WordPress Security: The Ultimate Beginners Guide for 2018

The Ultimate WordPress Security Guide for 2018

WordPress, as we all know, is the most popular CMS in the market today powering millions of websites on the internet. Its popularity is largely due to its ease-of-use and user-friendly dashboard that makes managing, updating and maintaining a WordPress website easier. Moreover, apart from helping you build a beautiful website, thanks to the availability of a number of WordPress themes & Plugins, It helps you to create an SEO-friendly website that helps boost ranking and traffic.

WordPress is the best CMS there is, however, due to its immense popularity it has become a target for malicious hackers, who are constantly trying to find vulnerabilities that they can exploit. Thus, while WordPress does provide you with air-tight security, you need to additionally shore up your WordPress defences.

As such, in the below ultimate WordPress security guide, we’ll take a look at the common WordPress security threats, tips on how to keep your WordPress website secure and the best WordPress security plugins that you can make use of to protect your website from all potential harms.

A] Common WordPress Security Threats

1. SQL INJECTION
One of the most prevalent security threats, through SQL injection, hackers are able to gain unauthorized access to your entire WordPress database. This is done by embedding malicious command or bugs in your MySQL database through which the hacker can retrieve sensitive or confidential information, change or delete important data or worse yet insert harmful links and spam on your website.

SQL-Injection
While there is not much you can do to protect your website from this threat, basic measures that can prevent SQL injection are installing plugins and themes from known sources and updating the said plugin & themes frequently. This can help keep this threat at bay. Oh, another thing is to make sure you’re hosting your website on a reliable provider. We just published a comparison between two great business hosting providers: Inmotion vs Siteground – you might want to check it out!

2. BRUTE FORCE LOGIN
A common security threat, brute force login refers to continuous attempts to log into your WordPress back-end through different usernames and passwords. The easiest way to avoid this is to use a strong password with numbers, symbols, upper case, lower case etc and the other method is to limit login attempts. We’ll talk more about these in our section on how to keep your WordPress website secure.

3. PHISHING or IDENTITY THEFT
Phishing-or-Identity-Theft
Another common threat, phishing is an act of collecting sensitive data such as credit card info, login details or personal information via deceptive emails and websites. Scammers usually create a replica of a known and a trusted website and send frequent emails to individuals, tricking them into believing that it is a legitimate business, thus obtaining the required personal/private info. There are various types of phishing and each requires a different solution to be fixed effectively.

4. MALWARE
Malware
A widespread WordPress security threat, malware or malicious software are codes that are injected into website files in order obtain unauthorized access to website’s database.Common malware infections are backdoor, botnet, drive-by download and malicious redirects. Malware is harmful if not rectified, but with the help of the best WordPress malware scanning plugins you can easily identify and remove these from your website.

5. SPAM
Spam
Spam can lead to a host of security vulnerabilities on your website like DDoS attacks, brute force attacks, among others. There are various types of spam, the most common being comment spam, referral spam and trackback & pingback spam. Thus, this is yet another security issue that needs to be identified and dealt with effectively.

B] How To Keep Your WordPress Site Secure

1. Make Use of SSL Certificate
Make-use-of-SSL-Certificate
Short for Secure Sockets Layer, the benefit of SSL is two-fold. Firstly, it helps protect sensitive data such as user information, credit/debit card details from being misused by encrypting the data when it passes from the user’s web browser to your web server, thus preventing data tampering. Secondly, it helps users to authenticate your website, so as to make sure that you are a legitimate business and not fake, which, in turn, helps boost customer trust. You could get a simple certificate like the Comodo Positive SSL certificate or anything similar for quite a low price.

 

 

2. Update WordPress Core and Plugins & Themes
Like mentioned above, one of the reasons for security issues like SQL injection and malware is outdated WordPress version and plugins and themes. Thus, in order to avoid potential vulnerabilities, you need to keep your site up-to-date by updating the WordPress core, plugins and themes frequently. Also, it’s important to get the themes from the right sources. Usually, a premium multipurpose WordPress theme should be pretty secure.

 

3. Limit Login Attempts
By limiting access to WordPress login page you are able to not only prevent brute force attacks but you are also able to prevent your server from being overload. WordPress, by default, doesn’t have a limit to the number of times a user can attempt login, which is something that hackers exploit to the maximum.
WP-Limit-Login-Attempts-plugin
Thus, it is crucial to limit the login attempts, which will help lock the user out temporarily and you can easily add this function to your WordPress website via the WP Limit Login Attempts plugin.

