I recently posted about how to simplify plugin and theme updates for multi-administrator WordPress sites using wp-cli. While this post may not be groundbreaking, I’m still going to explain how to mitigate the risk of a server hack and keeping your WordPress site secure. Why? Well, for this very reason! 👇
Last week, one of my clients’ servers was hacked. Upon investigating the logs, we discovered that it was due to having too many dormant users set as administrators with extremely weak passwords. These passwords weren’t set recently; otherwise, they would have been caught by the improved password strength checker built into WordPress. One of the sites on the server was over a decade old and had dormant administrators who no longer worked for the company. Digging deeper into the hosted account, we identified the responsible site. Multiple folders were scattered across the internal files, and an unauthorised administrator had been injected into the database. Although the hack probably didn’t require adding the random administrator since it likely compromised an existing administrator account, the hack may not have been aware of that. Unfortunately, this compromise eventually spread to the entire server, turning into a nightmare. Fortunately, we were able to restore the site successfully before the hack.
Keeping your WordPress site secure
Because WordPress powers millions of websites, it’s a prime target for hackers. It’s important to mitigate not only site hacks but also server hacks. After all, prevention is better than a cure, right? As a site owner, you must take proper precautions to protect your site, don’t rely on the host or the person who set your site up, as the owner you really need to take responsibility for that ownership. Here are some key tips to keeping your WordPress site secure:
Use a Password Manager
Ensure that all your WordPress and hosting account passwords are strong, unique, and stored in a password manager like LastPass. This helps in creating and remembering secure passwords. Enable two-factor authentication (2FA) whenever possible for added protection. And remember, do not use the same password for everything.
Review and Manage User Accounts
Avoid having unused administrators lying around. Regularly review all users and ensure that they have appropriate roles and permissions based on their needs. Limit admin access to only trusted users and remove access for users who are no longer part of your organisation. Even better, if you have access to wp-cli and are comfortable using it, you can eliminate the need for any administrators altogether. This provides a high level of security, although it goes beyond the scope of this post. If you’re interested in learning more, feel free to reach out, and I’ll explain further.
Install Trusted Plugins and Themes
When adding plugins and themes, only use those from the official WordPress repository. Avoid third-party stores as they may contain compromised code or code that is no longer supported by the original developer. Check user reviews, ratings, last updated date, and compatibility with your version of WordPress to identify trusted plugins in the official WordPress plugins repository.
Keep Everything Up-to-Date
Updates are necessary because they often include patches to mitigate vulnerabilities. Outdated software is more prone to newly discovered hacks and contains vulnerabilities. Always update WordPress core, plugins, and themes to the latest versions. Enable auto-updates where possible or do it manually. Before updating, it’s a good idea to back up your site first. Most reputable hosts have built-in functionality for this purpose, or you can clone your site and test the updates before applying them to your live (production) website.
Use a Security Plugin
While there are many configurations you can apply to your WordPress install by modifying code or adjusting .htaccess or nginx configuration, most users will benefit from installing a dedicated security plugin like Wordfence. These plugins offer features such as firewall protection, login monitoring, malware scans, and more. You can use them to enhance security and fortify your site.
Enable SSL Certificate
If you ain’t doing this then you probably shouldn’t own a website! Activate HTTPS on your site by installing an SSL certificate. This encrypts all traffic and prevents unauthorised snooping on sensitive data. WordPress.com sites have this feature by default, and self-hosted sites can use Let’s Encrypt.
Regularly check WordPress security news and bulletins to stay informed about new threats and fixes. Take prompt action if a vulnerability affects your site. Sign up for email alerts from WordPress to receive updates directly.
By following these WordPress security best practices, you’ll greatly enhance the safety of your site by keeping your WordPress site secure. Don’t wait until it’s too late and you’re frantically calling your developer with your site already hacked. Be vigilant about WordPress security, take if seriously to protect your site and peace of mind.