For website owners, the importance of cybersecurity is increasing significantly. A website owner’s online presence is far greater than that of the average web user, and their sites are a hotbed for digital assets and sensitive information. Unfortunately, this makes them a priority target for cybercriminals.
Hackers may infiltrate website domains to farm personal information for identity theft or directly aim for your finances if they’re interested in quick monetary gain.
Choosing a secure Content Management System (CMS), therefore, is essential to success. WordPress receives regular praise for its high levels of security. The core system is so expertly designed and coded, and so many plugins exist with security at the forefront, that a staggering 25 percent of websites on the internet now use the CMS.
These four facts are worth serious consideration when securing yourself using WordPress…
1. 73 Percent of WordPress Sites Are Vulnerable to Attack
WordPress is ideal for new users, as there are endless forums and tutorials available to answer questions and resolve queries. Similarly, it’s a favorite with designers for its streamlined ease of use, making it simple to collaborate and ensure your theme supports privacy.
Unfortunately, all these factors lull users into a false sense of security. The support is so accessible it leads many to fail to consider that nothing online is impenetrable.
The risks of putting too much faith in your CMS are numerous, but here are some of the most common types of attacks:
- Brute Force Attacks – Many sites have been breached because the username was never changed from ‘admin’, effectively giving hackers 50 percent of login details.
- DDoS – March 2014 saw a large-scale layer 7 DDoS attack that was caused by an unresolved vulnerability in the pingback feature.
- SQL Injection – It’s difficult to control data input from your site’s visitors, making SQL injections a significant WordPress risk.
- Cross Site Scripting (XSS) – According to Wordfence, cross-site scripting issues make up 47 percent of WordPress vulnerabilities.
2. Personal Security Equates to Website Security
Security tactics rarely target your actual website by itself. Users can spend countless hours honing the perfect plugin and app arrangements. That being noted, this effort is futile if your own personal security practices are sloppy.
It’s necessary to dedicate equal focus to securing home (or office) systems as you do website security. This practice can be broken down further into two categories.
Picture this: a rampant virus has found its way into your computer. It’s left unchallenged. You log into your admin panel and start playing around with HTML. The virus now has a direct route to infect your website, one that no plugin or browser extension can contest.
It’s essential to stay safe at home to avoid this happening. Here are a few tactics and tools you can employ:
- Personal & Network Firewall – Be sure to understand the difference and utilize the correct option for your needs.
- Antivirus & Regular Scans – Performing frequent checks using good software is essential.
- Safe Browsing – Certain domains put you at more risk than others; porn, gambling and torrent sites should generally be avoided.
- Turn Off the WiFi – We don’t need to be online all the time; disconnect when not in use.
Public WiFi is a convenient way to catch up on messages while out of the office, but these networks are notoriously insecure. Due to their open nature, it's easy for users to intercept your data; hackers even set up rogue hotspots with the sole intent of farming your information. By logging into your email, admin panel or any associated account, you are allowing cybercriminals full access to your domain.
Fortunately, you don’t have to sacrifice the convenience. By using a Virtual Private Network (VPN), you can encrypt your data and protect yourself from prying eyes. This Secure Thoughts review provides a more detailed explanation for those wishing to investigate further.
Similarly, using Two-Factor Authentication is a great way to add an extra layer of protection. Because a code from a third-party device is required when logging in, hackers will be denied entry even if they have your passwords.
3. 52 Percent of Reported Vulnerabilities Were from Plugins
Plugins make up a significant amount of the security features on WordPress. However, they also are the most likely element to contain vulnerabilities. Rogue plugins can be detrimental and are unfortunately easy to overlook.
An example of this was flagged recently. The plugin “401 to 303” was found to be injecting ads into sites that were visible to search engines but not visitors. This technique is called ‘cloaking’ and is banned by Google.
Fortunately, once you’re aware of the problem, it’s relatively easy to avoid. Follow these tips when choosing your plugins:
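A check for the cloaking described above, as an added example that is not part of the original article or of any plugin's code: it compares two saved copies of the same page from your own site and lists the external hosts that appear only in the copy served to a search-engine crawler. The site name, the sample HTML and the function names are constructed for illustration, and it assumes you have saved one copy requested with a crawler User-Agent and one with a normal browser.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect the host of every <a href>, <script src> and <iframe src>."""
    ATTRS = {"a": "href", "script": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                host = urlparse(value).hostname  # None for relative links
                if host:
                    self.hosts.add(host.lower())


def external_hosts(html, site_host):
    """Hosts referenced by the page that are not the site or its subdomains."""
    parser = LinkCollector()
    parser.feed(html)
    return {h for h in parser.hosts
            if h != site_host and not h.endswith("." + site_host)}


def cloaked_hosts(crawler_html, visitor_html, site_host):
    """External hosts present only in the copy served to the crawler."""
    return sorted(external_hosts(crawler_html, site_host)
                  - external_hosts(visitor_html, site_host))


# Constructed sample input: the crawler copy carries two injected ad links.
SITE = "blog.example"
VISITOR_HTML = """<html><body>
<a href="/about">About</a>
<a href="https://blog.example/post/1">Post</a>
<script src="//cdn.example.org/jquery.js"></script>
</body></html>"""
CRAWLER_HTML = VISITOR_HTML.replace(
    "</body>",
    '<div><a href="http://ads.example.net/offer">cheap offers</a>'
    '<a href="https://Promo.Example.net/x">promo</a></div></body>')

if __name__ == "__main__":
    print(cloaked_hosts(CRAWLER_HTML, VISITOR_HTML, SITE))
```

An empty result only means the two saved copies reference the same external hosts; a plugin that decides what to serve by something other than the User-Agent would need copies captured accordingly.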
- Stick to established vendors
- Check reviews
- Self-audit code (if you have the skills and time)
- Utilize trusted security scanners
- Explore independent plugin marketplaces for extra feedback
- Always check plugin changelogs after a WP update – even if the plugin still functions, there may be dangerous security holes.
Some examples of trusted providers include:
- Sucuri Security – for scanning your site
- Centrora – a plugin firewall
- Akismet – protects from malicious code injections via a comments section
4. Shared Vs Managed Hosting: The Difference Matters
One key element of using WordPress is that it’s independently hosted. For new or budget websites, often the only factor that comes into play here is cost. It's easiest to just opt for the cheapest hosting available, but it's not always the smartest choice.
Here is why:
There are two different types of hosting – shared and managed. Shared hosting involves thousands of domains using the same server. Because of this, there's the very real possibility of experiencing the ‘bad neighbor’ effect.
The theory is that, if any site on the server is neglecting security, all other sites are at risk. This theory came to fruition in 2010 when a mass website hack affected thousands of sites; the common denominator was that all the domains were using shared hosting.
Managed hosting, on the other hand, radically reduces your risk of attack. WordPress offers this option; the server still has multiple users but all are covered by WP security protocols. They also run daily malware checks, update automatically, provide fixes for attacks and significant support for users. These features mean it's undoubtedly the more secure option.
As unfortunate as it seems, there will never be a way to create absolute security. Staying informed and up-to-date is the best tactic you have.
The key takeaway points to remember are:
- Don’t assume anything is 100 percent secure.
- Maintain a high level of personal security.
- Be stringent with plugin choices.
- Meticulously explore your hosting options.
If you know of another WordPress Security fact that deserves a spot on this list, we'd love to hear your suggestion. Comment below and communally we can work to increase WordPress security for all.