We sat down with security expert and Incsub CTO Aaron Edwards to learn more about WordPress security and the steps administrators can take to keep their WordPress themes and plugins secure.
1. How can I tell if my WordPress theme and plugins are secure?
There are some great free tools like WP Checkup that can help check your site for plugin and theme vulnerabilities. Scheduling checkups and making frequent updates can keep your site safe.
Because WordPress is open source and many of the themes and plugins are distributed under a GPN or GPL license, it is easy for themes and plugins to be “forked” and redistributed on free WordPress plugin and theme sites with additional malicious code. This added code may simply add hidden linkbacks or redirect your site. However, it could also install a virus or even expose your users to identity theft.
These types of attacks can be avoided in five ways:
- First, when utilizing free plugins, research the author and only download the plugin files from the author’s site or from the WordPress Plugin repository (if listed).
- Ask advice regarding the safety of a plugin or theme from a trusted WordPress community. Ask questions on support forums like http://wordpress.org/support/, http://premium.wpmudev.org/forums/ or Post Status.
- If you are going to use trusted free plugins or themes, check the version compatibility listing and verify the plugin or theme is still supported and updated. Many free themes and plugins are slow to receive updates or are abandoned. Using old plugins or themes can leave you exposed to attack, especially after a security update.
- If you don’t use it, lose it. Code from plugins and themes you no longer use still leave vulnerabilities, even if they are not activated. Remove all unnecessary code, including plugins and themes that you no longer use.
- One of the best ways to protect yourself from utilizing weak or malicious code is to use paid, supported themes and plugins. Companies and communities like WPMU DEV provide 100% guaranteed, time-tested support, updates and plugins that help ensure your site is prepared to stand against attacks.
While using trusted, well-coded plugins and themes will not protect your WordPress site against all attacks, our experience shows nearly all WordPress attacks could be stopped by simply using safe, up-to-date and well-written code.
If you want to save time, setup Automate updates. The Hub site manager will automatically backup and update all your plugins and themes, and uses “Safe Upgrade” technology to provide worry-free update checks and reports.
2. How can I audit my WordPress site’s security? How often should I do this?
You can hire a security professional to do an audit, or you can use a plugin/service created by security professionals to perform an automated audit for you. In both cases, you need to make sure the person or company behind the plugin/service is trusted.
Auditing to check your site for vulnerabilities really needs to be a continuously ongoing task.
This is why we created Defender. It will run the initial audit of your site and offer to fix all security holes it finds. It then continually monitors your site for any further security issues that may arise.
3. Should I use a web application firewall for my WordPress site?
While not necessarily required, a WAF can add an extra layer of security to your site and server. While there are plugins that claim to provide WAF features, they can’t protect your server itself, or prevent your site going down from the load generated by an attack. We recommend a Cloud-based managed WAF like Cloudflare or Sucuri, and properly configuring your server to prevent bypassing. They can help protect against not only specific WordPress vulnerabilities in real time, but also stop DDoS and botnet attacks from taking down your site.
4. Do I need an SSL certificate if my site isn’t an ecommerce site?
Yes, absolutely. Not only is having an SSL certificate a good security practice, but HTTPS is one of Google’s ranking signals. Back in 2014, Google called for “HTTPS everywhere” on the web in an effort to make the Internet safer, and has been encouraging website owners to switch from HTTP to HTTPS ever since.
Not everyone collects money online. Some websites collect information or have membership functionality. Without an SSL certificate, login credentials, cookies and form submissions for your site can be easily intercepted.
5. I have multiple site admins. What should I know about access management (password strength, HTTPS)?
Use HTTPS to prevent eavesdropping during the login process. Putting define( ‘FORCE_SSL_ADMIN’, true ); in your wp-config.php file will do that for you provided you have a SSL certificate installed.
You should also consider disabling the plugin or theme editor to prevent overzealous users from editing sensitive files and potentially crashing your site. Do this by adding define( ‘DISALLOW_FILE_EDIT’, true ); to your wp-config.php file. This provides an additional layer of security if a hacker gains access to a well-privileged user account.
Encourage site admins to use a password manager with strong, random passwords, and/or use a plugin like Defender to require two-factor authentication for specific roles.
6. How can I scan my WordPress site for vulnerabilities?
There are a number of tools out there to scan your site for vulnerabilities. Earlier I mentioned our WordPress Checkup tool and also our security plugin Defender. Both are available for free. WP Checkup provides a black-box scan and overview of your site’s performance, security and SEO, while Defender will go more in-depth with security scanning and offer to fix the issues for you.
