It might not be easy for the average person to hack WordPress, but valuable websites are always at risk, so here are eight common-sense ways to protect yourself (and your online business) from attack.
Plugin and theme vulnerabilities to hack WordPress
It’s not fair to pick on plugin and theme authors; they’ve contributed something to the community for free. Nonetheless, the truth is that a poorly written plugin (or theme) can introduce security issues to WordPress. The solution? Know your code, or trust the developers working on your website to know it.
Poor password management
As I mentioned before, passwords are the weakest point of most WordPress websites. If your password is compromised, say goodbye to your website.
Website hosting companies
Hosting matters not just for search engine optimization but also for security. When you’re looking for a good host, don’t simply settle for the cheapest; look for one that offers great service and quality hosting in addition to excellent security. I recommend WP Engine for hosting to all my clients, in large part because I have faith in their security.
Update everything, always.
There is fundamentally no excuse for not updating WordPress. A giant yellow banner appears across the top of your administration screen whenever an update is available, so there is honestly no reason to ever have a plugin, theme, or the WordPress core out of date.
Seriously, I cannot stress enough how vital it is that your website is updated regularly. If it’s not something you’re comfortable doing yourself, hire somebody to maintain your WordPress website.
Avoid commonly exploited vulnerabilities
Again, watch those passwords, but also keep abreast of the more common weaknesses of a WordPress website and the basic fixes for them, such as:
- delete or change the ‘admin’ account on your website;
- remove unused themes and plugins;
- force https:// instead of http:// in the admin area;
- add an .htpasswd file (HTTP basic authentication) to your admin area;
- use proper file permissions for WordPress files.
Hack WordPress with Phishing attacks
It should go without saying that a WordPress website (whether on WordPress.com or self-hosted) will never ask you to email your login credentials or to reply to a message with those details … but I’m going to say it anyway.
WordPress will never ask you for your password, except at the login prompt to your WordPress website.
Accessing sensitive files
WordPress has a lot of files, and those files need to have their permissions set correctly in order to work; if they’re set wrong, they can also expose your website to hackers. The solution is to use .htaccess to protect your files. Moz.com has a great piece on updating your .htaccess file to protect WordPress.
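As an added example (not code from the original post), here is a small POSIX shell script for the permissions advice above and in the earlier checklist: it reports paths that deviate from the commonly recommended 0755/0644 scheme with wp-config.php at 0640, repairs them on request, and prints an Apache 2.4 .htaccess fragment that blocks directory listings and HTTP access to wp-config.php. The install path is the only input; the mode values are the usual recommendation, not figures from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: audit and repair the file
# permissions of a WordPress install using the widely recommended scheme of
# 0755 for directories, 0644 for files and 0640 for wp-config.php (it holds
# the database credentials). The install path is the only input.

# Print every path whose mode deviates from the scheme, one per line.
# Returns 0 when the tree is clean, 1 when offenders were found, 2 on bad input.
wp_perm_audit() {
  root=$1
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
  offenders=$( {
    # directories: 0755, so neither group nor world can add or delete files
    find "$root" -type d ! -perm 755 -print
    # ordinary files: 0644, never group/world-writable and never executable
    find "$root" -type f ! -name wp-config.php ! -perm 644 -print
    # wp-config.php: 0640 or 0600, unreadable to other accounts on the host
    find "$root" -type f -name wp-config.php ! -perm 640 ! -perm 600 -print
  } | sort )
  [ -z "$offenders" ] && return 0
  printf '%s\n' "$offenders"
  return 1
}

# Apply the scheme. Run as the file owner (or root) after reviewing the audit.
wp_perm_fix() {
  root=$1
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
  find "$root" -type f -name wp-config.php -exec chmod 640 {} +
}

# Print an Apache 2.4 .htaccess fragment for the site root: no directory
# listings, and wp-config.php never served over HTTP even if PHP stops
# running (needs AllowOverride Options and AuthConfig in the vhost).
wp_htaccess_fragment() {
  cat <<'EOF'
Options -Indexes
<Files wp-config.php>
    Require all denied
</Files>
EOF
}
```

Usage: `wp_perm_audit /var/www/html` to list offenders, `wp_perm_fix /var/www/html` to correct them, and `wp_htaccess_fragment >> /var/www/html/.htaccess` to append the Apache rules.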
Exposing your login as your username
When you write a post in WordPress, the theme often generates a link to the author page, and unfortunately that link includes your username. For example, this post includes a link to http://thisismyurl.com/author/thisismyurl/, which clearly exposes my username.
If a hacker has your username, they have 50% of your security.
There are, of course, a couple of things you can do to get around this: IT Pixie has a great post on changing the nicename (what is displayed) of your user profile, or you can take my advice and never write under your admin account.
All in all, WordPress is a wonderfully secure platform, but these basic security issues should highlight the need for you (and all website owners) to be vigilant in protecting your website.