WordPress security is one of the greatest challenges facing small businesses these days. Every 24 hours, more than 30,000 WordPress sites get hacked. I often get asked why hackers would care about some obscure small business website, especially those run by home-based business owners, that don’t even have the ability to take payments. The reason has nothing to do with accessing credit card information. Hackers are interested in using legitimate servers to send spam and to hijack search results. It’s no different from thieves stealing cars to commit their crimes. And just as when your car is stolen for criminal purposes, the consequences can be harsh. When your web server is used to launch spam or to inject other sites with malware, it comes back to haunt your brand. Left undiscovered long enough, your server will be blacklisted so that your site can’t be found online. Resolving that takes a lot of time, energy and money, and while it drags on nobody can find your site.
A WordPress security audit is essential for every small business owner. You can perform this yourself or have a professional do it.
Here are some quick tips to help you determine how secure your website is, and a few ways to improve your security.
Is there a user account using the “admin” username?
By default, WordPress sets up the new user account with the username “admin”, so obviously this becomes the first point of attack. Step one in your WordPress security audit is to remove that user account. If you have a user with that username, create a new one with a more obscure name such as first initial and last name or even first and last name, and give that one administrative privileges. Log out and log back in using the new account you just created. Then delete the “admin” user account. When asked what to do with the content owned by “admin,” assign it to the new account you just created.
Review password strength
Perhaps it shouldn’t surprise us that vast numbers of people still use passwords like “1234” or “password”, because with all the passwords we have to enter, it can be overwhelming to use more difficult ones. Unfortunately, hackers know what the most common passwords are. Hundreds of lists have been compiled and distributed containing passwords that have been compromised, and these are the first ones tried in brute-force attacks. In fact, it’s quite likely that your own passwords are floating around out there somewhere, gained from a compromise of your email account or of a site that you frequently visit. If you use the same password for multiple sites, you are at great risk of compromise.
The stronger the password, the less likely it is to be guessed. So it’s vital that you require every administrative-level user on your site to use what WordPress defines as “strong” passwords. These include a combination of upper- and lower-case letters, numbers and at least one symbol.
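To make the audit step concrete, here is an added example (not code from the article) that checks candidate passwords against the “strong” rule just described and against a short list of leaked passwords. The minimum length of 12, the word list and the function names are this example’s own assumptions; the real leaked-password lists the article mentions are far longer.

```shell
#!/bin/sh
# Added example (not from the article): enforce the "strong" password rule the
# article describes (upper- and lower-case letters, digits, at least one symbol)
# and reject anything that appears in a list of commonly used passwords.
# The 12-character minimum and the word list below are this example's assumptions.

# Constructed stand-in for the leaked-password lists the article refers to.
COMMON_PASSWORDS='password
123456
1234
qwerty
letmein
admin
welcome
Password1!'

MIN_LENGTH=12

# Returns 0 if the password meets the policy; otherwise prints the reason and returns 1.
wp_strength_ok() {
    pw=$1
    # Leaked-list check first: a password on that list is weak no matter how it looks.
    if printf '%s\n' "$COMMON_PASSWORDS" | grep -qixF -- "$pw"; then
        echo "rejected: appears in a list of commonly used passwords"
        return 1
    fi
    if [ "${#pw}" -lt "$MIN_LENGTH" ]; then
        echo "rejected: shorter than $MIN_LENGTH characters"
        return 1
    fi
    # Character-class rules, written as POSIX case patterns so they work in plain sh.
    case $pw in *[[:upper:]]*) ;; *) echo "rejected: no upper-case letter"; return 1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "rejected: no lower-case letter"; return 1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "rejected: no digit"; return 1 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) echo "rejected: no symbol"; return 1 ;; esac
    echo "ok"
    return 0
}

# Audit a list of candidate passwords (one per line on stdin). Reports weak ones by
# line number rather than echoing the password itself; returns the number of weak entries.
audit_password_list() {
    weak=0
    line=0
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        line=$((line + 1))
        [ -z "$candidate" ] && continue
        if ! reason=$(wp_strength_ok "$candidate"); then
            weak=$((weak + 1))
            echo "line $line: $reason"
        fi
    done
    return "$weak"
}

# Example run on constructed input: prints "line 1: rejected: ..." and exits with status 1.
# printf 'password\nCorrect-Horse7Battery\n' | audit_password_list
```

The leaked-list check runs before the character rules on purpose: “Password1!” satisfies every class rule and still fails, which is exactly the point the article makes about common-password lists.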
The best protection, especially if you have several admin users, is to apply two-factor authentication. With this system, each admin user must also enter a numeric code that is sent by email or to a mobile phone. This makes it very unlikely that your login will be compromised, because the hacker would also need access to your email account or phone.
Are your plugins, theme and WordPress software up to date?
New security holes are discovered nearly every other week, and this leads to patches and updates for WordPress, the various plugins your site uses, and your theme. If these are out of date, there’s a good chance that your system includes known security holes that can easily be compromised. Your WordPress security audit should include a review of your plugin versions.
Unfortunately, updating plugins, WordPress and especially your theme is not without risk. Plugins are created by a variety of third-party vendors that don’t generally talk to each other. They often write their code in ways that don’t follow official coding recommendations. This means that updates can break your site or break other plugins. It’s not uncommon for an update to suddenly cause other things on your site to generate errors, even fatal ones that cause your site to fail completely.
Before updating, make a backup of your site and download it so you have it handy if you need to do an emergency restore. Then update one plugin at a time, checking the site after each one.
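The “back up, then update one plugin at a time and check the site after each one” routine, as an added example script (not the article’s own code, and not WordPress tooling) built on WP-CLI. It assumes WP-CLI and curl are installed, that it runs from the WordPress root directory, and that SITE_URL points at the site’s public home page; the smoke check is this example’s own heuristic, and the URL and backup directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): back up, then update plugins one at a time,
# stopping at the first update that breaks the site so the culprit is obvious.
# Assumes WP-CLI and curl, run from the WordPress root. Placeholders below.

SITE_URL=${SITE_URL:-https://example.com/}        # placeholder: your site's home page
BACKUP_DIR=${BACKUP_DIR:-$HOME/wp-backups}        # placeholder: where backups go

# Decide from an HTTP status code and the page body whether the site still works.
# Kept free of network calls so it can be exercised offline. Returns 0 when healthy.
site_looks_healthy() {
    status=$1; body=$2
    [ "$status" = "200" ] || return 1
    case $body in
        *"Fatal error"*|*"Parse error"*|*"Error establishing a database connection"*) return 1 ;;
    esac
    [ -n "$body" ]      # an empty 200 response is not a working site either
}

# Fetch the home page and apply the check above.
# curl: -s quiet, -o save body to a file, -w print only the HTTP status code.
site_smoke_check() {
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$SITE_URL")
    body=$(cat "$tmp")
    rm -f "$tmp"
    site_looks_healthy "$status" "$body"
}

# Database dump plus an archive of wp-content (themes, plugins, uploads): both halves
# are needed for an emergency restore, and both go into BACKUP_DIR with a timestamp.
backup_site() {
    mkdir -p "$BACKUP_DIR"
    stamp=$(date +%Y%m%d-%H%M%S)
    wp db export "$BACKUP_DIR/db-$stamp.sql" || return 1
    tar -czf "$BACKUP_DIR/wp-content-$stamp.tar.gz" wp-content || return 1
    echo "backup written: $BACKUP_DIR/db-$stamp.sql and wp-content-$stamp.tar.gz"
}

# Update each plugin that has an update available, checking the site after every one.
update_plugins_one_at_a_time() {
    site_smoke_check || { echo "site is already unhealthy; fix that before updating"; return 1; }
    for plugin in $(wp plugin list --update=available --field=name); do
        echo "updating $plugin"
        wp plugin update "$plugin" || { echo "update of $plugin failed"; return 1; }
        if ! site_smoke_check; then
            echo "site broke after updating $plugin; restore from $BACKUP_DIR and investigate"
            return 1
        fi
    done
    echo "all plugins updated; site healthy"
}

# The real work only runs when asked for explicitly, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    backup_site && update_plugins_one_at_a_time
fi
```

Run it as `sh update-plugins.sh --run` from the WordPress root. Stopping at the first failing plugin, rather than updating everything and then looking, is what makes the one-at-a-time advice useful: the last plugin named in the output is the one to roll back.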
Theme updates are even more challenging, because they often cause settings or widgets to be moved or deleted. Before doing a theme update, take a screenshot of every active widget. Copy the contents of each widget containing any text or code, and store that copy in a safe place. Note where each widget was located. After the theme update, the widgets may well have been moved to the “Inactive Widgets” area; these steps allow you to move them all back into place afterwards.
Finally, before you complete the update, export the “settings” of your theme (typically a JSON file), as well as the settings of special plugins like Revolution Slider. And I recommend also exporting all your content as an XML file as a secondary backup.
Once you’ve done all this, it’s time to update your theme. Put your site into Maintenance Mode. Switch to a different theme, such as the default Twenty Seventeen theme. Then delete the theme you were using (keep the child theme in place if you use one). Install the new version of the previous theme and activate it. Update any required plugins that came with the theme. Switch back to the child theme if you use one. Then check whether widgets or settings have moved or been deleted. When everything is back where it should be, you can turn Maintenance Mode off.
Check for unnecessary users
The fewer admin-level users you have, the better. If your site has multiple administrative users, check for any that are inactive and switch them to a lower level of authority until you need them again. Ask yourself whether all the administrative-level users need that level of authority. It may be possible to lower their authority to Editor or Author so that they can do their job without posing a major security risk.
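The two user checks from this audit (the “admin” username from the first section, and the number of administrators from this one) and the article’s fix for the “admin” account, as an added example (not the article’s own code, and not WordPress tooling) built on WP-CLI. The audit works on a CSV export of the site’s users; a constructed sample is embedded so it can be run offline, and the threshold of two administrators, the sample logins and the function names are this example’s assumptions.

```shell
#!/bin/sh
# Added example (not from the article): audit the user list for the default "admin"
# account and for too many administrators, and replace "admin" the way the article
# describes, via WP-CLI. The sample data and the threshold are constructed for the example.

# Constructed sample in the column order used below: ID,user_login,roles,user_registered
SAMPLE_USERS='ID,user_login,roles,user_registered
1,admin,administrator,2015-03-02 10:11:12
2,jsmith,administrator,2016-07-19 08:00:00
3,kwong,administrator,2017-01-05 14:30:00
4,editor1,editor,2017-02-01 09:00:00'

MAX_ADMINS=2      # assumed threshold for "too many administrators"

# Real WP-CLI command that produces the same CSV shape on a live site (run from the
# WordPress root). Assumes one role per user; multi-role users would need proper CSV quoting.
export_users() {
    wp user list --fields=ID,user_login,roles,user_registered --format=csv
}

# Reads the CSV on stdin, prints one FINDING line per problem, returns the number of findings.
audit_users() {
    awk -F, -v max="$MAX_ADMINS" '
        BEGIN { n = 0; admins = 0; names = "" }
        NR == 1 { next }                                   # skip the header row
        $2 == "admin" {
            print "FINDING: default \"admin\" account still exists (ID " $1 ")"; n++
        }
        index($3, "administrator") {
            admins++
            names = (names == "" ? $2 : names ", " $2)
        }
        END {
            if (admins > max)
                print "FINDING: " admins " administrators (" names "); review whether all need that role", n++
            exit n
        }'
}

# Offline demonstration on the constructed sample; on a real site use: export_users | audit_users
run_sample_audit() {
    printf '%s\n' "$SAMPLE_USERS" | audit_users
}

# The article's fix, as WP-CLI commands: create the replacement administrator, then
# delete "admin" and hand its content to the new user. WP-CLI runs outside the browser
# session, so the article's log-out/log-in step does not apply here.
# Arguments: new login name, e-mail address. Requires WP-CLI in the WordPress root.
replace_admin_user() {
    new_login=$1; new_email=$2
    new_id=$(wp user create "$new_login" "$new_email" --role=administrator --porcelain) || return 1
    echo "created $new_login (ID $new_id); set a strong password with: wp user update $new_login --user_pass=..."
    wp user delete admin --reassign="$new_id" --yes
}

# Lower an inactive administrator to Editor, as the article suggests.
demote_to_editor() {
    wp user set-role "$1" editor
}
```

On the constructed sample the audit reports two findings: the “admin” account still exists, and three administrators exceed the assumed limit of two. The awk script exits with the number of findings, so a cron job or pre-deployment check can fail on a non-zero status.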
Review your backup strategy
It’s absolutely critical that you have a strong backup system in place. Your WordPress security audit isn’t complete without a look at your backup strategy. Is your site being backed up automatically? If so, do the backups consist of just the database or also the files? How often do the backups take place? Where are they stored? Most backup plans store the backup files on the same server that hosts the site. In that case, if something catastrophic were to happen to the server, your backups would disappear along with your site. It’s always better to store a copy of the backups in a secondary location geographically separated from the server that hosts your site. How many backups are you keeping? If your site is hit by malware, you may have several backup files that contain the same malware infection. Keeping an older version allows you to restore a pre-malware version of the site.
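The retention and off-site parts of that strategy, as an added example script (not the article’s own code). It assumes a directory that already receives nightly database dumps and file archives (for instance from `wp db export` and tar), that rsync and SSH access to a second host are available, and that the host name, directory, 30-day window and the warning threshold of seven files are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the article): keep a long enough backup history to restore a
# pre-infection copy, and mirror it to a second, geographically separate location.
# Assumes dumps (*.sql) and archives (*.tar.gz) already land in BACKUP_DIR nightly.

BACKUP_DIR=${BACKUP_DIR:-$HOME/wp-backups}                    # placeholder
OFFSITE=${OFFSITE:-backup@offsite.example.net:wp-backups/}    # placeholder, not a real host
KEEP_DAYS=${KEEP_DAYS:-30}                                    # assumed retention window
MIN_FILES=7                                                   # assumed "history too short" threshold

# Delete dumps and archives older than the given number of days, then print how many
# remain so the caller can notice when the history has become too short to be useful.
prune_backups() {
    dir=$1; days=$2
    find "$dir" -type f \( -name '*.sql' -o -name '*.tar.gz' \) -mtime +"$days" -exec rm -f {} +
    find "$dir" -type f \( -name '*.sql' -o -name '*.tar.gz' \) | wc -l | tr -d ' '
}

# Mirror the local backup directory to the second location. Pruning is local only:
# without --delete, rsync leaves the off-site copy's longer history intact.
copy_offsite() {
    rsync -az "$BACKUP_DIR"/ "$OFFSITE"
}

# Nightly job: prune locally, warn if the history is thin, then push off-site.
# Example cron line to run it at 03:00 every night:
#   0 3 * * * /bin/sh /path/to/this-script.sh --run
nightly_retention() {
    remaining=$(prune_backups "$BACKUP_DIR" "$KEEP_DAYS") || return 1
    if [ "$remaining" -lt "$MIN_FILES" ]; then
        echo "warning: only $remaining local backup files left; check that the dump job is running" >&2
    fi
    copy_offsite
}

if [ "${1:-}" = "--run" ]; then
    nightly_retention
fi
```

The warning matters as much as the pruning: a backup job that silently stopped months ago looks identical to a healthy one until the day a restore is needed, and a thin history is the earliest visible symptom.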
There are many other things you can do to improve the security of your site, but they are quite technical and beyond the scope of this article. These include crowd-sourced IP address tracking, “away” mode login restrictions, changing WordPress salts, locking out default WordPress back doors, applying lengthy waits after a couple of failed login attempts and much more. If you are interested, contact the author for more information.
This article was written by George Pytlik, the Breakfast of Champions’ web designer. He offers a low-cost maintenance plan for WordPress sites that does all this and much more, a system designed to help business owners improve the power of their brand. Learn more about it here.