WordPress Security Tips and Tricks | Clear

WordPress Security Tips and Tricks

Security is one of the most important aspects of web development, particularly across WordPress, which as of October 2023 powers over 43% of the web. With millions of sites powered by the platform, it’s all the more attractive to online attackers who, given the opportunity, may take advantage of the sheer number of sites using the same core codebase. Sneaky.


That may sound a little worrying, but don’t panic! We’re here to give you the rundown on security for your WordPress site, helping you understand why attacks happen and most importantly how to help prevent them from happening in the first place.

Why do online attackers hack websites?

There’s a whole host of reasons why an attacker would hack your website: some of them may be obvious and some may surprise you. This list isn’t exhaustive, but it’s usually for one of the following reasons:

  • To boost SEO for their own website – online attackers may target your site to inject backlinks and redirects to malicious websites.

  • Data theft – Data is very valuable to online attackers. Think credit card information (e.g. for a WooCommerce site), email addresses and more.

  • Promoting and spreading malware - software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system.

  • For fun?! – “Hobbyist” attackers may hack a website just to prove it can be done.

  • Disgruntled Employees - Although not as common as the other reasons we’ve listed, there have been cases where employees have hacked sites maliciously.

What’s The Impact of A Website Hack?

A website hack is almost like an online burglary. Not only is there a very valid psychological reaction to your website being hacked, but there are also several other damaging issues you could be exposed to:

  • Service disruptions – Depending on the nature of the attack, this may include website outages (either as a result of the attack or during the clean-up process), negative SERP ranking due to spam backlinks and redirects, performance issues due to malicious code and more.

  • Damage to reputation and loss of trust - You’ve worked hard to build a reputable and trustworthy brand. Unfortunately website hacks can wreak havoc on the trust your customers have, and any negative publicity around your brand can be really difficult to repair.

  • Legal Implications - Due to theft of personal information, there may be a few legal implications of a hack. We advise you to seek legal advice in this case.

  • Financial impact - Loss of revenue, legal fees and recovery costs are just some of the potential financial impacts of a hacked website.

How Secure Is WordPress?

WordPress core is itself pretty secure and has a strong community of contributors, meaning the security of the platform is constantly improving and evolving to keep up with threats. More often than not, the code vulnerabilities that result in a WordPress site being hacked are in third party plugins installed on your site rather than in WordPress itself.

Recent statistics show that the WordPress core itself is only responsible for about 3% of all vulnerabilities, themes are responsible for 4% and plugins are responsible for a staggering 93% of all vulnerabilities.

Tips and Tricks

So, now that we’ve scared you silly with the thought of a cybersecurity attack, here’s our advice to help you minimise any opportunity for attack on your WordPress site. Here are a few of our best practices:

  • Ensure WordPress core, themes and plugins are all kept up to date

      o Ensuring everything is up to date goes a long way to minimise the risk of attack. WordPress core frequently receives security updates, and third party developers usually fix security vulnerabilities in their plugins via plugin updates. These vulnerabilities are often made public after the fact, so it’s wise to ensure everything is running the latest version wherever possible, as the older versions often become targets for attackers.

  • Update your username

      o Avoid using common and easy to guess usernames such as “admin”. Online attackers will attempt commonly used usernames, so using something unique and difficult to guess can go a long way in reducing the threat of brute force attacks.

  • Use a strong password

      o Ensure you are using a strong password that is unique and changed on a frequent basis. A good password manager can make a big difference here. WordPress does indicate how strong your desired password is; pay close attention to this and keep your login details safe.

  • Set up a ReCAPTCHA on all your forms

      o As well as helping to reduce the risk of spam, ReCAPTCHA can help identify and reduce the intensity of brute force attacks by bots. You can go one step further here and limit login attempts so that user accounts are locked after a defined number of failed login attempts.

  • Don’t share user accounts, and make use of user roles and permissions

      o Where possible, every user of your site should have their own user account. This makes it easier to manage access to your site (e.g. ensure that previous employees can have their access revoked), control who can see what in the WordPress admin through the use of user roles and permissions (and by extension, potentially minimise the risk of how much damage a compromised account could cause), and be able to see an audit trail of who's doing what on your site (very difficult if everyone is using the same account!).

  • Change the WP Login page URL

      o By default, the WordPress admin is located at /wp-admin and this is very common knowledge. Changing the login page URL provides security through obscurity. You can go one step further with this and ensure that the admin is only accessible to certain IP addresses.

  • Regularly audit the plugins in use on your site and remove any that aren’t required.

      o As previously mentioned, plugins are responsible for a significant number of vulnerabilities on your site, so minimising the number of plugins in use is always ideal. Where possible, you should uninstall rather than deactivate unused plugins.
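Three of the tips above (limiting login attempts, restricting the admin to certain IP addresses, and keeping plugins and themes updated) can be implemented in a single must-use plugin without installing anything from the plugin directory. The following file is an added illustration written for this article, not code from Clear or from WordPress itself. The threshold, lockout window, IP allowlist and the plugin slug held back from auto-updates are all assumed example values; everything else uses standard WordPress hooks (`wp_login_failed`, `authenticate`, `wp_login`, `admin_init`, `auto_update_plugin`, `auto_update_theme`) and the transients API.

```php
<?php
/**
 * Plugin Name: Example hardening (illustration added to this article, not Clear's code)
 * Description: Per-IP login lockout, admin IP allowlist and background updates.
 *
 * Save as wp-content/mu-plugins/example-hardening.php. Must-use plugins load
 * before normal plugins and cannot be deactivated from the dashboard.
 */

defined( 'ABSPATH' ) || exit;

// Assumed values for illustration; tune them for the site in question.
define( 'EXAMPLE_MAX_FAILED_LOGINS', 5 );
define( 'EXAMPLE_LOCKOUT_SECONDS', 15 * 60 );
// Assumed allowlist (documentation ranges). Leave empty to disable the gate
// so that an unconfigured copy of this file never locks everyone out.
define( 'EXAMPLE_ADMIN_ALLOWLIST', array( '203.0.113.10', '198.51.100.0/24' ) );
// Assumed slug that should be updated manually after testing.
define( 'EXAMPLE_UPDATE_HOLDS', array( 'example-critical-plugin' ) );

function example_client_ip() {
	// REMOTE_ADDR is only the real visitor when the web server (or CDN
	// integration) restores it; never trust X-Forwarded-For directly.
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_lockout_key( $ip ) {
	return 'example_failed_login_' . md5( $ip );
}

// 1. Limit login attempts. WordPress fires wp_login_failed for a wrong
//    username or password on wp-login.php and XML-RPC alike.
add_action( 'wp_login_failed', function () {
	$ip       = example_client_ip();
	$key      = example_lockout_key( $ip );
	$attempts = (int) get_transient( $key ) + 1;
	set_transient( $key, $attempts, EXAMPLE_LOCKOUT_SECONDS ); // window restarts on each failure
	if ( $attempts >= EXAMPLE_MAX_FAILED_LOGINS ) {
		error_log( sprintf( 'example-hardening: %s locked out after %d failed logins', $ip, $attempts ) );
	}
} );

// Priority 30 runs after the core username/password check (priority 20), so a
// locked-out address is refused even when it finally supplies the right password.
add_filter( 'authenticate', function ( $user ) {
	$attempts = (int) get_transient( example_lockout_key( example_client_ip() ) );
	if ( $attempts >= EXAMPLE_MAX_FAILED_LOGINS ) {
		return new WP_Error( 'example_locked_out', __( 'Too many failed login attempts. Please try again later.' ) );
	}
	return $user;
}, 30 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
	delete_transient( example_lockout_key( example_client_ip() ) );
} );

// 2. Restrict the admin to certain IP addresses (IPv4 address or CIDR range).
function example_ip_in_range( $ip, $range ) {
	if ( false === strpos( $range, '/' ) ) {
		return $ip === $range;
	}
	list( $subnet, $bits ) = explode( '/', $range, 2 );
	$ip_long     = ip2long( $ip );
	$subnet_long = ip2long( $subnet );
	if ( false === $ip_long || false === $subnet_long ) {
		return false; // not IPv4; treat as no match
	}
	$bits = max( 0, min( 32, (int) $bits ) );
	$mask = -1 << ( 32 - $bits );
	return ( $ip_long & $mask ) === ( $subnet_long & $mask );
}

add_action( 'admin_init', function () {
	if ( empty( EXAMPLE_ADMIN_ALLOWLIST ) ) {
		return;
	}
	// admin-ajax.php and admin-post.php live under /wp-admin but serve
	// logged-out front-end requests (forms, plugin features), so exempt them.
	if ( wp_doing_ajax() || 'admin-post.php' === $GLOBALS['pagenow'] ) {
		return;
	}
	$ip = example_client_ip();
	foreach ( EXAMPLE_ADMIN_ALLOWLIST as $range ) {
		if ( example_ip_in_range( $ip, $range ) ) {
			return;
		}
	}
	error_log( 'example-hardening: admin request refused from ' . $ip );
	wp_die( __( 'The dashboard is not available from your network.' ), '', array( 'response' => 403 ) );
} );

// 3. Keep plugins and themes up to date automatically, holding back slugs
//    that need manual testing first.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	if ( isset( $item->slug ) && in_array( $item->slug, EXAMPLE_UPDATE_HOLDS, true ) ) {
		return false;
	}
	return true;
}, 10, 2 );
add_filter( 'auto_update_theme', '__return_true' );
```

Two details matter in practice. The lockout is keyed on the visitor address, so on a site behind a CDN or reverse proxy the server must be configured to restore the real client IP first, otherwise every visitor shares the proxy's counter. The admin gate deliberately skips admin-ajax.php and admin-post.php, because blocking those breaks front-end features for ordinary visitors even though they sit under /wp-admin.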

How Can We Help?

Here are some steps we can take to help you keep your security risks low. Get in touch with our friendly team if you need our help with the following:

  • A Plugin Audit - where we can remove any that are not in use or required

  • If suitable, we can also set up your website so that it automatically updates when new versions of plugins and themes are released.

  • Installation and configuration of security plugins

  • Adding ReCAPTCHA to your login page as well as two factor authentication.

  • Moving your WordPress login URL

Get in touch to find out more :)
