WordPress is the most popular content management system (CMS) on the Internet today. There are around 74,652,825 sites running on WordPress and around half of those are hosted on the free WordPress.com site. The rest are hosted on private servers.
There is a reason so many CMS-based sites use WP. WordPress is a smart and intuitive platform that nearly anyone can learn to use. There are numerous plugins and themes available to help website owners customize the look and features of a site. Plus, those who understand coding can easily customize their sites even further.
However, WP is also susceptible to a few security threats. Hackers love to go in through the backdoor of your WP site and attempt to set up residence there. Fortunately, if you are aware of the most common security threats, then you can easily fix them and prevent hackers from taking over your site. Below are the top 5 WordPress security threats and how to fix them.
1. Weak passwords
You’ve probably noticed that most sites requiring a password now insist on a strong one, with capital and lower-case letters, numbers and special characters. The more complicated you can make the password (while still remembering it), the less chance hackers have of breaking into your site.
Understand that hackers often use bots that can try dozens of passwords in seconds. If your password is easy to guess, you can be certain it will be guessed. Tips for creating and protecting a strong password include:
- Not using the same password for everything
- Making the password at least 12 characters long
- Making sure all your devices used to sign in are secure (two-factor authentication helps)
2. SQL injection
WordPress stores its content in a database and builds pages with PHP server-side scripts. While this works well to deliver content quickly and create a WYSIWYG environment, it also exposes your WP site to injection through URL parameters. Basically, hackers embed malicious commands within a URL; if the site passes that input straight to the database, the database responds and reveals sensitive information, and the attacker may even be able to change the content on your site. A few methods to help prevent SQL injections include:
- Update to the latest version of WordPress. Any versions below the most current may be vulnerable to SQL injections.
- Use a site such as WordPress Security Scan to find vulnerabilities in your site and then fix them. The basic scan is free and will identify common errors, but you can also upgrade to a premium scan to check for lesser-known vulnerabilities.
- Update to the latest version of PHP that your web hosting server allows. The more up to date the PHP, the less vulnerable your WordPress site will be to hacking.
- Update plugins. Many vulnerabilities are found in plugins and themes, so make sure you update to the latest version. Also, pay attention to the last time the creator updated the plugin or theme. If they no longer offer updates, switch to a different plugin that does.
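The root cause of the injection described above is query text built from request input. The following is an added example, not code from the article or from WordPress itself: a plugin-style search function written the vulnerable way and then the hardened way using the real WordPress `$wpdb->prepare()` API. It assumes WordPress is loaded (so `$wpdb`, `sanitize_text_field()` and `add_shortcode()` exist); the shortcode name `find_posts` is made up.

```php
<?php
// VULNERABLE: the raw request value is interpolated straight into the SQL text.
// Any value containing a quote can end the string and append its own clauses.
function insecure_find_posts( $term ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_status = 'publish' AND post_title LIKE '%{$term}%'";
    return $wpdb->get_results( $sql );
}

// HARDENED: the value goes through $wpdb->prepare(), which escapes it and binds
// it as data, not SQL. The table name comes from $wpdb so it follows any prefix change.
function secure_find_posts( $term, $limit = 20 ) {
    global $wpdb;
    $term  = sanitize_text_field( $term );
    $like  = '%' . $wpdb->esc_like( $term ) . '%';   // escape the % and _ wildcards too
    $limit = absint( $limit );
    $sql   = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s
         LIMIT %d",
        $like,
        $limit
    );
    return $wpdb->get_results( $sql );
}

// Typical wiring: a shortcode that reads the search term from the query string.
add_shortcode( 'find_posts', function () {
    $term = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';
    $out  = '<ul>';
    foreach ( secure_find_posts( $term ) as $row ) {
        $out .= '<li>' . esc_html( $row->post_title ) . '</li>';   // escape on output as well
    }
    return $out . '</ul>';
} );
```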
3. Default database table prefix
Because MySQL is the most common database used, it is also a target for hackers. When you use your server’s one-click or easy install features, the default database table prefix is wp_. Keeping this prefix means a hacker already knows the names of your database tables. If you are just setting up your WP site, it is simply a matter of changing the prefix during installation. However, if you already have an established WP site, you’ll need to go in and make some changes to use a different prefix. You can change your database prefix fairly easily, though, by following these steps.
- Back up your database in case there is an issue when making changes. This allows you to easily restore the site if there is an error.
- Go to the root directory of your WordPress installation (you can use FTP, or some hosts allow file access through the control panel) and open the wp-config.php file.
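The database side of the prefix change, as an added example that is not part of the article: a one-off CLI script that renames every table and then fixes the rows whose keys embed the prefix. It assumes a fresh backup has been taken, that it is run once as `php change-prefix.php`, and that the connection details are placeholders to be replaced with the values from wp-config.php; the new prefix `k7q_` is a constructed sample.

```php
<?php
$old = 'wp_';
$new = 'k7q_';   // constructed example; choose your own short random prefix

// Placeholder credentials: copy DB_NAME, DB_USER and DB_PASSWORD from wp-config.php.
$pdo = new PDO( 'mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD' );
$pdo->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

// LIKE pattern for the literal prefix: an unescaped underscore is a one-character wildcard.
$oldLike = str_replace( '_', '\_', $old ) . '%';

// Step 1: rename every table that carries the old prefix, plugin tables included.
$stmt = $pdo->prepare( 'SHOW TABLES LIKE ?' );
$stmt->execute( [ $oldLike ] );
foreach ( $stmt->fetchAll( PDO::FETCH_COLUMN ) as $table ) {
    $target = $new . substr( $table, strlen( $old ) );
    $pdo->exec( sprintf( 'RENAME TABLE `%s` TO `%s`', $table, $target ) );
    echo "$table -> $target\n";
}

// Step 2: some rows embed the prefix in their key (wp_user_roles in the options
// table, wp_capabilities and wp_user_level in usermeta). WordPress looks these up
// under the new prefix, so without this step no account keeps its role.
$cut = strlen( $old ) + 1;   // SUBSTRING positions are 1-based; $cut is our own integer
$pdo->prepare( "UPDATE `{$new}options`  SET option_name = CONCAT(?, SUBSTRING(option_name, {$cut})) WHERE option_name LIKE ?" )
    ->execute( [ $new, $oldLike ] );
$pdo->prepare( "UPDATE `{$new}usermeta` SET meta_key    = CONCAT(?, SUBSTRING(meta_key, {$cut}))    WHERE meta_key LIKE ?" )
    ->execute( [ $new, $oldLike ] );

echo "Done. Now set \$table_prefix = '{$new}'; in wp-config.php.\n";
```

RENAME TABLE commits implicitly, so the script cannot be rolled back as one transaction; the backup from the first step is the way back if it stops part way.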
4. Brute force attacks
In a brute force attack, a hacker goes to the login page of a website and simply tries the username admin with dozens of password combinations. Fortunately, this is a pretty easy security threat to stop.
- Install the plugin Limit Login Attempts Reloaded. A brute force attack can also slow down your website and eat up bandwidth; this plugin stops it by locking an IP address out of your site completely after too many failed passwords in a short amount of time.
- Install a security plugin. Many of today’s security plugins come with a firewall that blocks anyone attempting suspicious activity on your site. One good one is All in One WordPress Security and another is Wordfence. However, there are a number of options, so choose the one that works best for you and is affordable.
- There are some more advanced tactics you can use, such as .htaccess password protection, but start with the plugins, and if that doesn’t stop the attacks you can get more in-depth with your protection. You can also change the default admin username to better protect your site.
- You can also change your username using the tutorial at Hostinger.
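To show what a login-limiting plugin actually does, here is an added example that is neither the article's code nor the Limit Login Attempts Reloaded plugin: a small must-use plugin that counts failed logins per client address with WordPress transients and refuses authentication once a limit is reached. The limits (5 failures in 15 minutes) and the `slt_` names are constructed; it assumes it is dropped into wp-content/mu-plugins/ and that the site is not behind a reverse proxy (it reads REMOTE_ADDR only).

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example)
 */
const SLT_MAX_FAILURES = 5;
const SLT_WINDOW       = 15 * MINUTE_IN_SECONDS;   // lockout window; WordPress defines the constant

function slt_client_key() {
    // REMOTE_ADDR only: X-Forwarded-For is client-supplied unless a trusted proxy sets it.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'slt_fail_' . md5( $ip );
}

// Core fires wp_login_failed for a wrong username or wrong password. Count it;
// every further failure, blocked or not, restarts the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = slt_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, SLT_WINDOW );
    if ( $count >= SLT_MAX_FAILURES ) {
        error_log( sprintf( 'login throttle: %s locked out after %d failures (user "%s")',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $count, sanitize_user( $username ) ) );
    }
}, 10, 1 );

// Refuse authentication while locked out. Priority 30 runs after the core
// username/password check, so the error is not overwritten by that check.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( slt_client_key() ) >= SLT_MAX_FAILURES ) {
        return new WP_Error( 'slt_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( slt_client_key() );
} );
```

Transients live in the options table (or the object cache), so the counter survives across requests and PHP processes; the page's firewall plugins add the same idea at the HTTP layer.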
5. Hijacking an open user
If multiple people work on your site, each one is a security risk. If a user logs in and then walks away from their computer, the open session is exposed to anyone in the vicinity. This could be a problem in a shared workspace, for example. If that person’s computer gets hijacked, your site could be vulnerable as well.