It is more important than ever to have a solid WordPress security strategy implemented. It’s also very important to note that security is a risk reduction, not an elimination.
Here is a scary statistic for you. Did you know that on average 30,000 new websites are hacked on a daily basis? That translates to roughly one website being hacked every 39 seconds. Those are some staggering statistics, right? Every single website, regardless of whether it is a simple blog, a portfolio showcase, a small online business, or a dynamic e-commerce platform, is always at risk. Regardless of the kind and scale of security defenses that have been put into place, the website can still be attacked, as hackers are constantly evolving and innovating new ways to hack websites. If you are consistent in website security checks and proactive about website security, you will be better prepared to minimize the risks and prevent hacking attempts from being successful.
Confused as to why a hacker would target your website? To be honest, most of the time it isn’t you, your business, or your site specifically that the hackers care about. Hackers are typically targeting the software or plugins that are used on your website. I’ve often sat back and asked myself as I watch live firewall logs: why are you targeting something like a food truck website, and man, you are seriously persistent. Don’t you have anything better to do? Are you practicing for something bigger, or are you just looking for a good street taco recipe? It seems like a lot of effort to spoof yourself from 25 different countries and just pound away. Then after about 4 days and 12,000 attempts to gain access, just as mysteriously as they showed up, they go away… But do they really just go away?
Sometimes the answer is yes and sometimes it’s no, and the majority of the time it’s the latter. They just embed themselves and hang out, sort of like that friend who ends up sleeping on your couch for months. Yes, I’ve seen that one as well. Sometimes I’ve wondered which one is harder to get back, the website or my couch.
Let me just warn you, here’s how it’s going to play out when it happens.
Suppose the hacker did find a way in and their plan was just to embed links in your content. I doubt that you, as a business owner, are looking for these things on a daily basis, but then you get that phone call from a customer who is typically very pleasant, but for some reason not today, and they ask you why your website has blog content about mail order brides, or something much worse. When I say worse, I mean potentially game ending for your online business.
Your first response is disbelief: this has to be some kind of joke. Then you look at the page or blog post that the customer referenced, and the shock sets in. After you’re able to think clearly for a second, the first questions you ask yourself are how long has this been on my site and who else has seen it, and then you immediately think, what else has been done? If your site was compromised, the odds that they only left you with one digital present are pretty low. There will be more, and now it turns into a game of hide and seek, except the hacker forgot to let you know the game had already started.
You start finding blog posts that they were kind enough to write and publish for you, comments on already published posts, and then that strange hyperlinked text in your content, which first and foremost I never suggest clicking. Here, the safest thing to do is to stop immediately. If you are not technically well versed in WordPress, or any platform for that matter, this is when I would advise you to immediately call your developer, your agency, or your hosting provider. Hopefully there is a backup strategy in place that can recover the site, or they can scan for malware and have it cleaned. This might get you back online, but the question still remains: what digital crack did they crawl through?
Basically what I am saying is the game isn’t over yet; your friendly neighborhood hacker is likely either still entrenched or left the back door unlocked just in case he needed a place to crash again. Sorry about that joke, but in times like this humor might just be the only thing that keeps what is left of your sanity intact.
I’ll get an email or a phone call and the person says, “Someone told me to reach out to you because I need some help with my website.” I think, oh how nice, nothing better than a customer referral. The obvious next question I ask is, how can I help you? Then comes the dreaded response: “I think my website has been hacked,” or “I unknowingly started selling mail order brides on my site,” or even worse, “when I go to my website all I see is a white screen.” For me, it’s a pretty tight race on which response is the worst. But I’ve seen them all happen, and fortunately our team has been able to recover them all, some much more unpleasant than others, but a win nonetheless with another happy customer. Let me be clear here: even though a hacked site can be recovered, that does not mean the customer is in the clear. There may be additional damage that has been done financially and to their reputation.
I repeat this again later in the article, because it’s just one of those things that deserves repeating and mostly because I have seen this happen more than I care to count.
Know who you’re going to call ahead of time if you yourself are not a WordPress expert. It’s like the digital version of break glass in case of emergency or the list of emergency phone numbers your parents left on the fridge for the babysitter when you were a kid.
Do you have a freelancer or developer on standby? If so, make sure you have an agreement in place and they are dependable when it comes to availability.
Do you have an agency that maintains your website and actively monitors for issues? Do they have an after-hours or weekend support model in place for emergency issues?
If you’re not a WordPress expert and the answer to those questions is no, then do your research now, because more than likely if you just call your hosting provider, your sense of urgency and theirs are light years apart. Don’t take that as a knock against hosting providers, there are some great ones out there, but they have no intimate knowledge of your business or your website, and if you don’t have a backup and security service in place, getting your site back online may have just become a little more challenging.
In our experience with hosting providers, some offer full and incremental backups of your site by default, while others have add-on services that cost extra. Some have great support teams that can help you out and get things back online, but then what? Now you are constantly worried about it happening again.
As a business owner, if you don’t have experience in this area, you may not have thought about this simply because you were so excited to have your website. So here is my advice: do your homework when you are looking to have your website built. If you are using a freelancer, they typically design, build, and help you get it deployed, and then they move on to another project. If you are using an agency, some offer hosting along with support and maintenance plans, and some do not. If you have the skill set to maintain and support your site, then this isn’t going to be a problem for you, but that’s not typically the case.
This article aims to show you why you, as a business owner, should invest in WordPress security. It also explains the solutions that we believe can help you create your own WordPress security strategy that will reduce your exposure from hackers that exploit common WordPress security flaws to gain access to your site.
Why it’s important to ensure your WordPress site is secured
It’s crucial as a business owner to understand the significance of having your WordPress site secured. Every planned step that you implement towards hardening the security of your WordPress website directly contributes to the success of your online business. Investing in WordPress security will always be beneficial and the results will be evident the next time a hacker decides to execute a cyberattack against your site.
The Credibility of Your Business
The credibility of your business is earned through years of hard work building customer relationships and brand trust. It is built on the values that you, as the business owner, set and follow. Even a small DDoS attack or brute force attempt can cause your most loyal customers to question your business’s credibility. Why shouldn’t they? After all, your customers depend on your products and services to meet their needs.
When your website crashes or is compromised by hackers, your business loses hard-earned credibility and is either unable to serve your customers or serves them with a degraded experience. After a breach, your customers will lose their trust in your business and begin considering the options offered by your competitors.
When your WordPress website is the target of a cyberattack, it affects the site’s efficiency and could potentially make it non-operational. This is not limited to potential or returning customers visiting your site; it could also impact your internal operations such as order and product management. Now take a quick second and think about the damage such interruptions can cause during a busy holiday season or when you are running sales campaigns.
According to a report published by IBM, Cost of a Data Breach 2022, “A data breach in the US costs over twice the global average. For the 12th year in a row, the United States holds the title for the highest cost of a data breach, USD 5.09 million more than the global average.”
This report shows that cyberattacks are still the key driver of financial damage to businesses. Despite these staggering losses, regrettably, a large number of online business owners still don’t understand the dire need to review their existing security strategy and implement a more sophisticated solution that can withstand today’s cyber security challenges.
Now that you understand the importance of a secured website, let’s look at some of the common security vulnerabilities that impact WordPress.
WordPress Common Security Vulnerabilities
What happens if you ignore all the stats and do nothing to secure WordPress? It turns out that a lot of things can go wrong very quickly, so here are the most common ways that hackers gain access to or crash a WordPress site, and which you should deal with now rather than later.
Brute Force Login Attempts
One of the most basic forms of attack is the brute-force login attempt. This is when hackers use automation to quickly try many username-password combinations until they eventually guess the correct credentials. Brute-force attacks can be aimed at password-protected information in any form, not just logins.
Cross-Site Scripting (“XSS”)
The XSS attack is next. This attack is when an attacker injects malicious code into the target website’s backend to extract data and cause havoc. The code can be inserted into the backend using more sophisticated methods, or simply by submitting a response to a user-facing page.
Database Injection
This attack is also known as SQL injection. An attacker submits harmful code to a website via user input, such as a contact form. The website then stores the code in its database, just like an XSS attack.
A backdoor is another common attack. Backdoors are files that contain code which allow an attacker to bypass WordPress’ standard login and gain access to your site at any moment. Backdoors are often hidden among other WordPress source files making it difficult for inexperienced users to locate them. Even after the backdoor is removed, attackers may create variants and continue to use them to bypass your login.
WordPress limits the file types that users can upload in order to minimize the risk of backdoors. However, it is important to protect your website from such attacks.
Denial-of-Service (DoS) Attacks
Next comes a more common attack: the Denial-of-Service attack. These attacks block authorized users from accessing their websites. DoS attacks involve overloading servers with traffic and causing crashes. A Distributed Denial-of-Service (DDoS) attack is a DoS attack in which multiple machines attack a single server.
Phishing is something you might be familiar with. Phishing is when an attacker pretends to be a legitimate company or service in order to contact a target. Phishing attempts often prompt targets to provide personal information, download malware, or visit dangerous websites that could harm their computers. An attacker who gains access to your WordPress account could coordinate phishing attacks against your customers while posing as you. As you can see, that’s not good for your business reputation.
Hotlinking is when another website owner links to an image hosted on someone else’s site instead of uploading it to their own server, making the content appear to be theirs. This can result in bandwidth theft and slower page loads, and could have a negative impact on your SEO. There are security plugins available that can detect and prevent hotlinking, or inline linking. As always, make sure you do your research before you start installing new plugins; there are potential performance implications there as well. It is additional code, after all, and if it is not coded correctly or extra steps are not taken to ensure it only loads when needed, unnecessary code execution can be very costly to page load times. As if the hotlinking was not bad enough, right?
Plugins: The majority of WordPress security vulnerabilities are caused by third-party plugins. Some plugins can be great add-ons to your site, but they are not essential, so be aware of their potential dangers. Plugins are an easy way in for hackers because they are written by third parties and have access to the backend of your website.
Again, for the most part, it isn’t you, your business, or your site specifically that the hackers care about. Hackers are typically targeting the software or plugins that are used on your website.
Old WordPress versions: WordPress releases updated versions periodically to fix security flaws. Hackers often target vulnerabilities in older versions of WordPress once they have been fixed in a newer release. This issue can be avoided by updating your website regularly.
The login page: By default, the backend login page of any WordPress website is the main URL with “/wp-admin” or “/wp-login.php” added to the end. An attacker can find this page easily and attempt a brute-force login. You can reduce the chances that hackers will correctly guess your passwords by making them varied and complex.
Themes: Your WordPress theme can make your site vulnerable to cyberattacks. Old themes can be incompatible with the latest version of WordPress. This allows easy access to your source code files. Many third-party themes don’t follow WordPress’ code standards, which can cause compatibility issues and other vulnerabilities. Do your research before adding a theme or plugin to your website.
Now that we’re done with that, let’s talk about how you can minimize the risk of a cyberattack against your WordPress site.
How to Secure Your WordPress Website
While there is no guarantee that you won’t experience an issue, the chances of having one are much lower if you follow these best practices. Some of them apply to all websites (e.g. strong passwords, two-factor authentication and SSL), while others are specific to WordPress websites (e.g. using secure themes and plugins).
It is essential that you follow these best practices to keep your site safe. Let’s start with the basics. We’ll then share additional steps that you can take if your site is at particular risk.
- Secure your login procedures.
This is the first step to ensuring your website is secure. Protecting your accounts from malicious login attempts is the most important step in protecting your website. This is how you do it:
Use strong passwords: Strong passwords are essential for all users who have access to your WordPress website’s backend. A single user with a weak password can put everyone in trouble. One of our suggested password managers might be a good choice to help you generate strong passwords and keep track of them.
Enable two-factor authentication: This is one of the most efficient and simple ways to protect your login. This is how you add two-factor authentication to WordPress.
Avoid giving any account the username “admin”: Attackers will most likely try “admin” first during brute force login attempts. If you have already created this user, create a new administrator account with a different username. We also recommend automatically blocking any IP address that attempts to log in with the admin username.
Limit login attempts: You can protect your site by limiting the number of times a user can enter the wrong credentials. Once that limit is reached, the CMS blocks further login attempts from that source, which stops brute-force logins. Firewalls or hosting services may be able to do this for you, but you can also use a plugin such as Wordfence or iThemes.
Add a Captcha: This security feature is common on other websites. A captcha adds security to your login by verifying that you are a real person. You can add a captcha plugin to your website.
Enable auto logout: Last but not least, be vigilant about logging out, especially if you are on a public computer. If you forget to log out, auto-logout will prevent strangers from accessing your account. The Inactive Logout plugin can be used to enable auto-logout in WordPress.
- Secure WordPress Hosting
Let’s now discuss the role of your hosting provider in WordPress security. There are many things to consider when choosing a hosting provider for your website, but security should always be the first priority. Do your research to find out about the company’s security measures and how they recover from an attack. We would recommend checking out Kinsta and WP-Engine; we’ve had great experiences with both providers.
- Upgrade your WordPress version
Older versions of WordPress software are a big threat. This issue can be avoided by regularly checking for updates and installing them as quickly as possible.
First, make sure that you take a backup of your website and verify that your current plugins have been tested against the latest version of WordPress.
- Upgrade to the most recent version of PHP.
For WordPress security, upgrading to the latest PHP version is a must. WordPress will notify you via your dashboard when an upgrade is available. Some hosting providers will let you test PHP version upgrades before making the update to your live site. We highly suggest you verify the new PHP version doesn’t cause any conflicts or impact user experience. If you do not have access to your hosting account, contact your web developer to ensure all updates and maintenance are taken care of. If you do not have a developer and are not sure how to perform the upgrade, just reach out and we will be more than happy to get the required updates and testing taken care of for you.
- Install one or more security plug-ins
WordPress website security is something you can do on your own, but you don’t have to. You can use a security plugin; we recommend doing your research before you install any plugin. We would recommend that you install one or more trusted security plugins on your site. (Emphasis on trusted!)
These plugins take care of most security-related manual tasks for you. They scan your website for possible infiltration attempts, alter source files that could make your site vulnerable, reset and restore WordPress, and prevent content theft such as hotlinking. These plugins are trusted and can cover most of the items on the list.
No matter what plugins you choose to install, whether security-related or not, ensure that they are legitimate and well established. Any other plugins you download are at your own discretion.
- Secure WordPress themes are recommended.
Just as you shouldn’t install questionable plugins on your website, resist the temptation to choose a WordPress theme just because it looks cool. Why, you ask? It could actually make your site more vulnerable to serious issues. Choose a WordPress theme that conforms to WordPress standards to avoid vulnerabilities.
Copy the URL of your WordPress website (or any WordPress site URL) and paste it into W3C’s validator. If your theme does not pass, you can search for a suitable theme in the official WordPress directory.
- Use SSL (HTTPS).
SSL (Secure Sockets Layer) is the technology that encrypts the connection between your website and your visitors’ web browsers. This ensures that your visitors’ traffic is protected from unwanted interception.
WordPress users can choose to set up SSL manually or to use a plugin. It will not only improve SEO but also make your website more appealing to visitors. Google Chrome warns visitors if a site isn’t using SSL, and that directly affects website traffic.
Visit your WordPress website’s homepage to see if your site uses the SSL protocol. Your connection is secure if your homepage URL begins with “https://” (note the “s”). You will need an SSL certificate if your URL starts with “http://”.
- Install a firewall
To protect your WordPress website, we recommend installing a Web Application Firewall plugin. Before you make your decision, consider carefully which firewall and plugin is best for you. We recommend Wordfence or Sucuri based on our experiences.
- Backup your website.
Being hacked is a very stressful experience. If you lose all your data, it can be even more distressing. You can prevent this by making sure that your WordPress website is backed up regularly, with a plugin or via your hosting provider. We would recommend BlogVault given our experiences; it is easy to use and has a one-click restore option. Backups should be done frequently and automatically, and depending on the nature of your site there are options to back up in-flight e-commerce transactions.
- Regular WordPress security scans are recommended.
Last, but not least, we recommend that you conduct routine checks on your website. This can be done in a number of ways, but we would recommend an automated scan with a notification going to an administrator or developer who can take immediate action. Remediation immediately following detection of malware may just save you a lot of time and money.
After you have completed these steps, you can move on to the more advanced security measures for your WordPress website.
Advanced WordPress Security Best Practices
- Filter special characters from user input.
If any part of your website accepts input from visitors, there is a possibility of an XSS attack or database injection. This could be a payment form, a contact form, or the comment section on a post. An attacker could insert malicious code in any of these fields to disrupt your website’s backend.
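The following is an added example and not code from the original article: a WordPress contact-form handler written two ways. The first concatenates raw form input into SQL and echoes it back (the database-injection and XSS pattern described above); the second uses WordPress’s own nonce, sanitization, prepared-statement and output-escaping functions. The table name `contact_messages`, the field names and the function names are assumptions for the example.

```php
<?php
/**
 * Added example (not from the original article). The table name
 * contact_messages and all field/function names are assumptions.
 */

// BEFORE: raw input goes straight into SQL and straight back into HTML.
// A quote or a <script> tag in any field ends up in the query or the page.
function unsafe_store_message() {
    global $wpdb;
    $table = $wpdb->prefix . 'contact_messages';
    $wpdb->query( "INSERT INTO {$table} (name, email, body) VALUES ('{$_POST['name']}', '{$_POST['email']}', '{$_POST['body']}')" );
    echo 'Thanks, ' . $_POST['name'];   // reflected XSS: rendered exactly as submitted
}

// AFTER: nonce check, per-field sanitization, placeholders, escaped output.
function safe_store_message() {
    global $wpdb;

    // 1. Only accept submissions that came from our own form (CSRF guard).
    if ( ! isset( $_POST['contact_nonce'] ) || ! wp_verify_nonce( $_POST['contact_nonce'], 'contact_form' ) ) {
        wp_die( 'Invalid form submission.', 'Error', array( 'response' => 403 ) );
    }

    // 2. Sanitize each field for the kind of data it is supposed to hold.
    $name  = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $body  = sanitize_textarea_field( wp_unslash( $_POST['body'] ?? '' ) );

    // 3. Validate: refuse what sanitization cannot repair.
    if ( '' === $name || ! is_email( $email ) || strlen( $body ) > 2000 ) {
        wp_die( 'Please check the form fields.', 'Error', array( 'response' => 400 ) );
    }

    // 4. $wpdb->insert() builds the statement itself; the %s formats make
    //    sure every value is quoted and escaped, never parsed as SQL.
    $inserted = $wpdb->insert(
        $wpdb->prefix . 'contact_messages',
        array( 'name' => $name, 'email' => $email, 'body' => $body, 'created' => current_time( 'mysql' ) ),
        array( '%s', '%s', '%s', '%s' )
    );
    if ( false === $inserted ) {
        wp_die( 'Could not save message.', 'Error', array( 'response' => 500 ) );
    }

    // 5. Escape on output: stored data is shown as text, never as markup.
    echo 'Thanks, ' . esc_html( $name );
}

// Reading the messages back (e.g. on an admin screen): prepare() for the
// query, esc_html() for every value that reaches the page.
function render_recent_messages( $limit = 20 ) {
    global $wpdb;
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT name, email, body FROM {$wpdb->prefix}contact_messages ORDER BY created DESC LIMIT %d",
            absint( $limit )
        )
    );
    foreach ( $rows as $row ) {
        printf( '<li>%s (%s): %s</li>', esc_html( $row->name ), esc_html( $row->email ), esc_html( $row->body ) );
    }
}

// The form carries the nonce that safe_store_message() verifies.
function render_contact_form() {
    echo '<form method="post">';
    wp_nonce_field( 'contact_form', 'contact_nonce' );
    echo '<input name="name"><input name="email"><textarea name="body"></textarea><button>Send</button></form>';
}
```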
- Limit WordPress user permissions
Multiple user accounts are common on WordPress sites. To limit each user’s access to what they need, we recommend that each user be assigned an appropriate role. WordPress offers six built-in user roles.
Limiting administrator permissions to users will reduce the likelihood of attackers brute-forcing into admin accounts. This will also limit the damage that could be done if attackers correctly guess user credentials.
- WordPress monitoring
You should have a website monitoring system in place so that you are notified of suspicious activity on your website. Although your existing measures can prevent much of that activity, it is better to know sooner rather than later. A WordPress monitoring plugin can be used to receive an alert in the event of a breach.
- Log user activity.
Another way to avoid problems is to keep a log of all activities on your website and check it periodically for suspicious activity. You’ll be able to see if someone is doing something suspicious (e.g. changing passwords, altering plugin files, or installing plugins without permission). Logs are also useful when cleaning up after a hack, providing details about what went wrong and when.
This doesn’t mean that every file modification or password change is a sign of hacker activity within your organization. It is a good idea, however, to monitor the external contributors you employ and give access rights to.
Many WordPress plugins can create activity logs, such as WP Activity Log and the free Activity Log plugin.
- Modify the default WordPress login URL.
We’ve already mentioned that the default URL for WordPress’ login page is easy to find. There are ways to change it to increase your security. You can use plugins such as iThemes and other hide-login plugins to change the URL of your login page.
- Disable file editing from the WordPress dashboard.
WordPress allows administrators to edit the code in their files with the built-in code editor. If an attacker gains access to your account, this gives them an easy way to modify your files. If this feature has not already been disabled by a plugin, you can disable it yourself with a single line of configuration in wp-config.php: define the DISALLOW_FILE_EDIT constant as true.
- Change your database file prefix.
Your WordPress database’s table names begin with “wp_” by default. It’s true: hackers can use this setting to locate your database tables and perform SQL injections.
Simply change the prefix to something such as “wpdb_” or “wptable_”. This setting can be set up even during installation of the WordPress CMS. We recommend being very careful if this is not done during the initial configuration, especially if you have already gone on a plug-in install spree. One wrong step and all of a sudden the screen goes white and you get the dreaded email saying your site may be experiencing issues. Not that I have ever seen that email of course. 🙂
- Disable xmlrpc.php.
XML-RPC allows the WordPress CMS to communicate with other web and mobile applications using a remote-procedure-call protocol based on XML. It is still used by some to launch devastating attacks against WordPress sites.
Because attackers can submit hundreds of commands through XML-RPC, it makes it easier for them to execute brute force login attacks. XML-RPC is less secure than REST, as it carries authentication credentials that can easily be exploited.
You can disable xmlrpc.php if you don’t use XML-RPC. First check whether the file is being used by your site: enter your URL into the XML-RPC validator to see if your site is using the protocol. You can disable XML-RPC with WordPress security plugins such as Wordfence.
- Consider deleting the default WordPress admin account.
While we have discussed changing the username of the default WordPress admin account (“admin”), it is worth considering deleting the default account altogether and using a security plugin to automatically block any IP address that attempts to log in to your WordPress website with that username. This is standard practice with every site that we build and support.
- Consider hiding your WordPress version.
If you hide your WordPress version, hackers won’t be able to read it from your pages. As we have already explained, you must always upgrade to the most current version of WordPress; if you have not yet done so, concealing the version helps hide any potential vulnerabilities in the meantime.
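As an added example, not the article’s or any plugin’s own code, here is one must-use plugin file that implements several of the items above in code: the DISALLOW_FILE_EDIT constant from the file-editing item, disabling XML-RPC, hiding the version, and, from the login section earlier, refusing the “admin” username and limiting failed logins per IP address. Assumptions: the file is placed in wp-content/mu-plugins/ (where WordPress loads it automatically), the site is not behind a reverse proxy, and the threshold of 5 failures per 15 minutes is an arbitrary choice.

```php
<?php
/**
 * Plugin Name: Hardening (added example, not from the original article)
 *
 * Assumptions: saved under wp-content/mu-plugins/, no reverse proxy in
 * front of the site, and an arbitrary limit of 5 failures per 15 minutes.
 */

// 1. Disable the dashboard file editor. This constant is conventionally
//    defined in wp-config.php; defining it here also works because
//    mu-plugins load before the admin menus that check it are built.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// 2. Turn off XML-RPC. Confirm first (see the XML-RPC item above) that
//    nothing such as a mobile app or remote publishing tool depends on it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 3. Stop advertising the WordPress version: remove the generator meta tag
//    from page heads and blank the generator string used in feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 4. Limit failed logins per IP using transients (no extra table needed).
define( 'HARDEN_MAX_ATTEMPTS', 5 );
define( 'HARDEN_WINDOW', 15 * MINUTE_IN_SECONDS );

// Key under which the failure counter for the current client is stored.
// Assumption: no reverse proxy, so REMOTE_ADDR is the real client address.
// Behind a trusted proxy you would read its forwarded-for header instead;
// never trust that header from arbitrary clients.
function harden_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'harden_login_' . md5( $ip );
}

// Count each failure. wp_login_failed fires after WordPress has rejected
// the credentials; the counter expires on its own after the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = harden_client_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, HARDEN_WINDOW );
    error_log( sprintf( 'Failed login for "%s" (%d in current window)', $username, $attempts ) );
} );

// Refuse authentication once the limit is reached, and refuse the username
// "admin" always. Priority 30 runs after WordPress's own username/password
// checks (priority 20), so a WP_Error returned here is final even when the
// password happened to be correct, and the caller learns nothing either way.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( 'admin' === strtolower( (string) $username ) ) {
        return new WP_Error( 'admin_blocked', 'This username is not accepted.' );
    }
    if ( (int) get_transient( harden_client_key() ) >= HARDEN_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Please try again later.' );
    }
    return $user;
}, 30, 3 );
```

The failure counter is per-IP and in-memory-or-database via transients, so it complements rather than replaces the firewall or plugin-based blocking the article recommends.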
How to Respond if You Are Hacked
You’ve taken all the steps above and are now ready in the event of an emergency. Or something has already gone wrong. Whatever the reason, here are some things you can do.
- Try to remain calm.
Even for those who worked hard to secure their sites, security breaches can still happen; remember, security is a risk reduction, not an elimination. Know who you’re going to call ahead of time if you yourself are not a WordPress expert. If not, do you have a developer on standby? Do you have an agency that maintains your website and actively monitors for issues? If you’re not a WordPress expert and the answer to those two questions is no, then do your research now, because more than likely if you just call your hosting provider, your sense of urgency and theirs is likely light years apart. No offense to hosting providers, there are some great ones out there, but they have no intimate knowledge of your site, and well, like I said, try to remain calm.
- Put your website in maintenance mode.
Next, if you are able to access the administrative console, restrict access to the site. This keeps visitors away from the site and protects them from the attack. Do not reopen your website until you feel that the intrusion has been fully remediated and the situation is under control.
- Start creating an incident log.
Next, gather all the facts you can for an incident report. These facts are clues that will help you solve the problem. Pay attention to:
- When you discovered the problem.
- What made you believe that you were being attacked?
- Your current theme, active plug-ins, and hosting provider.
- Any recent modifications you made to your WordPress website before the incident.
- A log of all actions taken during the investigation and resolution of the problem.
As more information becomes available, be sure to update this document.
- Reset permissions and access.
To prevent website modifications, change all passwords on your WordPress site. Next, force-logout all users who are still logged into your WordPress site.
It is highly recommended that account holders also update their passwords on work and personal devices, as well as on personal accounts. You don’t know what the attackers could access beyond your WordPress website. It’s not easy, but it can reduce the damage caused by the attack.
- Find the problem.
In some cases you may be able to find the problem using a security plugin. Depending on how severe the attack was, you may need to hire someone to diagnose the problem and repair your site. No matter how the attack was carried out, you should run a security scan of your site and all local files. This will allow you to remove any malicious code or files that the attackers may have left behind and restore any files that are missing.
- Check out related websites, especially on shared hosting.
Is your website linked to any other platforms? If so, you should also take steps to secure any accounts on those platforms that are linked to your website.
- Reinstall from backup, and reinstall themes and plugins.
Double-check that your plugins and themes are safe before you reinstall them. You can restore any backups you made before the incident.
- Change your site passwords again.
WordPress security is a delicate matter. Although you have already reset your passwords and fixed the problem, it is still possible that the credentials were compromised. You cannot be too cautious, so consider changing them again.
- Notify your customers.
Once you have validated that the issue is clear and your website is back online, you should notify your customers of the breach, especially if customer personal information was potentially accessed and taken. This is not an easy thing to communicate as a business owner, but your customers trust your business. If your information had been leaked from such a breach, would you want to know? As you can imagine, you will probably get varying reactions, but you should be prepared for some less than positive responses. The sooner you notify your customers, the better.
These best practices have been defined for a reason and if you think you will never be the target of a hacker, you just might get lucky. Implementing these standard WordPress security practices will surely lessen the chance of a hacker being successful, which in turn will help protect the credibility and continued growth of your online business. As a business owner, you should discuss your options with your web developer, hosting platform, or the agency that you trust your WordPress site to. If none of those options are available, just reach out and we will be more than happy to give you an assessment that includes steps to remediate any vulnerabilities that we may uncover.