At HubSpot, we talk a lot about delighting customers. We believe that all growing businesses should seek to provide their customers with the best experience possible. So, allow me to spotlight one of the most important forms (if not the most important form) of customer service — cybersecurity.
As your business grows, the number of problems you’ll need to solve and your customers’ expectations for how you address those problems will increase. One of those problems is keeping your customers’ information secure. If you can’t provide this fundamental service from the get-go, it signals that you don’t solve for your customers.
There’s no way around it: If you have an online presence, you need to prioritize security. And if WordPress is your CMS, you definitely need to prioritize security, since hackers launch 90,000 attacks against WordPress websites every minute. Yikes.
The good news is that most of these hacking attempts are easily preventable. In this article, we’ll get into the details of the most common and dangerous security vulnerabilities that come with using WordPress. Then, we’ll cover all the steps you’ll need to manage a safe, secure WordPress website.
Why You Need WordPress Security
Let’s discuss the 3 reasons why every successful website built with WordPress prioritizes security. These apply to businesses of all sizes, reputations, and industries.
To Protect Your Information and Reputation
If attackers attain personal information about you or your website visitors, there’s no end to what they could do with the information. Security breaches open you up to public data leaks, identity theft, ransomware, servers crashing, and the list unfortunately goes on. Needless to say, any of these events is far from ideal for the growth and reputation of your business, and are usually a major waste of time, money, and energy.
Your Visitors Expect It
Your customers need to trust that their information will be used and stored safely, whether it be contact information, payment information (which requires PCI compliance), or a basic response to a survey. There’s a catch-22 here: If your security measures work, your customers will never need to know. If they ever do see news about your site’s security, chances are it’s bad news and most won’t come back.
Google Likes Secure Websites
A safe website is a searchable one. Website security directly affects visibility from a search on Google (and other search engines), and has for a while. Security is one of the easiest ways to boost your search rank. You can read about what other factors affect how Google ranks your website in our Ultimate Guide to Google Ranking Factors.
Clearly, protecting your online properties should be a key concern. Every website needs to ensure safety for their visitors and users, and we’ll go over the steps to do this. But first, you might be wondering...
Is WordPress Secure?
A reasonable question to ask. A challenging one to answer.
There’s no way around it: Websites that use WordPress are a popular target for cyberattacks. A recent study by cybersecurity provider Sucuri reported that out of every ten CMS-powered websites successfully hacked in 2018, nine used WordPress.
This might be less surprising knowing that 36% of all websites use WordPress, which is over 400 million websites. Still, 90% of all CMS-targeted attacks is still quite high, even when taking into account WordPress’ market share.
But before you hard-delete your WordPress account, you should know that these numbers aren’t entirely WordPress’ fault. Or, at least not the fault of the WordPress product itself.
WordPress employs a large security team of world-class researchers and engineers looking for vulnerabilities in its system, and regularly releases security updates to their software. As far as WordPress core goes, we’re covered. Really, the problem lies with how WordPress is made available to its users.
WordPress is open-source software, meaning that the source code is available for anyone to modify and distribute. Because WordPress is open-source, the software is infinitely customizable and optimizable. There are thousands of plugins, themes, and developers with the skills to modify the backend code themselves. This flexibility is a defining feature of WordPress, and a huge part of what makes it so powerful and widely-used.
The downside to all this freedom is that an improperly configured or maintained WordPress website is prone to a myriad of security issues. WordPress gives a lot of power to its users, and with great power (say it with me) comes great responsibility. Responsibility that many are shrugging off. Hackers know this and target WordPress websites accordingly.
Another thing: Asking if any website is really “secure” is a bit of a moot question. The truth is, perfect security simply doesn’t exist, especially online. As WordPress states:
“[S]ecurity...is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.”
You can never guarantee complete immunity to online threats, but you can take steps to make them much less likely to occur. The fact that you’re reading this means you probably care about security and are willing to go the extra mile to keep you and your visitors safe. To sum all this up, WordPress is secure, but only if its users take security seriously and follow best practices.
WordPress Security Issues
So, what could happen if one chooses to push all these numbers aside and do nothing to secure their WordPress site? As it turns out, a lot. The most common types of cyberattacks on WordPress websites are:
Brute-Force Login Attempts
This is one of the simplest types of attacks. A brute-force login occurs when attackers use automation to enter many username-password combinations very quickly, eventually guessing the right credentials. Brute-force hacking can access any password-protected information, not just logins.
