Websites play a pivotal role in the success of most small businesses. From informational sites to e-commerce, membership sites and magazine sites, the website is at the centre of the relationship between the business and its customers.
As WordPress is the most popular platform for running a business website (upwards of 42% of all sites run on WordPress), ensuring the security of your WordPress website is of paramount importance.
WordPress is tried-and-tested over many years, and being an open-source system its code is available for a huge number of people to examine and test.
However, it is not immune to potential threats. From data breaches to malicious attacks, the risks are real.
To help you safeguard your online presence, here are Dotwise’s top five essential practices you should adopt to keep your WordPress website secure:
1. Keep your WordPress core, themes, and plugins updated
Regular updates are not just about getting new features; they often contain critical security patches. Hackers are quick to exploit vulnerabilities in outdated software. Make it a routine to update your WordPress core, themes, and plugins as soon as new versions are released.
Enabling automatic updates is one way to ensure you’re always up to date with the latest security fixes. However, this should be used with caution, as some automatic updates can break your site. If your site is updated automatically and breaks, you might not know about it until a customer tells you (awkward).
Our recommendation is to avoid automatic updates except for certain very robust plugins. An example would be Wordfence, which is an extremely robust plugin and also plays a key role in your security strategy (see tip 3 below).
However, if you choose to avoid automatic updates, then keeping on top of manual updates is a must. How often? We recommend at least once a month – never leave it any longer.
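As an added example (not Dotwise’s code and not part of WordPress itself), the policy described above expressed as a must-use plugin: automatic updates are switched off for every theme and plugin except an allow-list, minor WordPress core releases stay automatic, and after each automatic update run the front page is fetched so the owner hears about a broken site before a customer does. The `DOTWISE_EXAMPLE_` names are this example’s own; the hooks used (`auto_update_plugin`, `auto_update_theme`, `allow_minor_auto_core_updates`, `allow_major_auto_core_updates`, `automatic_updates_complete`) are standard WordPress filters and actions.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 * Description: Automatic updates only for an allow-list of plugins, plus a
 *              front-page check after every automatic update run.
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php. Must-use plugins load
 * on every request and cannot be switched off from the dashboard.
 */

defined('ABSPATH') || exit;

// Plugin slugs (the directory name under wp-content/plugins) trusted to update
// themselves. 'wordfence' is the slug of the Wordfence plugin; add others only
// after you have watched them update cleanly for a while.
const DOTWISE_EXAMPLE_AUTO_UPDATE_PLUGINS = ['wordfence'];

// Plugins: allow-list only. This filter runs after the per-plugin toggle on the
// Plugins screen, so it overrides whatever was clicked there.
add_filter('auto_update_plugin', function ($update, $item) {
    $slug = isset($item->slug) ? (string) $item->slug : '';
    return in_array($slug, DOTWISE_EXAMPLE_AUTO_UPDATE_PLUGINS, true);
}, 10, 2);

// Themes: never automatic. A broken theme takes the whole front end down.
add_filter('auto_update_theme', '__return_false');

// Core: keep minor releases (x.y.Z, where the security fixes ship) automatic;
// major releases are applied by hand after a test on staging.
add_filter('allow_minor_auto_core_updates', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_false');

// After any automatic update run, fetch the front page. A plugin that now
// fatals shows up as a non-200 status. $results is keyed by update type
// (core / plugin / theme / translation), each entry carrying ->name and ->result.
add_action('automatic_updates_complete', function (array $results) {
    $updated = [];
    foreach ($results as $type => $items) {
        foreach ($items as $item) {
            $failed    = is_wp_error($item->result) || false === $item->result;
            $updated[] = sprintf('%s: %s%s', $type, $item->name, $failed ? ' (FAILED)' : '');
        }
    }
    if ($updated === []) {
        return;
    }
    $response = wp_remote_get(home_url('/'), ['timeout' => 15]);
    $status   = is_wp_error($response) ? 0 : (int) wp_remote_retrieve_response_code($response);
    if ($status !== 200 || strpos(implode("\n", $updated), '(FAILED)') !== false) {
        wp_mail(
            get_option('admin_email'),
            'Check your site: automatic update run on ' . wp_parse_url(home_url(), PHP_URL_HOST),
            "Front page returned HTTP status $status.\n\nUpdated:\n" . implode("\n", $updated)
        );
    }
});
```

WordPress already emails the admin address after automatic updates; the check above adds the part that matters, namely whether the site still serves pages afterwards. With this in place Wordfence updates itself and everything else waits for your monthly manual round.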
2. Strong authentication
Enforce robust login credentials to prevent unauthorized access. Never use “admin” as a username – and delete the automatically-created “Admin” account. Create strong passwords that combine letters, numbers, and special characters.
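As an added example (not Dotwise’s code and not part of WordPress), a must-use plugin that enforces the two points above: usernames such as “admin” can no longer be created, the letters-numbers-special-characters rule is checked wherever a password can be set, and a dashboard notice stays up until the default “admin” account is gone. The `dotwise_example_` names and the 14-character minimum are this example’s choices; `illegal_user_logins`, `user_profile_update_errors`, `validate_password_reset` and `admin_notices` are standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Login hygiene (added example)
 * Description: Refuses the usernames attackers guess first, enforces the
 *              password rule on every place a password can be set, and nags
 *              while a user literally named "admin" still exists.
 *
 * Save as wp-content/mu-plugins/login-hygiene.php.
 */

defined('ABSPATH') || exit;

// Usernames WordPress will refuse to create. Checked by wp_insert_user() and
// validate_username(), so it covers the dashboard, registration and WP-CLI.
add_filter('illegal_user_logins', function (array $names): array {
    return array_merge($names, ['admin', 'administrator', 'root', 'test', 'wordpress']);
});

// Returns a human-readable problem, or null when the password is acceptable:
// at least 14 characters, containing letters, digits and at least one other symbol.
function dotwise_example_password_problem(string $password): ?string {
    if (strlen($password) < 14) {
        return 'Password must be at least 14 characters long.';
    }
    if (!preg_match('/[A-Za-z]/', $password)
        || !preg_match('/[0-9]/', $password)
        || !preg_match('/[^A-Za-z0-9]/', $password)) {
        return 'Password must combine letters, numbers and special characters.';
    }
    return null;
}

// Dashboard "Add New User" and "Edit Profile". $user->user_pass is only present
// when a new password was typed; $errors is the WP_Error WordPress will display.
add_action('user_profile_update_errors', function (WP_Error $errors, bool $update, $user) {
    if (!empty($user->user_pass)) {
        $problem = dotwise_example_password_problem((string) $user->user_pass);
        if ($problem !== null) {
            $errors->add('weak_password', $problem);
        }
    }
}, 10, 3);

// "Lost password" reset form on wp-login.php, which bypasses the profile screen.
add_action('validate_password_reset', function (WP_Error $errors, $user) {
    if (isset($_POST['pass1'])) {
        $problem = dotwise_example_password_problem((string) wp_unslash($_POST['pass1']));
        if ($problem !== null) {
            $errors->add('weak_password', $problem);
        }
    }
}, 10, 2);

// Red dashboard notice until the default "admin" account has been removed.
add_action('admin_notices', function () {
    if (current_user_can('manage_options') && username_exists('admin')) {
        echo '<div class="notice notice-error"><p>A user named <code>admin</code> still exists. '
           . 'Create a new administrator account, log in as it, then delete <code>admin</code> '
           . '(choosing to reassign its content to the new account).</p></div>';
    }
});
```

One caveat: current WordPress versions apply the `illegal_user_logins` list when an existing account is updated as well, so once this plugin is active an account still named “admin” can no longer save profile changes. That is the intended nudge: create a fresh administrator and delete the old account rather than trying to keep it.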
2FA – Two-Factor Authentication
2FA has become standard on many platforms and users are used to it. It ensures that even if someone guesses your password, they can’t access your website without completing a second authentication step, such as entering a code from an authenticator app or responding to an email.
2FA can be added to WordPress in a number of ways, most commonly through a plugin. Some of the best options are the 2FA features built into Wordfence and iThemes Security. These plugins are a safe bet if you use a general web hosting company such as 123-Reg, Fasthosts, 1&1 or GoDaddy.
If you use a specialist WordPress hosting provider such as SiteGround or WP Engine, check to see if you have 2FA available through their offering. For example, SiteGround offers 2FA as part of their own SiteGround Security plugin.
3. Security plugins
There are a number of security plugins available for WordPress, such as Wordfence, Sucuri Security, MalCare and iThemes Security. These plugins offer features like firewall protection, malware scanning and login attempt monitoring.
Install a reputable security plugin and configure it according to your website’s needs to add an extra level of defence against common threats.
There’s really no substitute for a paid subscription to one of these plugins. Paid subscriptions can raise the bar of security for your site by giving you access to near real-time threat prevention.
4. Regular backups are non-negotiable
No security measure is foolproof. In the event of a successful attack or a website malfunction, having recent backups can be a lifesaver.
Schedule automatic backups of your entire WordPress installation, including the database and the theme, plugin and content files. Store these backups in a secure location, not on the same server or hosting facility that your website lives in. This way, you can quickly restore your website to a functional state should anything go wrong. Offsite storage could be Google Cloud or AWS, or one of the many WordPress backup plugins that provide offsite storage as part of their offering.
How often should a website be backed up? It depends on what content it stores and how often that content is updated.
If you have a busy e-commerce store then you will want to back it up as often as once per hour, or even implement an incremental backup system which keeps a copy of every change made to the website’s content.
However, if your site is an informational website which only gets a couple of new articles per month, then your need for incremental backups is far lower.
How often new data arrives is what determines how often a website should be backed up.
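As an added example (not Dotwise’s code and not a WordPress or backup-plugin feature), a must-use plugin that does what the section above asks for: on a WP-Cron schedule it dumps the database, bundles the dump with wp-content (themes, plugins, uploads) into one archive outside the web root, hands the archive to an offsite copy command, and rotates the local copies. It assumes `mysqldump` and `tar` are on the PATH and that PHP may call `exec()`; the `DOTWISE_EXAMPLE_BACKUP_*` settings, the `rclone` and `aws s3` command strings in the comments and the retention numbers are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Scheduled offsite backup (added example)
 * Description: Dumps the database and archives wp-content on a WP-Cron
 *              schedule, ships the archive offsite, and rotates local copies.
 *
 * Save as wp-content/mu-plugins/scheduled-backup.php. Assumes mysqldump and tar
 * are on the PATH and PHP may call exec(). The DOTWISE_EXAMPLE_BACKUP_* settings
 * are this example's own; override them in wp-config.php.
 */

defined('ABSPATH') || exit;

// Local staging directory: one level above the web root, never inside it.
defined('DOTWISE_EXAMPLE_BACKUP_DIR') || define('DOTWISE_EXAMPLE_BACKUP_DIR', dirname(ABSPATH) . '/backups');
// Offsite copy command with %s standing for the archive path, e.g.
// 'rclone copy %s remote:wp-backups' or 'aws s3 cp %s s3://my-bucket/'. Empty = skip.
defined('DOTWISE_EXAMPLE_BACKUP_OFFSITE_CMD') || define('DOTWISE_EXAMPLE_BACKUP_OFFSITE_CMD', '');
// 'hourly' for a busy shop, 'daily' for a brochure site (both are built-in schedules).
defined('DOTWISE_EXAMPLE_BACKUP_SCHEDULE') || define('DOTWISE_EXAMPLE_BACKUP_SCHEDULE', 'daily');
// Local archives to keep; retention of the offsite copies is the remote's job.
defined('DOTWISE_EXAMPLE_BACKUP_KEEP') || define('DOTWISE_EXAMPLE_BACKUP_KEEP', 7);

add_action('init', function () {
    if (!wp_next_scheduled('dotwise_example_run_backup')) {
        wp_schedule_event(time(), DOTWISE_EXAMPLE_BACKUP_SCHEDULE, 'dotwise_example_run_backup');
    }
});
add_action('dotwise_example_run_backup', 'dotwise_example_run_backup');

function dotwise_example_run_backup(): void {
    $dir = DOTWISE_EXAMPLE_BACKUP_DIR;
    if (!wp_mkdir_p($dir)) {
        error_log("backup: cannot create $dir");
        return;
    }
    $stamp   = gmdate('Ymd-His');
    $sqlName = "db-$stamp.sql";
    $archive = "$dir/site-$stamp.tar.gz";

    // 1. Database dump. Credentials go in a temporary defaults file (mode 0600)
    //    so the password never appears in the process list or shell history.
    $cnf = tempnam(sys_get_temp_dir(), 'wpbk');
    chmod($cnf, 0600);
    file_put_contents($cnf, dotwise_example_mysql_client_config());
    $cmd = sprintf('mysqldump --defaults-extra-file=%s --single-transaction --quick %s > %s',
        escapeshellarg($cnf), escapeshellarg(DB_NAME), escapeshellarg("$dir/$sqlName"));
    exec($cmd, $ignored, $rc);
    unlink($cnf);
    if ($rc !== 0) {
        error_log("backup: mysqldump exited with $rc");
        return;
    }

    // 2. One archive holding the dump plus themes, plugins and uploads. Core files
    //    come back from wordpress.org and wp-config.php from your deploy notes.
    $cmd = sprintf('tar -czf %s -C %s %s -C %s wp-content',
        escapeshellarg($archive), escapeshellarg($dir), escapeshellarg($sqlName), escapeshellarg(ABSPATH));
    exec($cmd, $ignored, $rc);
    unlink("$dir/$sqlName");
    if ($rc !== 0) {
        error_log("backup: tar exited with $rc");
        return;
    }

    // 3. Ship it off the server. A backup on the same host dies with the host.
    if (DOTWISE_EXAMPLE_BACKUP_OFFSITE_CMD !== '') {
        exec(sprintf(DOTWISE_EXAMPLE_BACKUP_OFFSITE_CMD, escapeshellarg($archive)), $ignored, $rc);
        if ($rc !== 0) {
            error_log("backup: offsite copy exited with $rc");
        }
    }

    // 4. Rotate local copies, oldest first (the timestamps in the names sort lexically).
    $archives = glob("$dir/site-*.tar.gz") ?: [];
    sort($archives);
    foreach (array_slice($archives, 0, max(0, count($archives) - DOTWISE_EXAMPLE_BACKUP_KEEP)) as $old) {
        unlink($old);
    }
}

// Turns WordPress's DB_* constants into a MySQL [client] section. DB_HOST may be
// "host", "host:port" or "host:/path/to/socket".
function dotwise_example_mysql_client_config(): string {
    $lines = ['[client]', 'user=' . DB_USER, 'password="' . addcslashes(DB_PASSWORD, '"\\') . '"'];
    $parts = explode(':', DB_HOST, 2);
    $lines[] = 'host=' . $parts[0];
    if (isset($parts[1])) {
        $lines[] = ($parts[1][0] === '/' ? 'socket=' : 'port=') . $parts[1];
    }
    return implode("\n", $lines) . "\n";
}
```

WP-Cron only fires when someone visits the site, so on a quiet brochure site an “hourly” job may run far less often than that. For a schedule you can rely on, set `DISABLE_WP_CRON` in wp-config.php and have a real system cron call wp-cron.php (or `wp cron event run --due-now`) at the interval you chose. Whatever the schedule, restore a backup onto a staging copy every so often; a backup that has never been restored is an assumption, not a safety net.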
5. Harden your website’s environment
Harden your website’s environment by taking measures to protect your server and database. This includes setting up a web application firewall (WAF) to filter out malicious traffic, using secure protocols (HTTPS), and restricting access to sensitive directories. Regularly audit and remove unnecessary themes, plugins, and user accounts that could potentially create vulnerabilities.
Prioritize your WordPress website’s security
Maintaining a secure WordPress website is an ongoing process that demands attention and vigilance. By following these top five practices, you can significantly reduce the risk of falling victim to cyberattacks and keep your online presence safe.
Remember that while no security strategy can guarantee absolute protection, a combination of proactive measures, regular updates, and a cautious approach will go a long way in safeguarding your valuable website from potential threats.
The Panama Papers: a classic WordPress hack explained
In 2016, the so-called “Panama Papers” shocked the world by revealing millions of documents from Panama-based legal firm Mossack Fonseca. The documents contained financial and legal information about politicians and celebrities around the world.
Although there is some doubt as to how the data breach occurred, many say that it began with the hackers gaining access to the firm’s WordPress website by exploiting a vulnerability in the then-popular “Slider Revolution” plugin.
This gave the hackers access to the WordPress site and all the files within it. One such file is wp-config.php, which contains the database username and password stored in plain text. Once the hackers had access to that, they could access the entire database.
Another plugin known as WP SMTP was in use on the website. This plugin is used to override WordPress’s default email-sending capabilities. For example, it is commonly configured with the username and password of the email server through which form submissions from the website are sent.
Again, this plugin stores these usernames and passwords in plain text within the database, so the hackers were then able to gain access to the Mossack Fonseca email system. From there the data breach of the company’s email system was easy.
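As an added example (not Dotwise’s or WordPress’s own file), the security-relevant parts of a wp-config.php that implement the hardening from tip 5 and address the wp-config.php exposure described in the Panama Papers case above. WordPress has to hold the database password somewhere, so the aim is to keep it out of the file that lives in the web root, to make that password worth as little as possible, and to stop a hijacked dashboard session from writing PHP. The `WP_DB_*` environment variable names, the `wp_app` user and the `example.com` host are this example’s choices; the constants themselves (`DB_*`, `FORCE_SSL_ADMIN`, `DISALLOW_FILE_EDIT`, `DISALLOW_FILE_MODS`, `WP_DEBUG_DISPLAY`, the keys and salts) are standard WordPress configuration.

```php
<?php
// wp-config.php (added example). Only the security-relevant parts are shown;
// keep the rest of the file as WordPress generated it.

// --- Database credentials ---------------------------------------------------
// WordPress must hold the database password, so it exists in clear somewhere.
// Reading it from the environment (set by the web server, PHP-FPM pool or a
// systemd unit) keeps it out of this file, out of web-root backups and out of
// git. Failing closed here beats booting with an empty password.
$dotwiseDbPassword = getenv('WP_DB_PASSWORD');
if ($dotwiseDbPassword === false || $dotwiseDbPassword === '') {
    http_response_code(500);
    exit('Database credentials are not configured.');
}
define('DB_NAME',     getenv('WP_DB_NAME') ?: 'wordpress');
// A dedicated, least-privilege account: rights on this one schema only, no
// GRANT/FILE/SUPER, so a leaked password cannot reach other databases.
define('DB_USER',     getenv('WP_DB_USER') ?: 'wp_app');
define('DB_PASSWORD', $dotwiseDbPassword);
define('DB_HOST',     getenv('WP_DB_HOST') ?: '127.0.0.1');
define('DB_CHARSET',  'utf8mb4');
define('DB_COLLATE',  '');
unset($dotwiseDbPassword);

// Whatever the credentials, lock the file itself down: owned by the deploy user,
// mode 440, and ideally one directory above the web root. WordPress looks there
// too (wp-load.php), and the web server never serves files from it.

// --- Transport --------------------------------------------------------------
define('FORCE_SSL_ADMIN', true);             // login and dashboard over HTTPS only
define('WP_HOME',    'https://example.com'); // placeholder host
define('WP_SITEURL', 'https://example.com');

// --- Stop the dashboard from writing PHP ------------------------------------
// The built-in theme/plugin editor lets any administrator session write PHP
// straight into the site. DISALLOW_FILE_MODS goes further and removes
// install/update from the dashboard; use it when updates are done with WP-CLI
// or a deploy pipeline.
define('DISALLOW_FILE_EDIT', true);
// define('DISALLOW_FILE_MODS', true);

// --- Keep error detail out of responses -------------------------------------
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
@ini_set('display_errors', '0');

// --- Keys and salts ---------------------------------------------------------
// Fresh values from https://api.wordpress.org/secret-key/1.1/salt/ ; changing
// them logs every user out, which is exactly what you want after a breach.
define('AUTH_KEY',         'replace-with-a-unique-phrase');
define('SECURE_AUTH_KEY',  'replace-with-a-unique-phrase');
define('LOGGED_IN_KEY',    'replace-with-a-unique-phrase');
define('NONCE_KEY',        'replace-with-a-unique-phrase');
define('AUTH_SALT',        'replace-with-a-unique-phrase');
define('SECURE_AUTH_SALT', 'replace-with-a-unique-phrase');
define('LOGGED_IN_SALT',   'replace-with-a-unique-phrase');
define('NONCE_SALT',       'replace-with-a-unique-phrase');

$table_prefix = 'wp_';

if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}
require_once ABSPATH . 'wp-settings.php';
```

None of this helps with credentials a plugin stores in the database, which is the second step of the Mossack Fonseca story. The mitigation there is the same least-privilege idea applied to email: give the SMTP plugin a dedicated send-only mailbox or API key with its own password, so that whatever is read out of wp_options cannot log in to the company’s real mail.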