WordPress continues to be one of the most popular content management systems, claiming over 58% of the market share as of January 2017.
However, this popularity also makes WordPress sites an attractive target for hackers. According to the website security firm Sucuri, 75% of all websites hacked in the first quarter of 2016 were built on the WordPress platform.
Due to these statistics, many have criticized WordPress as being an insecure platform, but this is not actually the case. WordPress in itself is not insecure due to poor structure or coding.
Because WordPress is so easy to use and accessible to everyone, inexperienced site owners with little knowledge of online security are often in sole control of their sites and may inadvertently introduce weak points through poor management or lack of maintenance.
How to Keep Your WordPress Site Secure and Safe From Hackers
So bearing all this in mind, how do you make sure your WordPress site is up to date and secure, and how do you avoid introducing new security vulnerabilities when making changes and upgrades?
One of the basics of WordPress security is to ensure that the core code, themes, and plugins are updated regularly. As it’s easy to forget to check for updates regularly, especially when you are managing several sites, the easiest way to do this is to enable the automatic update feature of WordPress.
Along with doing this, you should also backup your site regularly to ensure that if any bugs are introduced to your site with the updated code, you can roll back to the previous version easily.
You should also make sure you are not introducing security weaknesses yourself by using insecure passwords. Other simple steps, such as renaming the default ‘admin’ user, can also help to harden your WordPress installation. If other users have access to the site, make sure a secure password policy is enforced, and immediately deactivate any users who no longer need access to the site.
As most WordPress vulnerabilities are introduced via plugins, it makes sense to keep plugin installation to a minimum. Uninstall and delete any plugins that aren’t being used, and if you manage a lot of sites, keep a list of which plugins are used on each site so you can easily keep track and take appropriate action if vulnerabilities are discovered.
Apart from these basic steps, one of the best ways to make sure your WordPress site is as secure as possible is to be proactive and scan and test it regularly for vulnerabilities and malware.
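The per-site plugin list described above, turned into a small inventory check. This is an added example, not code from the original post: it assumes each site has been queried with WP-CLI's `wp plugin list --format=json` (output constructed inline here so it runs offline), and the advisory list mapping a plugin to its first fixed version is hypothetical.

```python
import json
from typing import Dict, List

# Constructed sample of what `wp plugin list --format=json` (WP-CLI) returns per
# site; fields assumed: name, status, update, version. Not real site data.
SITE_REPORTS = {
    "shop.example": (
        '[{"name":"akismet","status":"active","update":"none","version":"3.3"},'
        '{"name":"hello","status":"inactive","update":"none","version":"1.6"},'
        '{"name":"contact-widget","status":"active","update":"available","version":"1.2"}]'
    ),
    "blog.example": (
        '[{"name":"akismet","status":"active","update":"available","version":"3.2"},'
        '{"name":"contact-widget","status":"inactive","update":"none","version":"1.1"}]'
    ),
}

# Hypothetical advisory list: plugin name -> first fixed version (constructed).
ADVISORY = {"contact-widget": "1.3"}

def parse_version(v: str) -> tuple:
    """Turn "1.2.3" into (1, 2, 3) so versions compare numerically."""
    return tuple(int(x) for x in v.split(".") if x.isdigit())

def inventory(reports: Dict[str, str]) -> Dict[str, List[dict]]:
    """Map each plugin name to every site/version where it is installed."""
    inv: Dict[str, List[dict]] = {}
    for site, raw in reports.items():
        for p in json.loads(raw):
            inv.setdefault(p["name"], []).append({"site": site, **p})
    return inv

def findings(reports: Dict[str, str], advisory: Dict[str, str]) -> List[str]:
    """Flag inactive plugins (delete them), pending updates, and installs below a fixed version."""
    out = []
    for name, installs in sorted(inventory(reports).items()):
        for i in installs:
            if i["status"] != "active":
                out.append(f"{i['site']}: {name} is inactive; uninstall it")
            if i["update"] == "available":
                out.append(f"{i['site']}: {name} {i['version']} has an update pending")
            fixed = advisory.get(name)
            if fixed and parse_version(i["version"]) < parse_version(fixed):
                out.append(f"{i['site']}: {name} {i['version']} is below fixed version {fixed}")
    return out

if __name__ == "__main__":
    for line in findings(SITE_REPORTS, ADVISORY):
        print(line)
```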
Scanning Your WordPress Website for Vulnerabilities
There are various security services that can scan your website and alert you to any potential security issues.
Sucuri Malware and Security Scanner
Sucuri offers a free website scanner that can detect installed malware and find out if your site appears on any blacklists (which would indicate a compromised site).
It will also check for issues that reduce the overall security of your site such as an outdated version of WordPress, or lack of website firewall.
Finally, the scanner presents you with a list of the links and scripts found on the site. It’s not always obvious when a site has been hacked, particularly if the only damage amounts to an added link or two, so this information can be very helpful for spotting anything suspicious.
This is a simple web scanner that doesn’t require access to your admin panel or FTP access, but it may not detect every vulnerability.
Sucuri also offers a premium service that will monitor your site 24/7 without you needing to run the scanner manually, and automatically send alerts via email and Twitter. This service will also block IPs if any suspicious activity is detected, remove malware for you, and get your site taken off any blacklists after it has been cleaned.
Web Inspector
Web Inspector from Comodo CA provides a similar service to Sucuri via a web-based submission form.
The scan includes blacklist checking, phishing content, malware, and suspicious iframes, code, connections and activity.
However, there is no warning about out-of-date WordPress versions or plugins, as this tool is intended for use on any site, not just those built on WordPress.
Hacker Target WordPress Security Scan
This service from Hacker Target is another free online scanner that will alert you to an out-of-date WordPress version and Google blacklisting. Plugins and themes in use are also detected, as well as user IDs, directory indexing, linked sites, JavaScript, and iframes.
Signing up for a paid account allows for deeper scanning including discovery of vulnerable themes and plugins that are installed but not active, enumeration of usernames that may be used for a brute force attack, and access to other scanners including web server testing and a system vulnerability scanner.
WPScans
WPScans offers a free basic scan that looks for vulnerabilities in WordPress and plugins, as listed in the WPScan vulnerability database.
If you sign up for a free account, you can set up automatic scanning with security alerts and reminders to update WordPress as soon as new versions are available. There are also paid accounts available with additional features.
WordPress Security Plugins
Using a plugin to detect any security issues or breaches can be more effective than using an external web-based scanner. Not only are they specifically designed for WordPress, but also as they have full backend access, they are more likely to pick up suspicious code and activity than scripts that can only scan the frontend of your website.
Wordfence
Wordfence is one of the most comprehensive WordPress security plugins available and is available as both a free and a premium version. The scanner looks for changed files, themes, and plugins, scans for malware signatures, backdoors and phishing URLs. Real-time monitoring allows you to see all traffic on your site in order to detect any suspicious activity.
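To make concrete what the "changed files" scan above does, and why a backend check can see what a frontend scanner cannot, here is an added file-integrity example (not Wordfence's code or the post's own): it hashes a known-good install into a baseline manifest, re-hashes later, and reports modified, added and missing files. The sample tree is constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root: str) -> Dict[str, str]:
    """Hash every file under root, keyed by its path relative to root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out

def diff(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Report files modified, added or missing relative to the baseline manifest."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append(f"MISSING  {rel}")
        elif rel not in baseline:
            findings.append(f"ADDED    {rel}")
        elif baseline[rel] != current[rel]:
            findings.append(f"MODIFIED {rel}")
    return findings

def demo() -> List[str]:
    """Constructed scenario in a temp dir: baseline is taken, then a core file is
    edited and an unexpected PHP file appears under wp-content/uploads."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        core = os.path.join(root, "wp-settings.php")
        with open(core, "w") as f:
            f.write("<?php // original core file (constructed)\n")
        base = manifest(root)            # known-good baseline
        with open(core, "a") as f:       # simulate a tampered core file
            f.write("// appended line\n")
        with open(os.path.join(root, "wp-content", "uploads", "x.php"), "w") as f:
            f.write("<?php // unexpected file (constructed)\n")
        return diff(base, manifest(root))

if __name__ == "__main__":
    print("\n".join(demo()))
```

In a real deployment the baseline would be stored off-host and the hashes of core files compared against the published checksums for the installed WordPress version.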
Other security features include:
- Firewall
- Blocking of brute force attacks
- Manual blocking
- Malware scanner
- Live view of intrusion attempts, visitors, and logins
- File repair feature
The premium version of the plugin offers additional functionality including:
- Real-time threat defense feed for instant updates to new threats as they are discovered
- Checking and defending your IP for spam
- Checking if your domain has been flagged as a source of spam
- Remote server scan
- Password audit
- Comment spam filter
iThemes Security
Formerly Better WP Security, this plugin helps to prevent automated attacks and harden your WordPress installation. There is a vulnerability scanner with the opportunity to fix issues instantly, and any changes to the file system or database are monitored and reported. Common WordPress vulnerabilities such as default admin URLs and usernames, default database prefixes, and login error messages are also detected and eliminated by this plugin.
The pro version of the plugin has additional security features including:
- Two-factor authentication to improve login security
- Easy update of WP salts and security keys
- Automatic daily malware scan with email alert
- Strong password generator with expiry option
- Action logging
- Online file comparison for WordPress core files
BulletProof Security
BulletProof Security is a popular WordPress security plugin with both free and pro versions. It offers some fairly advanced security features and the pro version is available as a one-off payment without any recurring charges.
The plugin makes a number of changes to the WordPress core to make it more secure, such as adding a firewall and security log, protecting configuration files via .htaccess, and changing the default database and admin names.
The vulnerability scanner looks for hidden plugin folders that may be used as a backdoor, checks the WordPress setup for insecure settings, and finds and quarantines malicious files.
Security Ninja Pro
Security Ninja Pro is a premium plugin that performs over 50 security tests and scores your site based on overall security performance. Individual tests that have passed or failed are easily identified via a color-coded traffic light system.
Tests include checking core, plugins, and theme code for available updates, checking usernames and password strength, checking file permissions and accessibility of configuration files, and various other security points. Each test has a link to more information and advice for passing tests that have failed.
There is also a free version of this plugin available with more limited functionality.
Sucuri
As well as the free and premium online website scanners, Sucuri is also available as a plugin that includes security hardening, malware scanning, file monitoring, and security event logging.
A firewall is also available as an add-on premium feature.
WordPress Security: an Ongoing Issue
As hackers become more sophisticated and attacks on websites continue to increase, it’s vital to keep a tight rein on the security of your site.
There are many website scanning services and WordPress security plugins available, and we’ve touched on just a few of them here. If we’ve missed your favorite, please mention it in the comments.