Securing WordPress

Introduction

WordPress is most likely the most popular way to run a website these days. In 2016, Forbes published a report claiming that over 25% of the websites online today are run by WordPress.

HostKoala customers often ask us how to secure their WordPress installations, so today we are going to talk about securing WordPress. Before we begin, we need to understand why securing WordPress is essential.

Why do I need to secure WordPress?

As with Android and Windows, when a product has a major market share in any environment, bad people (hackers) will always look to exploit it. We have all heard about Android and Windows viruses and malware, and WordPress is no stranger to these issues.

How are hackers hacking WordPress websites?

Hackers are constantly looking for exploits in WordPress websites. Thankfully, WordPress is updated very often. However, frequent updates do not prevent zero-day exploits (hacks that work against the latest WordPress version), and they do not help a site that runs an old WordPress installation or a poorly written or old WordPress plugin/theme.

Why would anyone want to harm my personal or small-time blog/website?

Most users will say, “But I’m just hosting a harmless blog/website, why would anyone want to hurt my site?” The truth is, hackers are not specifically targeting your site; they are targeting all WordPress websites.

There are most likely over 300 million WordPress installations worldwide. Hackers aren’t personally trying to hack each of them one by one; they use bots that are programmed to automatically search for vulnerabilities in WordPress sites.

What do hackers gain by hacking my site?

There are numerous reasons for this. Among them are:

  • Gaining personal information from you or your users
  • Selling that information online
  • Sending out spam mail after gaining access to your account
  • Putting malware on your website to redirect visitors to their website
  • Using your website as a bot in DDoS attacks
  • Gaining fame (some hackers just don’t care; they only want to prove that they can do it)

Securing WordPress

Now that we have identified how and why hackers hack WordPress websites, we are ready to learn how to secure your WordPress installation.

STEP 1 : Update WordPress

Under your WordPress Dashboard, you can see an update option.

If there is an update, install it. Keep updating until no more updates are left.

STEP 2 : Update your WordPress Theme/Plugins

Updating Plugins : Go to Plugins / Installed Plugins; the list of all your plugins will appear. If a certain plugin is not on its latest version, WordPress will let you know.

Updating Themes : Go to Appearance / Themes, and you’ll see all your installed themes there. The outdated ones will be marked just like plugins were. Simply click on “Update now.”

BEST : Update every day. Your WordPress core software and plugins should be updated every 24 hours. This will protect you from “Zero-Day” hacks. Hackers are busy attacking websites every day, so you need to be equally vigilant defending yours.

STEP 3 : Using a good admin username/password

Be creative and do not use admin as your administrator username. Use long, hard-to-guess passwords that combine upper- and lower-case letters, symbols, and numbers. Change them every now and then.

BEST : Use only strong passwords. 32 characters is a good length. 64 is great. This should apply to both your username & password.

STEP 4 : Only install reputable themes/plugins from WordPress itself

It is best to avoid plugins/themes that are not available from WordPress itself. This includes themes/plugins downloaded from random places on the internet rather than from WordPress.org.

Secondly, it is important that we only use good and reputable plugins. A simple way to pick out good plugins is to use those that have been updated recently and have a high rating.
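
An added example, not part of the original article: one way to apply the "updated recently, high rating" filter to every installed plugin, using the `last_updated`, `rating` and `num_ratings` fields that the WordPress.org plugin information API returns. The thresholds, the plugin slugs and the sample records are constructed assumptions so the script runs offline.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumed thresholds; the article only says "updated recently" and "high rating".
MAX_AGE_DAYS = 365
MIN_RATING = 80        # WordPress.org reports rating on a 0-100 scale
MIN_NUM_RATINGS = 20   # a high score from a handful of votes proves little

# Constructed sample records shaped like WordPress.org plugin_information
# responses (api.wordpress.org/plugins/info/1.2/); the slugs are made up.
SAMPLE_RESPONSES = json.loads("""{
  "example-forms":      {"rating": 94, "num_ratings": 812,
                         "last_updated": "2024-05-02 1:30pm GMT"},
  "example-slider":     {"rating": 96, "num_ratings": 240,
                         "last_updated": "2019-11-20 9:05am GMT"},
  "example-seo":        {"rating": 100, "num_ratings": 3,
                         "last_updated": "2024-04-11 10:00pm GMT"},
  "example-sideloaded": {"error": "Plugin not found."}
}""")


def vet_plugin(info, now):
    """Return the reasons to distrust a plugin; an empty list means it passes."""
    if "error" in info:
        # No directory listing: the plugin did not come from WordPress.org.
        return ["not listed on WordPress.org"]
    reasons = []
    updated = datetime.strptime(info["last_updated"], "%Y-%m-%d %I:%M%p GMT")
    age = now - updated.replace(tzinfo=timezone.utc)
    if age > timedelta(days=MAX_AGE_DAYS):
        reasons.append(f"no update for {age.days} days")
    if info.get("rating", 0) < MIN_RATING:
        reasons.append(f"rating {info.get('rating', 0)}/100 is below {MIN_RATING}")
    if info.get("num_ratings", 0) < MIN_NUM_RATINGS:
        reasons.append(f"only {info.get('num_ratings', 0)} ratings")
    return reasons


def audit(responses, now):
    """Map each installed plugin slug to its list of findings."""
    return {slug: vet_plugin(info, now) for slug, info in responses.items()}


if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed for repeatability
    for slug, reasons in audit(SAMPLE_RESPONSES, fixed_now).items():
        print(f"{slug:20} {'OK' if not reasons else 'REVIEW: ' + '; '.join(reasons)}")
```

Plugins flagged REVIEW are candidates for replacement or removal; a stale plugin with a high rating is still flagged, because both conditions have to hold.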

STEP 5 : Using a security plugin

Installing a security plugin adds an extra layer of security on top of the steps you have already taken. One such plugin is Wordfence, which has a free version (which is sufficient).

STEP 6 : Always have backups

It is always recommended to back up your WordPress site as often as you can! You can achieve that with plugins such as WP All in One Migration, or by backing up your entire hosting account. This is an extra safety net: in case your site does get hacked, you have a safe and sound restore point.

Conclusion

With a few simple steps, you can secure your WordPress website. If you have further questions, you can leave comments below.