Cross-Site Scripting (XSS)
XSS occurs when an attacker “injects” malicious code into the backend of the target website to extract information and wreak havoc on the site’s functionality. This code could be introduced in the backend by more complex means, or submitted simply as a response in a user-facing form.
Also known as a SQL injection, this happens when an attacker submits a string of harmful code to a website through some user input, like a contact form. The website then stores the code on its database. Similarly to an XSS attack, the harmful code runs on the website to fetch or compromise confidential information stored in the database.
A backdoor is a file containing code that lets an attacker bypass the standard WordPress login and access your site at any time. Attackers tend to place backdoors among other WordPress source files, making them difficult to find by inexperienced users. Even when removed, attackers can write variants of this backdoor and continue using them to bypass your login.
Denial-of-Service (DoS) Attacks
These attacks prevent authorized users from accessing their own website. DoS attacks are most frequently carried out by overloading a server with traffic and causing a crash. The effects are worsened in the case of a distributed denial-of-service attack (DDoS), a DoS attack conducted by many machines at once.
When an attacker contacts a target posing as a legitimate company or service, this is known as phishing. Phishing attempts typically prompt the target to give up personal information, download malware, or visit a dangerous website. If an attacker accesses your WordPress account, they could even coordinate phishing attacks on your customers while posing as you.
Hotlinking occurs when another website shows embedded content (usually an image) that is hosted on your website without permission, so that the content appears like it’s their own. While more akin to stealing than a full-blown attack, hotlinking is usually illegal and gives the victim serious issues, since they have to pay every time content is retrieved from their server when displayed on another website.
For these crimes to occur, hackers need to discover holes in a site’s security. Common vulnerabilities that hackers look for when targeting WordPress websites include:
- Plugins: Third-party plugins account for the majority of WordPress security breaches. Since plugins are created by third parties and have access to the backend of your website, they're a common channel for hackers to disrupt your site’s functionality.
- Outdated WordPress versions: WordPress sometimes releases new versions of their software to patch security vulnerabilities. When fixes come out, the vulnerabilities become public knowledge, and problems with old versions of WordPress are often targeted by hackers.
- The login page: The backend login page for any WordPress website by default is the site’s main URL with “/wp-admin” or “/wp-login.php” added to the end. Attackers can easily find this page and attempt a brute force entry.
- Themes: Yes, even your WordPress theme can open your site up to cyberattacks. Outdated themes may be incompatible with the most recent version of WordPress, allowing easy access to your source files. Also, many third-party themes do not follow WordPress’ standards for code, causing compatibility issues and similar vulnerabilities.
For a deeper look at WordPress security issues, see our article on WordPress security issues you should know about.
Now that we’re past the scary part, let’s discuss what you can do to reduce the threat of a cyberattack on your WordPress website.
WordPress Security Best Practices
- Secure your login procedures.
- Use secure WordPress hosting.
- Back up your website.
- Update your version of WordPress.
- Install security plugins.
- Use a secure WordPress theme.
- Enable SSL/HTTPS.
- Install a firewall.
- Never trust user input.
- Limit WordPress user permissions.
- Use WordPress monitoring.
- Change the default WordPress login URL.
- Conduct regular WordPress security scans.
- Disable file editing in the WordPress dashboard.
- Consider deleting the default WP admin account.
Secure Your Login Procedures
The most fundamental step to securing your website is keeping your accounts safe from malicious login attempts. This do this:
- Use strong passwords: We used to think there would be flying cars in the future. Now, in 2020, people are still using “123456” as a password. Make sure that all users with accounts on your WordPress backend are using strong passwords to log in. You might want to use one of our recommended password managers to generate strong passwords and keep track of them for you.
- Enable two-factor authentication: Two-factor authentication (2FA) requires users to verify their sign-on with a second device. This is one of the simplest, yet most effective tools to secure your login.
- Don’t make any account username “admin”: Chances are, this will be the first username attackers will plug in during a brute force login attempt. If you’ve already created a user with this name, create a new administrator account with a different username, or run the Username Changer plugin.
- Limit login attempts: Placing a cap on the number of times a user enters the wrong credentials in a certain amount of time will prevent hackers from brute-forcing a login. Some hosting services and firewalls might take care of this for you, but you can also install a plugin like Limit Login Attempts for the job.
