WordPress has become the most preferred content publishing platform online, and its popularity is continuously growing. For hackers, this means a bigger target with greater payoffs. Are you, as a WordPress site owner committing basic security mistakes that make it easier for them?
WordPress is the most popular platform to build websites on, and its popularity has only been growing. The CMS has something to offer anyone who has ever wanted to own a website. The WordPress community is supportive, and consists of developers who can build anything in code as well as code-averse site-owners who are given a world of add-ons to make their sites extensible, and more functional.
However, maintaining a WordPress site comes with a number of caveats, which are difficult to navigate. The case is worse for new site-owners, since committing a small mistake could knock their site offline, or make it vulnerable to hackers’ attacks.
Knowing the common mistakes made, and avoiding them, is key to keeping your WordPress site safer. This is why we’ve come up with a list of the basic security mistakes that WordPress site owners and users make. Are you making any of these mistakes currently?
1. Not updating WordPress and its add-ons
Now while the rest of our list talks about mistakes to definitely avoid committing, this issue is a little more complicated. This is why we’ve chosen to get this out of the way right in the beginning.
Everybody talks about keeping WordPress Core and add-ons (themes and plugins) up-to-date, for the sake of security, as well as to add new features to the site. However, you as a WordPress site owner, have one good reason for not doing so– incompatibility.
Your WordPress site could break because of:
Updating WordPress Core
There are two kinds of updates on WordPress Core that keep it up-to-date with the best features, and security measures on the web.
- Major updates (like 4.5 or 4.6): These add new features and functionality to WordPress.
- Minor releases like Release 4.5.1 and 4.5.2: These are dedicated to security patches, and bug fixes.
There are a couple of catches with these releases. For one, it can be cumbersome to keep up to date with all of them. Version 4.5, for example, was released on April 12, while 4.5.1 was released 14 days later, and 4.5.2 was released about 10 days after 4.5.1. Secondly, while WordPress Core upgrades are designed to be compatible with all the previous versions; (even the first one), it doesn’t always work out that way. So when WordPress site owners update their WordPress core, their site crashes.
Updating WordPress add-ons (plugins, themes, and widgets)
There a number of problems you could run into while updating WordPress add-ons. Since the developers could be pressed for time or not have the expertise, they can’t make sure that their updates are compatible with every single version of WordPress. As a result, they could be incompatible with previous updates of WordPress Core. Moreover, even add-ons that are coded to be backward compatible might not be developed with other add-ons in mind. Lastly, add-ons’ updates contain significant security patches and bug fixes, which change the way they work and hence cause conflicts. One example of this was the security patch for RevSlider (a premium carousel plugin), that changed the way the plugin worked.
As a result, updating even just one plugins could cause your site to break. If compatibility issues between WordPress Core and an add-on are a concern, the safest route to take, would be to ask the plugin developer to release an update for the plugin, while also looking for alternatives that work with your other add-ons.
The key to keeping your WordPress site secure, is to update every part of your WordPress site. The consequences to your site, its data, and your site’s visitors are all too great to not update.
2. Buying/using bad add-ons
As mentioned, WordPress add-ons don’t necessarily have the stringent code quality or security measures in place that WordPress Core does.This is why it’s important for WordPress users and site owners to pay attention to pick a good theme/plugin. Every good add-on has one basic characteristic– it has has good code. But even if you don’t know how to judge the code of a theme/plugin, there are a few characteristics which you spot:
- They’re available via a reputed source: This means they’re on the WordPress.org repository, or with well-known theme/plugin seller, like Themeforest, Elegant themes, etc. Just as with material goods, buyers should be wary of a premium theme being available on a questionable website at a huge discount.
- They have good reviews and ratings from genuine, long-time users.
- They’ve stood the test of time: The longer a theme or plugin has been available, the more bug fixes and security updates they should have.
- They get updated often and have been recently updated (in the past 2 months) from the developer’s side
Installing a bad theme/plugin could have a number of consequences for your site, whether in a way that affects function (such as slowing down your site), or in a malicious way, such as sending spam mail on your site’s behalf. Apart from all this, having an add-on with malicious code on your site causes search engines to mark your site as malicious, and hence blacklisted.
