It’s time to set the record straight. WordPress is not as insecure as you might think! The myth that WordPress has security flaws is completely false, and it is time to put this issue to rest and learn how you can secure your WordPress website with a few simple clicks.
How Did WordPress Get This Reputation?
To date, WordPress powers about 26% of all websites on the web, and major brands such as Wired Magazine, Mercedes Benz, TechCrunch and People magazine use the open source content management system, just to name a few. With so many famous websites and brands using WordPress, where did the reputation come from?
There are two major theories behind the criticism. The first is simply popularity: being so popular and newsworthy, any exploit or vulnerability automatically goes viral. WordPress started as a blogging platform and quickly grew into other major applications such as ecommerce and B2C websites, and the more popular WordPress became, the more attention and scrutiny it received from security professionals and experts.
The second, fair criticism came circa 2009, during a growth spurt in which WordPress made the major transition from a blogging platform to the complete website management system we see today. The security flaws mainly stemmed from third party plugins and soft spots in the core system. Within a span of a month, the core WordPress team responded with four major updates to harden security. Since then there have been tens of dozens of updates to the core system, and this is one of the reasons updating a WordPress website is critical to protecting your online presence.
“The only truly secure system is one that is powered off
cast in a block of concrete and
sealed in a lead-lined room with armed guards.”
– Gene Spafford
Why Is Your Website Security Your Responsibility?
The security of your WordPress website isn’t found entirely in the core system; securing your WordPress site is your responsibility. This is mainly because many people fail to update their core CMS in a timely manner, and any outdated version is at risk of being exploited. In one of my recent posts, titled The simple guide to backup your WordPress website, I discussed one layer of security that should not be ignored. The second barrier of defense is updating plugins, changing passwords and hardening your site against potential threats and hack attempts.
A Brief Overview of Potential Threats
As open source software, WordPress is constantly updated by experts around the world. While the central content management system is monitored and updated, there is a dark part of the web out to hack your site to gain access to information or inject links into your code. This is done anonymously through what are called “bots”. Bots are autonomous programs designed to perform simple and complex tasks more efficiently than humans, and they can mimic human behavior. You may know the legitimate bots, also known as spiders or crawlers: Google, Yahoo, and Bing use crawlers to index information for their search results. Malicious bots have different goals, such as scraping content, spreading malware, link injection, spamming, and distributed denial of service (DDoS) attacks, which can cause serious damage to your site as well as your SEO efforts.
Do All Bots And Crawlers Pose A Threat?
No, they do not. While some are malicious, the rest are harmless, legitimate bots, and this is one of the major reasons you should be aware of what traffic is entering your website: your statistics may not be as true as you might think. If you are using Google Analytics on your admin dashboard, understand that the traffic figures are not always 100 percent accurate.
Therefore, the web traffic you see on your admin dashboard is not showing you the whole picture. There is one simple reason for this: the one and only focus of Google Analytics is human traffic rather than bot activity, and not security. Human traffic is what counts for their data and all the information that goes along with it, such as time on page, top pages visited, click-through rates, impressions, actions, technology and referral sources. Knowing the exact traffic entering your site is the first step to protection. The second is knowing what to do about it and initiating a security lockdown of your website, and I will show you how in five easy steps.
What Plugins Can You Use To Check Your Traffic?
The plugins listed below can and will show you bot and crawler stats, live traffic views and more features than you can shake a stick at.
- Slimstat is a great plugin with more features than you may ever need and it is free. They do offer a premium version if you want to go beyond the free version for added features. Slimstat is a real time web traffic analytics on steroids. The features on data reporting are endless from Geolocation, filtering, multi-language support, social metrics, rankings, top traffic sources, and real time spy view of who is on your website and where they are located via IP.
- Wassup is a simple and extremely effective plugin for getting real time stats, and one of my favorites. When installed you get a simple, easy to read dashboard widget called “Wassup Summary” that tells you who has been on your site in the past 24 hours, who referred them, the type of bot/crawler, the geolocation, IP address, and pages visited. By clicking the “More Stats” link on the graph, you are shown a complete overview of your traffic: human and/or bot/crawler percentages, spam, page views, pages per visit, and visits. This is the simplest and clearest analysis of your website traffic.
- Akismet is a plugin that targets comment spam and zaps those annoying automated comments and spam link dropping that can hurt your SEO as well as annoy legitimate followers.
What Are The Security Threats To Your Website?
Malware
Short for malicious software, malware is used to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Malware injected into a website can cause the dreaded “This site will harm your computer” warning in search results, killing your SEO efforts and diverting traffic.
Hacking means breaking into the password protected sections of a website. Once inside, the hacker can do anything they desire: change the content of the website, inject links into the HTML, or scrape content, causing duplicate content issues.
One of the most common ways to obtain backlinks is to inject them into the signature of a forum post, known as comment spam. Comment spam can turn your website into part of a link farm, devalue your website, or get you penalized by search engines.
Phishing is the act of attempting to acquire information and can be a threat if you are running an ecommerce website. Phishing is a way to obtain information such as usernames, passwords, and credit card details.
Ransomware
A type of malicious software designed to block access to a computer system until a sum of money is paid. By using a DDoS attack, or the threat of one, a hacker can threaten to shut you down until you pay up.
Link spamming is a black hat SEO technique which consists of keyword stuffing, cloaking, bad backlinks, and overloading of anchor tags.
Brute Force Login Attempts
This is when someone, or a bot, attempts to gain admin access to your site by trying an enormous number of different username and password combinations.
Web scraping is a bot program or software technique for extracting information or content from websites, causing duplicate content issues that will ruin your SEO efforts even if you are the original publisher.
Spam is the flooding of comments, links, forum posts, anchor text links, or link dropping with the same message, in an attempt to force the message on people or create backlinks.
How To Secure Your WordPress Site into “Lockdown”
I prefer to layer my security and have redundancies with updates, backups and protective measures, and I have found it quite effective in protecting my sites and my clients’ websites.
- Let’s start with something I have stressed before. Keep your WordPress up to date: core WP version, theme, and plugins. To do this safely, learn how to back up and duplicate your website by cloning it and installing the copy into a virtual web environment to make sure updates don’t break your theme or functionality. If you are unsure how to do this, contact a WordPress professional or a developer and ask for an update service.
- Next, install iThemes Security (formerly Better WP Security) by iThemes. It does a fantastic job of securing and protecting your website in all the ways you need in a single click. It is packed with thirty plus features such as blocking IPs from known blacklists, scanning your core files, plugins, and themes for changes, limiting login attempts and lost password recovery attempts, and blocking any repetitive attempts by bots at hacking in general. Now let’s move on to a necessary, more advanced configuration.
- The number one configuration I do is to change the default wp-admin login page URL and the “Admin” username to something personalized. I see this ignored time and time again on many CMS systems, especially WordPress. Do not leave your username as your author name or as “Admin”. I consider this leaving the front door open to the public, inviting problems, and it’s an easy and safe change. Just make sure to note your new login URL and admin email or name, for example www.mysite.com/secureaccess.
- Protect your files, especially your .htaccess files. This can potentially break your site, so it’s best to ask a professional to do this. You could attempt it yourself by editing your .htaccess file through an FTP (file transfer protocol) program or using a free .htaccess editor plugin from the WP directory. Here’s a fantastic guide on how to do it: 12 Most Useful .htaccess Tricks for WordPress.
- Limit login attempts and monitor your traffic. Most bots try multiple combinations of usernames and passwords, mainly “Admin”, and try repeatedly to gain access to your site, so by lowering the login attempt threshold you can automatically lock out an IP that is trying to gain access and ban it permanently. We are all human, and if you are like me and have many passwords to remember, make sure to keep your login details easily accessible so you don’t lock yourself out as well.
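One way to see the last step from the server side, as an added example that is not from the original post or from any of the plugins named above: parse web server access log lines (constructed samples below, not real traffic) and flag any IP that fails the WordPress login a threshold number of times inside a short window, which is the same signal a limit-login feature acts on before locking the IP out. It assumes the standard combined log format and the default /wp-login.php login path (adjust the path if you renamed your login URL as recommended).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of combined-format access log lines (not real traffic). A failed
# WordPress login re-renders the form (POST /wp-login.php -> 200); success redirects (302).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2016:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2016:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.9"
192.0.2.9 - - [10/Mar/2016:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.9"
192.0.2.9 - - [10/Mar/2016:13:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.9"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Return one log line's fields as a dict (timestamp parsed), or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def is_failed_login(rec):
    # Login path assumed to be the default; change it if you renamed your login URL.
    return rec["method"] == "POST" and rec["path"].startswith("/wp-login.php") and rec["status"] == 200

def find_brute_force(log_text, threshold=3, window_minutes=10):
    """Map each IP with >= threshold failed logins inside any window to its total failure count."""
    window = timedelta(minutes=window_minutes)
    attempts = defaultdict(list)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if is_failed_login(rec):
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0  # oldest attempt still inside the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

With the sample data only 203.0.113.7 is flagged; 192.0.2.9 also fails three times but an hour apart, which is why the window matters as much as the count.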
How To Secure Your WordPress Site into “Lockdown”: The Checklist
Here is a link to a great checklist using the iThemes Security plugin to secure and lock down your WordPress site.
The Wrap Up And Final Thoughts
Every website is vulnerable to hacking attempts. When you protect your WP site and keep it updated, maintained, and backed up, you not only secure your site and your customers’ sensitive information but also prevent any major crisis from taking down your site or forcing you to revert to previous versions. WordPress can be extremely secure if you take the precautionary steps to secure it properly, with a little time and know-how.