Despite the circling horror stories and successful hacking attempts, WordPress is still the biggest content management system on the Internet, powering over 450 million websites online and holding more than 60% of the CMS market share.
Sounds impressive, right?
But if WordPress isn’t safe, why is it so popular among individuals, developers, marketers, big brands, and online stores? The right questions here are: How safe is WordPress? How does it get hacked? And how can you keep your WordPress website secure?
Throughout this guide, we’ll explore the security measures WP takes to secure its platform from common cybersecurity risks. We’ll also discuss how a WordPress website can be compromised, and how to better harden our security.
How WordPress Secures Itself
As a free open source CMS, WordPress enables lots of developers and community contributors to make alterations in the backend and create their own plugins and themes. It also allows users to connect to third-party applications and plugins.
As a result, WordPress becomes vulnerable to malicious security threats, which is why it has its own built-in security system.
Core Developers and WP Security Team
There’s a Core Leadership Team that’s led by a WP co-founder along with five main core developers and other vetted experts who have access to write the code needed to improve the user experience.
WordPress has a veteran security team of around 50 experts, lead developers, and researchers whose responsibility is to protect the platform from cyber attacks. They create security fixes and patches and monitor for potential risks and vulnerabilities.
The security team communicates through a private channel to work on possible improvements and fix issues. If a critical security vulnerability is reported, the team immediately starts confirming it and working on a fix. Depending on the severity of the issue, it might be patched immediately or in the next planned update.
Major and Minor Releases
As previously mentioned, the core WordPress team works on developing new features and add-ons to keep WP up to date. That’s where beta releases come in to test the new changes and fish out any bugs before the new software version comes out. Minor releases contain the latest security fixes for any spotted security vulnerability or software bugs.
A major WP version number has two parts (e.g. 4.2, 5.0), while minor releases have three (e.g. 4.1.3).
Automatic Updates for Minor (Security) Releases
Due to the critical nature of security releases, WordPress has installed them automatically since version 3.7. The WP site owner doesn’t have to do anything from their end. They still have the option to manually postpone or turn off those automatic updates, but it’s highly advised to keep them turned on unless absolutely necessary.
Security for Themes and Plugins
WordPress boasts a rich repository of over 50,000 plugins and 5,000 themes. When you install WP for the first time, you’ll get the default theme (currently Twenty Twenty-One). This default template has been thoroughly tested, reviewed, and approved as highly secure by the WP core team.
While the default theme is safe, many users tend to change it and use a different one. This is largely due to its limited feature set that might not be suitable for everyone, especially small business sites. That’s why there is a dedicated WP team that reviews templates submitted by developers and approves or rejects them to be displayed in the WP theme directory.
As for plugins, although the specialized team of volunteers tries their best to review all plugins, they can’t cover everything. That’s why you need to download add-ons from trusted sources only.
Website administrators get notified when plugin developers release changes, updates, or fixes for their plugins. In addition, the WP security team contacts developers if it discovers vulnerabilities and collaborates with them on the necessary fixes. If it finds a dangerous plugin, or one that poses security threats, in the public directory, it quickly removes it.
Top Reasons WordPress Gets Hacked
As we’ve discussed earlier, WordPress often gets compromised due to its extreme popularity. Nevertheless, successful hacking attempts in almost all cases are due to bad WP user behavior and not keeping good website hygiene.
Weak Credentials
Like any secured online account, your WordPress platform has its own login credentials: the admin and website logins, FTP accounts, etc. Having a weak password for these accounts makes it very easy for hackers to get in. Predictable passwords are usually short, only include letters or numbers, and are related to something personal to you (e.g. birthday, anniversary, etc.).
If the hacker knows any personal information about you, it won’t be difficult for them to gain access to your WordPress platform and your entire website. That’s why a long, complex password is always preferable. Also, avoid using the same password across multiple accounts.
Not Keeping your Themes and Plugins Up-to-Date
This doesn’t apply only to WordPress; it is a general rule for any software or application. Most updates for WP core and for plugins include patches for security issues in the code. In other words, an outdated add-on is a gateway for any hacker.
As soon as an update is available, it’ll appear in your WordPress dashboard. Make it a regular routine to run all the available updates (but don’t forget to make a backup before that).
Getting Plugins and Themes from Untrusted Sources
If an outdated plugin can be a risk, imagine what a poorly coded one can do. This is a major security vulnerability and a good way for hackers to gain easy access to your WordPress website. It’s always better to download your themes and plugins from trusted sources such as the WordPress.org repository and popular trusted marketplaces like ThemeForest and Envato.
Hosting your Website on a Poorly Secured Host or a Shared Server
Even though all hosting providers advertise they take their own precautions to keep their servers secure, not all of them take strong enough steps to implement that. If your hosting provider doesn’t apply the latest security measures, this can place your WordPress site at the risk of being hacked.
Hosting your website on a shared server means that if any of the other websites on the same server is compromised, your website is automatically at risk. That’s why, if you want to stay secure, you should either host your website on a managed WordPress server or go for a reliable managed WordPress hosting plan.
DIY Tips for Hardening WordPress
There are some useful actions that you can take from your end to harden the security of your WordPress website. Here are some DIY WP tips:
Use Strong Passwords
Your password for any account should be long enough and consist of a combination of letters (both capital and small), numbers, and special characters (question mark, exclamation mark, dash, underscore, etc.). As mentioned, you should try to avoid personal information in your passwords (e.g. your name, date of birth, anniversary, etc.).
Another important pointer is to use different passwords for different accounts and to periodically change these credentials. Don’t worry if you find yourself having a hard time remembering all these passwords – you can always use a password manager that will sort them out for you.
Use Two-Factor Authentication (2FA)
In order to further protect your identity, some online accounts use a second authentication step. This may be in the form of an email with a verification link or a code via SMS.
The same applies to WordPress. If you’re offered the option to add two-factor authentication (2FA) to your login process, it’s always a great way to further secure your WordPress website.
Change File Permissions
Having shell access to your server lets you change the permissions of files and directories. Run the following command to set the permissions of your directories:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
If you want to change permissions for your files, run the following command:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
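The two find commands above set the modes but don’t tell you what was wrong, and they don’t cover wp-config.php, which holds the database password and should not be readable by other users on the server. The script below is an added example and not part of the article: it audits an install against the same 755/644 modes, flags a world-readable wp-config.php, and only changes anything when FIX=1 is set in the environment. The install path and the FIX variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article: audit a WordPress tree against the
# modes the article recommends (755 on directories, 644 on files) and make
# sure wp-config.php, which holds the database password, is not readable by
# "other". Report only by default; run with FIX=1 in the environment to
# apply the corrections. The install path is the only argument.

wp_perm_audit() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }

    # Directories whose mode is not exactly 755
    find "$root" -type d ! -perm 755 -exec echo "DIR  not 755: {}" \;
    bad_dirs=$(find "$root" -type d ! -perm 755 | wc -l | tr -d ' ')

    # Regular files whose mode is not exactly 644; wp-config.php is handled below
    find "$root" -type f ! -name wp-config.php ! -perm 644 -exec echo "FILE not 644: {}" \;
    bad_files=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l | tr -d ' ')

    # wp-config.php: the "other read" bit (octal 004) exposes DB_USER/DB_PASSWORD
    cfg_world=0
    if [ -f "$root/wp-config.php" ] && find "$root/wp-config.php" -perm -004 | grep -q .; then
        cfg_world=1
        echo "CONF world-readable: $root/wp-config.php"
    fi

    if [ "${FIX:-0}" = 1 ]; then
        find "$root" -type d ! -perm 755 -exec chmod 755 {} \;
        find "$root" -type f ! -name wp-config.php ! -perm 644 -exec chmod 644 {} \;
        if [ "$cfg_world" = 1 ]; then chmod 600 "$root/wp-config.php"; fi
    fi

    echo "SUMMARY dirs=$bad_dirs files=$bad_files config_world_readable=$cfg_world"
    [ $((bad_dirs + bad_files + cfg_world)) -eq 0 ]
}

# Usage: wp_perm_audit /var/www/html   (prefix with FIX=1 to repair)
if [ "$#" -gt 0 ]; then wp_perm_audit "$1"; fi
```

Run it from cron or before deploying a theme so that a stray 777 left by an installer shows up as a listed path rather than going unnoticed; the non-zero exit status makes it easy to wire into a monitoring check.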
Secure Your Database
Running multiple blogs against the same database on one server makes it easier for attackers to compromise or infect all of your projects at once. It’s better to give each site its own database when you first install WP. That way, if one WP installation is hacked, the others remain secure, and it is much easier to identify and remove the infection before it spreads.
Keep in mind, if you have another person managing your databases for you, it’s important to disable unnecessary features such as accepting remote TCP connections.
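Whether two installs on a server actually share a database is easy to lose track of, since the only record is the DB_NAME and DB_USER constants in each wp-config.php. The script below is an added example and not part of the article: it inventories every wp-config.php under a web root, reports databases or database users used by more than one install, and lists installs whose DB_HOST is not local (the remote TCP access the paragraph above says to disable unless needed). It assumes the stock define('DB_NAME', '...') form and paths without tabs or newlines.

```shell
#!/bin/sh
# Added example, not from the article: inventory every wp-config.php below
# a web root and report databases or database users shared by more than one
# WordPress install (the setup the article advises against), plus any
# install whose DB_HOST is not local. Assumes the stock
# define('DB_NAME', '...') form and paths without tabs or newlines.

# Print the value of a define()'d constant from a wp-config.php file.
# $1 = path to wp-config.php, $2 = constant name (DB_NAME, DB_USER, DB_HOST)
wp_config_value() {
    q="['\"]"   # PHP allows either quote style
    sed -n "s/^[[:space:]]*define([[:space:]]*$q$2$q[[:space:]]*,[[:space:]]*$q\\([^'\"]*\\)$q.*/\\1/p" "$1" | head -n 1
}

wp_shared_db_report() {
    webroot=$1
    shared=0
    # One tab-separated line per install: db_name, db_user, db_host, config path
    inventory=$(find "$webroot" -type f -name wp-config.php | sort | while read -r cfg; do
        printf '%s\t%s\t%s\t%s\n' "$(wp_config_value "$cfg" DB_NAME)" \
            "$(wp_config_value "$cfg" DB_USER)" "$(wp_config_value "$cfg" DB_HOST)" "$cfg"
    done)
    [ -n "$inventory" ] || { echo "no wp-config.php under $webroot" >&2; return 2; }

    # Databases used by more than one install
    for db in $(printf '%s\n' "$inventory" | cut -f1 | sort | uniq -d); do
        echo "SHARED DATABASE $db used by:"
        printf '%s\n' "$inventory" | awk -F'\t' -v d="$db" '$1 == d { print "  " $4 }'
        shared=$((shared + 1))
    done
    # Database users used by more than one install (one leaked password opens all of them)
    for u in $(printf '%s\n' "$inventory" | cut -f2 | sort | uniq -d); do
        echo "SHARED DB USER $u used by:"
        printf '%s\n' "$inventory" | awk -F'\t' -v u="$u" '$2 == u { print "  " $4 }'
        shared=$((shared + 1))
    done
    # A non-local DB_HOST means the database server accepts remote TCP connections
    printf '%s\n' "$inventory" | awk -F'\t' '$3 != "localhost" && $3 != "127.0.0.1" { print "REMOTE DB HOST " $3 ": " $4 }'

    echo "SUMMARY shared=$shared"
    [ "$shared" -eq 0 ]
}

# Usage: wp_shared_db_report /var/www
```

A clean report means each install has its own database and its own database user; the fix for a shared entry is to create a separate database and a user that is granted privileges on that database only, then update the affected wp-config.php.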
Set a Limit to Login Attempts
You probably noticed that logging in to any online account gives you a certain amount of tries to enter the correct credentials or go through the “forgot my password” procedure. By default, WordPress is set to offer an unlimited number of login attempts and this is an advantage that hackers use to gain access.
Set a limit on the number of login attempts to prevent this. Most online services stick to three attempts and others go up to ten. Still, don’t go below three attempts, to stay on the safe side and avoid locking yourself out of your own account.
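A login limit stops a single burst of guesses, but you also want to see the attempts that are hitting the site. The script below is an added example and not part of the article: it reads a web server access log in the common or combined format and lists the client addresses that sent repeated failed logins. It relies on the fact that WordPress re-renders wp-login.php with HTTP 200 when a login fails and answers a successful login with a 302 redirect; the default threshold of 10 is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the article: find clients hammering the login page
# in a web server access log (Apache/nginx common or combined format).
# WordPress re-renders wp-login.php with HTTP 200 when a login fails and
# answers a successful login with a 302 redirect, so repeated
# "POST /wp-login.php" requests with status 200 from one address are failed
# attempts. $1 = log file, $2 = threshold (default 10, an assumption).

wp_failed_login_report() {
    logfile=$1
    threshold=${2:-10}
    # In common/combined format: $1 client IP, $6 "METHOD, $7 path, $9 status
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
    ' "$logfile" | sort -k2,2nr -k1,1
}

# Number of clients at or above the threshold; 0 means nothing to report
wp_failed_login_count() {
    wp_failed_login_report "$@" | wc -l | tr -d ' '
}

# Usage: wp_failed_login_report /var/log/apache2/access.log 20
```

The addresses it prints are the ones a login-limit plugin would have locked out; they are also the natural input for the firewall block list discussed later in this guide. A production version would additionally bucket the counts by time window and, behind a reverse proxy, read the client address from the forwarded header instead of the first field.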
Set Up a WordPress Firewall
Setting up a WP firewall blocks requests coming from known malicious IP addresses before they reach your website, which helps prevent hackers from gaining access.
There are some security plugins that you can use as well, which already have a built-in web application firewall (WAF). An example of a popular security plugin is MalCare which you can easily enable for your website.
File Editing
By default, administrators can edit theme and plugin PHP files from the WP dashboard, which means the dashboard permits code execution. If a hacker manages to log into your WordPress backend, they can use that editor to carry out malicious activities.
Luckily, WP gives you the option to disable file editing from the dashboard. Add the following line to your wp-config.php file to disable editing of themes and plugins for all users who have access to the dashboard:
define('DISALLOW_FILE_EDIT', true);
Keep in mind that while this setting helps prevent some attacks, it won’t stop a hacker from uploading infected files to your website.
Final Thoughts
Generally speaking, WordPress is a safe platform that’s constantly monitored and regulated by an expert security team. However, a lot of websites get compromised and infected by malware mainly due to user negligence.
Keeping outdated plugins and unused themes, and not performing regular backups or updates for your WordPress website, will make you an easy target for hackers. That’s why you need to be vigilant about maintaining healthy website security checks and safety measures while using WordPress.
Let us know what you think about the safety of WordPress in the comments section below.