If you pay attention to internet chatter, you’ll eventually hear about how WordPress is a security breach waiting to happen. On the surface, it appears there might be some substance to the claim. This ridiculously popular content management system does get hacked a lot, but the truth goes a bit deeper.
First, most WordPress hacks are due to entirely preventable site owner factors and NOT to any inherent shortcomings in the code. Second, the software is so popular that hackers can’t help but focus their efforts on it simply because the opportunity is always there.
While third-party themes sometimes get blamed for vulnerabilities, the reality is that well-maintained themes aren’t a typical way in. There are plenty of shortcomings to go around that aren’t related to them at all.
Here are a few.
Before Anything, Backup Your Site
Backing up your site regularly, including all themes, plugins, content, and databases, might not strike you as a critical security measure, but having a recent working copy of your site ready to re-install on a moment’s notice could be the difference between being forced to pay a ransomware demand and laughing it off.
While WordPress offers the capability to easily perform your own backups and store them locally on a removable thumb drive, external hard drive, or even in a cloud storage account such as Dropbox, consider having your web host do a daily automatic backup instead. Most of the big-name providers offer this as part of your hosting package. If you’re interested in offloading even more site maintenance, there are companies that specialize in that as well.
Depending on the amount of data on your site, trying to get through a daily backup yourself can be a little crazy-making if you happen to live in a state stuck behind the curve when it comes to high-speed internet technology infrastructure, especially one lacking fiber-optic service. Even California, a tech-savvy state if there ever was one, still has some hinterland areas that barely tip the meter at 30 Mbps. If you were wondering, yes, this is kind of slow.
You don’t want to mess with your own backup at that speed. Let your host do it.
It’s Still the Password
We keep hearing rumors about the great password-less future that is sure to arrive any day now, but until it does, take your WordPress password protection seriously. Yes, having a good password strategy is probably not the most exciting part of your day, but it can keep you from having a really bad day. Boring though it may be, creating a strong password and changing it regularly serves as an excellent deterrent and is one of the most proactive steps you can take toward a site that is far harder to break into.
In case you were wondering, “123456” is not a good password. Neither is “qwerty” or the clever “password.” Just don’t do it. For solid advice on how to up your password game, check out this article from How to Geek. Brute-force attacks are still a popular way for hackers to breach your site. This tactic is an automated assault in which blackhat software simply tries thousands or millions of different login combinations until it hits on the right one.
TIP: Install a free login-attempt limiting plugin that locks anyone out after three unsuccessful tries.
Core Updates to the Rescue
Contrary to popular belief, updates to the core WordPress software are not part of a global plan to waste your time. Let’s take a look at what an update actually means and why you should take five seconds to do it when prompted.
Typically, an update is issued when a code weakness is discovered. This weakness could take the form of a simple bug that causes a software malfunction, or it could be a hole that lets hackers pour in and create a pile of mischief.
The update substitutes fresh code for the old code and fixes the problem in the process. You would prefer to have fewer breaches rather than more, right? Trust us. The answer is, “yes.” Best WordPress site owner practices mean you should update the platform every time the option is offered.
Protect Sensitive Files
There are a few files included with each WordPress installation that are especially sensitive. In other words, you don’t want hackers rummaging around in there because they can do a lot of damage. In particular, these files are:
- wp-config.php
- php
- html
To make them off-limits to outsiders, insert the following code into your .htaccess file.
———————————–
Options All -Indexes
<files .htaccess>
Order allow,deny
Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
<files license.txt>
Order allow,deny
Deny from all
</files>
<files install.php>
Order allow,deny
Deny from all
</files>
<files wp-config.php>
Order allow,deny
Deny from all
</files>
<files error_log>
Order allow,deny
Deny from all
</files>
<files fantastico_fileslist.txt>
Order allow,deny
Deny from all
</files>
<files fantversion.php>
Order allow,deny
Deny from all
</files>
———————————–
If you’re interested in learning more about the wonderful and extremely helpful .htaccess file, this should get you up to speed.
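As an added check (example code, not part of the original article), the script below requests each file the .htaccess rules above target and reports which ones the server actually refuses. The base URL is an argument you supply; https://example.com is only a placeholder, and the wp-admin/install.php path assumes a default WordPress layout.

```python
"""Probe a site for the sensitive files the .htaccess block above is meant to deny.
Added example; not code from the original article. Runs against a URL you supply."""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# Paths from the article's .htaccess block. install.php lives under wp-admin/ in a
# stock WordPress install, so both locations are probed (assumption: default layout).
SENSITIVE_PATHS = [
    ".htaccess", "readme.html", "license.txt", "install.php", "wp-admin/install.php",
    "wp-config.php", "error_log", "fantastico_fileslist.txt", "fantversion.php",
]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx codes as-is instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_status(url: str, timeout: float = 5.0) -> int:
    """GET url and return the HTTP status code, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return 0  # unreachable; lands in the "inconclusive" bucket below

def audit(base_url: str, fetch: Callable[[str], int] = http_status) -> Dict[str, int]:
    """Map each sensitive path to the status code the server returned for it."""
    base = base_url.rstrip("/")
    return {path: fetch(f"{base}/{path}") for path in SENSITIVE_PATHS}

def classify(results: Dict[str, int]) -> Dict[str, List[str]]:
    """Split results into blocked (403/404), exposed (200) and inconclusive (rest).
    A 200 on a .php file means the deny rule is not in effect, even if PHP ran the
    file and returned an empty body instead of its source."""
    report: Dict[str, List[str]] = {"blocked": [], "exposed": [], "inconclusive": []}
    for path, code in sorted(results.items()):
        bucket = "blocked" if code in (403, 404) else "exposed" if code == 200 else "inconclusive"
        report[bucket].append(path)  # inconclusive: redirects, 401, 5xx, unreachable
    return report

if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"
    for bucket, paths in classify(audit(site)).items():
        print(f"{bucket}: {', '.join(paths) or '-'}")
```

Every path should land in the blocked bucket; if wp-config.php still comes back as 200, check that your Apache honors Order/Deny (Apache 2.4 needs mod_access_compat for that syntax and otherwise uses Require all denied).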
Final Thoughts
The main thing to keep in mind is that WordPress is not a vulnerable CMS platform but rather software that requires proactivity on the part of site owners to keep things squared away. Here are a few stats to reassure you that this is not a back-alley operation.
WordPress currently powers about 35% of ALL websites, and that number continues to grow each year. In other words, it’s a solid platform. Think of it like taking your car in for a tune-up. If you tend to the basic preventatives, it will perform like a champ. Good luck!