- WordPress powers 30% of the Internet and shows no signs of slowing down.
- Cyber crime is expected to reach trillions of dollars in damages in a few years.
- Boosting site security falls on everyone including IT, design, marketers, and authors, not just security professionals.
- Education on security best practices has to be a fundamental part of all courses at all levels.
- Threats evolve and it’s not always clear how an infiltration can be damaging to the site owner, and its visitors.
If you haven’t heard, WordPress powers nearly one-third of the entire web and that number is still growing. It offers a range of benefits for everyone from writers and content publishers to marketers, developers, and IT professionals. In fact, it’s so easy to launch projects that you might have ignored some of the simple steps you can take to enhance site security for you and your visitors.
The time to take these steps is now. With greater adoption of WordPress and growing access to the Internet also, there’s going to be a staggering rise in cyber crimes. Not taking these steps can mean something as small as spammy links on your site, or redirects, or something more serious like data theft or even being turned into a phishing site. And it all matters, a lot.
It should be no surprise then that security vulnerabilities can exist on multiple layers, and that every organization will approach security differently. An effective disaster policy will look comprehensively at understanding every layer to ensure responsibilities are clear for prevention and mitigation of threats. Some of these layers include:
- Software native to your hardware
- Users who access your systems
- Internet Service Providers
- Installed applications (like WordPress)
- Third party plugins
While not everyone will lose a ton of money if their site gets hacked, you should still take actions to protect site security. This article aims to illuminate some of the behaviors you can adopt to maximize your defense right now with respect to WordPress using straightforward manageable steps. Whether you work for an enterprise company whose WordPress site drives significant revenue, or you’re a small independent business owner and you drive the occasional customer through a phone call, adopting a few key behaviors is all it takes to improve site security. And doing so early can help you scale your business responsibly.
Hacks can happen on many different levels and through many different points of entry. From the computer you use to update your site, the server you host on, the passwords you use to access your files, the WordPress version you currently run, the theme, and the plugins you use to enhance your site, it can feel overwhelming trying to stay on top of security. The fact remains, skipping any one of these potential entry points can make you vulnerable to an attack.
There’s good news though. WordPress is a vibrant community with a strong commitment to sharing best practices, so we’ve developed this guide to give anyone running WordPress a powerful advantage over digital threats. These practices are what enterprise level companies employ to ensure security, and you can adopt them as needed with little time spent executing.
Hackers go after sites for different reasons.
The type of site you have matters. A standard WordPress install with no contact forms and nowhere for visitors to submit their info is going to have fewer liabilities than a transactional website.
WordPress is scalable though in many scenarios. You can use it up to an unlimited number of sites, as a platform for driving advertising revenue, or as an ecommerce store. WPMU DEV hosts over four million WordPress sites, and we’ve learned a lot about WordPress security. You can start implementing these enterprise best practices and claim superhero status in your organization today.
So, let’s start small, and let’s start with what a hacker stands to gain. From the informational site, all the way up to the ecommerce store, the big-time publisher, and the enterprise marketing page, we’re going to cover what the hacker wants from you, how they try to get it, and what you can do to secure your site for you and your visitors.
The Informational Site or the Standard WordPress Install.
This could be a mom-and-pop shop, a personal brand site, a cat blog, or a published paper, but its functionality is limited to reading words on the page. It’s a WordPress blog straight out of the box.
If you’re running one of these sites with commenting disabled and you don’t have a contact form, then primarily, a hacker is limited to the login page as a point of entry.
But even with just this point of entry, a hacker may input suspicious links, malicious code, pixels for targeting your site visitors, they may monitor your visitors’ locations, or obtain their IP addresses. That’s a big deal. Even if your blog chronicles your cat’s behavior, and you’re not posting very frequently, you should still take a few steps to protect your site.
Basic WordPress security starts here:
- Update WordPress. Always. This is the most important step you can take to ensure site security. When an update comes out, previous versions are left vulnerable. Update as soon as a new version is released.
- Don’t allow user names to be discoverable and get rid of the admin user immediately. Discoverable usernames mean a hacker only has to guess your password to login to your site. If he has to guess the username as well, then it’s that much harder to get into your site.
- Use a complicated password. Everyone knows this and it might seem obvious, but it’s worth repeating. Use longer passwords with a combination of numbers and special characters. The WordPress interface shows you the strength of your password as you create one, but there are tools available to require strong passwords of your users.
- Use two-factor authentication to log in. If your strong password somehow still gets compromised, two-factor authentication can put a stop to the potential breach. This is an included feature for the free version of Defender or you can use any number of other free two-factor authentication tools. This is something we at WPMU DEV require for every user role above subscriber.
These steps take almost no time, but they immediately offer you boosted security since you’re no longer advertising your site as open for business. Think about it, would you use “admin” as the username for your bank account? Probably not. You shouldn’t use it for anything. Ever.
