A Step-by-Step Guide to WordPress Security

WordPress is undoubtedly the most popular content management system (CMS) used for website creation today. According to W3techs reports, WordPress powers 63.7 percent of websites built with content management systems. Hubspot reports that WordPress powers 43.2% of all websites on the internet today. These are staggering figures. But they also mean that a single vulnerability in WordPress could affect a large share of the internet and create unprecedented losses for businesses and website owners.

Given this popularity, it is no surprise that WordPress has been the target of website attackers and scammers around the world. A single exploitable WordPress vulnerability puts a great many businesses in danger at once, which is exactly what makes it so attractive to attackers. WordPress security is thus a top priority for its developers, and since your WordPress website is a target, securing it should be a top priority for you as well.


Why WordPress Website Security is Important

You may wonder why I have not titled this section "why website security is important". Well, the reasons you should protect your WordPress website apply to every other website and content management system as well.

  • Your Business Reputation is at Stake

If your website is hacked, your reputation as a business will be significantly damaged. This will invariably extend to your person, public image and position in society. You need to take all necessary steps to protect your website from attackers in order to protect your business and personal reputation.

  • Your Business and Customer Information Needs to be Protected

Sensitive information about your business and its customers will be at risk if your website is not well secured. This information includes, but is not limited to, passwords, credit card information, bank transaction information and email communication. Failing to have proper security measures in place could expose this critical information and seriously damage your business operations. The knock-on effects on customers, the legal implications and the losses that could follow are all good reasons to take website security very seriously.

  • Hackers Constantly Target Websites

The mere fact that your website is a target of hackers should be reason enough to protect it. These attacks continue to increase and many websites fall victim to scammers and hackers every day. One report says between 30,000 and 50,000 websites are hacked daily. The best way to keep yourself protected from these hackers is to adopt the right security practices and keep the software on your servers and local office machines up to date.

  • Sales and Revenue Losses

If your website is hacked or other security vulnerabilities are detected, you are likely to experience significant sales and revenue losses. This can start with simple browser warnings and can be as serious as an outright defacement of your website. The long-term implication is the damage to your reputation: your website may be blacklisted by Google and reputation services, and your customers will take their own measures to protect themselves. The bottom line is that you will lose sales, revenue and reputation.

  • Cleaning Your Website Can be Very Expensive

Prevention is better than cure, they say. Once a WordPress website is hacked, you may need to hire a WordPress security expert to clean up the code and get your website back to a healthy state. That could cost hundreds or even thousands of dollars depending on the level of damage and the size of the website.

Even if you are able to restore your business to a normal state, you will find that it would have been far cheaper to take some security measures, and maybe spend a few dollars on a security plugin that protects your website, than to pay for the clean-up on top of the losses discussed earlier. Some hackers will even charge you huge sums to restore your system to normal, and there is no guarantee that they have not hidden a backdoor somewhere to regain access at any time.

It is therefore far cheaper to keep a healthy website and avoid a security breach than to invest in getting things cleaned up after a security damage is done. We advise that you take appropriate steps to maintain a healthy website rather than spending to clean up a hacked website.


WordPress Security: Things You Should Know and Do

WordPress is open source, so its source code can be configured and modified for customization. But because it is open source, its code is also openly available to anyone looking for security vulnerabilities. There isn't much you can do about flaws in the core itself, but there are steps you can take to prevent attacks and enhance the security of your WordPress website. Here are our recommendations:

Update Regularly

When WordPress announces a new update, it is not just about new features. Newer versions are actual enhancements and often fix security issues, sometimes before those issues are publicly announced. Running the latest version of WordPress is the surest way to stay safe from known security threats. If you do not keep up with the latest releases, you are leaving your WordPress website at risk of an attack.

Keep plugins and themes updated

Faulty themes and plugins are vulnerabilities in WordPress and serve as potential entry points. You need to check plugin and theme compatibility as you move to newer WordPress versions. When plugins and themes are not updated for a long time, they become vulnerable and can be the source of an attack on your WordPress website.

You may want to learn more on How to detect a vulnerable WordPress plugin. Being able to detect faulty and vulnerable plugins is fundamental in keeping your WordPress website secure. This should be a sustained and continuous exercise during the life of your WordPress installation.

Maintain a regular and healthy backup for your website

Many website owners do not take backups seriously and, in many cases, when disaster strikes they have no means of restoring their websites to a healthy state. Backups are important for fixing issues when no fix is available or none seems to work. We recommend that you also maintain a downloaded, offline copy to be doubly sure of your safety.

Maintain strong passwords for your accounts

The easiest way for an intruder to access your website is to break in with a guessed password. This happens when people use dictionary words or their combination, dates, months or some combination of these to form passwords.

It is extremely important to use strong passwords to secure your websites. Our recommendations for password strength are that a password should include a combination of capital and small letters, special characters and numbers, and should be at least 10 characters long. We strongly advise that your passwords should not be memorable, and you should avoid the trick used by many which involves choosing a long word like "encyclopedia" and, instead of typing the word, typing the keys directly above each letter on the keyboard. That is not a safe password practice.

You may want to learn more in this post on WordPress Security: The Complete Guide

Change Passwords Regularly

Updating your passwords for strength and in line with current best practices is advisable. For example, 6-character passwords were once considered safe practice, but today most systems recommend a minimum of 8 characters and some require a minimum of 12. When you have to change your website passwords, we recommend generating them automatically rather than making them up yourself. This is not a rule but a recommendation.

Limit the number of failed login attempts

Limiting failed login attempts can help you keep hackers at bay. This is important because if you do not set a limit, you are effectively allowing unrestricted password-guessing attacks on your system. You can keep the allowable number of failed logins as low as 5 before a ban is triggered. These settings should be guided by the security of your website and not the convenience of users. Legitimate users can always reset their passwords if they are unable to get them right, so stay focused on safety when making password decisions.
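As an added illustration of this advice (example code, not from the article or from any particular plugin), here is a small must-use plugin that bans a client address after 5 failed logins within a 15-minute window, using WordPress transients and the core `wp_login_failed`, `authenticate` and `wp_login` hooks. The limit, window length and function names are assumptions for this example.

```php
<?php
/*
Plugin Name: Example Login Attempt Limiter (illustrative)
Description: Bans a client address for 15 minutes after 5 failed logins.
*/

// Assumed policy: 5 failures within a 15-minute sliding window trigger the ban.
const EXAMPLE_MAX_FAILURES   = 5;
const EXAMPLE_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;

// Cache key derived from the client address. REMOTE_ADDR is used deliberately:
// trusting a client-supplied header such as X-Forwarded-For would let an attacker
// spoof a fresh address for every attempt. Behind a reverse proxy, configure the
// proxy to set REMOTE_ADDR correctly instead of reading headers here.
function example_login_limiter_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_failures_' . md5($ip);
}

// Core fires wp_login_failed after every rejected login; count it and refresh
// the expiry so the window slides with the most recent failure.
function example_login_limiter_record_failure($username) {
    $key      = example_login_limiter_key();
    $failures = (int) get_transient($key);
    set_transient($key, $failures + 1, EXAMPLE_WINDOW_SECONDS);
}
add_action('wp_login_failed', 'example_login_limiter_record_failure');

// Priority 30 runs after core's own password checks (priority 20), so a correct
// password cannot override the ban once the limit has been reached.
function example_login_limiter_check($user, $username, $password) {
    if ((int) get_transient(example_login_limiter_key()) >= EXAMPLE_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter('authenticate', 'example_login_limiter_check', 30, 3);

// A successful login clears the counter for that address.
function example_login_limiter_reset($user_login, $user) {
    delete_transient(example_login_limiter_key());
}
add_action('wp_login', 'example_login_limiter_reset', 10, 2);
```

Because a banned attempt is itself rejected, it also fires `wp_login_failed` and extends the ban, so a client that keeps hammering the login form stays locked out until it stops.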

Adopt access control measures

You need to control access to your website dashboard, especially when you are not the only one with permission to access it. Set permissions so that users get access only to the sections they need; no user should be allowed to perform unlimited tasks. So when creating users, make sure you set permissions that control what they can do.

While this is not a perfect security measure, it limits the damage from mistakes made by legitimate users who have been granted access to sensitive areas such as modifying template and plugin code.
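One way to put this into practice, as an added example not taken from the article: register a restricted role that can write and publish content but cannot touch themes, plugins or other users, and switch off the in-dashboard file editor for everyone. The role name and capability set are assumptions chosen for this illustration.

```php
<?php
/*
Plugin Name: Example Restricted Author Role (illustrative)
Description: Least-privilege role for content contributors.
*/

// Roles are persisted in the database, so register the role only if it is
// not already there; running this on every request would be harmless but wasteful.
function example_register_restricted_role() {
    if (get_role('example_content_author') !== null) {
        return;
    }
    add_role('example_content_author', 'Content Author (example)', array(
        'read'          => true,
        'edit_posts'    => true,
        'publish_posts' => true,
        'delete_posts'  => true,
        'upload_files'  => true,
        // Deliberately absent: edit_themes, edit_plugins, install_plugins,
        // edit_users, manage_options. A compromised or careless account with
        // this role cannot change site code or settings.
    ));
}
add_action('init', 'example_register_restricted_role');

// Disable the theme and plugin file editors even for administrators, so a
// hijacked admin session cannot turn the dashboard into a code editor.
// This is normally placed in wp-config.php as define('DISALLOW_FILE_EDIT', true).
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}
```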

Enable two-factor authentication

This is quite an effective security measure. In addition to your strong login password, enabling two-factor authentication (2FA) means that even when the password is correct, the login is only permitted after you enter a code that is sent to you. If the code is not provided correctly, the login is refused.

2FA works excellently when you are the only one with login permission, but it is also added protection against abuse of other accounts that have been granted access.

Consider plugin reputation before use

We mentioned earlier that vulnerable plugins are an entry point for attacking and hacking your WordPress website.

To fully understand this point, you may want to read this article on How A Plugin Installation Can Crash Your WordPress Website.

You will also need to read this very helpful guide: Before You Install a WordPress Plugin, Ask These Questions

We suggest that you properly review the plugins you use or intend to use to verify their integrity, because they go a long way in protecting your website. Here is our list of recommended plugins: WordPress Security Plugins Compared to Find Which Works Best

Use your email address to log in

By default, logging in to WordPress requires you to provide a username. Logging in with your email address instead of a username is a more secure approach, because a username is far easier to predict than an email address. In addition, if a unique email address is used to create the WordPress account, it makes a valid identifier to log in with.

Make use of a firewall protection

A firewall automatically places a barrier between your website's network and an attacker. It can prevent illegitimate traffic and many attacks, because firewalls prevent a direct connection between the network hosting your website and external networks. One of the best firewall protections is offered by Sucuri. You can read more about the steps to clean and harden your WordPress website security with the free Sucuri plugin.

Choose WordPress hosting for WordPress websites

WordPress itself is very lightweight, but a full site can be resource intensive. We always recommend that you host your WordPress website on platforms that have been prepared for WordPress hosting. These hosting solutions are usually more expensive, but they enhance the performance of your WordPress website, especially in terms of speed and security.


How do you recover from a WordPress hack?

A lot of WordPress users are new to the internet and may be running their first WordPress sites. Not being familiar with the security measures they need to take to protect their websites, they can be hit, and this is usually very devastating. If you find yourself in this situation, here are our recommended actions.

Stay calm and contact your web host

It's not over. Stay calm and immediately contact your web host. Most web hosts provide expert technical WordPress support. They may help identify the problem and fix it for you within hours.

Set your website's maintenance mode on

If you are still able to access the dashboard, put the website into maintenance mode. That alerts visitors that you are undergoing maintenance because something needs to be fixed, while you review the situation and decide on the actions you should be taking.

Create an incident report

You need to write down what happened, and the report should include the following:

  1. What you were doing when the error occurred.
  2. When you became aware of the problem.
  3. Any changes you made to your website after you noticed the problem.
  4. What steps you have taken to address the problem.

You will submit this report with your complaint to your web host or to the senior admin responsible for your website.

Update access passwords

To halt any unauthorized access to your website while the problem is being sorted out, reset your account passwords immediately.

Brief your customers and colleagues

Email your clients, colleagues and other stakeholders about the problem and the steps you are taking to address it.

Restore a backup

If all other efforts fail to address the problem, then you need to restore your most recent healthy backup.

You may learn more in our post on how to Maintain a Healthy WordPress Website. Once you have a healthy backup, you can restore it and your website will be back to working normally. Remember to change all applicable passwords after restoring a backup.

Final Words

WordPress is a great web development tool, but it can be vulnerable to attacks. The first thing you need to do to keep your website safe is to maintain it by keeping it updated. Also ensure that all plugins and themes are updated and compatible with your WordPress version.

To further protect your WordPress website, implement a security firewall, use a good security plugin, enable two-factor authentication and limit the number of allowed failed login attempts, amongst other measures.

Finally, if your WordPress website comes under attack and you are unable to fix it, consider restoring a safe and healthy backup, and change all passwords associated with your WordPress administration, including the email addresses used for password resets.
