Sometimes, WordPress gets a bad rap. Someone has heard that it’s not secure. A local business had its site taken over by hackers. Isn’t it the most hacked system in the world? WordPress security often feels like the topic du jour.
And you know what? It’s likely all true… but not for the reasons you might think. The fact is that WordPress is the most popular CMS (Content Management System) in the world – with 64% market share. And the single most popular way to get any kind of website online, with 40% of the world’s websites currently built using WordPress.
So yes, it is likely to be the most targeted by hackers. In fact, every year, hundreds of thousands of WordPress sites get hacked.
But sites are not getting hacked due to vulnerabilities in the WordPress core software. Most sites that are attacked get hacked through entirely preventable situations: not keeping things updated, and insecure passwords.
A company called Sucuri runs some great security software for WordPress and keeps the sort of statistics that make you want to crawl back under the covers. They found that over 39% of hacked websites (admittedly, this was back in 2017) were running out of date core software.
The versions of WordPress with the most vulnerabilities are now several years old. If you’re not updating WordPress then you are at risk.
According to WordPress themselves, only just over 50% of WordPress installations are running one of the two latest major releases of the software.
So … if you take nothing else from this post: go now and update WordPress.
There are some quick & simple action steps you can take to help lock down your WordPress website – outside of hiring someone to manage the WordPress security for you! – and I’ve listed out a few of them here.
1. You’ve probably guessed by now, but the first one is: update WordPress and all the plugins you use. If it’s been a long time since you’ve done this, it might pay to check if you have access to a staging site – a place where you can test plugin updates away from your live site, just in case …
2. How’s your WordPress hosting? If you’re still using a £4 per month plan from GoDaddy … get that addressed. We always recommend using managed WP hosting and can recommend WP Engine for this, as well as 34sp.com – both of whom we have been using for over 15 years.
3. Make sure your web host is using the latest version of PHP – the programming language WordPress is written in. Recently, PHP version 7 has become the standard yet many web hosts (I’m looking at you, £4 per month hosting providers … ) still serve up version 5. (If you’re interested, here’s what happened to version 6 … )
4. Lock down wp-admin. By default the login address for WordPress sites is domainname.com/wp-admin … and scripts targeting sites for hacking will be actively searching for that URL. But you can change it with the simple WPS Hide Login plugin – made by the same people who make the simple & effective WPS Limit Login plugin – both are excellent ways to limit your exposure to hackers targeting WordPress.
5. Finally … choose secure usernames & passwords. If you use the Simple History plugin – which I recommend to everyone interested in knowing what’s happening to your website – you will know all too well how often people are trying to log in to your website. A large number of those attempts will be using the username ‘admin’ or the author name from your blog posts. Low hanging fruit for hackers. So, change your username to something else – you can still set your ‘display name’ to be your first name, but a username of ‘328o7eryfh’ or whatever, is far less hackable than ‘admin’.
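To make the point in step 5 concrete, here is a small added example (not code from this post, and not Simple History’s own output format) that reads a constructed failed-login log, counts which usernames and IPs are being tried, and checks whether any guessed name matches a real login name or a public display name. The log format and the account list are assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample of failed-login events. The format is an assumption
# for this example, not the real Simple History log format.
SAMPLE_LOG = """\
2024-05-01 02:13:07 failed login username=admin ip=203.0.113.5
2024-05-01 02:13:09 failed login username=admin ip=203.0.113.5
2024-05-01 02:13:12 failed login username=administrator ip=203.0.113.5
2024-05-01 02:14:40 failed login username=jane ip=198.51.100.7
2024-05-01 02:14:43 failed login username=jane ip=198.51.100.7
2024-05-01 03:01:00 failed login username=test ip=192.0.2.9
2024-05-01 03:02:18 failed login username=x9k2pq ip=192.0.2.9
"""

# Constructed account list: login name -> public display name.
# The login names are random-looking, as step 5 recommends; the display
# name "Jane" is what shows up publicly on blog posts.
ACCOUNTS = {"x9k2pq": "Jane", "editor42": "Tom"}

LINE_RE = re.compile(r"failed login username=(\S+) ip=(\S+)")


def parse_failed_logins(text):
    """Return (username, ip) for every failed-login line in the log."""
    return [m.groups() for m in LINE_RE.finditer(text)]


def attempted_usernames(text):
    """Count how often each username was tried."""
    return Counter(user for user, _ in parse_failed_logins(text))


def ips_over_threshold(text, limit):
    """IPs with at least `limit` failures: the kind of source a login
    limiter (such as the WPS Limit Login plugin mentioned above) would block."""
    counts = Counter(ip for _, ip in parse_failed_logins(text))
    return sorted(ip for ip, n in counts.items() if n >= limit)


def exposed_accounts(text, accounts):
    """Guessed usernames that equal a real login name or a public display
    name (case-insensitive). Empty means the guesses are missing."""
    tried = {u.lower() for u in attempted_usernames(text)}
    logins = {u.lower() for u in accounts}
    names = {n.lower() for n in accounts.values()}
    return sorted(tried & (logins | names))
```

In the sample, ‘jane’ is being guessed because the display name is public, and ‘x9k2pq’ was tried too, so the random login name alone is not enough without a strong password and a login limiter.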
Okay … there are a ton of different ways to work on securing your website – so don’t stop with the above (and, of course, we offer WordPress care plans that can handle all of this), but this is a good start.