Okay, so this is just a blog, so what can a hacker really do if they get in? Most likely they’re trying to game Google by adding links to boost their rankings in search. This isn’t the most malicious thing in the world, but it can hurt your site if you’re not paying attention, and do you really want to let someone post spammy or inappropriate website links on your blog? No. Probably not. Take the above steps, and you’re off to a good start.
Contact Forms and Commenting add an extra layer of threats along with inviting user feedback.
Hackers love intercepting information for various purposes. They might do something as minimal as planting spam comments with links to a product page, or they might steal whatever information your user is giving you over a form submission.
The value to the hacker depends not only on what your site is asking for, but what answers your visitor submits. It probably won’t contain a social security number, but there’s technically nothing stopping the visitor from surrendering important information.
Steps that can make a difference:
- Use SSL (httpS://). This is cheap, or most likely free. WPMU DEV has been working with Enterprise WordPress projects for years, and we’re one of the early adopters of SSL. Not only does the green lock protect you and your content, but it also secures any transactions or customer info if you run an ecommerce store, and using it is beneficial to your site’s search visibility. When we started using it, SSL had a cost associated with it, but now you can get setup free with Let’s Encrypt depending on your host.
- Research your plugin developers. Find their reputation on WordPress.org, read reviews, download plugin guides, find anything you can to make a judgment. If a plugin has no reputation, proceed with extra caution.
- Update your plugins. Websites have been hacked because of an outdated plugin. Updating doesn’t take much time, and there are even plugins that automate the process. Occasionally an update might break something, so be sure to backup your files. There are hosts and plugins who can take care of this for you. Yes. Plugins for your plugins. And in case you want to take this one step further, we built Automate to automatically back up, update, test and report on the process to you.
The nightmare scenario: a hacker gains access to the WordPress database because you left your usernames public and they cracked the password, and now they have access to all the information in there, including (depending on the plugin) form submissions. This isn’t good for you, or your site visitors.
The commerce site.
Maybe you sell antiques, or guitars, or online courses, and your customers not only give you their information—name, address, phone, email—but they even give you their credit card information. First… congrats!
This is a big deal, and it’s much higher stakes. Hackers love credit card info and personal details about people. They love it so much that there’s a whole black market out there for stuff like personal information on the dark corners of the web.
And this is something you can’t take lightly. Not only will your customers be affected directly by something like this, but it’ll affect potential customers’ perception of you when they find out you didn’t do everything in your power to protect the people already paying you.
In this case, you have to worry about the points of entry mentioned above as well as the following:
- Payment Processing
- Order Info
- Customer info
None of the above should be in the WordPress database, so it boils down to researching the right third-party solutions with trusted security measures in place. You can look for reviews, communities behind each plugin, and any case studies you can find. The WordPress community is eager to share information about each plugin developer, so if nobody seems to have heard of them, that could be a warning sign.
You did it all, and you still got hacked.
You took every step in the book, and something still happened? That’s a bummer, but it happens no matter what kind of system you use. The abilities of hackers are continually evolving, and threats are not exclusive to the WordPress community. Even if you lock everything down, something can happen to your host and the hardware powering your system that’s entirely out of your hands. Sites on shared hosting are especially at risk because a server can be brought down by an attack on one site, affecting everyone else in the shared environment.
To prepare for this scenario, it pays to have a good disaster recovery process in place. That means taking regular backups of your site, and monitoring user activity beyond WordPress logs so you can see every time someone logs into the site. Having a system like this allows you to isolate how you were compromised, and to quickly revert to the clean version. This will keep you in business when the unexpected happens.
There are any number of ways you can manage backups and, naturally, we’ve got our own. Check out a few examples below that offer both free and paid backups:
Anything else to consider?
For four verticals: health, financial, payment processing, and education related sites, there are additional laws you have to be aware of to protect your visitors. You always want to be upfront about the type of data you’re collecting, why, and you want to have a data retention process so that you’re not keeping that information on file for all time.
For the proper context, read this story about the British Pregnancy Advice Service and what happened when data from a simple contact form submission was unknowingly stored on the database. The threat might seem obvious reading the article, but only if the proper data retention policy has been established.
So, in this case, you’ll want to keep all of it in mind. To recap, that includes:
- WP core updates
- WP security updates
- Strong passwords
- Two-factor authentication
- Theme updates
- Plugin updates
- Server updates
- Site backups
- Activity monitoring
- A data retention policy
Start this with your WordPress blog today, because someday you might have the opportunity to manage even more sites, and adopting these habits early means not having to catch up on a hefty workload later. If you don’t want to take on the work of each step personally, check out some of the plugins that can handle these tasks including our very own Defender, Automate, and Snapshot.
And remember, WordPress accounts for over 30% of the Internet because it’s easy to use, but it’s up to you to make sure you’re getting all you can out of it for you and your visitors. Security should always be a fundamental part of that.
WPMU DEV has been at the forefront of adopting enterprise security measures since its founding. We’re proud to share these tips as well as plugins to help you save time in implementing enterprise-grade security for WordPress. We believe site security should be a top priority at all times, and that it should be easy to achieve no matter how large you grow. Check out more information and find detailed tutorials on the WPMU DEV Blog.