a user to load pages containing corrupt javascript scripts. Without you knowing, the data that your browser has collected (login cookies, etc.) can be stolen.

How can I protect my website?

You get it, WordPress is an easy victim. Protecting your website is not an option, it’s a must. WordPress websites are not necessarily insecure. Prevention is better than cure they say and as long as you conscientiously follow security best practices, you should be fine!

  • Stay aware & updated

WordPress, as well as theme and plugin editors, are constantly looking for security holes in their core code and learning from previous attacks. As a consequence, they regularly release patches in order to fill in the security gaps that they have detected. Therefore, it is crucial that you follow the update release pace. As soon as they are available, updates will appear in the dashboard. Outdated versions of WordPress, themes and plugins leave the door wide open for hackers.

Moreover, there is no point keeping unused and unmaintained web applications on your website. They are acting as entry points for attacks. Finally, be aware of sensitive temporary files that could be created following a reconfiguration and delete them.

  • Protect your website’s access

With frequent brute-force attacks trying to guess usernames and passwords, your login credentials undergo a huge pressure. There are very simple actions you can take to maximize the confidentiality. On the one hand, use a STRONG password. That involves mixing capital and lowercase letters as well as numbers and symbols and containing more than eight characters. On the other hand, change it twice a year at minimum. And finally, keep your password specific to your WordPress account.

Image of a person setting a password
http://www.jfk-binding.co.uk/blog/wp-content/uploads/2016/03/privacy-computer-e1458303666447.jpg

Protecting your credentials is crucial in order to prevent brute-force attacks

  • Make sure your website benefits from the best security plugins

You also require anti-intrusion programs. Plugins, such as iThemes Security, WordFence or Sucuri, are among the most popular and recognized security plugins. Malware detection and eliminations, brute-force attack blocking, PHP attack protection, etc. They are undoubtedly must-have prevention tools in order to keep control of your website as well your data safe.

  • Pick secure hosting solutions

There are two things you should bear in mind when choosing a hosting solution. At first, check the reputation of the hosting provider: how many websites does it power compared to others? Is users’ feedback positive or negative? Secondly, if you decide to go for a shared hosting solution, make sure that websites are isolated from each other in order to avoid attacks spreading on the whole server.

  • Always download from trustworthy sources

With so many attractive downloadable themes and plugins, installing any of them can be very tempting. However, as stated previously, they are main sources of security breaches if their code is poorly-written or outdated. As a result, make sure you only install them from trustworthy sources (WordPress Plugin Directory for instance) or from websites belonging to editors that have been in the industry for a while.

  • Save your data

Sometimes, despite all the prevention measures that you have been taking, data loss cannot be avoided. One way of recovering it is to regularly proceed to backups that you can easily upload to your website. Many plugins such as BackupBuddy or UpdraftPlus can take care of it.

Conclusion

Bear in mind that even though security is one of the biggest challenges that WordPress has to face right now, your website will remain insecure only if you do not take appropriate actions. Your website’s safety depends on you. Taking into account the pieces of advice mentioned above will give you a 99.99% protection against any ill-intentioned entity!

At Wiredelta®, we are very much aware of WordPress security issues and we take them quite at heart. In particular, we have developed a hosting solution providing you optimal safety as it is managed by an AI. The latter is scanning your website 24/7 in order to spot malware, checking for security updates and blocking brute-force attacks. Not to mention that our coming-soon platform’s plugin directory will be giving you access to the best security plugins. Check out our demo at wiredelta.com/signup!

Recent Comments

2 Comments

  1. Sam Bhatt
    June 15, 2017

    A very informative blog post on how to secure your WordPress website. A must read for definite knowledge to have for attacks to your WordPress site. Good one! 🙂

    • The Wiredelta Team
      August 4, 2017

      Thanks Sam! Glad you liked it 🙂

Leave a Reply