13 Biggest WordPress Security Myths
When a CMS tool gets as big as WordPress, there are bound to be more than a few myths circulating about how the system should or shouldn’t be used. However, your security setup shouldn’t be left up to guesswork. If you run any type of WordPress site, you’re going to want to read these WordPress security myths.
1. My themes and plugins are secure because they came straight from WordPress.
Any theme or plugin that is added to WordPress’ repository has to be reviewed by WordPress’ team. It would make sense, then, to trust those plugins for meeting a minimum standard of security. You can, to an extent, but there’s a catch – WordPress doesn’t review updates.
In a perfect world, every single update a secure WordPress plugin or theme receives will make it even more secure. However, those updates are made by people and people make mistakes. WordPress-approved plugins are more secure than plugins from elsewhere, but they aren’t perfect, so don’t operate under the assumption that you’re 100% safe if that’s all you use.
2. That update can wait.
There’s no two ways about it – updating can be a hassle. The downtime is annoying, and you feel like you could be doing something more productive on your blog. However, updating your plugins is key to keeping WordPress secure. Here’s why.
Every plugin, no matter how secure, opens a potential backdoor into your WordPress site. It is the plugin developer’s responsibility to keep that potential backdoor secure, which they do by sending you updates to patch up security vulnerabilities. Plus, when an update is launched to address a security vulnerability, attentive hackers will immediately be notified of its existence. That vulnerability won’t be viable for updated systems, but old plugins will have their doors wide open. If you stop updating your plugins (or worse – if the plugin developers stop publishing updates), you’re practically inviting hackers in.
As long as you keep using your plugin, keep it updated. If you’re not using it anymore…
3. When I don’t need a WordPress plugin anymore, I’ll just disable it.
Disabling a WordPress plugin is supposed to be a temporary change. You can use this setting to troubleshoot your WordPress by seeing if a certain plugin is causing problems. However, disabling is NOT a stand-in for removal.
Because the plugin will no longer update when disabled, it will leave you open to any patched-up security vulnerabilities. Disabling an unwanted plugin is like closing a door – it’s closed, but anyone who knows where to look is free to open it again and walk right in. Completely removing the plugin, then, is like locking the door, throwing away the key, and putting up a new brick wall in its place. Make the secure choice and remove a plugin if you’re not using it! Unlike with the door analogy, it’s always easy to reinstall a plugin if you decide you want it again later.
4. Themes are exclusively visual so they don’t need updates.
It’s easy to understand why a plugin needs access to some of the core elements of your WordPress site, but a theme? Do you really need to update a visual setup as regularly as your plugins? It turns out that you do. Both plugins and themes can leave elements of your site vulnerable if they are left without updates.
Sometimes, WordPress site creators try out multiple themes before finding one they like. However, they’ll make the mistake of not removing the old themes, potentially giving hackers their choice of backdoor. Stick to the theme you’ve chosen, delete the rest, and update it whenever an update is available.
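Myths 3 and 4 come down to the same housekeeping: anything inactive should be deleted, not merely disabled. The script below is an added example, not code from the article or from WordPress; it assumes WP-CLI is installed and run from the WordPress root, and it reads the JSON that `wp plugin list --format=json` and `wp theme list --format=json` produce. The two sample listings are constructed to look like that output. One caveat it handles: WP-CLI reports the parent of an active child theme with status `parent`, and that theme must stay even though it is not the active one.

```python
"""Plan (and optionally run) the deletion of inactive plugins and themes
from WP-CLI listings.  Added example, not part of the article or of WP-CLI.
Assumes `wp` is on PATH and executed from the WordPress root."""
import json
import subprocess
from typing import List

# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_PLUGINS = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "2.0"},
])

# Constructed sample of `wp theme list --format=json` output.  The active theme
# is a child theme, so its parent is listed with status "parent" and is kept.
SAMPLE_THEMES = json.dumps([
    {"name": "twentytwentyfour", "status": "parent", "update": "none", "version": "1.0"},
    {"name": "twentytwentyfour-child", "status": "active", "update": "none", "version": "1.0"},
    {"name": "twentytwentythree", "status": "inactive", "update": "none", "version": "1.3"},
    {"name": "twentytwentytwo", "status": "inactive", "update": "available", "version": "1.6"},
])


def removable(listing_json: str) -> List[str]:
    """Names that are safe to delete: everything WP-CLI reports as inactive.
    Active entries and the parent of an active child theme are never returned."""
    entries = json.loads(listing_json)
    return sorted(e["name"] for e in entries if e.get("status") == "inactive")


def cleanup_commands(plugins_json: str, themes_json: str) -> List[List[str]]:
    """Build the `wp` invocations that delete every inactive plugin and theme."""
    cmds = [["wp", "plugin", "delete", name] for name in removable(plugins_json)]
    cmds += [["wp", "theme", "delete", name] for name in removable(themes_json)]
    return cmds


def run_cleanup(dry_run: bool = True) -> List[List[str]]:
    """Query the live site through WP-CLI and delete what is inactive.
    With dry_run=True the planned commands are only returned, not executed."""
    plugins = subprocess.run(["wp", "plugin", "list", "--format=json"],
                             check=True, capture_output=True, text=True).stdout
    themes = subprocess.run(["wp", "theme", "list", "--format=json"],
                            check=True, capture_output=True, text=True).stdout
    cmds = cleanup_commands(plugins, themes)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Offline run against the constructed samples: prints the planned commands.
    for cmd in cleanup_commands(SAMPLE_PLUGINS, SAMPLE_THEMES):
        print(" ".join(cmd))
```

Run it with `dry_run=True` first and read the list; deleting is one `wp plugin install` away from being undone, but a theme that is still referenced by a child theme is not.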
5. My website is too small to hack.
This myth gets thrown around pretty often, which is weird because it doesn’t make much sense. Smaller websites and blogs are the perfect targets for hackers.
A smaller WordPress site is likely to have fewer top-of-the-line security solutions in place, and it is less likely to have a team of competent system administrators who could rapidly respond to an attack. Its owner is more likely to make the configuration mistakes that turn a site into an easy target. Finally, a smaller site is less likely to have the resources and influence necessary to pursue and convict a hacker in the event of an attack.
People with smaller sites might believe in the safety of the crowd, but there’s a problem with that reasoning as well – usually, blog owners go to considerable efforts to get noticed! If you’re working to attract attention to your site, you’re bound to attract some of the wrong type of attention as well, so make sure you’re ready for when hackers come knocking.
Another issue is that modern hacking is often done by bots rather than a man in a leather trench coat and sunglasses typing away at a green terminal. Bots go for quantity over quality, trying thousands of sites until they find one that’s vulnerable. How long will it take until they find your site? When they do, will your site withstand their attempts at infiltration?
6. I have an unguessable password so my WordPress will always stay secure.
Don’t get me wrong – having a secure and unique password for your WordPress is key to staying secure. However, a strong password is definitely not enough. For example, Twitter recently revealed that, due to a bug, they had been storing some users’ passwords in plain-text documents that would have been easily readable in the event of a breach. If one were to occur, millions of Twitter users’ accounts would become vulnerable, and for those who use the same passwords for multiple sites (tsk tsk!), their other accounts would be in danger as well. The point is that it’s not even always up to you whether your password is 100% secure.
A good way to solve this problem is to implement two-factor authentication (2FA) for your WordPress login. This would make it so that logging in to your account would require not just your password, but access to your phone as well. Again, your login page isn’t the only way for someone to access your account, but that’s no reason to make life easy for potential hackers! For more DIY security tips, click here.
7. I’ve added an SSL certificate, so now everything is encrypted.
An SSL (Secure Sockets Layer) certificate creates a tunnel of encrypted traffic between your site and the visitor’s browser. The average visitor may not notice, but a vigilant one will appreciate the effort, as encrypted traffic is difficult if not impossible for an eavesdropper to read.
An SSL certificate is definitely a powerful and effective tool, but there’s a significant shortcoming that some WordPress admins may forget – it only encrypts traffic in transit, not the data held on your site! It will prevent traffic from being intercepted, but all of your site’s other vulnerabilities will remain untouched.
8. In the unlikely event that my WordPress gets hacked, I’ll notice immediately and take action.
How would you immediately notice a hack? What would the signs be? If your site is targeted by prank hackers whose sole aim is to deface your site, then yes – you’ll probably notice the immature image or heading scrawled across your homepage.
However, if the hacker is looking for something more damaging, like financial details or user data, they’re going to make every effort to remain undetected for as long as possible. You’ll probably never know what happened until they actually use what they gained by hacking you, in which case the damage is already done. Just imagine – if the end result of the hack was that someone was able to read a document where you store user data or financial details, how would you know that that document was opened and read? How often would you check that document?
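The answer to "how would you know that file was touched?" is that you only know if something keeps a record. The script below is an added example, not code from the article: it does what a basic file-integrity monitor does, hashing every file under the WordPress root into a baseline and reporting on the next run which files were added, removed or modified. The directory layout in `demo()` is constructed so the script runs without a real site; the `wp-content` paths mirror a standard install, and the baseline is deliberately written outside the web root, because a baseline an intruder can rewrite proves nothing.

```python
"""File-integrity baseline and diff for a WordPress root.  Added example, not
part of the article; paths are hypothetical and demo() builds a throwaway
directory so the code runs offline."""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256."""
    digests: Dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two snapshots into sorted added / removed / modified path lists."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def save_baseline(snap: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline of a tiny site, then apply the
    kind of changes a silent intrusion leaves behind and report them."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"                      # stands in for the web root
        theme = site / "wp-content" / "themes" / "mytheme"
        theme.mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed sample\n")
        (theme / "functions.php").write_text("<?php // original\n")
        (theme / "style.css").write_text("/* original */\n")

        baseline_file = Path(tmp) / "baseline.json"   # kept OUTSIDE the web root
        save_baseline(snapshot(site), baseline_file)

        # After the baseline: one file edited, one unexpected PHP file added,
        # one file deleted.  A silent intruder would not announce any of these.
        (theme / "functions.php").write_text("<?php // changed\n")
        (theme / "unexpected.php").write_text("<?php\n")
        (theme / "style.css").unlink()

        return compare(load_baseline(baseline_file), snapshot(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

In practice you would run `snapshot()` from cron against the real root, compare with the stored baseline, and alert on any non-empty list; legitimate updates then become the moment you re-baseline, which also forces you to look at what an update actually changed.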
9. OK, I added a security plugin. NOW I’m 100% secure!
Good job! Unfortunately, though, no, you aren’t 100% secure. Having the right security plugins is important for keeping your site secure, but WordPress can’t do everything. There are a number of different tools outside of WordPress that you should use to keep your site secure. These include encrypting your files, maintaining a strong password, and using secure remote access tools if you ever want to work on your WordPress site from abroad.
10. WordPress is inherently insecure because its wide usership makes it an attractive target.
Some people believe that WordPress’ popularity is a security issue. The reasoning is that it makes sense for hackers to focus their efforts on breaking into WordPress because there are so many potential targets that use it. The reasoning makes sense, but it doesn’t give you the full picture.
The number of people that use WordPress also means that there are thousands of vigilant developers around the world reviewing the code and various plugins to ensure that they remain secure. It also means that updates in response to new vulnerabilities are more likely to appear quickly, and that you’ll be more likely to find helpful articles about WordPress like this one!
11. Now that I’ve secured my WordPress, I can rest assured that it’s completely secure.
First of all, no site is ever 100% secure. All you can do is deter hackers by making it increasingly difficult to compromise your site.
However, there’s another thing wrong with this myth. WordPress security, just like for any site, is a constant process. It never ends. You have to keep updating your WordPress and your plugins to get the latest features and protect your site from known vulnerabilities. As someone responsible for a site, you have to stay up to date on the latest cyber-security trends to learn about new vulnerabilities as they emerge. Even if you forget about your site for a while, you can be sure that hackers won’t!
12. Working on my WordPress on the go is a good way to monitor it and keep it safe.
In certain cases, this is actually true. If you get used to working on your WordPress site on the go, you can always keep it updated and will always have some idea of what’s going on. However, it’s also important to make sure that you access it securely. If you don’t, you may expose yourself to more problems than it’s worth.
First of all, it’s important to avoid connecting via public Wi-Fi whenever possible. These networks are incredibly easy for hackers to compromise, so you shouldn’t use them for anything – whether running your site, checking your bank account, or uploading a photo of your cocktail with an umbrella to Instagram. At the very least, you should use a VPN to encrypt your traffic and keep it secure when you’re accessing your website from afar.
Better still is end-to-end encryption, but that will require a more involved security tool that will forge an encrypted connection between your laptop and your WordPress site. As with an SSL certificate, such a connection wouldn’t keep your laptop or your site secure, but it would virtually guarantee that nobody could compromise your site using your remote connection.
13. I’ll hide my login page and limit login attempts to prevent brute force attacks.
Advice like this may have been relevant once upon a time, but hackers are getting more and more clever. Finding your login page certainly won’t be an issue. If you have a weak password, a determined hacker will make their way in. If you have a strong password and provide limited login attempts, the hacker will simply look for any one of many other potential vulnerabilities in your site.
The point is that it takes more than simple tricks to evade the modern hacker. These changes will do more to give you a false sense of security than they will to actually protect your site from hackers. Your responsibility as the owner of your WordPress site is to stay educated about potential vulnerabilities and about the tools you can use to secure them!