WordPress security threats, protection tips and tricks

Robert Abela is a WordPress Security Professional and founder of WP White Security. In this interview he talks about the main WordPress security risks, offers tips for website owners on how to protect themselves, and much more.

As a WordPress website owner, what are the main security risks to be wary of?
The main security risk of having a website is being hacked. Before talking specifically about WordPress, I’d like to point out that every online website is a target. Many believe that because their website is not popular, or because it does not hold any sensitive information, it is not a target.

Hackers are after everything that your website has. They hack a website to host and transfer warez and other forms of illegal files, so they can use free bandwidth, which you pay for. They hack websites to inject links for black-hat SEO, or to inject malware and infect your visitors so they can use them as bots during a distributed hack or denial-of-service attack.

Back to WordPress: being a WordPress website owner unfortunately carries an even higher security risk. WordPress is so easy to use that the number of non-technical people who have their own websites and blogs has drastically increased. Malicious hackers know this and use it to their advantage.

They know that most WordPress website owners do not go the extra mile to secure their sites, maybe because they simply do not see any reason to do so. They also know that typically such users install any type of WordPress plugin or WordPress theme without scrutinizing it, thus making themselves vulnerable and a very easy target. And so, because WordPress is very easy to use, it is now most probably the number one target for malicious hackers.

What would you say are the most important measures you should take to secure a WordPress website?
Web security is like a living thing; it is constantly evolving. Therefore everything you do should be done with security in mind. To start off with, there are some things that you can do just once to improve the security of your WordPress blog or website, but you still have to always follow a number of rules while using WordPress. By following such rules you will be safe from most of the automated targeted WordPress attacks, which typically spread like wildfire:

1. Use strong usernames and passwords. A strong password should consist of at least 8 characters and should also include numbers and special characters such as ? and !. Avoid using dictionary words, pets’ names, partners’ names, etc.
2. Before installing a WordPress theme or plugin, do a little research about it. For example, before installing a plugin, check how popular it is from the plugin ratings and what people say about it on the WordPress support forums. Check how frequently it is updated, etc.
3. Always update your WordPress installation, plugins and themes. By using the latest version of a particular software you ensure that you are using the most secure and stable version. This does not just apply to WordPress, but to any type of software you use.
4. Trust no one. Before disclosing your WordPress password to a freelancer, make sure you verify who you are speaking to. If need be, ask for a telephone number so you can speak to the person. Before hiring a freelancer, ask your fellow bloggers to see if they can recommend someone.

What smaller measures might you take as additional precautions if you wanted to be ultra careful?
Apart from the above suggestions, which apply to everything you do on the internet and not just to WordPress, there are some other WordPress-specific things you can do to beef up the security of your WordPress blog or website.
To start off with, change the default “admin” WordPress username if you are still using it. By doing so you are automatically excluding your WordPress from the most common brute force attacks.

I would also recommend setting up HTTPS for the WordPress dashboard (wp-admin) directory. By accessing the dashboard over HTTPS (an encrypted HTTP connection) you are ruling out the possibility that a malicious user captures your connection and logs in to your WordPress.

Use WordPress user roles. If you have guest writers who write blog posts but do not publish them, give them a contributor role.

Use a WordPress audit plugin, such as WP Security Audit Log, to monitor the activity of WordPress itself and of the WordPress users, and a WordPress plugin like Old Core Files to delete redundant files from WordPress.

Of course there are many other tweaks you can apply to your WordPress installation to improve its security and ensure you do not fall victim to a malicious hacker attack. But most probably you would be better off if you talk to a WordPress Security Professional, because every WordPress installation is different and everyone has different needs.
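A concrete form of the HTTPS-for-the-dashboard recommendation in the answer above, added here as an example and not taken from the interview or from WP White Security: the wp-config.php lines that make WordPress serve the login page and dashboard only over HTTPS. It assumes the site already has a valid TLS certificate and that the WordPress address and site address are set to https:// URLs. The reverse-proxy lines are an assumption as well: they only belong in the file when a TLS-terminating proxy or load balancer sits in front of WordPress and overwrites the X-Forwarded-Proto header on every request, because otherwise a client could set that header itself and claim to be on HTTPS.

```php
<?php
// wp-config.php excerpt (added example, not from the interview).
// Place these lines above the "That's all, stop editing!" line so the
// constants exist before wp-settings.php loads.

// Weak default: if FORCE_SSL_ADMIN is left undefined (or false), WordPress
// serves /wp-login.php and /wp-admin/ over plain HTTP when asked to, so the
// password and the authentication cookie can travel in cleartext and be
// captured by anyone on the path between the browser and the server.
// define('FORCE_SSL_ADMIN', false);

// Hardened: redirect every login and dashboard request to HTTPS, so the
// authentication cookie is only ever issued over an encrypted connection.
define('FORCE_SSL_ADMIN', true);

// Only needed behind a TLS-terminating reverse proxy (assumption: the proxy
// sets X-Forwarded-Proto itself and discards any value sent by the client).
// Without this, WordPress sees only the proxy's plain-HTTP hop, decides the
// request is not HTTPS, and redirects in a loop.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
```

After adding the constant, log out, open http://example.com/wp-login.php (with your own hostname) and confirm the browser is redirected to the https:// address before the form appears; if it is not, the constant is below the "stop editing" line or the site addresses are still http://.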

What popularly suggested measures that you see promoted on the web are of little or no help? Similarly, what suggested measures are blown way out of proportion in terms of their supposed benefits?

I’ve never seen any suggested WordPress security measures that are of little or no help. Every little bit helps. In fact, when we do a WordPress security hardening, we do not just implement solutions and tweaks to keep WordPress safe from malicious attacks. We also think of when a website is hacked and apply changes to try and limit the damage a malicious hacker can do once he or she hacks the WordPress blog or website.

Many people might think that this is a waste of time, i.e. once a website has been hacked it is too late. That is simply not true. The more you limit the damage a hacker could do once he or she has intruded into the website, the cheaper and easier it would be to recover the website. Of course, if you make frequent backups of your WordPress site it would also help in the recovery process, so frequent backups are a must.
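One instance of the damage-limiting changes the answer above describes, added here as an example and not taken from the interview or from WP White Security's hardening work: wp-config.php constants that stop an attacker who has obtained an administrator session from using the dashboard as a code editor or plugin installer. Which of the two a given site can tolerate is an assumption about how the site is deployed; the second constant only makes sense where plugins, themes and core updates are applied from the command line or a deployment pipeline rather than from the dashboard.

```php
<?php
// wp-config.php excerpt (added example, not from the interview).
// Place these lines above the "That's all, stop editing!" line.

// Weak default: with nothing defined, any administrator can edit plugin and
// theme PHP files from Appearance > Theme Editor or Plugins > Plugin Editor,
// and can upload arbitrary plugin or theme archives. A stolen admin password
// or hijacked admin session therefore turns directly into arbitrary PHP
// execution on the web server and a persistent backdoor.

// Hardened, stage 1: remove the in-dashboard file editors. Installing and
// updating plugins and themes from the dashboard keeps working, so rule 3
// from the previous answer (always update) is unaffected.
define('DISALLOW_FILE_EDIT', true);

// Hardened, stage 2 (assumption: plugins, themes and core are updated with
// WP-CLI or a deployment pipeline, not from the dashboard): also block
// installing, updating and deleting plugins and themes from the dashboard,
// which implies stage 1. A compromised admin account can then neither edit
// code nor drop in a new plugin. Caveat: this also disables WordPress's own
// automatic updates, so updates must be applied by the other channel, or the
// site ends up less secure than before.
define('DISALLOW_FILE_MODS', true);
```

A quick check after the change: log in as an administrator and confirm that Appearance > Theme Editor and Plugins > Plugin Editor no longer appear in the menu; with the second constant in place, the Add New buttons under Plugins and Appearance should be gone as well.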

What important aspect of WordPress security do you see most commonly neglected by end users?
I do not think there is a specific aspect of WordPress security that is neglected. Having said that, I am not saying that WordPress administrators and users are doing it right; simply, most of them do not even bother about WordPress security. On the other hand, there are WordPress administrators who care about security, or the business they work for does and invests in WordPress security. In most cases, those who care have been hacked before, and that is why they care.

Unfortunately, people do not see any benefits in securing a WordPress blog or website until they are hacked, which is sometimes too late. Businesses have lost their reputation, and some of them even went bankrupt, when their website got hacked.

Do you have any further comments regarding WordPress security that you feel you have not covered in answering the above questions?
There is a lot of information available on the internet that can help you secure your WordPress blog or website, or get you started with it. Read, learn and try to apply what they recommend. If your WordPress is your main source of income, and maybe you do not have the time for it, or it is simply not your cup of tea, I would recommend that you outsource the job to a professional, because they can go the extra mile and give you solutions specifically tailored for your WordPress installation.

Do not wait for a malicious hacker to hack your WordPress before you start thinking about WordPress security since it might be too late. Stay secure!