Keeping your WordPress site safe from hackers is not a difficult task if you are aware of potential threats and know what to expect. However, with so many opinions, advice, and rumors about questionable WordPress security, you may get confused: which dangers are real, which tips work, and what tools can actually help to protect your site?
In this article, we take a look at ten most common statements about WordPress security to find out whether or not they are true.
#1 My Site Is Too Small / Not Interesting for Hackers
Many website owners still believe hackers only target large corporations with sensitive business data. You may also think that your travel blog or a small-scale clothing e-shop is too tiny and not interesting for hackers. Actually, it’s quite the opposite – small websites are especially at risk because most of the time they aren’t properly secured.
Make no mistake here – hackers aren’t interested in your personality, nor do they care how many visitors per month come to your website. And it’s not always the money or sensitive business data they are after. Once broken, your site can be used to distribute spam or send your visitors to a malicious website to trick them into downloading trackers, viruses, or other malicious software.
What’s more, you should forget the image of a mysterious hooded man trying to break into your website. Most of the attacks these days are performed by bots, which don’t care who you are or what’s on your site. Bots are nothing but software applications that run automated tasks, such as scanning the Internet for vulnerabilities and attacking weak, unprotected websites. Therefore, they may attack any site, even a fresh one that hasn’t received any traffic yet.
This is why it doesn’t even matter how big your site is – there’s always a chance for it to be hacked.
#2 WordPress Is Not Reliable CMS
With more than 74 million websites, the most popular CMS (Content Management System) in the world certainly is a very juicy target for hackers. But even if WordPress may be subject to more hacking attempts than its competitors, this doesn’t mean you shouldn’t trust the system.
The opposite is true. The WordPress developers are very diligent and fix vulnerabilities as soon as they come into light. And your site could be way more secure if you could just bother to install those regular security updates.
It’s unfortunate, but many people don’t take good care of their websites, leaving their doors wide open for cyber bad guys. According to WP WhiteSecurity, the majority of WordPress sites are vulnerable precisely because they run outdated versions of WordPress. So just to be on the safe side – check what version of WordPress you are using, and if necessary, update it immediately.
#3 You Can’t Trust WordPress Plugins
There are more than 54,000 plugins in the WordPress directory, so it’s safe to assume that some of them may have security problems. For this reason, WordPress has a robust feedback and review system allowing its users to evaluate plugins, leave their comments and report any issues.
So it’s always important to check the rating of the plugin you’re about to download, as well as to read what other users have to say about it. If you notice anything suspicious, don’t download the plugin.
It’s also important to look after your plugins. Update them to the latest versions as soon as the updates are released, especially if they include security fixes. Remove plugins you no longer need, because outdated plugins pose a greater security risk than those receiving regular patches.
#4 Strong Credentials Are Enough to Secure My Website
A unique, complex password is a must for all your accounts and your WordPress site is no exception. Naturally, when it comes to creating a new password, simplicity is hard to resist. Using your name combined with your birth date as a password, or setting the same password for multiple accounts is the worst thing you can do. Never do that.
But even a hard-to-guess password is not always enough as hackers may use other methods to break into your account. So to ensure the safety of your WordPress site, it’s recommended to use 2FA (Two Factor Authentication), which will add an extra security layer to your account. With 2FA enabled, cybercriminals won’t be able to access your account even if they discover your carefully created password.
#5 An SSL Certificate Is Enough to Secure My Website
A SSL (Secure Socket Layer) certificate adds an extra layer of security to communications that take place between your website and its visitors. While the SSL protection is a significant step towards better security, it isn’t enough to keep your website safe from hackers and other snoopers.
The thing is that SSL only encrypts the data in transit, but not the data that is hosted on the site. So to make sure your site is properly secured, you will also need additional security tools, such as web application firewall, and up-to-date plugins.
#6 Limiting Login Attempts Is The Best Option to Avoid Brute Force Attacks
By default, WordPress allows its administrators to enter their password as many times as they want. While it’s handy if you are having a hard time remembering your login details, it is also a good opportunity for hackers to pull off a brute force attack.
A brute force attack is a hacking technique that aims at getting access to user accounts by entering thousands of possible username/password combinations. Usually, this type of attack is performed by simple scripts, called bots.
