Common WordPress Security Mistakes Many Websites Make
If your website has ever been attacked by bots, hackers or other rogue elements, you’ll know that setting it right again can be a nightmare. As WordPress has grown in popularity it has become a bigger target: a single flaw in a widely used platform or plugin pays off across a huge number of sites, and most attacks are automated scans rather than anyone singling you out. There’s no such thing as foolproof security, but there are many small and big things we can do to avoid some common WordPress security mistakes and make it much harder for the bots to get into our websites and wreak havoc.
In this post, let’s look at the common security mistakes on WordPress websites, and at what we can do to minimize our exposure to security threats.
Mistake #1: Not Updating WordPress
WordPress has an active community that’s alert to security issues, and the core team issues updates regularly to fix them. But it’s up to us to make sure those updates actually land on our install and close the holes. By default WordPress applies minor (maintenance and security) releases automatically; major releases, and updates to themes and plugins, wait for you to act on the notifications that show up on your dashboard.
Updating WordPress is usually a smooth, one-click process, but occasionally an update is incompatible with a theme or plugin and breaks the site. Take a fresh backup before updating and, if you can, apply the update to a staging copy first. There’s more about updating WordPress in this Quick Guide to updating WordPress.
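As an added example (not code from the original post), here is how the update policy can be made explicit in a must-use plugin, so that security releases of plugins and themes are applied without waiting for someone to read the dashboard. The constant and filter names are WordPress’s own; the plugin slug in the hand-updated list is a placeholder you would replace with your own.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 * Description: Drop this file into wp-content/mu-plugins/ so it is always loaded.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Refuse to run outside WordPress.
}

// Core: WordPress already auto-installs minor (security/maintenance) releases.
// Setting WP_AUTO_UPDATE_CORE in wp-config.php states the policy explicitly:
//   define( 'WP_AUTO_UPDATE_CORE', 'minor' ); // minor releases only (the default)
//   define( 'WP_AUTO_UPDATE_CORE', true );    // minor and major releases

// Plugins and themes are NOT auto-updated by default. Opt everything in ...
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// ... except plugins you insist on testing on a staging copy before they go live.
// The slug below is a placeholder: use the directory names of your own plugins.
function aup_plugins_updated_by_hand() {
    return array( 'example-shop-plugin' );
}

// Later priority than the blanket opt-in above, so this decision wins for the
// listed slugs and leaves every other plugin on automatic updates.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, aup_plugins_updated_by_hand(), true ) ) {
        return false; // keep this one manual
    }
    return $update;
}, 20, 2 );
```

The trade-off is the one the text describes: an automatic update can break a site, but an unapplied security fix leaves a known hole open. Keeping the exception list short and backed by a staging site is usually the better side of that trade.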
Mistake #2: Not Purchasing Quality Themes & Plugins
Poorly coded themes and plugins are a security hazard. They can slow down your website and be incompatible with your WordPress version or with each other; worse, a plugin that does not validate its input or check permissions is a ready-made entry point for attackers, and one that every site running that plugin shares.
The obvious precaution is to obtain themes and plugins only from reputable sources. There are many good ones available for free in the official WordPress.org directories. If you want a premium theme or plugin, look up Themeforest or CodeCanyon and reputed theme houses like WPExplorer. Never install “nulled” (pirated) copies of premium products; they are a common way of distributing backdoored code.
Select those which are well rated and widely downloaded. Read the reviews and check what long-term, genuine users say about them. Go through the changelog to see whether the product is updated regularly and whether security fixes are mentioned. Write to the authors to find out whether the theme or plugin is right for you before you buy. And to put any practical concerns to rest, run it on a test site first, if that’s possible.
Mistake #3: Not Updating Themes & Plugins
Just like WordPress itself, your themes and plugins receive regular updates for bug fixes and security patches. It’s your job to test these updates and then install them to keep your WordPress website safe; an unpatched plugin with a publicly known flaw is one of the most common ways a site gets compromised.
Note: One of the most common reasons people let their themes get outdated is custom code. This is why using child themes is important. If you plan on making any changes to your theme files, make them in a child theme so you can safely update the parent theme in the future.
Mistake #4: Lack of Security on Login Page
The login page is where authorized users enter the website. It is also where automated attackers try their luck, guessing passwords until one works and, if that account is an administrator, taking over the site. To prevent this, we need to harden the login page. Really, it’s not hard to do, and there are many easy tweaks that stop mischief right at your doorstep.
Change the username from the default ‘admin’, which every brute-force tool tries first, and enforce strong passwords. Limit the number of login attempts; this is particularly effective against brute-force attacks, which depend on being able to try thousands of guesses. Two-factor authentication is another easy protection to adopt: a guessed password is then no longer enough. And with Google pushing for HTTPS, stay a step ahead and enable it sooner rather than later, because over plain HTTP the login form sends your password in cleartext to anyone on the path; setting FORCE_SSL_ADMIN to true in wp-config.php makes WordPress serve the login page and dashboard over HTTPS. So, you see, the login page is a good place to start improving security on your website.
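The login-attempt limit described above, as an added example that is not part of the original post and not any particular plugin’s code. It is a must-use plugin that counts failed logins per client IP in transients and refuses authentication for an hour once five failures occur within fifteen minutes. The thresholds, the prefix `lal_` and the function names are this example’s own choices; it assumes WordPress sees the real client address in REMOTE_ADDR.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 * Description: Locks out a client IP after repeated failed logins. Place in wp-content/mu-plugins/.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

define( 'LAL_MAX_ATTEMPTS',    5 );                      // failures allowed ...
define( 'LAL_WINDOW_SECONDS',  15 * MINUTE_IN_SECONDS ); // ... within this window
define( 'LAL_LOCKOUT_SECONDS', HOUR_IN_SECONDS );        // then refuse logins for this long

/**
 * Transient key for the calling client.
 * Assumption: WordPress talks to the client directly. Behind a reverse proxy or
 * CDN, REMOTE_ADDR is the proxy, so derive the IP from the header your proxy
 * sets and trust that header only when the request comes from the proxy;
 * an X-Forwarded-For value from an unknown source is attacker-controlled and
 * would let a bot pick a fresh "IP" for every guess.
 */
function lal_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_' . md5( $ip );
}

function lal_is_locked_out() {
    return (bool) get_transient( lal_client_key() . '_lock' );
}

// Runs inside wp_authenticate(), so it covers wp-login.php and XML-RPC alike.
// Priority 30 is after the username/password check (20), so a locked-out IP is
// refused even when it finally guesses the right password.
add_filter( 'authenticate', function ( $user ) {
    if ( lal_is_locked_out() ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30 );

// Count failures per IP and lock once the threshold is reached.
add_action( 'wp_login_failed', function ( $username ) {
    if ( lal_is_locked_out() ) {
        return; // the refusal above also fires this hook; do not double count
    }
    $key      = lal_client_key();
    $attempts = (int) get_transient( $key . '_count' ) + 1;

    if ( $attempts >= LAL_MAX_ATTEMPTS ) {
        set_transient( $key . '_lock', time(), LAL_LOCKOUT_SECONDS );
        delete_transient( $key . '_count' );
        error_log( sprintf(
            'wp-login lockout: %s after %d failures (last username tried: %s)',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $attempts,
            $username
        ) );
    } else {
        set_transient( $key . '_count', $attempts, LAL_WINDOW_SECONDS );
    }
} );

// A successful login resets the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( lal_client_key() . '_count' );
} );
```

A per-IP lockout defeats the single-source brute force that most bots run, but not a slow, distributed one that spreads guesses across many addresses, which is why the text’s other measures (strong passwords and two-factor authentication) are still needed. The log line gives you something to alert on.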
Mistake #5: Improper Use of User Roles
WordPress ships with five user roles: Administrator, Editor, Author, Contributor and Subscriber. They do not all need the same privileges on your website. When you add users to your site, be careful with the privileges you grant them at the backend. Allow only as much privilege as is necessary for them to fulfil their role on the website.
Granting unrestricted access to all users makes it easier for an attacker: whichever account they manage to compromise gives them the keys to everything.
There’s really no need to give subscribers anything beyond their own profile when all they need to do is read content. Editor level access should be granted only to trusted users, and Administrator access, if at all, very sparingly: an administrator can install plugins and edit theme files, which amounts to running arbitrary code on your server. Limiting privileges and forcing users to choose strong passwords controls access to the backend to a large extent.
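One way to put least privilege into practice, as an added example that is not part of the original post: a must-use plugin that defines a narrow “Publisher” role with an explicit capability allowlist, removes a risky capability from the built-in Editor role, and lists administrators for periodic review. The role name, its capability set and the `lpr_` function and option names are this example’s own choices; the capability names and API calls are WordPress’s.

```php
<?php
/**
 * Plugin Name: Least-privilege roles (added example)
 * Description: Defines a narrow role and trims a risky capability. Place in wp-content/mu-plugins/.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Roles are stored in the database, so this only needs to run once. An option
 * records that it has, so the add/remove calls are not repeated on every request.
 */
function lpr_apply_role_policy() {
    if ( get_option( 'lpr_policy_version' ) === '1' ) {
        return;
    }

    // A "Publisher" who can write, publish and illustrate posts and handle
    // comments, and nothing else: no plugin installs, no theme file edits, no
    // user management. Every capability is listed explicitly so the grant is
    // reviewable; nothing is inherited from a broader role.
    add_role( 'publisher', 'Publisher', array(
        'read'                 => true,
        'edit_posts'           => true,
        'edit_published_posts' => true,
        'publish_posts'        => true,
        'delete_posts'         => true,
        'upload_files'         => true,
        'moderate_comments'    => true,
    ) );

    // Editors can by default post raw HTML (including <script>) thanks to
    // unfiltered_html. A compromised editor account then becomes a stored XSS
    // vector against every administrator who views the post. Editors rarely
    // need it, so remove it.
    $editor = get_role( 'editor' );
    if ( $editor ) {
        $editor->remove_cap( 'unfiltered_html' );
    }

    update_option( 'lpr_policy_version', '1' );
}
add_action( 'init', 'lpr_apply_role_policy' );

/**
 * Login names of every administrator, for a periodic review. Anyone on this
 * list who does not need full control should be moved to a narrower role.
 */
function lpr_list_administrators() {
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'user_login' ),
    ) );
    return wp_list_pluck( $admins, 'user_login' );
}
```

Because role changes persist in the database, bump the version string (and handle the old roles) whenever you change the policy, rather than editing the capability list in place and expecting it to take effect.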
Mistake #6: Not Deleting Unused Themes and Plugins
Over time we keep adding plugins and themes to our WordPress site as the need arises, but once we no longer have any use for them, we forget to delete them. It’s not enough to simply deactivate themes and plugins; delete those you do not intend to use. Deactivated plugins and themes are not loaded, so they cost no RAM, bandwidth or PHP time, but their files stay on disk and remain reachable through the web server. A vulnerability in one of those files can still be exploited if the file can be requested directly, and every inactive extension is one more thing you must keep updated, or will forget to.
Before you add a plugin, check whether WordPress can handle the function natively, or whether your theme or your host already covers it. If you have a plugin for a function that is already covered, delete it.
Now that you’re cleaning out unused plugins, go the whole distance and clean out the media library and the uploads folder as well. The uploads folder is a favourite place for attackers to drop web shells, because it is the one folder the web server must be able to write to; anything there that is not a media file you recognise deserves a close look. The wp-includes folder should contain only WordPress core files, so compare it against a fresh copy of the same version and remove anything extra. By slimming down these folders, you cut down on the places malware can hide.
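An audit of installed-but-unused plugins and themes, as an added example that is not part of the original post. It reports what is inactive and, only when explicitly asked by a user who may delete plugins and themes, removes it; the parent of the active child theme is kept, because deleting it breaks the child. The `iea_` function names are this example’s own; the WordPress calls are real, and deletion assumes WordPress can write to the filesystem directly (the usual case when the web server owns the files).

```php
<?php
/**
 * Plugin Name: Inactive extension audit (added example)
 * Description: Lists, and on request deletes, plugins and themes that are installed but not in use.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Plugins that are installed but neither active nor network-active.
 * Returns an array keyed by plugin file, e.g. 'hello.php' or 'akismet/akismet.php'.
 */
function iea_inactive_plugins() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active()
    $inactive = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( ! is_plugin_active( $file ) && ! is_plugin_active_for_network( $file ) ) {
            $inactive[ $file ] = $data['Name'] . ' ' . $data['Version'];
        }
    }
    return $inactive;
}

/**
 * Theme directories that are neither the active theme nor its parent.
 */
function iea_inactive_themes() {
    $keep     = array( get_stylesheet(), get_template() ); // child and parent
    $inactive = array();
    foreach ( wp_get_themes() as $slug => $theme ) {
        if ( ! in_array( $slug, $keep, true ) ) {
            $inactive[ $slug ] = $theme->get( 'Name' ) . ' ' . $theme->get( 'Version' );
        }
    }
    return $inactive;
}

/**
 * Delete what the two audits found. Requires an explicit $really and a user
 * holding both delete capabilities, because this removes files from disk.
 * Returns true on success, false when refused or when WordPress could not
 * get filesystem access.
 */
function iea_delete_inactive( $really = false ) {
    if ( ! $really || ! current_user_can( 'delete_plugins' ) || ! current_user_can( 'delete_themes' ) ) {
        return false;
    }
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/theme.php';
    require_once ABSPATH . 'wp-admin/includes/file.php'; // WP_Filesystem()

    $result = delete_plugins( array_keys( iea_inactive_plugins() ) );
    if ( is_wp_error( $result ) || false === $result ) {
        return false;
    }
    foreach ( array_keys( iea_inactive_themes() ) as $slug ) {
        delete_theme( $slug );
    }
    return true;
}
```

Run the two list functions first and read the output; a plugin that is inactive on one site of a multisite network may be active on another, which is why the network check is included and why deletion is a separate, deliberate step.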
Mistake #7: Not Choosing a Secure Host
Often, hackers are not targeting your site at all; they may be targeting another website that shares a server with you, and you’re just an incidental victim. On shared hosting that does not isolate customer accounts properly, one compromised website can be used to attack every other website on the server. Therefore, choose your web host with a great deal of care. As we’ve repeatedly said in our blog pages, when it comes to hosting, you get what you pay for. Cheap hosting options often compromise on security and their servers are more prone to attack. Not only that, you’ll often find support less than satisfactory when your website is under attack.
Putting down good money for quality hosting is really worth the investment. It’ll save you a load of headaches down the line, especially if your business depends heavily on your website. Need help with picking a host? Head to our list of recommended hosting options.
Mistake #8: Not Checking for Malware
Malware can enter your website without you being aware of it. It can remain hidden and do many things without your knowledge, such as tracking your visitors, stealing sensitive information like credit card details, or injecting spam links to other websites. When there’s malware lurking on your website, Google flags it in search results and Safe Browsing warnings in browsers turn visitors away, which causes a drop in traffic.
There are many plugins and services that can scan your website for malware and remove much of it. You merely have to visit a service such as Sucuri SiteCheck Scanner and enter the URL of your website. A report lists the malware detected along with recommendations on how to handle it. Bear in mind that a remote scanner only sees what your site serves to the public; a backdoor that does nothing until it is called will not show up, so a server-side scan of the actual files is needed too. For that, add a plugin and run a scan. If you wish, you can delete the plugin after use and reinstall it when you want to scan again.
Mistake #9: Not installing a Security Plugin
One of the easiest ways to beef up the security of your website is to add a security plugin. These plugins handle many issues like enforcing strong passwords, setting up a firewall, protecting against brute-force attacks and more. There are many free plugins like iThemes Security as well as many premium ones, and it’s best you install and activate one at the earliest. There are also website security services like Sucuri that offer to manage security for your WordPress website.
Mistake #10: Not Keeping Website Backups
You’d think that now you’ve done all of the above, your website is safe from the bad guys. Sorry to disappoint, but hackers keep refining their methods and new threats crop up continuously. Therefore, as a safety net, use a plugin to take a backup of your site at regular intervals and keep the copies in a safe location.
It’s not enough to back up just the database; a full backup is necessary. That includes the themes, plugins and the whole wp-content folder, as well as WordPress configuration files like wp-config.php and .htaccess. Remember that wp-config.php holds your database password and secret keys, so backups must be stored where only you can read them. Use quality plugins like BackupBuddy or VaultPress and keep them updated. Maintain multiple backup copies in different offsite and offline locations, and test a restore now and then: a backup you have never restored is not yet a backup.
Website security is not only about tall walls and fences, nor is it a one-time fix. It’s about staying ahead of the mischief makers. There are many small and easy steps you can adopt to keep a website safe and secure. Review your defences regularly to make sure they match the needs of your website, and evolve your security practices as the threats do.
If only more webmasters understood the importance of taking enough precautions and keeping the required checks in place, they could avoid the huge costs involved in restoring a hacked website.
Vishnu, thanks for such an instructive post. I think it could easily be converted into some sort of security checklist for WP newbies (an idea for content repurposing).
And I will share the link with my friends, most of whom are bloggers and webmasters.