This is our third article in this series on WordPress security. Earlier we covered the best WordPress security plugins and wrote a piece on how to secure a WordPress site. In this article, I am going to discuss the WordPress security issues in detail.
As also briefly touched upon in previous articles, WordPress security has multiple layers:
- Web hosting level
- Application level
- User level
Web hosting security
There are a number of options when it comes to WordPress hosting. However, we need to be clear where the web host's responsibility ends and our own responsibility begins. It is the responsibility of the web host to keep the underlying infrastructure (operating system, web server software, PHP and other supporting software) updated and patched against the latest security vulnerabilities. A security-conscious and quality web host will:
- Be knowledgeable about and willing to discuss your WordPress security issues, and be forthcoming and transparent about what they offer.
- Run the latest stable versions of all software.
- Take sufficient measures to keep backups and be willing to restore them in case of any issues.
Why WordPress Websites Get Hacked
Website hacking is very common. To put things into perspective, consider that out of an estimated 1 billion websites, around 9 million are hacked at any given time, which is around 2-3 percent. Out of these, more than 2 million are WordPress websites. In fact, even more. This number surely makes you wonder how websites get hacked. There are basically three broad areas through which hackers gain access:
- Access control (passwords are weak, known or compromised in some way).
- Software vulnerabilities (software includes the operating system, installed applications, web servers, themes, plugins, etc.).
- Third-party integration services (such as payment gateways and third-party plugins; these are mostly beyond the control of website owners).
Major WordPress Security Issues
Here is a list of major issues that affect WordPress security.
- The web hosting environment (discussed above).
- Running an old WordPress version makes your site vulnerable to bugs and exploits that have been discovered in older versions.
- Network vulnerabilities are also a cause. For example, using the WordPress admin dashboard over public Wi-Fi in cafes is not safe.
- Using weak passwords for the WordPress admin account as well as for your email is the biggest risk exploited by hackers.
- Using FTP instead of SFTP for transferring files to your hosting (FTP sends your credentials and files unencrypted).
- Not setting proper file permissions (we covered this in our previous article).
- Using the same database password for different WordPress installations on the same server makes it easier for hackers to compromise all the websites once even a single site is compromised because of WordPress security issues.
- Securing the wp-config.php file is also important. It is the file that holds the database credentials. It is recommended to move this file one level above the WordPress root directory.
- Once hackers get access to a WordPress backend, the first thing they try to do is edit files and write their own backdoors into them. To protect against this, it is advisable to make the WordPress files uneditable from the dashboard. This can be easily achieved with a single line in the wp-config.php file.
- All plugins should be kept updated, and any unused plugins must be deleted.
- Use a WordPress firewall such as WordPress Firewall 2, Wordfence or iThemes Security as a first line of defense.
- Do not use "admin" as the username when creating the administrative user during installation. Choose something obscure and not easily guessable.
- And most importantly, always keep your own regular backups rather than relying entirely on the web host's backups. It is very easy and cheap to use a plugin like My WP Backup to automate WordPress backups.
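Several of the items above (file permissions, the location and permissions of wp-config.php, and locking the dashboard file editor) can be checked from a shell on the host. The script below is an added example written for this article, not code from the original post or from WordPress; it only reads the install, never changes it. The install path is an assumption passed as the first argument. The dashboard editor check looks for WordPress's own DISALLOW_FILE_EDIT constant, which is the wp-config.php setting that removes the theme and plugin editor.

```shell
#!/bin/sh
# Added example (not from the original article): a read-only audit of one
# WordPress install for four of the issues listed above. The install path in
# $1 is an assumption; nothing here modifies the site.
# Usage:  wp_audit /var/www/example/public_html
# Prints one line per finding and returns the number of findings (0 = clean,
# 255 = could not audit because no wp-config.php was found).
wp_audit() {
    root=$1
    findings=0

    # 1. wp-config.php location. The article recommends keeping it one level
    #    above the web root; WordPress looks there itself when the file is
    #    absent from the root (and the parent holds no wp-settings.php).
    if [ -f "$root/wp-config.php" ]; then
        cfg="$root/wp-config.php"
        echo "wp-config.php sits inside the web root: $cfg"
        findings=$((findings + 1))
    elif [ -f "$root/../wp-config.php" ]; then
        cfg="$root/../wp-config.php"
    else
        echo "no wp-config.php found in $root or its parent directory"
        return 255
    fi

    # 2. wp-config.php holds the database credentials, so "other" must not be
    #    able to read it. Column 8 of ls -l output is the world-read bit.
    if [ "$(ls -ld "$cfg" | cut -c8)" = "r" ]; then
        echo "$cfg is world-readable"
        findings=$((findings + 1))
    fi

    # 3. DISALLOW_FILE_EDIT removes the theme/plugin editor from the dashboard
    #    (the "uneditable from the dashboard" point). Commented-out lines are
    #    skipped so a disabled define does not count as set.
    if ! grep -Ev '^[[:space:]]*(//|#|\*)' "$cfg" |
         grep -Eq "DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true"; then
        echo "DISALLOW_FILE_EDIT is not set to true in $cfg"
        findings=$((findings + 1))
    fi

    # 4. File permissions: no file under the web root should be world-writable,
    #    otherwise any local process on the host can plant code in it.
    ww=$(find "$root" -type f -perm -002 | wc -l | tr -d ' ')
    if [ "$ww" -gt 0 ]; then
        echo "$ww world-writable file(s) under $root"
        findings=$((findings + 1))
    fi

    return "$findings"
}
```

Run it after every deployment or plugin update and treat a non-zero return as a failed check; the per-line output tells you which of the four points to fix. The checks are deliberately conservative (they only flag, never chmod or move files) so the script is safe to run on a live site.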