Our Army of Flying Monkeys Team just did our 1st 2017 round of security updates and maintenance scheduled tasks on our past clients WordPress websites to avoid Common Security Issues.
One thing that was asked of us was why they should be concerned about potential WordPress security issues. So we thought we’d simply lay out some of the most common WordPress security vulnerabilities, along with steps you can take to secure and protect your WordPress site.
All of our clients have had these steps taken for them by the amazing Monkey Team!
What Part of WordPress is vulnerable?
Not just the core WP install on your site of course, and actually it seems that our extremely useful plugins are the major culprit!
According to a recent report by wpscan.org, of the 4000 plus known WordPress security vulnerabilities:
- 52% are from WordPress plugins
- 37% are from core WordPress
- 11% are from WordPress themes
The Top 4 Security Cracks in WordPress Installs
Here are the list of Top 4 factors can make your WordPress site more vulnerable to successful attacks.
Problem #1 – Weak Passwords
Allowing the use of weak passwords on your website is for sure the biggest security vulnerability that we can ALL easily avoid. Your WordPress admin password ESPECIALLY should be strong, include multiple types of characters, symbols or numbers, and we recommend using a biggie 16 character one. In addition, your password should be specific to your specific WordPress site and not used anywhere else.
Answer #1 – Use a strong password.
WordPress password security is one of the easiest and most important ways you should use to secure your WordPress website.
So here’s the starter check-up:
- If any of your users are currently using any password that contains fewer than 6 characters/letters, you have to change it like right now. A simple bot can break through this in a matter of minutes/hours.
- If you’re currently using the same password on more than one login,you have to change it like right now.
- If you’ve had the same password on any of your WordPress sites for more than 6 months,you have to change it like right now.
Start practicing good WordPress password security from now on in, especially if you’re an ADMIN user.
We strongly recommend all our clients that they just don’t login as Admin unless they have to. 99% of all work done on a website can be done as EDITOR.
We recommend to our clients that they use a Password Manager and creator to get this strong enough. Currently we use LastPass and recommend this to our clients.
Many of the Security Plugins have an excellent feature to enforce strong passwords, check out :
- Bulletproof Security
- iThemes Security Limit Login
- Or you can use a sepcific plugin like the Login LockDown plugin
Problem #2 – Not Updating WordPress, Plugins or Themes
Running old and outdated versions of WordPress, plugins and themes will for sure leave your CMS open for attacks. Version updates normally include patches for security issues in the WP code, so it’s really important to always run the latest version of all plugins, themes and software on your WordPress website.
A warning icon in your Admin Bar will pop-up in your WordPress dashboard as soon as they’re available (if you are logged in as Administrator). Make a practice of running a backup (come on do we really have to say this bit?) and then installing all the available updates, one by one for safety, every time you login to your WordPress site as Admin. While the task of running update seems more than a little inconvenient, it’s one of the most important WordPress security best practices.
If you manage more than one WordPress website, a tool like iThemes Sync or GoDaddy’s ManageWP can be a big help, giving you one dashboard to manage many many WordPress sites.
Answer #2 – Keep your WordPress site updated.
Again: keeping your WordPress site up to date is the best way you can avoid potential WordPress security and hacker issues. Login to your WordPress site now as Admin, and install any and all available updates for WordPress core, your themes or plugins.
If you use any premium plugins or themes on your WordPress website, make sure you have a current license to ensure you’re getting updates and not running outdated versions. Sometimes they require additional plugins, like from Themeforest, to get the updates (Envato WordPress Toolkit).
Problem #3 – Using Plugins and Themes from Untrustworthy Sources
Badly-written, insecure, and/or outdated code in a plugin is the most common way hackers will exploit your WordPress website.
Answer #3 – Only download and install WordPress plugins and themes from reputable sources
Since plugins and themes are the biggest potential source of security vulnerability, as a security best practice, only download and install WordPress plugins and themes from reputable sources.
This means from the WordPress.org repository, or from reputable companies that have been in business for a while.
COMPLETELY avoid pirated and torrented “free” and “cracked” versions of any premium themes and plugins. These files historically have been found to be altered to contain malware.
Problem #4 – Using Poor-Quality or Shared Hosting
Since the web host server where your WordPress website lives is another target for hackers. Simply using cheap, poor-quality or shared hosting can make your WordPress site more vulnerable to being compromised by hackers.
While all hosts nowadays take precautions to secure their webservers, not all of them are as vigilant or implement the latest security measures to protect WordPress websites on the server-level.
Shared hosting can also be a concern because multiple websites are stored on a single server. If one website is hacked, attackers may also gain access to other websites and their data.
Answer #4 – Use a VPS (virtual private server) or WordPress Hosted Solution
While using a VPS, or virtual private server, is more expensive, it assures your website is stored on its own server.
A dedicated WordPress Hosted Solution is also a good answer, as this looks after a multiple of issues. These also have a WordPress backup plan included that is an important component of your WordPress security strategy. They automatically set up scheduled backups to run.
We hope this hasd laid out some usable solutions to the most Common Security Issues in WordPress.
Get on it, and make the changes to ease your mind!
