With a market share of over 60% and 500+ new websites being hosted each day on the WordPress platform, there is no debate on the dominance of WordPress as a content management system. However, despite being easy to use and having unparalleled functionality, WordPress comes with its own set of security risks.
Did you know that WordPress accounted for a whopping 90% of hacked websites in the year 2018? Harmful backdoor files were found in over 65% of all hacked websites, and SEO spam messages in more than 50% of the them.
These security issues can severely impact your business. Here’s how:
- Customers or visitors would be unable to access your site and you could lose valuable traffic
- Company sales and revenue could be affected
- SEO rankings might drop, and your website could be blacklisted by Google and other search engines
- And finally, your site could lose its reputation and hard-earned brand value.
As a WordPress website owner, it’s critical to implement security measures and take the appropriate steps to fix common vulnerabilities.
But how do you even know what could put your website at risk?
To make your life easier, we’ve put together this list of the 5 most common issues that generally affect WordPress websites and their security. Let’s take a look:
1. Use of Outdated core WordPress & Plugins/Themes on the Website
Just like any other software tool periodically releases the latest version (or update), WordPress also has its share of releases. In fact, the core WordPress version goes for a major upgrade once in every 152 days, with the latest version 5.2 released on May 2019.
WordPress has many plugins/themes that can be installed on your website to improve its functionality. Some of the popular WordPress plugins include Yoast SEO, Akismet, and WooCommerce, while some of the popular themes include Oshine, Divi, and Uncode.
Typically, hackers look for security-related vulnerabilities in your WordPress core and the installed plugins/themes through which they can damage your website. This is the reason why both the WordPress team and a majority of third-party plugin/theme developers release timely updates containing security fixes.
However, the real problem is that most WordPress users do not keep these website components updated. An estimated 52% of WordPress-related vulnerabilities are the result of outdated plugins.
How to fix this issue:
- Download and install the latest WordPress released version.
- Review all the installed plugins/themes on your website regularly and update them. You can do this from your WordPress dashboard (as shown in the sample screen below).
- If you are managing multiple WordPress websites, updating each of the installed plugins/themes can be a cumbersome and time-consuming task. You can use plugins with wordpress management features to simplify your task. They allow you to update all your components (across all websites).
- Follow the practice of downloading your plugins/themes from the official WordPress repository or trusted websites.
- Get rid of all abandoned or unused plugins/themes that have not been updated recently by their developers.
2. Website Hosted on a Vulnerable Web Host
Your web host server can determine the overall safety of your website to a large degree. Let’s look at the two primary types of web hosts and how they impact security:
- Shared hosting
As the name indicates, shared hosting comprises of multiple websites hosted on the same server. The hosted websites share various server resources, including disk space, server bandwidth, and database tables. Compared to other types of web hosting, shared hosting is more cost-effective and budget-friendly for WordPress owners.
However, the flip side is that shared hosting can compromise your website security. For example, hackers could host their websites on shared hosts to gain easier access to the other hosted websites. If a site on a shared host is hacked, it usually leads to the compromise of all the other sites.
- Managed hosting
Although more expensive than shared hosting, managed hosting is a safer option because the entire hosting server is dedicated to your website. All the server resources are available for your website. Some of the security features that managed hosting offers include firewall protection, malware scanning tools, and access management.
How to fix this issue:
- Check with your current web host provider on the security-related services that they provide.
- If you are currently on a shared web host, switch to the more secure managed hosting platform.
- You could also migrate your entire website to a different web host provider or web domain. If you want to perform website migration with minimum impact on your live website, use a free migration tool like Migrate Guru.
3. Weak WordPress Login Credentials
Did you know that even in 2019, online users continue to use weak passwords such as “123456” and “password” for logins? Many WordPress users with “administrator” rights are assigned a default username of “admin” and do not change it. This practice is one of the bad habits of site management. It makes it easier for hackers to gain illegal access to your WordPress account and access your critical website files.