For more on how to scan your site, we’ve got a great guide on our blog.
7. I’m a small business. Why would hackers bother with my site?
Hackers aren’t necessarily interested in you. In fact, it’s very unlikely (unless you are a large corporation or government agency) that hackers are targeting you specifically at all.
Instead, they are looking for sites they can hack in order to run phishing scams, malicious redirects or even to try to game Google by inserting links.
Our members often contact our support team after activating Defender’s IP Lockouts feature. Instantly they notice a steady stream of IPs already trying to access their new website with failed login attempts and 404 errors from scanning for vulnerabilities to hijack. It’s a fairly common issue for WordPress-based websites.
8. I’ve been hacked. What should I do next?
Make a backup of your site right away. You might be thinking, “Why? It’s already hacked.” Some hosts will delete your site immediately when they find out it has been hacked; this is to avoid anything malicious affecting the rest of the network. The only thing worse than having your site hacked is having it deleted.
Now that you have your hacked site backed up, you can focus on cleaning it up. If you know approximately when your site was hacked, restore it using a pre-hack site backup, run a security audit and fix any vulnerabilities to avoid the same hack happening again. Or just install a security plugin such as Defender that will do both the security audit and close up vulnerabilities for you, along with the important task of ongoing monitoring.
Sometimes you might not have backups, or can’t roll back far enough. In those cases, you will need to manually clean up your site, which is a bit more involved. You can learn how in our website clean-up guide.
9. How important are theme and plugin updates?
Incredibly important. In fact, they are the number-one cause of WordPress hacks. Keeping them up to date should be at the top of your to-do list.
But, not everybody – especially if you have lots of sites – has time for this. It’s a pain logging into all the sites to check, and then takes forever to do.
Which is why we created Automate.
It detects when an upgrade is available for a trusted theme or plugin (you can select all of your plugins and themes, or just the ones you trust), takes a screenshot of your site, automatically backs it up, performs the upgrades, pings your site to make sure it’s not down or broken and then takes a second screenshot and compares it to the original one to make sure the update caused no significant visual changes.
And then, it immediately sends you an email (although you can have a digest if you like) letting you know what went down.
10. Do I need to install WordPress updates? Should I install them immediately?
Absolutely, and of course, Automate updates WordPress itself.
11. Should I host my own WordPress site?
If you don’t, then much (if not all) of the advice in this post isn’t relevant. If you use a platform like WordPress.com or CampusPress, security measures and updates will be taken care of for you. Whereas if you host WordPress yourself, then this post is definitely for you as security should be your number one priority.
If you do host WordPress yourself, you get far greater flexibility and the capacity to more easily (and more affordably!) meet you and your clients’ needs.
12. How often should I backup my WordPress site? Why?
As often as possible. Although realistically, you should be good with a weekly backup and keeping the last three backups, especially if your site is actively monitored.
You could also choose to have a separate monthly backup and retain the last six or so files, just in case something happens and you don’t immediately notice.
Good WordPress security tools should alert you to any issues. So generally, a weekly backup is fine. And excellent WordPress security tools will back up your site automatically before every upgrade.
13. How can I secure my hosting server? Are there certain actions I should take?
If you use shared or managed hosting, then that is generally the responsibility of your provider. Just make sure you use a strong random password for your SFTP/control panel login, and enable two-factor authentication if they support it.
If you manage your own server or VM (Digital Ocean, AWS, etc.), then it is important you properly configure your firewall rules, SSH access and filesystem permissions, and stay on top of package and kernel updates.
14. What are the most common WordPress vulnerabilities?
Nine times out of 10, when a WordPress site is hacked, it can be traced back to a vulnerability in a theme, plugin or old version of WordPress core. That is why the single most important thing you can do to protect your site is use themes and plugins from trusted providers who care about security and actively provide updates, and then keep your themes, plugins and core updated! Defender can tell you if you have a version of a theme, plugin or core installed that has a published vulnerability, and our Automate tool can keep them all updated.
15. Should I remove my deactivated plugins?
Any plugin or theme on your server, whether or not it is active, can be a potential security vulnerability, so you must stay on top of updates for all of them. To lower your attack surface, it is best to remove unused plugins or themes.
16. What WordPress security tools should I use?
Well, naturally I’ll say Defender first and foremost, but of course there are a range of other security tools you can use. For example, we use Cloudflare extensively, especially on our education products, and there are a wide range of other WAF and SSL providers, such as the absolutely awesome Let’s Encrypt.