Last November, over a million WordPress customers managed by GoDaddy were part of a violation who could have exposed their email addresses, private SSL keys and administrator passwords. The attacker was apparently able to operate undetected inside their networks for two whole months.
WordPress has a long history of being a very rich and desirable target for exploits. For example, a the botnet used compromised WordPress servers to attack others in 2018. This is because the software is based on running a series of PHP scripts, which is a popular place for hackers. The large number of different components, including plugins, themes, and other scripts, makes it difficult to prevent infections or potential compromises. This site lists many other vulnerabilities that have been found, mostly on older versions of WordPress.
On top of that, there is human error to consider. Many WordPress sites are running older versions which could cause multiple major releases leading to unpatched security vulnerabilities. Additionally, some administrators are inexperienced in IT operational security or simply overloaded with other responsibilities and cannot dedicate enough time to implementing the necessary security measures to keep a WordPress site secure.
Let’s explore how you can set up and maintain your website security on WordPress.
Tips for securing your WordPress site
First, secure your WordPress username and passwords. Online literature is full of many bad admin password choices that site operators have made. Do not use the “admin” name on your account because many brute force attacks start by using this name, because it is so common. Instead, choose a random name to administer your account. Too, use MFA to protect all your WordPress logins.
Update your WordPress and PHP to the latest versions. For WordPress, this v 5.9.1. PHP has a variety of versions and updates. (My host automatically takes care of both of these things for me, and so should yours.)
Reduce the number of installed plugins, themes and other extras. Simply put, these can increase your attack surface.
Enable SSL/HTTPS access to your site to encrypt communications. Make sure your hosting provider supports it too.
Make regular backups of your site content. WordPress has a simple export feature that will create an XML file that you should store offline.
Further reading: How and why to start establishing a practice of making regular backups
Install a specialized WordPress security plugin, like Closing words. Take the time to understand the security features as well as the reports generated, and be sure to act on the information and its implications. A larger list of security plugins can be found on the WordPress websitewhere you can see if the tool was tested with the latest version of WordPress, when the plugin was last updated, and how many users downloaded the software.
Stay on top of the latest WordPress vulnerabilities. Finding them can sometimes be difficult, but here are some resources. First, both Plugin vulnerabilities and Wordfence blog post frequently report exploits and zero-day attacks that their own instrumentation networks have discovered. Moreover, a recent semi-automated tool developed by researcher Krzysztof Zajac can analyze various weak areas to detect potential problems.
As you can see, there are dozens of tips and resources available that can help you secure your WordPress website. In any case, you should not use WordPress without following these steps, even if you gradually add individual security measures one by one.