One of the most common methods for preventing brute force attacks is limiting login attempts. For example, if a hacker (or a bot) enters a wrong password three times, the account will be locked and remain that way until an administrator unlocks it. However, if a malicious user locks multiple accounts, this can cause a denial of service for the victims and lots of headaches for the administrator.
So a better option here would be to implement a progressive delay technique that locks out user’s account for a certain period of time after a specified number of failed login attempts.
#7 Hiding the Website Login Page Will Prevent Brute Force Attacks
Many WordPress users believe that hiding the login page or the “wp-admin” folder will keep their account safe from brute force attacks.
While this is better than nothing, moving or hiding the access point won’t protect your page against sophisticated hacking attempts. Cybercriminals these days are smarter than you may think, and with the right tools they can easily find and break your hidden page or folder. From there, they can use your website for nefarious purposes.
#8 You Should Change the Database Table Prefix to Enhance Security
A popular myth among WordPress administrators is that modifying the prefix (“wp_”) of the WordPress database tables will keep their website safe from SQL injection attacks.
However, there’s no proven evidence that this action could somehow protect your site from malicious attacks. What’s more, if not done carefully, this modification can even break your website.
#9 IP Address Blocking Can Save You From Hackers
There are a number of WordPress plugins that claim to block malicious users based on their IP addresses. While such method may be a good solution to block spam and avoid some hacking attempts, it won’t make your site safe from all malicious visitors.
The main problem with this technique is very simple: with proper tools anyone these days can mask their IP address, so if you block a specific IP, chances are you will be attacked from another one.
#10 If My Site Was Compromised, I’d Know About That
On the contrary – most site owners that have been targeted by hackers, don’t realize it or find out about the hack way too late.
No one, except amateur teenager hackers, is interested in simply breaking down your website. Most sites are hacked so they can be used for other purposes: for example, luring your readers into downloading malicious software. So if your site works fine, it doesn’t mean it’s not spreading malware. If you want to be sure, run malware scanning from time to time.
#11 WordPress Sites Don’t Need Maintenance
If you have just built your first site and think your job is finished here, think again. Having a WordPress site is more than constantly filling it with new content. If you want to keep it safe, you will have to perform regular maintenance, which basically means installing new updates whenever they come out.
You should also take care of your site even if you no longer use it. Otherwise, it can fall into the hands of the bad guys. So if you don’t feel like creating new posts anymore, it’s better to take down your site rather than leave it open for cyber attacks.
#12 WordPress Is 100% Secure
While many question the WordPress security, others feel completely confident and don’t even think about additional security measures.
Even though we are positive that WordPress is a reliable CMS, it’s true it can’t guarantee 100% safety for your website. In fact, no service or tool can. Security vulnerabilities always exist, and cyber criminals are fast to find and exploit them.
#13 Disabling Old Plugins Is Safe
This is a common mistake many site owners do – instead of removing old plugins, they choose to disable them.
Keep in mind that even inactive plugins and themes can be exploited because they don’t receive necessary updates and fixes. You can update disabled plugins regularly, but it simply doesn’t make sense if you no longer need them. So for the sake of your site’s safety, make sure to remove everything you don’t use anymore.
#14 It’s Safe to Update Your WordPress On Public WiFi
While it’s true you should keep your WordPress up-to-date, never do that on public WiFi. Such networks are usually poorly secured, making it extremely easy for cybercriminals to intercept your traffic while you are installing your updates.
Another option is to make use of a Virtual Private Network that will help you stay safe any time you go on the Internet, including the times you are using public WiFi. What a VPN does, it hides your IP address and encrypts your Internet traffic, making it impossible for anyone to monitor or track you. This means that if anyone decides to spy on your communications to find out your passwords or steal other sensitive information, they won’t be able to do that.
#15 Regular Updates Will Keep My Site 100% Safe
While keeping your WordPress site up to date is a must, even this precaution, unfortunately, can’t guarantee you ultimate protection from cyber attacks. The truth is, there’s no single tool that will make your site hacker-proof, but by following the best security practices and applying the right measures, you can fix certain vulnerabilities to minimize the risk of falling a victim of cybercrime.
Being aware of possible threats, creating strong, complex usernames and passwords, and installing reliable plugins from trusted sources is a good start. Arm your site with a good firewall, add two-factor authentication to your logins, update your software on time, and your site will be able to resist certain hacking attempts way better than those with poor protection.