5 Security Mistakes That Could Leave Your WordPress Site Open To Attack
Why do we hear about hacked WordPress sites so often? Is there something about WordPress that makes it more likely to be hacked? In reality, WordPress is as secure as any other content management system in its class, and a good deal more secure than many of its competitors. But it can be made insecure through neglect and bad management. When you hear about a hacked WordPress site, the attack could almost always have been repelled had the site’s owners followed a few simple security precautions.
Online crime is a fact of life on the web, and websites are regularly probed for vulnerabilities. Some sites fall quickly, and others last for many years without an attacker finding their way in. What are the insecure sites doing wrong? Before we discuss five mistakes that can lead to a WordPress site being hacked, I’m going to highlight one mistake that is extremely common: failing to update. Updates fix security vulnerabilities. If you don’t install new versions of WordPress when they are released, eventually, your site will be hacked. But, even if you do update your site regularly, other mistakes can allow criminals to compromise it.
Mistake #1: Installing Plugins And Themes From Unverified Sources
I have a friend who spends his weekends fixing up old cars. His goal is to get them running as good as new without investing a lot of money. So he spends hours in junkyards searching for parts. He doesn’t mind where the parts come from, doesn’t care about their history, as long as they are in good condition and are the right part for his current project. That’s fine for car parts, but it’s a catastrophic approach to take to software. Software can be tampered with in ways that physical objects cannot. And, unless you are a programmer, there is no way to be sure that it hasn’t been tampered with.
WordPress plugins and themes are software. If a bad actor wants to infect a WordPress site with malicious code, the easiest way is to buy a premium plugin, add malicious code to it, and give it away for free. WordPress users in search of a bargain download the plugin and install it on their site. Once the malicious code is installed, the site is completely compromised.
Plugins and themes should only be installed if you trust the source. The WordPress repository is trustworthy, and so are the major theme and plugin marketplaces. You can also trust the sites of prominent WordPress developers, but be suspicious of software from any other source.
Mistake #2: Not Using A Web Application Firewall
Ordinary network firewalls can’t protect your site against attacks carried in web traffic. They see what look like legitimate web requests and let them through. A Web Application Firewall, also known as a WAF, is designed to work at the level of the application, catching malicious requests before they get to WordPress. When an attacker attempts an SQL injection attack, for instance, they have to send an unusual-looking request. The WAF knows what this type of request looks like and blocks it.
There are several WAFs available for WordPress. The Sucuri and Wordfence plugins include WAF functionality. ModSecurity is a dedicated Web Application Firewall that you can install on your WordPress server. The best WordPress hosting providers include a WAF like ModSecurity on their WordPress hosting accounts.
Mistake #3: Choosing a Bad Hosting Provider
WordPress site owners enter a partnership with their hosting provider. They are responsible for the site itself and, to a certain degree, its security. The hosting provider is responsible for the security of the data center, the servers, and the software on which WordPress depends. The best hosting providers go to great lengths to hold up their end of the security partnership. But many hosting providers do the bare minimum, particularly where keeping software up-to-date is concerned.
In 2017, a WordPress hosting provider was forced to pay a huge ransom after criminals encrypted the sites of thousands of its customers. The hosting provider’s software was woefully outdated and riddled with vulnerabilities.
When choosing a hosting provider, it is rarely a good idea to opt for the cheapest. Engineering a secure and reliable hosting product is not inexpensive, and you can guarantee that the lowest-priced hosting providers are cutting corners.
Mistake #4: Not using two-factor authentication
Most users cannot be trusted to choose secure passwords or to look after them properly. That statement may sound judgmental, but a quick look at the most popular passwords should convince you of its truth. A WordPress site with easily guessed user passwords is vulnerable to brute-force and dictionary attacks. Brute-force bots trawl the internet looking for WordPress sites and making repeated login attempts with different passwords. This shouldn’t be a successful strategy, but so many users choose bad passwords that it’s a reliable source of compromised sites.
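The repeated login attempts described above leave a recognisable trace in the web server’s access log: bursts of POST requests to wp-login.php from one address that keep getting the login form back (HTTP 200) instead of the redirect (HTTP 302) a successful login produces. The following script is an added example, not part of the original article, that flags such bursts; the log lines are constructed, and the combined log format and the 200/302 convention are assumptions about a default WordPress install behind Apache or Nginx.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-format access-log pattern (assumed Apache/Nginx default layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.9 hammers wp-login.php (WordPress answers a failed
# login with HTTP 200 and the form again); 198.51.100.7 logs in once (302 redirect).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.9 - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1523'
     for s in range(0, 12)]
    + [
        '198.51.100.7 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
        '198.51.100.7 - - [10/Oct/2023:13:55:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 40211',
    ]
)

def failed_login_attempts(log_text):
    """Yield (ip, timestamp) for each POST to wp-login.php that did not redirect."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] != "302":  # a successful login is answered with a redirect
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def find_login_bursts(log_text, threshold=10, window_seconds=60):
    """Return {ip: most failed attempts seen in any window} for IPs at or above threshold."""
    by_ip = defaultdict(list)
    for ip, ts in failed_login_attempts(log_text):
        by_ip[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):       # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed wp-login.php POSTs within 60s")
```

Addresses flagged this way are candidates for a WAF block rule or a login-throttling plugin; tune the threshold to your site’s normal traffic before acting on it.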
Two-factor authentication forces users to provide extra proof that they are who they claim to be, typically a one-time code sent to a mobile device. Two-factor authentication plugins such as WordPress Two Factor Authentication integrate with a variety of two-factor authentication services.
Mistake #5: Improper Use Of User Roles
WordPress provides several user roles, including Administrator, Editor, Author, and so on. Each user role grants users a different level of access to WordPress’s functionality. There are two common mistakes where user roles are concerned. First, giving too many people Administrator permissions. Second, using the same account for more than one person, especially if it’s an Administrator account. Users should always be given the least access they require to complete their tasks. Administrators have total control over a WordPress site, and giving too many people that privilege is a recipe for disaster. Every user should have their own account so that they can be given the right user role, and so that when they no longer need access, the account can be deleted immediately.
WordPress site owners who avoid these common mistakes aren’t immune, but they are protected against all but the most targeted and determined attacks.
About Graeme Caldwell – Graeme is a writer and content marketer at Nexcess, a global provider of hosting services, who has a knack for making tech-heavy topics interesting and engaging to all readers. His articles have been featured on top publications across the net, from TechCrunch to TemplateMonster. For more content, visit the Nexcess blog and give them a follow at @nexcess.