How to Prevent Your WordPress Site From Being Hacked

Is WordPress Secure?

WordPress is one of the most popular CMS systems on the web, now powering over 26.5% of all websites. Despite this, the platform is often heavily scrutinised for being insecure, but usually with little or no evidence to support these claims.

After all, it’s one of most widely used open-source CMS systems in the world, so as a result, this will, unfortunately, make your website more susceptible to hackers as and when new vulnerabilities are discovered.

However, just because there’s a small chance your website ‘might get hacked’, surely this doesn’t mean we shouldn’t use it… right?

There was a study that was conducted quite recently that concluded that if you were going to get bitten by a dog, it would be a labrador. Now, that’s not too say they’re a particularly aggressive breed, that’s just because they’re one of the most common dogs to own; so there’s always going to be a higher risk. The same could be said for WordPress!

WordPress is an extremely powerful, open-source, lightweight and flexible CMS system built with the user in mind, so it’s no wonder it’s quickly become the go-to CMS for most people.

Let’s look at some of the data…

Is WordPress Secure

 

According to WP Scan (a WordPress vulnerability scanner), there have been 4618 vulnerabilities (2,355 unique) reported so far to date.

1. 52% of the vulnerabilities were from WordPress plugins.
2. 37% of these came from WordPress core.
3. WordPress themes accounted for around 11%.

These findings were also supported by Wordfence, that discovered that 55.9% of all vulnerabilities came from plugins.

 

So What Does This All Mean?

Well, put simply, don’t overload your website with loads and loads of plugins and if you are going to use third-party plugins, then make you’re only using plugins built by trusted developers in the WordPress community.

Most importantly, make sure you keep WordPress up to date!

You’re never going to completely prevent your website from getting hacked 100% of the time, but if you love WordPress as much as we do, then here are 5 handy tips that have served us well in the past.

 

Preventing Your WordPress Site From Being Hacked

 

1. Reliable hosting

Make sure your website is hosted on a reliable and secure server. At the end of the day, you get what you pay for so if you only pay £9.99 per month for hosting – what did you think was going to happen! Read more about the importance of good hosting for your website.

 

2. WordFence Plugin

Install the WordFence plugin and stay up-to-date with the latest list of reported vulnerabilities so that your development team can jump onto these as soon as possible. WordFence sends out some great emailers about these, but a more comprehensive list of these issues as when they are reported can also be found here.

 

3. Keep Your CMS Up To Date

Always keep WordPress core and your plugins up to date. We’d advise that you should always try and keep the number of plugins you’re using on your website down to a minimum and if you are going to use plugins, only use plugins that have been trialled and tested by other established third-party developers in the WordPress community. The best way to gauge this is normally by looking at the number of websites that currently have the plugin installed and always make sure that the plugin you’re installing is compatible with the current version of WordPress you’re running.

 

4. Strong Passwords

Ensure all of your usernames are smart and passwords are strong – a lot of WordPress hacks come from brute force attacks where people are using stupid passwords like ‘password’. Also, don’t use obvious usernames like admin or administrator. If you’ve already installed WordFence, make a list of some obvious usernames and add them to the options page. WordFence will then immediately block the IP of users who try to sign in with your prohibited list of usernames.

 

5. Prevent Editing Theme Files

Disable file editing in the WordPress dashboard – this can be achieved by placing the following code in your wp-config.php file (see below). That way if a hacker does manage to get into the backend of the website, they won’t be able to directly edit any of the theme files.

Theme Files

 

Let Us Help You Ensure Your Hosting & Website is Secure

The above list is only a handful of helpful tips and hints which we think are important and can easily be implemented by someone with less experience.

There are of course hundreds of other ways to secure your WordPress website, but you will need the help of someone who is experienced in this area.

If you’d like to talk to us about the security of your hosting and website, we would be more than happy to lend a helping hand.

And if you’ve been hacked before, we can help you come back from the array of negative effects you’re likely experiencing, like a hit on your SEO.

Give us a call on 01962 841 200 for a tailored quote based on your project or need.

Posted by Matt Parkes on 20 Nov 2017