Among the primary means for exploiting login page vulnerabilities, brute force attacks top the list and are growing stronger by the day. A brute force attack deploys automated bots to try and gain access to login pages by guessing the user credentials. If they gain access, they can damage your website by:
- Stealing confidential data, such as user details and financial records.
- Leaving behind backdoors for re-entry at a later stage even after a complete cleanup.
- Redirecting the web pages to other unsolicited sites.
- Adversely impacting the overall website speed and performance.
How to fix this issue:
- Always choose a strong login password with a combination of special and alphanumeric characters.
- Use a unique username specific to each user instead of generic usernames like “admin” or “user1.”
- Follow a practice of changing the passwords of all your users regularly.
- Deploy the effective CAPTCHA tool for your login. It restricts the number of failed login attempts to thwart brute force attacks. It is also useful in distinguishing between a human user and an automated bot.
- Block all login requests from bad or suspicious IP addresses that are generally used by hackers worldwide.
You can use Word-Based password plugins to create strong passwords
4. Improper User Management
In addition to deploying brute force attacks, hackers try to gain access to your WordPress account by using your WordPress admin credentials. Why? Because with admin access, they can inflict maximum damage. For example, they can corrupt crucial website backend files that are not accessible to other users.
To avoid this issue, WordPress allows you to create 6 different user roles with their own set of privileges. These include:
- Super Admin user who has the complete set of admin privileges on multiple websites owned by the business.
- Admin user who has complete “admin” privileges but is restricted to one website.
- Editor who has no “admin” rights and can only publish and manage user posts on the website.
- Author who has the rights to publish and manage their submitted posts on the website.
- Contributor who can write their website posts but does not have any “publishing” privileges.
- Subscriber who has the least level of user rights and can only create or update their user account or profile on the website.
Assigning “super admin” or “admin” rights on multiple WordPress users can seriously endanger the overall security of your website. The key is to assign user roles and privileges based on careful evaluation of each user’s role and tasks. Through proper user management, even if hackers gain access to user accounts of a “contributor” or “subscriber,” they gain limited permissions and can inflict minimal damage on the website.
How to fix this issue:
- Assign the “Super Admin” role only to website owners (particularly if they are managing multiple websites).
- Restrict the total number of users with “admin” rights. Only assign this role to trusted and experienced users who have prior experience as a WordPress administrator.
- Assign user roles and privileges based on the scope of their responsibilities and work.
5. Lack of SSL Certification
Secure Socket Layer (or SSL) is a prescribed safety standard used to encrypt website data and safeguard the website. An SSL-certified website (for instance, https://<website_name>.com) can secure the communication between the website server and the user’s device or browser.
With the growth of online transactions, users often share sensitive information details over the Internet that can be highly risky. These include information like bank account number, credit card number, or bank details. An SSL certificate encrypts this information, ensuring that the data is only shared with the intended user.
How to fix this issue:
- You can check with your web host provider if they can provide an SSL certificate for your website. Alternately, you can log in to your web host account and check if they have provided you with an “SSL” option. After an SSL security certificate is installed, the website URL will be preceded by “https://” and a padlock symbol will be shown in the browser address bar.
- Ensure that all your “http” webpages are redirected to “https” domain. You can use automated tools like Really Simple SSL to easily configure your website for the “https” domain.
Despite security measures, things can still go wrong with your website. It is imperative to use reliable backup solution which acts as a safety net in this case. We highly recommend investing in an automated backup plugin like Updraftplus or BlogVault so you have something to fall back on in case of a security attack.
A quick recap:
In this article we looked at 5 of the most common issues with WordPress Security and how to deal. Let’s quickly look at what we have learnt.
- Keep the WordPress Core, Themes and Plugin updated.
- Employ a secure managed web hosting provider.
- Use strong user credentials.
- Evaluate and assign User roles carefully.
- Use an SSL certificate to secure your site and keep the website data encrypted.
By resolving these 5 common WordPress issues, you can significantly improve the overall security rating of your WordPress website. While there is never 100% guaranteed security against hackers, we’re all better off safe rather than sorry.