WordPress now powers roughly 26% of all websites, so it is no surprise that it is a popular target for attackers. Many site owners choose this CMS for its user-friendly environment, but the truth of the matter is that a WordPress installation is only as secure as its configuration and maintenance, so users should pay far more attention to security than they usually do. More often than not, security is not a priority at all; it becomes one only after the site has been compromised by hackers or spammers.
In this article, web designer and WordPress expert Viktor from webcreate.me explains the problem and gives easy tips on how to prevent attacks on WordPress sites.
WP White Security has published interesting research on this. According to it, more than 70% of WordPress installations are vulnerable to attack. In addition, in 2012 the total number of attacked WordPress websites leaped to 117,000, and the number keeps growing every year.
The research was carried out between the 12th and 15th of September on a sample of 42,106 websites from Alexa's top 1 million, starting just one day after the release of WordPress 3.6.1, which fixed serious vulnerabilities.
The statistics that came out of the research were shocking:
- 74 different versions of WordPress were identified.
- 11 of these versions are invalid, for example version 6.6.6.
- 18 websites reported an invalid, non-existent WordPress version.
- 769 websites (1.82%) are still running a subversion of WordPress 2.0.
- Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
- 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
- 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.
Your website does not need to rank at the top or have mind-bending traffic to be attacked. In most cases, hackers simply want to use your server to send spam.
Prevention is always better than cure, so let's have a closer look at how you can protect your website from malicious parties.
1. Use a reliable hosting service
When it comes to choosing a hosting service, users have different requirements and needs, but security should be near the top of the list. Before you make a final decision, consider these things that every good provider has to offer:
- Support the latest versions of PHP and MySQL
- Scanning and detection of malicious files
- Compatibility with WordPress and a WordPress-optimized firewall
Good companies also offer daily scanning and backups, although that does not mean you can do without your own external backups.
2. Keep WordPress and its plugins updated
As mentioned above, running the current version of WordPress and of every installed plugin is essential to keeping your website secure. Older versions contain known vulnerabilities, and as attackers' techniques develop over time, the WordPress team has to respond with security releases. Every update contains bug fixes, and along with the security enhancements you usually get performance improvements.
The same rule applies to plugins. Download plugins only from trusted repositories, read the reviews and the comments about the author and the support, and ALWAYS back up your website before installing anything.
3. Login information
The most common mistake users make is keeping "admin" as the login name. Even though this is rule number one, you would be surprised how many people still stick with the username "admin", so an attacker only has to guess the password. Bear in mind that renaming the account is only a minor obstacle: WordPress usernames can often be discovered anyway, for example through author archive URLs such as ?author=1, so a strong password and the further measures below matter more.
Therefore you should fortify your login information by changing the username and using a strong password: long, unique to this site, and containing capital letters, numbers or symbols, and change it whenever you suspect it may have been exposed. You can generate one with a free tool such as Strong Password Generator or Norton Password Generator and store it in a password manager, for instance 1Password or KeePass.
Another layer of protection is two-factor authentication. For many apps and websites it has quickly become a reliable way to protect users' accounts.
WordPress does not have built-in two-factor authentication, but there are a few handy plugins such as Google Authenticator or Clef (the Clef service has since been discontinued).
Another technique is limiting the number of login attempts from a particular IP address. Some plugins (e.g. Login LockDown) let you set the number of failed attempts allowed and how long the offending address is locked out afterwards. Two caveats: if your site sits behind a proxy or CDN, the plugin must see the real client address rather than the proxy's, or it will lock out everyone at once (or nobody); and a per-IP counter on wp-login.php does not stop brute force through xmlrpc.php, which is often attacked instead.
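To see what a login limiter actually counts, here is the same logic applied offline to web-server access logs. This is an added example written for this article, not code from the original post or from any plugin; it assumes combined-format log lines in which a failed wp-login.php POST gets a 200 (the form is shown again) and a successful one a 302 redirect, and the log lines and thresholds are constructed for the example.

```python
"""Detect WordPress login brute-forcing from web-server access logs.

Added example written for this article; it is not code from the original
post or from any login-limiting plugin. It implements the same idea as
those plugins (count failed login POSTs per client IP inside a time
window, then flag the address) as an offline check over combined-format
access-log lines. Assumptions: a failed wp-login.php POST is answered
with HTTP 200 (the form is shown again) and a successful one with a 302
redirect to wp-admin; the log lines below are constructed for the
example and use documentation IP ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Failed attempts allowed per address before flagging. xmlrpc.php gets a
# lower threshold: one system.multicall request can carry hundreds of
# password guesses, so a wp-login.php-only counter never fires against it.
DEFAULT_THRESHOLDS = {'/wp-login.php': 5, '/xmlrpc.php': 3}

SAMPLE_LOG = """\
203.0.113.7 - - [15/Sep/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3574 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3574 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3574 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3574 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3574 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Sep/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3574 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Sep/2013:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [15/Sep/2013:10:01:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 12034 "-" "Mozilla/5.0"
192.0.2.9 - - [15/Sep/2013:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "python-requests/2.0"
192.0.2.9 - - [15/Sep/2013:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "python-requests/2.0"
192.0.2.9 - - [15/Sep/2013:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 421 "-" "python-requests/2.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the numeric timezone offset; all lines in one log share it.
    ts = datetime.strptime(m['ts'].split()[0], '%d/%b/%Y:%H:%M:%S')
    return m['ip'], ts, m['method'], m['path'].split('?')[0], int(m['status'])


def find_brute_force(log_text, thresholds=None, window=timedelta(minutes=10)):
    """Map each offending IP to the login endpoint it hammered.

    An address is flagged when its failed POSTs to one endpoint within
    `window` reach that endpoint's threshold. A 302 from wp-login.php
    (successful login) resets the counter for that address.
    Caveat: behind a proxy or CDN the first column is the proxy's address;
    the log must record the real client IP for any per-IP scheme to work.
    """
    thresholds = thresholds or DEFAULT_THRESHOLDS
    recent = defaultdict(deque)  # (ip, path) -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != 'POST' or path not in thresholds:
            continue
        if status == 302:
            recent[(ip, path)].clear()
            continue
        q = recent[(ip, path)]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= thresholds[path] and ip not in flagged:
            flagged[ip] = path
    return flagged


if __name__ == '__main__':
    for ip, path in find_brute_force(SAMPLE_LOG).items():
        print(f'{ip}: repeated failed logins via {path}')
```

On the constructed log the first address is flagged on wp-login.php, the third on xmlrpc.php, and the second is not flagged because its one failure was followed by a successful login. The same sliding-window counter is what a plugin keeps in the database; the point of running it over logs as well is that it shows you whether the plugin is watching the right endpoint and the right IP column.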
4. Correct file permissions
To protect your website, make sure the folders and files have the right permissions. WordPress normally works with 644 for files (640 on some hosts) and 600 for wp-config.php, so that the file holding your database credentials is readable only by the account that owns it. These values indicate who may read and modify each file.
Set directories to 755 or 750. Never use 777 on any folder or file: it means anybody with an account on the server can modify it. Directories such as wp-content/uploads do need to be writable by the web server, but that is achieved through ownership or group membership, not by making them world-writable.
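Checking this by hand across thousands of files is impractical, so here is an audit script for the policy just described. It is an added example written for this article, not code from WordPress or from any plugin; it assumes the web server runs as the file owner or as a member of the owner's group (hence 750/640 as the strictest allowed modes), and the sample tree it inspects is constructed in a temporary directory.

```python
"""Audit and repair file modes in a WordPress installation.

Added example written for this article; it is not code from WordPress or
from any plugin. The policy is the one the article describes: directories
755 (or 750), files 644 (or 640), wp-config.php 600 (or 640 when the web
server runs as a different user in the owner's group). Anything
world-writable, the 777 case, is always reported. The sample tree is
constructed in a temporary directory so the script can run anywhere.
"""
import os
import stat
import tempfile

# Allowed modes, strictest first; fix_tree() applies the strictest.
ALLOWED_DIR = (0o750, 0o755)
ALLOWED_FILE = (0o640, 0o644)
ALLOWED_SENSITIVE = {'wp-config.php': (0o600, 0o640)}


def check_tree(root):
    """Return [(relative_path, actual_mode, allowed_modes)] for every entry
    under root whose mode is outside policy. Symlinks are skipped so that
    chmod is never applied through a link pointing outside the tree."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if name in ALLOWED_SENSITIVE:
                allowed = ALLOWED_SENSITIVE[name]
            elif stat.S_ISDIR(st.st_mode):
                allowed = ALLOWED_DIR
            else:
                allowed = ALLOWED_FILE
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH or mode not in allowed:
                problems.append((os.path.relpath(full, root), mode, allowed))
    return problems


def fix_tree(root):
    """chmod every deviating entry to the strictest allowed mode; return count."""
    problems = check_tree(root)
    for rel, _mode, allowed in problems:
        os.chmod(os.path.join(root, rel), min(allowed))
    return len(problems)


def build_sample_tree():
    """Constructed WordPress-like tree with three deliberate mistakes:
    a world-readable wp-config.php, a 777 uploads directory and a 666 upload."""
    root = tempfile.mkdtemp(prefix='wp-perms-')
    os.makedirs(os.path.join(root, 'wp-content', 'uploads'))
    for rel, mode in [('index.php', 0o644),
                      ('wp-config.php', 0o644),
                      ('wp-content/uploads/a.jpg', 0o666)]:
        path = os.path.join(root, rel)
        with open(path, 'w') as f:
            f.write('<?php // placeholder\n')
        os.chmod(path, mode)
    os.chmod(os.path.join(root, 'wp-content'), 0o755)
    os.chmod(os.path.join(root, 'wp-content', 'uploads'), 0o777)
    return root


if __name__ == '__main__':
    root = build_sample_tree()
    for rel, mode, allowed in check_tree(root):
        print(f'{rel}: {mode:o}, expected one of {[oct(a) for a in allowed]}')
    print(f'fixed {fix_tree(root)} entries; remaining: {check_tree(root)}')
```

Run check_tree() against your real document root before fix_tree(): on a host where PHP runs as a different user than the one that owns the files, the uploads directory will legitimately need group write, and you should adjust the allowed modes rather than let the script lock the web server out of it.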
5. Hide the WordPress version
By default WordPress announces which version you are running (in a generator meta tag in the page head), which makes it easier for attackers to pick an exploit that matches your installation. If you are confident enough, you can add a few lines to your theme's functions.php; for those less skilled in programming, there is a plugin called Remove version that may be handy. Either way, check the result afterwards: the version also leaks through the ?ver= query string on WordPress's own scripts and styles and through the readme.html file in the site root. And remember that hiding the version is no substitute for updating; scanners try known exploits regardless of what your page claims.
These are very basic tips that every WordPress user should follow. You can also look for less well-known tips that require a few changes in PHP files but make your WordPress a little more secure.
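Because the generator tag is only one of several leaks, it is worth checking the rendered page rather than trusting the plugin. The checker below is an added example written for this article, not code from WordPress or from the Remove version plugin; it mentions the real WordPress hooks (remove_action('wp_head', 'wp_generator') and the script_loader_src/style_loader_src filters) only to explain what each fix covers, and both HTML documents it inspects are constructed for the example.

```python
"""Find WordPress version disclosure in a rendered page.

Added example written for this article; it is not code from WordPress or
from the "Remove version" plugin. The usual fix,
remove_action('wp_head', 'wp_generator'), removes only the
<meta name="generator"> tag. The version also leaks through the ?ver=
query string WordPress appends to its own scripts and styles (removed
with filters on script_loader_src and style_loader_src). readme.html in
the site root cannot be seen from the page source; fetch /readme.html
separately and make sure it is gone or returns 404. Both HTML documents
below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

BEFORE = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 3.6" />
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=3.5.2" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.10.2"></script>
<script src="/wp-includes/js/comment-reply.min.js?ver=3.6"></script>
</head><body><p>Welcome</p></body></html>"""

AFTER = """<!DOCTYPE html><html><head>
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css" />
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="/wp-includes/js/comment-reply.min.js"></script>
</head><body><p>Welcome</p></body></html>"""


class VersionLeakFinder(HTMLParser):
    """Collects (channel, value) pairs for every version-revealing element."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or '') for k, v in attrs}
        if tag == 'meta' and a.get('name', '').lower() == 'generator':
            self.leaks.append(('meta generator', a.get('content', '')))
        url = a.get('src') if tag == 'script' else a.get('href') if tag == 'link' else ''
        if not url:
            return
        parts = urlparse(url)
        ver = parse_qs(parts.query).get('ver')
        if ver:
            # Core scripts usually carry the core version (bundled libraries
            # such as jQuery carry their own); plugin assets reveal the
            # plugin's version, which is just as useful to an attacker.
            self.leaks.append(('?ver= on ' + parts.path, ver[0]))


def find_version_leaks(html):
    """Return the list of (channel, value) disclosures found in `html`."""
    finder = VersionLeakFinder()
    finder.feed(html)
    finder.close()
    return finder.leaks


def disclosed_versions(html):
    """Distinct version strings an attacker could read off the page."""
    return sorted({value.replace('WordPress ', '')
                   for _channel, value in find_version_leaks(html)})


if __name__ == '__main__':
    for channel, value in find_version_leaks(BEFORE):
        print(f'{channel}: {value}')
    print('after hardening:', find_version_leaks(AFTER))
```

Feed it the HTML your site actually serves (for example the output of curl on the front page) and expect an empty list; anything left in the list names the tag or asset path that still needs attention.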