The best way to make WordPress more secure

Photo by Ben White on Unsplash

The easiest and quickest way to block most of the automated hack attempts aimed at your site is child's play!


Do you remember the "Panama Papers" from a few years back?  It was the biggest leak of confidential data in history at the time, as far as we know, covering the financial and personal data behind more than 214,000 offshore entities.

The breach that caused that leak was made possible in part by an outdated WordPress plugin on the law firm's public website (see source 1 below).

And do you recall February 2017, when 1.5 million web pages were defaced? That happened through a flaw in the REST API of WordPress 4.7.0 and 4.7.1 that let anyone on the internet modify post content without logging in. The fix had already been published in WordPress 4.7.2; the defaced sites simply hadn't installed it.

Or maybe you remember when celebrity chef Jamie Oliver's blog was hacked and redirected some of its 10 million monthly visitors to malware?  That one is also presumed, though not confirmed, to have come through an outdated WordPress plugin.

Or maybe none of these ring even a faint bell. But increasingly, stories about internet attacks are making it onto mainstream media.  This is a trend that will continue.

It's inevitable that some of these stories involve the most popular software of the day.  For example, it's common to hear of threats such as malware and viruses on the Windows operating system, mainly because it's hugely popular and most people are familiar with it.

The same holds true for websites.  WordPress runs about 30% of websites on the internet these days, so it's only natural that it's involved in many of these attacks.

Apart from involving WordPress, do you know the most common similarity in the vast majority of website hacks such as those mentioned above?

The websites are usually running software that's out of date.

Read on for the one simple - and hopefully now obvious - tip that would very likely have prevented all of these attacks.  And maybe it could prevent the next attack on your own websites.

If you're short on time, then skip to the step-by-step details to securing WordPress below.

Why are there so many WordPress updates?

First, a bit of background.  If you regularly log into your WordPress dashboard, you've noticed that new releases come pretty regularly. While there were just two new major WordPress versions released in 2017, there were a whopping ninety-five updates released across all versions currently being maintained!  

There's a good reason for all these updates.  WordPress is a popular target for hackers.  They are always looking for - and finding - new problems in the software that they can then exploit to gain access to WordPress websites.  

Photo by Namroud Gorguis on Unsplash (WordPress bricks in the wall to keep hackers out)

Because of this, the WordPress development team has to continuously repair any problems that are found, hence the large number of updates they release.  A quick look at the changelog for each release (the release announcements on WordPress.org link to them) will show you that a large share of these updates deal with security problems found in previously released versions of WordPress.  

Each of these updates is another brick in the wall keeping out the intruders.

Why WordPress is popular for hackers

The single biggest reason WordPress is the most hacked website platform in the world right now is its popularity.  There are around 80 million published sites on the internet, and an estimated 29% of them are powered by WordPress.  That's 23 million sites for WordPress hackers to mess with!

The second reason for its popularity with hackers is WordPress’s ease of use.  

Today, anyone can build, run and change a WordPress website with very little technical knowledge. Hence many WordPress site owners are not aware of the steps they should be taking to keep their site safe.

Back to my favourite analogy of a car; once the engine is running, even a child can drive it.  (They're very unlikely to drive it well and very unlikely to drive it safely.  But they could probably drive it at least a short distance before something stopped it.)

This low barrier to entry, together with the popularity that follows from it, is the main reason why WordPress is the website platform most attacked by hackers.

Why would Hackers attack MY little WordPress website?

One of the questions I’m often asked is “why would hackers be interested in my little site?”

There are several answers I usually give to this:

  • They aren’t.  Not really.  At least, not specifically in your site; it's just another website to them.  They rarely care since the hacks are done automatically by robots crawling the web, looking for known problems with past versions of WordPress.
  • Hacking your site could give them further access to anyone you might work with online.
  • Just because they can.

Despite the increasing awareness of cyber threats, it's easy to miss that the motivations behind online crime go well beyond straightforward financial gain.  A hacked site can be used to host spam, phishing pages or malware for other people's visitors (as in the Jamie Oliver case above), but the attacker may equally be political, ideological or simply in it to break something.

These are not just mischievous minors using your website for harmless pranks.  There's no need to panic, but take the threats they pose to your website seriously.

So, what’s a bewildered site owner to do?  Well, here’s the very first thing you need to do.

The one thing to do right now to secure your WordPress website

It's child's play ...

1. Log in to your WordPress site.  This will bring you to your WordPress dashboard.

2. Go to Updates, near the top of the menu on the left (the page is https://<yourwebsite.tld>/wp-admin/update-core.php).

(Screenshot: Find WordPress Updates)

All the updates available for your site are listed here: WordPress itself first, then your plugins and themes.

(Screenshot: Install WordPress Updates)

3. Update WordPress to the latest version by clicking Update Now.  Then, on the same page, select the plugins and themes that have updates available and update those too.  Remember that an outdated plugin, not WordPress itself, was the way in for the Panama Papers and (probably) Jamie Oliver cases above.

Strictly speaking, this is the second step.  

The first step before ever working on your site is to take a backup.  But you knew that already.  Since backups are such a fundamental step, and since they should be running automatically and repeatedly in the background, I've removed them from the sequence of steps here.  Do take a fresh one right before you update, though: if an update breaks something, that backup is what lets you roll back.

Precautions

As usual when dealing with any technology, there are some things to watch out for

1. Always check through your website after installing updates.  You may not see an error message, but an older plugin can misbehave with a newer version of WordPress in ways that only show up on the pages that use it.  There are an infinite* number of combinations of core, theme and plugin versions, so nobody can test them all for you: open your key pages (home, a post, the login page, any forms or shop pages) and check that they look and behave as before.  If you can, run the update on a staging copy of the site first. (*Infinite for all practical purposes - I tried to calculate the number of possible combinations but it was too many permutations for my calculator!)

2. Read the changelog for each update.  For WordPress itself, it's the release announcement on WordPress.org; for a plugin, it's the Changelog section of its page in the plugin directory (taken from the plugin's readme.txt).  It explains what has changed and lists any known problems that have already been found.

3. It's always possible that an update introduces a bug of its own.  That's a reason to back up and test, not a reason to delay security updates: the flaw a security release fixes is public the moment the release ships, and the automated scanners mentioned above start looking for unpatched sites soon after.  Stay up to date with the latest WordPress news by regularly visiting the WordPress.org site and your plugin authors' pages.
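The dashboard steps above (backup first, then update WordPress, plugins and themes) and the post-update check from precaution 1, as one WP-CLI script. This is an added example, not the article's own procedure: it assumes WP-CLI is installed on the web server and that the script runs from the WordPress root (or with WP_PATH set). The site URL, backup directory, list of pages to check and the PHP error patterns it greps for are placeholders to adjust for your own site.

```shell
#!/bin/sh
# wp-safe-update.sh: backup, update, verify, then smoke-test a WordPress site
# with WP-CLI. Added example, not the article's own procedure. Assumes wp-cli
# is installed and the script runs on the web server. WP_PATH, BACKUP_DIR,
# SITE_URL and CHECK_PATHS are placeholders to set for your own site.
set -eu

WP_PATH="${WP_PATH:-.}"                                 # WordPress root
BACKUP_DIR="${BACKUP_DIR:-${HOME:-/tmp}/wp-backups}"    # where backups go
SITE_URL="${SITE_URL:-https://example.com}"             # assumed site URL
CHECK_PATHS="${CHECK_PATHS:-/ /wp-login.php /feed/}"    # pages to check afterwards

# Read `wp plugin list --fields=name,update --format=csv` on stdin and print the
# slugs whose update column is "available", so the log shows what will change.
plugins_needing_update() {
    awk -F, 'NR > 1 && $2 == "available" { print $1 }'
}

# Return 0 if the HTML file in $1 contains a PHP error signature (what a plugin
# that broke on the new core version typically leaves on the page), else 1.
html_looks_broken() {
    grep -Eq 'Fatal error|Parse error|Uncaught Error|Warning: |Notice: ' "$1"
}

backup() {
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$BACKUP_DIR"
    wp --path="$WP_PATH" db export "$BACKUP_DIR/db-$stamp.sql"
    tar -czf "$BACKUP_DIR/wp-content-$stamp.tgz" -C "$WP_PATH" wp-content
    echo "backup: $BACKUP_DIR/db-$stamp.sql and wp-content-$stamp.tgz"
}

update_everything() {
    echo "core before: $(wp --path="$WP_PATH" core version)"
    wp --path="$WP_PATH" plugin list --fields=name,update --format=csv \
        | plugins_needing_update | sed 's/^/plugin update pending: /'
    wp --path="$WP_PATH" core update
    wp --path="$WP_PATH" core update-db
    wp --path="$WP_PATH" plugin update --all
    wp --path="$WP_PATH" theme update --all
    echo "core after:  $(wp --path="$WP_PATH" core version)"
    # Compares core files against the checksums WordPress.org publishes for the
    # installed version; with set -e, a mismatch (modified or extra file) stops here.
    wp --path="$WP_PATH" core verify-checksums
}

smoke_test() {
    rc=0
    for p in $CHECK_PATHS; do
        body=$(mktemp)
        status=$(curl -sS -o "$body" -w '%{http_code}' "$SITE_URL$p" || echo 000)
        if [ "$status" != "200" ] || html_looks_broken "$body"; then
            echo "CHECK FAILED: $SITE_URL$p (HTTP $status)"
            rc=1
        else
            echo "ok: $SITE_URL$p"
        fi
        rm -f "$body"
    done
    return $rc
}

# Only run the full sequence when explicitly asked, so the functions above can be
# sourced and tested without touching a live site.
if [ "${WP_SAFE_UPDATE_RUN:-0}" = "1" ]; then
    backup
    update_everything
    smoke_test
fi
```

Run it as `WP_SAFE_UPDATE_RUN=1 SITE_URL=https://<yourwebsite.tld> sh wp-safe-update.sh` from the WordPress root. The error-string scan is a heuristic: a page that legitimately contains the words "Warning: " or "Notice: " will trip it, so trim the pattern to what your site never prints, and add the paths your visitors actually use to CHECK_PATHS.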

Conclusion

Now you know the single best thing you can do right now to secure your WordPress site.  Trust me, your site is now much less likely to be hacked and defaced by an automated program.

Next, why not make your site even more secure by following the tips in this article:

Make your WordPress website more secure in 30 minutes

Take just half an hour and a few easy steps to making your WordPress website more secure.

Sources

  1. Wordfence. (2016, April 8). Panama Papers: Email Hackable via WordPress, Docs Hackable via Drupal. Retrieved March 16, 2017, from https://www.wordfence.com/blog/2016/04/panama-papers-wordpress-email-connection/
  2. Constantin, L. (2017, February 10). Recent WordPress vulnerability used to deface 1.5 million pages. PCWorld. Retrieved April 10, 2017, from http://www.pcworld.com/article/3168846/security/recent-wordpress-vulnerability-used-to-deface-1-5-million-pages.html
  3. Malwarebytes Labs. (2015, February). Celebrity chef Jamie Oliver's website hacked, redirects to exploit kit. Retrieved from https://blog.malwarebytes.com/threat-analysis/2015/02/celebrity-chef-jamie-olivers-website-hacked-redirects-to-exploit-kit/
February 5, 2018

Seán

Seán founded WPStrands to help ease the frustrations of everyone who runs their small business website using WordPress.
