Let’s talk about WordPress. It is the most common content management system (CMS) used by websites across the world today. In fact, WordPress has a 60.8% market share in the CMS market and powers 14.7% of the world’s top websites. 500+ sites are built each day using WordPress! There are over 55,000 plugins in the WordPress directory, and that is a problem for security in itself.
WordPress is built using PHP, the most popular programming language on the web today. There is nothing wrong with PHP; in fact, it is a great backbone for the platform. WordPress itself is also generally quite secure, but there are a number of things that you do (or don’t do) that can contribute to poor WordPress security. We will examine a few in this article.
SOURCES OF WORDPRESS SECURITY BREACHES:
Dodgy plugins: It’s easy to find and install a plugin for your WordPress site that will deliver the functionality you desire, but can you trust it? Check for recent reviews and comments on the plugin page. It’s easily done, and can avoid a nightmare later on. Also, use the genuine WordPress plugin directory to get your plugins, and NEVER download them from a standalone website or some dodgy brothers Google Drive link. The latter will almost always contain malware or a backdoor allowing other people access to your WordPress install.
Dodgy themes: Exactly the same as plugins above. If you download a dodgy, free theme from some shifty-looking website, it’s going to contain malware. Stick with the main trusted repositories for WordPress themes.
Poor passwords: WordPress sites are often targets for brute-force login attempts, with script kiddies running a PHP script on a compromised VPS that will hit your server over and over, trying every possible password combination. A lot of people set WordPress up with a weak password such as ‘abc123’ for testing and forget about it, and then get their site compromised rather quickly. Choose a very strong password and use a password generator. Make it different to all your other passwords.
Plugin and WordPress vulnerabilities: Even with good plugins, you will sometimes be exposed to a known software vulnerability or backdoor in a legitimate plugin or in WordPress itself. It is therefore recommended that you update WordPress at least every 3 months, and update all your plugins at least monthly.
In addition to all the above, I strongly, strongly recommend a good firewall plugin for your WordPress install, such as Wordfence. Wordfence is by far the best WordPress security tool, and when it sends you the daily reports you will be astounded at the number of hacking attempts that were made on your installation, and how much it has prevented. Wordfence is free, but if you want even more security peace of mind, you can pay for the pro version, which contains extra features.
Also, make sure your web host has extra functionality to block would-be WordPress hackers. Stealth Internet provide web hosting with automatic firewall blocking of IP addresses that fail a number of WordPress logins.
If all else fails and you need a consultant to build or secure your WordPress site, we are here for you.