There’s an old joke: Two guys on a camping trip find themselves in the woods when they run into an angry bear. As the bear rears up on its hind legs, one of the men kneels down and starts lacing his sneakers tightly.
His friend asks, “What are you doing? You can’t outrun a bear.”
He replies, “I don’t have to outrun the bear. I just have to outrun you.”
This is true of camping and equally true of website security. There are situations where your site will become a target with malicious actors looking to compromise your site specifically. To protect against those scenarios, you can read our overall suggestions for hardening your CMS.
But most of the time, you are not the target.
Most recent estimates show that nearly 30% of websites are powered by WordPress. Though WordPress is not inherently less secure than other platforms, it gives hackers a target-rich environment to try out each exploit. Bots can easily identify WordPress sites and attempt the same hacks on each one.
The good news is that you don’t have to make your WordPress site invulnerable; in fact, that may not even be possible. But you can keep yourself relatively safe by outrunning the security laggards among the 15+ million WordPress sites out there.
Don’t Miss an Update
Many WordPress updates install automatically these days, but you should still pay close attention. Minor updates are often released to patch specific security holes.
It’s also a good practice to hide your version number. You can update WordPress’s functions.php file to prevent your current version of WordPress from being exposed. That way, even if you are a bit late on making an update, it won’t be immediately apparent to any bots looking for out-of-date WordPress installations.
Update Your Plugins Too
Each plugin you use brings its own vulnerabilities to the table. Make sure you install updates frequently, especially those that are marked as security updates.
If you no longer use a plugin, consider uninstalling it. Even if your plugin is 100% up to date, it may still be introducing security holes to your site. SQL injection hacks take advantage of exposed form fields to make unauthorized queries of your site’s database; success injection hacks can retrieve user passwords or credit card information. It can also alter or delete data directly from the database without your knowledge. Plugins—especially free ones—may not have practiced proper validation, sanitizing, or escaping techniques to protect against SQL injection hacks.
Hide Your Admin Portal
One of the most common types of hacks on any site (WordPress or not) is a brute-force attack. Hackers will run scripts to try to enter password combinations by the thousands, often starting with dictionary terms. The simplest way to protect yourself is by using secure passwords and by avoiding common usernames (such as admin, administrator, etc.)
However, even if you can keep your own credentials secure, other users may not be as careful. Why not prevent unauthorized users from even knowing what page they are supposed to log in from?
The easiest way to identify whether a site is on WordPress or not is by navigating to /wp-admin/ for that site. Changing this URL (along with other identifiers that your site is on WordPress, such as WP_ table prefixes) is a good way to keep yourself off the “easy target” list.
Prevent PHP Execution
WordPress sites need to have a writable uploads folder to allow the admin to add images and other media assets. You’ll want to make sure the server prevents any PHP files (the language in which WordPress is scripted) from being executed within that folder.
This ensures that if anyone does manage to upload a malicious file, it won’t be able to run and create any backdoors.
Set Up Firewalls
This is a good idea for all sites, whether or not they are built on WordPress. The entire Internet doesn’t need to access your admin areas or file directories, so why not add some security measures around access? You can whitelist only specific IP addresses or even require users to be logged into a VPN in order to access your site admin areas.
Tired of Running?
Maintaining a secure website doesn’t have to be like this. Custom CMS solutions avoid most of these pitfalls and require far less effort to keep safe. Get in touch to learn more about secure, custom content management systems.