- Add a captcha: You’ve likely seen this security feature on many other websites. They add an extra layer of security to your login by verifying that you are indeed a living person. Again, plugins are your friend for this. reCaptcha by BestWebSoft is one we recommend.
- Enable auto-logout: While you should remember to log out of your WP account when finished, auto-logout prevents strangers from snooping in your account if you forget. To enable auto-logout on your WordPress account, try the Inactive Logout plugin.
Use Secure WordPress Hosting
When choosing the service that hosts your website, there are many factors to take into account, but security should be a top priority. Consider services that have taken steps to protect your information and promptly recover if an attack occurs. See our list of recommended WordPress hosting providers.
Back Up Your Website
Being hacked is bad. Losing all your information is even worse. Make sure you have your website information backed up by WordPress and your host in the event of an attack (or any other incident) that causes data loss. We recommend backups be automatic as well. See our list of the best WordPress backup plugins available.
Update Your Version of WordPress
Outdated versions of the WordPress software are a very common target for hackers. Make sure you regularly check for and install WordPress updates as soon as possible to eliminate vulnerabilities found in older versions.
To update WordPress to the latest version, first back up your site and check that your plugins are compatible with the latest version of WordPress, updating plugins accordingly. You can reference our guide for how to update your WordPress plugins.
After updating your plugins, follow the update instructions on WordPress’ website.
Install Security Plugins
We highly recommend installing one or more reputable security plugins on your website. These plugins do much of the security-related manual work for you, including scanning your website for infiltration attempts, altering source files that might leave your site susceptible, and preventing content theft like hotlinking. Some reputable plugins cover almost everything on this list.
Whichever plugin(s) you decide to install, security-related or not, make sure they’re well-established and legitimate. See our list of recommended WordPress plugins.
Use a Secure WordPress Theme
Just like you shouldn’t install a sketchy plugin on your site, resist the urge to use just any WordPress theme that looks good. To prevent vulnerabilities caused by a Wordpress theme, choose one that is compliant with WordPress standards.
To check whether your current theme meets WordPress’ requirements, copy your website URL (or the URL of any WordPress site or any theme’s live demo) into W3C’s validator. If you find your theme isn’t compliant, search for a new theme in the official WordPress theme directory. All themes in this directory are safely compatible with WordPress software. Alternatively, see HubSpot’s list of recommended WordPress themes, or search another credible theme marketplace.
SSL (Secure Sockets Layer) is the technology that encrypts connections between your website and visitors’ web browsers, ensuring that the traffic between your site and your visitors’ computers is safe from unwelcome interceptions.
Your WordPress site needs SSL enabled. Not only will it boost SEO, but it also plays directly into your visitors’ first impression of your website. Google Chrome will even warn users if the site they’re visiting doesn’t follow the SSL protocol, which directly reduces website traffic.
To see whether your WordPress site follows the SSL protocol, visit your WordPress site’s homepage. If the homepage URL begins with “https://” (the “s” stands for “security”), your connection is secured with SSL. If the URL begins with “http://”, you’ll need to obtain an SSL certificate for your website, which you can learn more about in our beginner’s guide to SSL. Consider purchasing a wildcard SSL certificate if your website has many pages.
Install a Firewall
A firewall sits between the network that hosts your WordPress site and all other networks, and automatically prevents unauthorized traffic from entering your network or system from the outside. Firewalls keep out malicious activity out of your site by eliminating a direct connection between your network and other networks.
We recommend installing a Web Application Firewall (WAF) plugin to protect your WordPress site. As with everything else on this list, carefully deliberate which type of firewall and which plugin works best for your needs before making your choice.
Never Trust User Input
If any part of your website accepts a response from visitors, be it a payment form, a contact form, or even a comment section on a blog post, this is an opportunity for an XSS or database injection attack. Attackers could enter malicious code into any of these text fields and disrupt your website’s backend.
To avoid this problem, make sure you filter out special characters from user input before it is processed by your site and stored in a database. Alternatively, you can use a WordPress form plugin to get the job done.
Limit WordPress User Permissions
If your WordPress site has multiple user accounts, we recommend changing the roles of each user to limit their access to only what they need. WordPress has six roles to choose for each user. By limiting the number of users with administrator permissions, you reduce the chance of an attacker brute-forcing their way into an admin account, and limit the damage that can be done if an attacker does correctly guess a user’s credentials. See our guide on how to change WordPress user permissions.