 

4. Select a Reliable and Secure Web Hosting
A poor quality web hosting company doesn’t offer a secure environment to host your website. Moreover, while their shared hosting plan might be cheaper, more often than not, they host more number of websites on a single server than permissible and as such, any malware, virus or hack attempt on one website would ultimately compromise the security of another website which is hosted on the same server.

Select-a-Reliable-and-Secured-Web-Hosting
Hence, it is essential that you select a reliable web hosting provider like WPEngine or SiteGround that offers protection from security threats through security features like SpamAssassin, SiteLock, SSL among others. Plus, if you have the budget than moving your site to a VPS hosting can further help protect your website from potential harm.

 

5. Make Use of Strong Passwords
Nothing compromises your site’s security more easily than a weak password. You need to make sure to use a strong and unique password for your WordPress admin and this you can easily achieve via the LastPass Password Generator tool that helps generate a secure and strong password for your website.

Google Authenticator Two Factor Authentication

Additionally, you can also make use of the 2-factor authentication for login which will provide the much needed extra layer of protection, making it harder for hackers to breach your site’s defences when attempting brute force login. For this, you can use this robust Google Authenticator – Two Factor Authentication plugin.

 

6. Backup Your Website Daily
A simple fact, incidents happen. No matter what precautions or measures you undertake to protect your WordPress website, hackers are always trying to find new ways to breach your site’s defences. Thus, it is important to take a daily backup your entire WordPress site as well as database, so in the event, your website gets hacked, you will be able to restore it without any hassle.

UpdraftPlus-WordPress-Backup
Best part, WordPress offers you effective website backup plugins which make taking a backup easy that too at a time preferred by you. Some of these plugins are; UpdraftPlus WordPress Backup plugin (Free), BackUpWordPress (Free), and BackupBuddy (Premium).

 

B] How To Keep Your WordPress Site Secure

1. Wordfence Security
Wordfence-Security-plugin
With over 2 million active installations, Wordfence is the best WordPress security plugin there is. It helps tackle security issues like malware infection by scanning your entire website, plugins and themes. It provides you with two-factor authentication via SMS to prevent brute force login attack. It helps filter spam comments and its web application firewall helps in identifying and blocking botnet & other malicious threats before they can even access your website.

2. iThemes Security
iThemes-Security-WordPress-plugin
If brute force attacks are your major concern then this plugin is what you need. iThemes security plugin claims to offer 30+ ways to secure and protect your WordPress site and some of its major features include strong password generation, two-factor authentication and malware scanning. This plugin also helps stop automated attacks and it helps to scan & fix common vulnerabilities before they become a major problem.

3. Sucuri Security

A free WordPress security plugin, this plugin offers a host of security features like file integrity monitoring, blacklist monitoring, remote malware scanning, effective security hardening, instant security notifications and a website firewall (premium). It protects your website from DOS attack and brute force attack. In addition, its security activity auditing feature helps track all activity on your site, keeping a log of all the changes that are done, thus helping you figure out what went wrong in the event of a hacked website.

4. All In One WP Security & Firewall
All-In-One-WP-Security-&-Firewall-WordPress-plugin
As the name suggests, this WordPress security plugin provides you with an all-in-one security solution and is easy to use. Helping you fight-off common security threats, this plugin prevents brute force login attacks, protect your PHP code from hackers by disabling file editing, prevents image hotlinking, provides protection against Cross Site Scripting (XSS), helps ban users by specifying IP addresses and user agents and much much more. Best part, it also allows you to schedule automatic backup for your website and it helps reduce spam.

5. Akismet Anti-Spam
Akismet-Anti-Spam-WordPress-Plugin
A simple to use plugin, Akismet automatically checks and filters out spam comments and links, thus ensuring that your database in clutter-free. By installing this plugin, you are able to cut down your time on comment moderation and since it blocks the worst of spam outright it further helps to speed up your WordPress website.

# In Conclusion
Half the battle is won, when you are aware of what common security threats you need to look out for. Once you have identified the issue, finding an appropriate solution and fixing it becomes easier. Thus, we hope this WordPress security guide for 2018, that has listed down the basics of how to maintain your WordPress website effectively with the help of the best WordPress security plugins, can help you fortify your site’s defences efficiently.

Nirav Dave

Nirav Dave is the CTO & Co-Founder at Capsicum Mediaworks, a digital agency based out of Mumbai, India that specializes in all things Web Design & WordPress. He Worships WordPress and Loves to read anything and everything about this exceptional CMS.

Join the discussion

  1. Shanora Networks on February 21, 2018 at 3:17 pm Reply

    Great article. I also recommend not using the “admin” username as well as making sure user enumeration is not available.

Leave a Comment

Your email address will not be published. Marked fields are required.