With WordPress Security, You Don’t Have To Outrun The Bear

Imagine security threats as an angry bear. When it comes to securing a WordPress site, you don't have to outrun the bear; you just have to outsmart it.


By Avram Sand

New Possibilities Group, 02/02/2017, Technology

There’s an old joke: Two guys on a camping trip find themselves in the woods when they run into an angry bear. As the bear rears up on its hind legs, one of the men kneels down and starts lacing his sneakers tightly.

His friend asks, “What are you doing? You can’t outrun a bear.”

He replies, “I don’t have to outrun the bear. I just have to outrun you.”

This is true of camping and equally true of website security. There are situations where your site will become a target with malicious actors looking to compromise your site specifically. To protect against those scenarios, you can read our overall suggestions for hardening your CMS.

But most of the time, you are not the target.

Recent estimates put nearly 30% of all websites on WordPress. WordPress is not inherently less secure than other platforms, but that share gives attackers a target-rich environment: each new exploit for core or for a popular plugin can be tried against millions of sites at once. Bots fingerprint WordPress easily (the generator tag, the /wp-content/ and /wp-includes/ paths, /wp-login.php) and then attempt the same hacks on every site they find.

The good news is that you don’t have to make your WordPress site invulnerable; in fact, that may not even be possible. But you can keep yourself relatively safe by outrunning the security laggards among the 15+ million WordPress sites out there.

Don’t Miss an Update

Since WordPress 3.7, minor releases install automatically by default, but you should still pay close attention. Minor releases are often exactly the ones that patch specific security holes, major releases are not applied automatically, and some hosts or plugins switch automatic updates off entirely. After every security release, confirm it actually landed: check the Updates screen in the dashboard (or run `wp core check-update` if you use WP-CLI) rather than assuming.

It is also good practice to hide your version number. A short snippet in your theme's functions.php (or, better, a must-use plugin, so it survives a theme change) stops WordPress from printing its version in the page's generator tag, in feeds and in the ?ver= query strings it appends to its scripts and styles; the readme.html in the site root gives the version away too, so delete or block that file. That way, even if you are a bit late applying an update, it won't be immediately apparent to bots scanning for out-of-date installations. Keep this in perspective: it removes the easy fingerprint but does not fix the vulnerability, so it buys you time, not safety.
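As an added example (this is not code from the original post), here is a must-use plugin that removes the places WordPress prints its version. Dropping it in wp-content/mu-plugins/ rather than a theme's functions.php keeps it active regardless of theme; the file name and the `npg_example_` function name are assumptions chosen for this illustration.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (added example)
 * Description: Removes the version string from the three places WordPress prints it.
 * Install: save as wp-content/mu-plugins/hide-version.php (file name is an assumption).
 */

defined( 'ABSPATH' ) || exit; // refuse to run if requested directly instead of via WordPress

// 1. <meta name="generator" content="WordPress x.y.z"> in the <head> of every page.
remove_action( 'wp_head', 'wp_generator' );

// 2. The same generator string in RSS/Atom feeds, comment feeds and exports.
//    Every variant passes through the 'the_generator' filter, so blank it there.
add_filter( 'the_generator', '__return_empty_string' );

// 3. The ?ver=x.y.z query string appended to core scripts and styles.
//    Only strip it when it equals the core version: plugins and themes set
//    their own ver= values, and those are needed for cache busting.
function npg_example_strip_core_version( $src ) {
    $core_version = get_bloginfo( 'version' );
    if ( false !== strpos( $src, 'ver=' . $core_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'npg_example_strip_core_version', 9999 );
add_filter( 'style_loader_src', 'npg_example_strip_core_version', 9999 );
```

To check the result, fetch the home page and grep for `generator` and for `ver=` in the asset URLs; both should be gone. The snippet cannot touch readme.html, which is a static file, so remove it or deny it at the web server.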

Update Your Plugins Too

Each plugin you use brings its own vulnerabilities to the table. Make sure you install updates frequently, especially those that are marked as security updates.

If you no longer use a plugin, uninstall it rather than merely deactivating it: a deactivated plugin's files stay on disk and can still be requested directly, so any bugs in them remain reachable. Even a plugin that is 100% up to date may be introducing holes of its own. SQL injection is the classic case: an attacker feeds crafted input through an exposed form field or URL parameter, and if the plugin pastes that input straight into a database query, the attacker gets to run queries of their own. A successful injection can read user password hashes or customer data, and can also alter or delete rows without your knowledge. Plugins, especially free ones maintained by a single developer, may not have been written with the validation, sanitizing and escaping that guard against this.
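To make the validation, sanitizing and escaping point concrete, here is an added example (not from the original post and not from any real plugin) of one database lookup written the way many plugins write it and the way it should be written. The table name, the column names and the `npg_example_` functions are assumptions for illustration; only the hardened version is wired to a shortcode.

```php
<?php
/**
 * Added example: a ticket-title lookup, unsafe and safe.
 * Table wp_npg_example_tickets(id, title) is assumed to exist; it is not a real plugin's table.
 */

defined( 'ABSPATH' ) || exit;

// VULNERABLE: the request value is pasted straight into the SQL text.
//   ?ticket=1 OR 1=1                               returns every row
//   ?ticket=0 UNION SELECT user_pass FROM wp_users  returns password hashes instead of a title
// (the attacker can learn the real table prefix from information_schema.tables).
function npg_example_ticket_title_unsafe() {
    global $wpdb;
    $id  = $_GET['ticket']; // untrusted, unvalidated
    $row = $wpdb->get_row( "SELECT title FROM {$wpdb->prefix}npg_example_tickets WHERE id = $id" );
    return $row ? $row->title : '';
}

// HARDENED: validate the type, bind the value with prepare(), escape on output.
function npg_example_ticket_title() {
    global $wpdb;

    // Validation: the id must be a non-negative integer; anything else becomes 0 and is rejected.
    $id = isset( $_GET['ticket'] ) ? absint( $_GET['ticket'] ) : 0;
    if ( 0 === $id ) {
        return '';
    }

    // Sanitizing: prepare() substitutes %d/%s/%f placeholders safely. Never put quotes
    // around %s yourself; prepare() adds them and escapes the value.
    $sql = $wpdb->prepare(
        "SELECT title FROM {$wpdb->prefix}npg_example_tickets WHERE id = %d",
        $id
    );
    $title = $wpdb->get_var( $sql );

    // Escaping: the value is about to land in HTML, so neutralise it for that context.
    return $title ? esc_html( $title ) : '';
}
add_shortcode( 'npg_example_ticket', 'npg_example_ticket_title' );
```

When reviewing a plugin, search its source for `$wpdb->query`, `get_row`, `get_var` and `get_results` calls whose SQL string contains a `$` variable or a `$_GET`/`$_POST` value but no `prepare(`; each one is a candidate for exactly the hole described above.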

Hide Your Admin Portal

One of the most common attacks on any site (WordPress or not) is the brute-force login attempt: scripts try passwords by the thousands, often starting with dictionary words and leaked password lists. The first line of defense is long, unique passwords and avoiding guessable usernames such as admin or administrator. Don't rely on usernames staying secret, though: WordPress reveals them through author archive URLs (/?author=1) and, since 4.7, through its REST API, so also limit failed login attempts and add two-factor authentication for accounts with admin rights.

However, even if you can keep your own credentials secure, other users may not be as careful. Why not prevent unauthorized users from even knowing what page they are supposed to log in from?

The easiest way to tell whether a site runs WordPress is to request /wp-admin/ (which redirects to wp-login.php) or /wp-login.php directly. Moving that URL, along with other identifiers such as the default wp_ table prefix, keeps you off the "easy target" list because mass scanners never find the login page. Two caveats: a changed table prefix does not stop SQL injection, since an attacker who can run queries can read the real table names from information_schema; and a moved login page still leaves xmlrpc.php accepting usernames and passwords unless you block it. Obscurity here reduces noise; it is not a control on its own.

Prevent PHP Execution

WordPress needs a writable uploads folder (wp-content/uploads) so that admins can add images and other media. Make sure the web server refuses to execute, or even serve, PHP files (the language WordPress is written in) from anywhere under that folder.

That way, if an attacker does manage to upload a malicious file, say a web shell disguised as an image, requesting it returns an error instead of running it, and it cannot be used to plant a backdoor. The restriction only covers direct requests; a file-inclusion bug in another script could still include the file, which is one more reason to keep plugins patched.

Set Up Firewalls

This is a good idea for all sites, WordPress or not. The entire Internet does not need to reach your admin area, your login page or your file directories, so restrict who can. You can allow only specific IP addresses (your office network, for example) or require users to be on a VPN before they can reach /wp-admin/ and wp-login.php at all; a brute-force script that cannot load the login page cannot guess passwords against it.
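The three server-side measures above (blocking PHP in uploads, restricting the admin area and login page, and denying the version leak in readme.html) fit in one Apache 2.4 configuration fragment. This is an added example, not configuration from the original post; the document root and the 203.0.113.0/24 and 198.51.100.7 addresses are placeholders to replace with your own paths and the networks your editors use.

```apache
# Added example: Apache 2.4 virtual-host fragment for a WordPress site.
# /var/www/html and the addresses below are placeholders, not real values.

# 1. Uploads must stay writable, so make the web server refuse to serve anything
#    that looks like PHP from that tree. Denying the request works whether PHP runs
#    as mod_php or as PHP-FPM ("php_flag engine off" only works under mod_php and
#    breaks the server if mod_php is absent). The pattern is deliberately not
#    anchored at the end so that "shell.php.jpg" is caught as well.
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "\.ph(?:p\d?|tml|ar)">
        Require all denied
    </FilesMatch>
</Directory>

# 2. Only the editors' networks may reach the login page and the admin area.
#    Anyone else gets a 403 before WordPress even loads.
<Files "wp-login.php">
    Require ip 203.0.113.0/24 198.51.100.7
</Files>
<Location "/wp-admin">
    Require ip 203.0.113.0/24 198.51.100.7
</Location>
# admin-ajax.php is called by many front-end features for anonymous visitors;
# re-open it or those features break. Later <Location> blocks override earlier ones.
<Location "/wp-admin/admin-ajax.php">
    Require all granted
</Location>

# 3. xmlrpc.php also accepts a username and password (and system.multicall lets
#    one request carry hundreds of guesses). Deny it unless the mobile app or a
#    plugin such as Jetpack genuinely needs it.
<Files "xmlrpc.php">
    Require all denied
</Files>

# 4. readme.html in the site root states the WordPress version in plain text.
<Files "readme.html">
    Require all denied
</Files>
```

Reload Apache, then verify: a request for /wp-content/uploads/test.php (or /wp-login.php from an address outside the list) should return 403, while the home page and /wp-admin/admin-ajax.php still answer. If the site sits behind a CDN or reverse proxy, Apache sees the proxy's address, not the visitor's, and `Require ip` will either lock everyone out or let everyone in; configure mod_remoteip (`RemoteIPHeader` plus `RemoteIPTrustedProxy`) first. On shared hosting without access to the virtual host, the `<FilesMatch>` block can go in wp-content/uploads/.htaccess and the `Require ip` line in wp-admin/.htaccess, provided AllowOverride permits it; `<Location>` is not allowed in .htaccess files.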

Tired of Running?

Maintaining a secure website doesn’t have to be like this. Custom CMS solutions avoid most of these pitfalls and require far less effort to keep safe. Get in touch to learn more about secure, custom content management systems.