Use WordPress Monitoring
Having a monitoring system in place for your website will alert you of any suspicious activity that occurs on your site. Ideally, your other measures would have prevented such activity, but it’s better to find out sooner rather than later.
Change the Default WordPress Login URL
As I’ve mentioned, the default URL for the WordPress login page for any WordPress site is easy to find. Plugins like WPS Hide Login change this login page URL for you.
Conduct Regular WordPress Security Scans
It’s a good idea to run routine check-ups on your site. Aim for at least once a month. There are multiple plugins that can scan your site for you. Here are the seven WordPress scanner plugins we recommend.
Disable File Editing in the WordPress Dashboard
By default, WordPress lets administrators edit the code of their files directly with the code editor. This gives attackers an easy way to alter your files if they gain access to your account. If a plugin hasn’t already disabled this feature, you can do some light coding to disable it yourself. Add the code below to the end of the file wp-config.php:
// Disallow file edits
define( 'DISALLOW_FILE_EDIT', true );
Consider Deleting the Default WordPress Admin Account
We’ve discussed changing the “admin” username for the default WordPress admin account, but if you want to take things a step further, get rid of this default account altogether, and make a new account with the same administrator permissions.
What To Do If You’re Hacked
So, you’ve implemented some or all of the measures above, and now you want to be extra prepared in case something goes wrong. Or, something has gone wrong. Either way, here’s what to do:
It’s natural to panic in these situations. Just remember that a security breach can happen to anyone. It’s necessary to keep a clear head so you can locate the source of the breach and begin to resolve it.
Turn On Maintenance Mode On Your Website
Limiting access to your site keeps visitors away from your side and safe from the attack. Only open your website when you’re confident the situation is under control.
Start Creating an Incident Report
Record all relevant details that can help solve the issue. These include, but are not limited to:
- When you discovered the problem.
- What led you to believe you were attacked.
- Your current theme, active plugins, hosting provider, and network provider.
- Any recent changes you made to your WordPress site before the incident.
- A log of your actions while finding and fixing the issue.
Update this document as more details become available.
Reset Access and Permissions
All account holders should also strongly consider updating passwords on their work and personal devices, as well as personal accounts, since you can’t know for sure what the attackers were able to access beyond your WordPress site.
Diagnose the Issue
Either search for the problem yourself with a security plugin, or, depending on the scale of the attack, hire a professional to diagnose the problem and repair your site. Regardless of what method you choose, run a security scan on your site and local files to clear any remaining harmful files or code the attackers might have left, and to restore any missing files.
Review Related Websites and Channels
If you have accounts for any other online platform linked to your website, such as a social media account or another WordPress site, check these platforms to see if they were affected. Change your passwords for these channels as well.
Reinstall Backup, Themes and Plugins
Re-install your theme and plugins (double-checking that they’re safe). If you have a backup in place, restore the most recent backup prior to the incident.
Change Your Site Passwords Again
Yes, you did reset all WordPress passwords before, but these credentials could have been compromised while you were fixing the problem. You can never be too careful.
Alert Your Customers and Stakeholders
After your site is up and running again, strongly consider reaching out to your customers alerting them of the attack, especially if personal information was accessed and leaked. It’s the right thing to do, and be prepared for negative responses from customers.
Check That Your Website Is Not Blacklisted by Google
If your website was blacklisted by Google as a result of the attack, Google will not-so-subtly warn users about entering your website:
While blacklisting is necessary to keep users away from harmful websites, it will also scare most traffic from your legitimate site. Sucuri has a free tool to scan your website for Google blacklist status.
Follow the Best Practices Listed Above
Taking all possible precautions to limit the possibility of another attack will give you some peace of mind. Let’s hope something like this doesn’t happen again. But if it does, you’ll be in much better shape.
Don’t Take Security for Granted
I know I might have come off a bit preachy in this article. I apologize, but I promise it’s for good reason. If you don’t believe me, take it from former IBM CEO Ginni Rometty:
“Cybercrime is the greatest threat to every company in the world.”
And it will continue to be. Cybercriminals are constantly evolving new ways to leverage companies’ online presence against them, and security engineers are always developing new methods to stop them. This is the ever-turning cycle of security on the internet, and we’re all caught in the middle. Always keep your customers’ safety in mind, so they have one less thing to worry about.
Note: Any legal information in this content is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice or as a recommendation of any particular legal understanding.
Originally published May 25, 2020 7:00:00 AM, updated May 29 2020