11 Expert Tips for Solving WordPress Security Issues
WordPress security has always been one of the main concerns for its users. Because of its worldwide popularity, the platform is a constant target for hacking attacks and other threats, which is why maintaining its security may appear tricky at first. Of course, a well-equipped security plugin is one of the must-have WordPress plugins when starting a new website. But when it comes to keeping your WordPress website extra safe, sadly, a plugin alone is not enough. Rather, a combination of different strategies is essential.
For this reason, we’ve asked a round of 11 WordPress experts to share their tips for solving WordPress security issues. Read on to find out what you can do to shield your WordPress website from unwanted intrusions.
Ian McClarty, President & CEO at PhoenixNAP Global IT Services
WordPress is currently powering about 35% of all web sites – 20% of them are running on WordPress.org (self-hosted WordPress), while 15% are running on WordPress.com. WordPress.com is a secure place, with limited user access, themes, and plugins.
With self-hosted WordPress, things are a bit different. The site administrator must take care of several WordPress security issues, like the security of the hosting, themes, and plugins, the strength of the users’ passwords, etc.
As in many other cases, the weakest point in WordPress security is the user itself – weak passwords and local machine exploits are the first links in a disaster chain. Next, nulled themes or plugins from unofficial repositories are also known to cause website issues. And finally, the hosting and the database itself can be vulnerable to attacks.
Two of the biggest exploits that I have experienced were related to third-party plugins – Revolution Slider vulnerability back in September 2014, and the most recent issue with Yuzo Related Posts. Based on these two world-wide plugin-related issues, we are now trying to use only plugins from well-known authors and based on the plugin changelog, we avoid immediate updates unless the changelog states differently.
Some general guidelines on how to keep your WordPress website secure:
- Use a well-known hosting provider
- Avoid using the default ‘wp_’ database table prefix
- Ensure that the database username and password are not default (e.g. ‘root’ and blank for password)
- WordPress admin panel username and password should under no circumstances be ‘admin’, ‘siteadmin’, or anything similar
- You should give administrator rights to only a few users
- Your themes and plugins should come from well-known authors that have had no exploits in the past
- Make sure WordPress is regularly updated, as well as its plugins, with changelog checks
- Use WordFence or Cloudflare to prevent malicious attacks
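A check for the wp-config.php items in the list above (the default ‘wp_’ table prefix and default database credentials), extended a little beyond the list to two other defaults in the same file: the ‘put your unique phrase here’ placeholder that wp-config-sample.php ships for the authentication keys and salts, and the DISALLOW_FILE_EDIT constant that turns off the in-dashboard code editor. This is an added example, not code from the original page or from the WordPress project; the weak-value lists, the parsing (simple define() and $table_prefix lines, no PHP string escapes) and the two constructed sample configs are this example’s own assumptions.

```python
"""Audit a wp-config.php against the defaults called out in the guidelines above.

Added example, not code from the original page or from the WordPress project.
The parser handles the define('NAME', 'value'); and $table_prefix lines of a
typical wp-config.php (PHP string escapes are not handled); the weak-value
lists and the DISALLOW_FILE_EDIT check are this example's own assumptions.
"""
import re
import secrets

DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:['"](.*?)['"]|(true|false))\s*\)\s*;""",
    re.IGNORECASE,
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")

# Names and passwords an attacker will try first (assumed list).
WEAK_DB_USERS = {"root", "wordpress", "wp", "admin"}
WEAK_DB_PASSWORDS = {"", "password", "root", "wordpress", "123456"}
# Placeholder shipped in wp-config-sample.php; any key left at it is a finding.
SALT_PLACEHOLDER = "put your unique phrase here"
SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)


def parse_wp_config(text):
    """Return ({DEFINE_NAME: value}, table_prefix) from wp-config.php source."""
    defines = {}
    for m in DEFINE_RE.finditer(text):
        name, quoted, literal = m.group(1).upper(), m.group(2), m.group(3)
        defines[name] = quoted if quoted is not None else literal.lower()
    m = PREFIX_RE.search(text)
    return defines, (m.group(1) if m else None)


def audit_wp_config(text):
    """Return a list of findings; an empty list means every check passed."""
    defines, prefix = parse_wp_config(text)
    findings = []
    if prefix is None or prefix == "wp_":
        findings.append("table prefix is the default 'wp_'")
    user = defines.get("DB_USER", "")
    if user.lower() in WEAK_DB_USERS:
        findings.append(f"database user '{user}' is a default or guessable name")
    if defines.get("DB_PASSWORD", "") in WEAK_DB_PASSWORDS:
        findings.append("database password is blank or a common default")
    bad_salts = [n for n in SALT_NAMES if defines.get(n, SALT_PLACEHOLDER) == SALT_PLACEHOLDER]
    if bad_salts:
        findings.append("keys/salts missing or left at the sample placeholder: " + ", ".join(bad_salts))
    if defines.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT is not true, so the dashboard theme/plugin editor is available")
    return findings


# Constructed sample: the shape of an untouched wp-config-sample.php.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', '' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
"""

# Constructed sample: the same file after applying the guidelines.
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'shop_prod' );
define( 'DB_USER', 'shop_app_rw' );
define( 'DB_PASSWORD', 'v8!Qm2#Lr9z$Tk4w' );
define( 'DB_HOST', 'localhost' );
define( 'DISALLOW_FILE_EDIT', true );
$table_prefix = 'shp4x_';
""" + "".join(f"define( '{n}', '{secrets.token_hex(32)}' );\n" for n in SALT_NAMES)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_wp_config(cfg) or ['no findings']}")
```

Run it against a real wp-config.php with `audit_wp_config(open("wp-config.php").read())`; the database username, password and prefix it reports are exactly the values an attacker who gains read access to the file (or a backup of it) obtains, so an empty findings list is a floor, not proof of safety.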
Will Ellis, Owner of Advocacy Group at Privacy Australia Company
As a team that is greatly concerned about WordPress security for our clients, we spend a lot of time on monitoring and other tasks. There was a tipping point where we realized we were spending way too much time on mundane tasks. We realized we needed to automate a few of them.
The one tool that helped us automate and that we now can’t live without is Defender Security. Defender saves us hours weekly with its scanning and monitoring functionality. We used to handle all of our WordPress security issues manually and Defender takes around 70% of our tasks and automates them for us. If you have a WordPress website and aren’t doing anything for security, you’re making a big mistake. 73.2% of all WordPress installations have security vulnerabilities. Plugins like Defender go a long way in helping those vulnerabilities go away. Taking care of security manually on WordPress takes a lot of time, so any tool that can automate a handful of tasks is a huge help.
Dale McManus, the Owner of Create A Pro Website
The biggest threat a WordPress website faces is malware. Malware is “injected” into your database to cause chaos. How it affects your site will vary widely depending on the type of attack itself. Once malware is on your website, your data is at risk.
Thankfully, you can prevent these attacks from happening. First up, do you have an SSL certificate installed? An SSL certificate is the first level of defense against data breaches. Having it properly installed and activated on your domain ensures the security of your passwords and other data. Most web hosts provide a free SSL certificate. Check with them for more info.
Next, if you have any inactive plugins, remove them. If there’s an update available for any plugins or themes, run them! But make sure you back up your website first. You should back up your website at least once a week.
Assuming your plugins and themes are up to date, you may try installing the Sucuri Security plugin. The free version gives you everything you’ll need to monitor your website and protect it against potential malware attacks. Once you’ve installed and activated the plugin, you’ll receive emails if there are ever any security flags. You can also track user activity like failed logins and other important metrics that signify your site may be under attack.
If you practice what I’m preaching, your WordPress site will stay secure. That doesn’t mean it’ll never get attacked, but it’s a good start.
Akshat Choudhary, CEO at BlogVault
What we have observed is that most people who approach us with a hacked site had outdated plugins, themes, and WordPress core. This left their site vulnerable to threats. Most of them thought updating was not important or were worried that the process could break their site. Fighting this kind of misinformation has been the biggest issue we’ve faced in the WordPress Security space.
Our suggestion has always been to use a staging site to test updates beforehand. This is essentially a clone of the site where you can test changes without affecting the live site.
We offer free staging with our Backup Plugin. Once you’ve tested the updates, you can update the core, themes, and plugins all at once, even across multiple websites! Moreover, if you are unhappy with what you have tested, you can always restore the previous version.
We recently collated all our thoughts on this and wrote a massive Guide on WordPress Updates. It covers any concerns one might have about updating their WordPress site.
I essentially have two suggestions regarding security for anyone using WordPress:
- Always stay updated and backed up,
- use plugins and themes that do not add to your server load.
These will ensure your site is up and running smoothly all the time!
Yuriy Nifontov, Development Team Leader at Beetroot
We had a serious issue that included a complex vulnerability of files on WordPress and the server. There was also a plugin which, let’s say, allowed the existence of this vulnerability. As a result, we had many problems. For instance, the virus changed the headers of some files and added binary fragments to their unpopular parts, turning traditional PHP files into something different. When accessing the site, we saw a white screen and the site itself tried to steal personal information through cookies. We tried to fix the problem with backup, but it only worked for half an hour or so. We thought that there must be some kind of network through which the issue could return over and over again.
We were able to get rid of it for good by changing the IP, deleting DNS records from the web, deleting the plugin, changing file permissions, and adding a custom user for this site to the web server. We never deciphered the binary fragments or found the roots of this virus.
Now there is a new plugin, Wordfence, which offers a much easier algorithm for solving problems like this. You just need to copy an infected website to a separate folder so that PHP files are not executable, and run it through Wordfence. This plugin searches for edited files and deletes all the infected ones. Then you have to take the site out of the folder, update WordPress and plugins, and re-install the disinfected archive.
Sudhir Polepalli, CEO of Tvisha Technologies
Like any other digital marketers, we also tried our hands on WordPress-powered websites, as they do not require in-depth technical expertise to build or redesign websites. But going forward, we identified a striking number of WordPress security issues. A few of them included website layout issues, URL de-indexing, duplication of URLs, and decreased rankings.
One more predominant security issue we faced with WordPress was its database errors. Every time, it asks the users to re-install websites or plugins whenever the server requests exceed the limit of 75k per hour. To overcome this issue, our website hosting service providers started incorporating extended security layers to increase the bandwidth of our websites and avoid reinstallation processes.
As far as redesigning of websites using WordPress plugins is concerned, we have come across the issues of content duplication through duplicated URLs, decreased link building and rankings. We have successfully handled this concern by redirecting the users from old pages to new pages at the time of adding new pages or building new URLs.
We felt there is a possible threat of losing site interaction and thereby losing our potential users whenever the SSL certificate expires, as users never feel safe enough to browse sites which display the tag of “not secure”. We conquered this issue by keeping ourselves active in receiving the email notifications from our SSL service provider, and also by using plugins like Really Simple SSL to keep us informed before the SSL certificate expires. We are adept at following such practices and keep monitoring the time durations of the SSL certificates of our website through third-party service providers to ensure our users a safe and secure browsing experience.
Jeremy Ong, Founder at HUSTLR Inc.
From my experience, the Brute Force method is the most common and straightforward way to access your WordPress website in an unauthorized manner. This trial and error method was used to unlock the login page of my admin.
Generally, a brute force attack refers to the process of entering multiple combinations of usernames and passwords over and over to decipher the original one. It is one of the initial options for attackers to gain access to your website through your website login screen. There is no particular WordPress policy regarding the limits of login attempts, and this paved the way for bots – they can attack your website easily by using this brute force method. Even if this attack doesn’t succeed, it can still damage your server. The bombing of invalid usernames and passwords might become the reason for the suspension of your server if it is a dedicated server. So you, at any point, need to ensure that your website is safe from these brute force attacks.
I would suggest some essential practices to fix this brute force problem. It is a common observation that the majority of WordPress security issues happen due to negligence.
First of all, you need to strengthen your password. Your password should never be fewer than six words. Another solution to this problem is to use updated WordPress plugins which include two-factor authentication. By enabling this authentication, the login page is layered by another protection tier. This will ask another time-sensitive code to access the login page of the website. It nearly minimizes the probability of being attacked by the brute force method.
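What the “time-sensitive code” in that last paragraph actually is, as an added example that is not code from the original page or from any WordPress two-factor plugin: a TOTP (RFC 6238) implementation of the kind authenticator apps and WordPress 2FA plugins use, with the server-side check a practitioner would want, namely a one-step clock-skew window, a constant-time comparison over every candidate, and refusal to accept the same code twice. The raw secret and timestamps in the checks are the RFC 4226/6238 test values; the base32 seed in the demo is constructed.

```python
"""Time-based one-time password (TOTP, RFC 6238) verification.

Added example, not code from the original page or from any WordPress 2FA
plugin. It shows what the 'time-sensitive code' above is: an HMAC-SHA1 of
the current 30-second time step, truncated to six digits. The server-side
check tolerates one step of clock skew and refuses to accept a code twice.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def decode_base32_secret(text):
    """Authenticator apps share the seed as unpadded base32; restore padding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238: HOTP with the counter set to the current time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time=None, window=1, used=None):
    """Return True if `submitted` matches the current step or one within +/-window.

    `used` is a set of already-accepted counters; passing the same set across
    calls stops a sniffed code from being replayed inside its validity window.
    Every candidate is compared (no early exit) with a constant-time compare.
    """
    if at_time is None:
        at_time = time.time()
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    base = int(at_time) // STEP_SECONDS
    matched = None
    for delta in range(-window, window + 1):
        counter = base + delta
        if hmac.compare_digest(hotp(secret, counter), submitted) and matched is None:
            matched = counter
    if matched is None or (used is not None and matched in used):
        return False
    if used is not None:
        used.add(matched)
    return True


if __name__ == "__main__":
    seed = decode_base32_secret("JBSWY3DPEHPK3PXP")  # constructed demo seed
    print("current code:", totp(seed))
```

Note that a six-digit code is only a million possibilities, so the second factor defeats guessing only together with the attempt limiting the paragraph above asks for; without a lockout, an attacker who already has the password can brute force the TOTP too.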
Cheryl Smithem, Founder and Principal at Charleston PR & Design
The biggest issue I’ve witnessed is not educating the site owners about the responsibilities of owning a WordPress site. As a result, WordPress versions are not up to date.
Original developers who are not informed of best WordPress practices and do not use WP codex standards leave sites vulnerable. WordPress will age forward gracefully and will work only if coded to standard. Too many people haven’t spent any time to learn these standards and rather try to do things quickly and cut corners. Additionally, plugins that are not vetted into the WP repository and not kept up to date are open to vulnerability. We have even seen a site coded by a supposedly reputable company that was done in such a way as to not show that the WordPress version was out of date! The site owner had no way of knowing that he was running an ancient version of WordPress.
Site owners don’t learn how to add additional users and as a result, they share a single admin login. Worse still, the default admin user is not promoted to any site role, and botnets hammer at that login.
Next, passwords are too simple. Too many people fail to put in anti-spam detection and approve junk comments which invite malware.
Other critical issues are using shared hosting servers which are under constant botnet attack. These slow servers lag and sites are not nimble. When one site gets attacked, all other sites are vulnerable.
Finally, too many people spend too few dollars on their sites. They feel that $4 a month for hosting and cheap development will give them a site that will represent their business well. In reality, cheaping out hurts them just as much as not having a website.
Saurabh Jindal, CEO of Talk Travel
We use WordPress as a CMS and have set up our website on it. We generally try to keep the number of plugins to a minimum so as to not have inter-plugin conflicts.
The biggest security concern we have been seeing is the number of spam comments. The number seems to be increasing every month, and though we have been blacklisting the keywords in the Discussions panel, the number of spam comments keeps increasing. We still have not figured out a solution for this, but maybe we will have to end up using a plugin such as Akismet for this.
Igor Mitic, Co-Founder of Fortunly
My major issue with WordPress security has been a brute force attack. Fortunly has been a target of these a few times and luckily, our passwords haven’t been cracked. A brute force attack means that an automated software tries hundreds of combinations within minutes in order to discover the password.
Luckily, my website hasn’t been disabled and I haven’t gotten any malware installed. However, after the second attack, I invested more time into creating a very strong password that would take a lot of effort to crack. Passwords are something I took for granted, especially since I was afraid I’d forget them. This habit put my website at risk, which is why I encourage everybody to come up with a strong, unique combination of letters, numbers and special characters. Another protection method is Captcha, which I designed to recognize automated software and suspend their activity.
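Both this account and Jeremy Ong’s above describe the same thing seen from the victim’s side: one source firing hundreds of login attempts in minutes. The following is an added example, not code from the original page or from any security plugin, of how that pattern shows up in the web server’s access log and how to pick it out: a sliding-window count of POSTs to /wp-login.php and /xmlrpc.php per source IP, with a note of whether a flagged IP later received a 302 (WordPress answers a failed login with a 200 that re-renders the form and a successful one with a redirect, so a redirect after a burst of failures is the signal that the guessing worked). The log lines are constructed below in Apache combined format; the threshold and window are assumptions to tune for the site.

```python
"""Spot login brute forcing in a web server access log.

Added example, not code from the original page or from any security plugin.
Flags any IP whose POSTs to the login endpoints exceed `threshold` inside
`window_seconds`, and counts 302s it got once over the threshold. The log
lines are constructed in Apache combined format; thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {ip: {"attempts": peak_posts_in_window, "redirects_after_threshold": n}}.

    Each source's lines are assumed to arrive in time order, as a server writes them.
    """
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "POST" or e["path"] not in LOGIN_PATHS:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]) > timedelta(seconds=window_seconds):
            q.popleft()               # forget attempts outside the window
        if len(q) >= threshold:
            rec = flagged.setdefault(e["ip"], {"attempts": 0, "redirects_after_threshold": 0})
            rec["attempts"] = max(rec["attempts"], len(q))
            if e["status"] == 302:    # WordPress redirects only on successful login
                rec["redirects_after_threshold"] += 1
    return flagged


def _line(ip, ts, method, path, status):
    """Build one constructed combined-format log line."""
    stamp = ts.strftime(TIME_FMT)
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'


def build_sample_log():
    """Constructed log: one brute forcer, one slow guesser, one ordinary visitor."""
    t0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # 25 failures two seconds apart, then a redirect: the password was found.
    for i in range(25):
        lines.append(_line("203.0.113.7", t0 + timedelta(seconds=2 * i), "POST", "/wp-login.php", 200))
    lines.append(_line("203.0.113.7", t0 + timedelta(seconds=50), "POST", "/wp-login.php", 302))
    # Five failures spread over ten minutes stay under the per-minute threshold.
    for i in range(5):
        lines.append(_line("192.0.2.5", t0 + timedelta(minutes=2 * i), "POST", "/xmlrpc.php", 200))
    # Ordinary visitor: a page view, one typo, then a successful login.
    lines.append(_line("198.51.100.20", t0 + timedelta(seconds=5), "GET", "/wp-login.php?redirect_to=%2Fwp-admin%2F", 200))
    lines.append(_line("198.51.100.20", t0 + timedelta(seconds=20), "POST", "/wp-login.php", 200))
    lines.append(_line("198.51.100.20", t0 + timedelta(seconds=35), "POST", "/wp-login.php", 302))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for ip, rec in find_bruteforce(build_sample_log()).items():
        print(ip, rec)
```

The slow guesser in the sample is the reason the window matters: five attempts in ten minutes never trip a per-minute threshold, so in practice this detector is run with more than one (threshold, window) pair, and the 302 counter is what turns a noisy “someone is guessing” alert into an incident.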
Brian Harris, Founder at SoftwareFindr.com
In the past, my site was heavily targeted by hackers via DDoS attacks. Even after restoring all my site files and manually cleaning up the additional malicious files that were still on my server, hours later I would get the notification that my site was targeted again and had been put offline. After trying various security plugins, I ended up using Defender by WPMU Dev.
This plugin allowed me to update all of my plugins and themes. Also, it allowed me to harden my login page and with a few clicks, I was able to lock code execution within certain WordPress folders. I would highly recommend this plugin to help keep your site safe.
My biggest takeaways from this experience are:
- Keep all the plugins and themes up to date and remove the ones you don’t need.
- Rename the login page and avoid using the default admin username.
- Use a security plugin to monitor new files or code added to your site files.
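The third takeaway here, and the clean-up Yuriy Nifontov describes earlier (a scanner that finds edited files, plus core PHP files that had their headers changed and binary fragments added), both come down to the same mechanism: a baseline of file hashes and a diff against it. The following is an added example of that mechanism, not code from the original page, Wordfence or Defender. It records a SHA-256 manifest of a known-clean tree, reports files added, removed or modified since, and flags new or changed PHP files that carry the marks of injected code (an eval() fed by a decoder, a shell function fed straight from the request, or raw binary bytes inside a PHP source file). The site tree is constructed in a temporary directory; the suspicious-pattern list is this example’s own and is a starting point, not a complete malware signature set.

```python
"""Baseline-and-diff integrity check for a WordPress file tree.

Added example, not code from the original page or from Wordfence/Defender.
Takes a SHA-256 manifest of a clean tree, diffs the current tree against it,
and scans new or changed .php files for a few injection tell-tales. The site
tree is constructed in a temp directory; the pattern list is an assumption.
"""
import hashlib
import re
import tempfile
from pathlib import Path

SUSPICIOUS = {
    "eval-of-decoder": re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\("),
    "request-to-shell": re.compile(rb"(?:system|exec|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "binary-bytes": re.compile(rb"[\x00-\x08\x0e-\x1f]"),   # control bytes never found in PHP source
}


def build_manifest(root):
    """Map each file's path (relative, POSIX separators) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, modified


def scan_php(path):
    """Return the names of suspicious patterns found in one file."""
    data = Path(path).read_bytes()
    return [name for name, rx in SUSPICIOUS.items() if rx.search(data)]


def check_site(root, baseline):
    """Diff the tree against the baseline and scan every new or changed .php file."""
    root = Path(root)
    added, removed, modified = diff_manifest(baseline, build_manifest(root))
    suspicious = {}
    for rel in added + modified:
        if rel.endswith(".php"):
            hits = scan_php(root / rel)
            if hits:
                suspicious[rel] = hits
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def demo():
    """Constructed scenario: take a baseline, infect the tree, run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-includes").mkdir()
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-includes" / "functions.php").write_bytes(b"<?php\nfunction wp_demo() { return 1; }\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg bytes")
        (site / "index.php").write_bytes(b"<?php\nrequire 'wp-includes/functions.php';\n")
        baseline = build_manifest(site)

        # Infection, as in the earlier account: a core file gets a new header
        # with binary fragments, a dropper appears under uploads, a file vanishes.
        core = site / "wp-includes" / "functions.php"
        core.write_bytes(b"<?php /*\x00\x01\x02*/ " + core.read_bytes()[5:])
        (site / "wp-content" / "uploads" / "cache.php").write_bytes(
            b"<?php eval(base64_decode($_POST['c'])); ?>")
        (site / "index.php").unlink()
        return check_site(site, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the tree it was taken from and the place it is stored: take it right after a clean install or a verified restore, keep it off the web root (an attacker who can write PHP files can also rewrite a manifest sitting next to them), and for WordPress core, themes and plugins from the official repository the better baseline is the published release archive rather than your own copy.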
At first glance, securing your WordPress website may appear to be a difficult, if not futile, task. Nonetheless, there are always ways to strengthen your website’s defenses against threats and thus protect your data from irreparable damage. According to these experts, if you strengthen your passwords, run frequent theme, plugin and core updates as well as regular backups of your website, and install a strong WordPress security plugin, you’re off to a good start. Good luck!
We hope this article was helpful. If you liked it, feel free to check out some of these articles as well!