3. Using bad login practices
There are a number of simple login mistakes that WordPress site owners make, from sticking with easy to guess credentials, to stay logged in on their sites. This makes it easier for hackers, who usually use bots (just like search engine crawler bots), to look for websites with vulnerabilities.
Sticking with the default username (admin) reduces the time bots need to crack your login credentials, by 50%. Combining that with the use of a weak password only makes attacks on the login page (like a Brute Force attack, or a Dictionary attack) that much easier. Once the bots crack your login credentials, the hacker can log in as you, and legitimately perform admin-level functions. This is why it’s important to enforce good login practices, and secure your WordPress login page. A couple of other simple ways (and there are more ways) to protect your login page are renaming the administrator account to reflect a different username. WordPress site owners have to look out for legitimate ways to harden their login page though– some widely recommended practices such as moving your login page to a custom URL, are unnecessary, and can ruin your site’s user experience.
4. Making every contributor to the site an ‘administrator’
WordPress sites have different system users with different levels of access, in order to give the site owner the power to assign responsibilities to different users. This also serves as a way to give those with fewer responsibilities, the access to only specific areas they need access to. This principle (known as the Principle of Least Privilege), is one of the basic elements of security on any system.
WordPress has five different user roles:
- Super admin or Admin: Has full control over add-ons, content, files, and users on the site. (Super admin is someone who has Admin access over multiple sites, and controls the network administration for those sites too).
- Editor: Has full control over content and files, can publish anyone’s content, and is allowed to add script tags for formatting.
- Author: Can only create, modify, publish and delete their content.
- Contributor: Can only read, edit and delete content. No publication rights.
- Subscriber: Can only read content. No other rights
So say you run a successful news website or a blog with a regular guest blogger contributing once a month… You would best assign the guest blogger the role of ‘Contributor’ or ‘Author’.
Assigning the ‘Admin’ role instead, however, will put your WordPress site at a greater risk. Just imagine what would happen if they deleted a post by another author, a plugin or even an Editor by mistake!
Giving users unrestricted access could also allow hackers to exploit your site more easily. A good example of this kind of damage, was how TechCrunch got hacked by OurMine, a commercial security group that hacks accounts to publicize their services. The site was hacked using one of its contributors’ accounts.
5. Being a hoarder
Keeping old add-ons and users presents a number of opportunities to hackers. As a site owner, it is only natural to experiment with plugins and themes. In the process though, it is easy to forget about unused add-ons in your site’s repository. However, since you no longer use them, you also don’t update them. This opens up your site to a number of exploits.
Forgetting to delete old users (especially contributors) long after they’re gone, allows hackers access your site legitimately after a previous hack (like a Brute Force attack). This is one of the ways WordPress site owners are hacked for a long time without even knowing about it.
6. Not checking past uploads
Similar to hoarding add-ons and users, WordPress site owners also fall in the trap of never cleaning out their Media Library, the uploads folder, or the includes folder.
Hackers know this too. This is why they could easily upload a hack-file that looks like an image, and execute a hack later. This is how a number of exploits on the TimThumb vulnerability were carried out.
This method could also be used to create a backdoor. So even if malicious code is removed, and the WordPress site is kept up to date, it will still be susceptible to hacks.
Having a backup solution for your WordPress site is paramount to security. Not only does having a clean backup of your WordPress site make it easier to restore your site in case of a hack or blacklisting, it also allows you to scan your site’s code for irregularities and fire-fight more efficiently. However, most WordPress site owners don’t realize that the solutions they’re relying on are not dependable, until it’s too late. Backups must be the perfect disaster recovery solution, so they should be fool-proof, and adhere to the best WordPress security practices. Not only should they be independent of the WordPress hosting service, but they should be independent of your site, be stored in multiple locations, and have both: WordPress files and database encrypted and backed up.
If your site encounters a problem caused by anything as disastrous as your hosting provider being hacked to the deletion of files, not having a good backup plan would lead to your site experiencing a long downtime or worse.
The mistakes listed in this article are basic, and yet widely committed by WordPress site owners. Keeping your WordPress site secure lies not in being sure of impenetrability (because there is no such thing as a perfectly secure site), but in making it harder for hackers to achieve their target.
If you commit, or have committed any of these simple mistakes in the past, the best way to ensure that there is no malicious code on your site, would be to invest in an intelligent auto hack cleaner for WordPress sites, like MalCare.