WordPress is a highly popular, powerful blogging and website-design platform; web statistics show that it runs on one in five websites. Although it is a very effective tool that is used by millions, it is notorious for falling short in strong security – either due to lack of security knowledge on the developer’s part, or because of the vast number of potentially insecure plugins that are available. This therefore makes WordPress sites an attractive target for all kinds of hackers, as well as vulnerable to the installation of malware. In 2013, 90000 WordPress sites were hijacked for use in a botnet.
The following are 10 basic steps that can be implemented to tackle some security issues or malpractices that are present in thousands of WordPress Sites.
1. Run the Latest Version of WordPress
Over 86% of WordPress installations are running outdated versions. Each update will bring new features plus security fixes and bug patches that will ensure better security against many threats.
2. Run the Latest Version of Themes and Plugins
Site plugins and themes could still be vulnerable despite WordPress updates. This is evident when, recently, an older version of the widely-used Slider Revolution plugin, allowed malicious users to steal database credentials.
3. Prevent Directory Listing
When the web server cannnot find an index file, and directory listing feature is enabled, the server will show an HTML page with its contents which can be used to exploit any present vulnerabilities in a WordPress theme, plugin or web server.
4. Remove Inactive Users
Users, particularly administrators and those who can edit or change content, form part of the weakest points of any site. This is because users tend to make passwords that are not strong enough. If it is very necessary to retain inactive users in your database, changing their role to ‘subscriber’ will restrict their abilities.
5. Turn on HTTPS for Logins and wp-admin
HTTPS should be used in all cases where a user is providing and receiving private information to and from the web server. It is not necessary for use across the whole site, as TLS/SSL may use a huge amount of server resources based on the amount of traffic.
WordPress’s login form and admin area are considerably the most sensitive areas of a site and, it is therefore here that TLS/SSL should be enforced.
6. Restrict Direct Access to Plugin and Theme PHP Files
There is potential risk in enabling direct access to PHP files. It may lead to release of information, as some plugins can hold PHP files that are not supposed to be directly called.
Furthermore, limiting direct access to PHP files makes it more difficult for hackers to get through security measures (ie. authentication) when the coding is divided into littler files.
7. Use Complex Security Keys
WordPress makes use of long, random and complex security keys. Security keys function similarly to a very strong password. and should contain elements that make it more difficult for hackers to crack it. Although it is often more tough for users to remember, it plays a key role in establishing maximum security of your site. You can implement this strategy by creating your own set of random keys, or by using WordPress’s online key generator.
8. Choose your Plugins and Themes Wisely
Hackers can easily determine the plugins that are installed on your WordPress site through Plugin enumeration. The risk of attacks on your site can be significantly reduced by avoiding unnecessary plugins. Remember to check the number of times they were downloaded and their last update date.
9. Limit Access to wp-admin Directory
Another way to prevent attackers from cracking the password is to enable password protection on your WordPress admin area with a layer of HTTP authentication.
10. Turn off File Editing
In many cases, the first thing a hacker looks for is PHP files of plugins and themes. WordPress allows admin users to edit these PHP files of plugins and themes inside the account; since this functionality allows code execution to the server – disabling it will improve security.
It is highly recommended to implement all of these security measures in order to keep your WordPress sites attack and threat-free. They form an ideal foundation on which to begin building your site’s security.