WordPress is running on more than one of every four websites on earth. It is a great tool for communications at all levels from personal blogs to giant enterprise sites serving thousands of even millions of visitors a day.
As open source software, every line of WordPress code has many eyes going over it. This together with its frequent core updates greatly reduces the likelihood of hacking or compromising your site.
Still, WordPress just like any other platform has vulnerabilities and hackers know how to exploit them. Remember, if someone decides that you are a target, then you are definitely a target!
WordPress vulnerabilities can generally fall under these categories:
- Errors in WordPress core. Extremely rare and often caught quickly.
- Plugins and Themes. Developers unfamiliar with basic security practices in PHP and WordPress may not code properly and leave an open door for hackers to walk in. Common risks include forms for users to enter information.
- Server risks. Work with a reputable service provider to ensure that the backend is secure. Some risks include improperly secured “.htaccess” files, FTP accounts and bad passwords
- User risks. This is perhaps the largest security risk and easiest for hackers to exploit. It is also often the easiest to deal with. This includes bad logins and passwords, insufficient updating, and allowing spam into comment. It also includes non-WordPress risks like Free Wifi, phishing and people stealing your stuff.
Learn more
What is Cross Site Scripting and Code Injection?
- https://en.wikipedia.org/wiki/Cross-site_scripting
- https://en.wikipedia.org/wiki/Code_injection
- https://hackertarget.com/attacking-wordpress/
What you can do right now to improve your WordPress security
- Harden passwords
- Limit login attempts
- Hide login page – with caveats
- Two-factor authentication
- Check all plugins
- Limit the number of plugins used
- Admin should not author content
- Admin user should not be called “admin”
- Login and username should be different
- Enable regular backups on your host
- Update PHP on host. If not possible, consider changing hosts
- Take advantage of security tools offered by host
- Do not handle ecommerce or credit cards outside of an ecommerce tool
- Do not use emailing/newsletters outside of a commercial emailing tool
- Should I use a plugin that encrypts its code because they’re selling it?
- Implement HTTPS through your web host
- Never ignore updates! If you can’t, don’t want to, or don’t want to pay, then delete!
- Not using a plugin? Inactive? Delete it
- IP access limits
- Disable directory indexing
- Hover over the link
Tools you can use
- LastPass, KeyPass, iOS Keychain, etc.
- Secure host: WP Engine, StudioPress or SiteGround
- Virtual Private Network
Disclosure: This information is deemed accurate but not guaranteed. By accessing this page you agree to comply with generally accepted security practices and applicable laws, and you hold website owner harmless for damages resulting from information on this page.