WordPress Security – 8 Best Practices for secure WordPress Sites

WordPress Sicherheit erhöhen Header
There is no doubt “that it’s good to be the King”. For WordPress, one of the most beloved content management systems used by millions of websites worldwide, this means bearing the great responsibility of keeping your WordPress site secure from nefarious hackers and cyber threats.

Don’t worry; with some knowledge and preventative measures, you can turn your WordPress site into a virtual Fort Knox (or at least a moderately secure castle with a decent moat).

WordPress was first released on May 27, 2003, by founders Matt Mullenweg and Mike Little. Initially, WordPress was designed as a blogging platform. Over time it evolved into a full-featured Content Management System (CMS) that can be used to build a wide variety of websites, from simple blogs to complex e-commerce platforms.

WordPress is open-source software built on PHP and MySQL, making it freely available for anyone to use and modify. As of 2021, WordPress is the most popular CMS in the world, powering over 60 million websites. This is due to its ease of use, flexibility, SEO-friendliness, responsive design, and large community of developers and users.

There may be many reasons why website owners do not pay attention to the security aspects of their WordPress sites. Often there is a lack of technical understanding of WordPress security features or an unawareness of the risks and consequences of some security vulnerabilities. Here at Inpsyde, the security of our WordPress sites is paramount. We have been building websites for large companies for over 16 years, which require top-notch WordPress security standards, but we also implement our sites BackWPup, MultilingualPress, and Inpsyde.com with WordPress. 

In this post, we will walk you through everything you need to know about WordPress security: What tactics hackers use to attack WordPress sites? What best practices should you follow to withstand these attacks? And what is the WordPress Security Team? We also review and explain the function of some of the market’s most important and useful WordPress security plugins.

What role does security play for WordPress sites?

The security of your WordPress site is one of the most important factors for the entire company’s success. Customers today expect reputable businesses to ensure their websites meet all security standards. If your company makes headlines just once or even regularly due to significant hacks or loss of sensitive customer data, you will lose reputation, trust, and customers very quickly. 

Moreover, you risk severe penalties if you accidentally or intentionally ignore important data protection guidelines such as the GDPR. Google and other search engines also place high importance on security. Google’s algorithm generally ranks secure sites higher.

What makes WordPress secure?

WordPress has been struggling for a while with biases regarding cybersecurity. And indeed: WordPress websites are among hackers’ favorite targets. The majority of successfully hacked CMS-based websites run on WordPress.

Does this mean WordPress is insecure? No, it is just a numbers game, because 37% of the entire internet and 64% of all CMS-powered sites run on WordPress. The high number of successfully hacked WordPress sites is due to how many WordPress sites exist. Another reason: Currently, about 13 times as many sites run on WordPress as on the second most popular CMS, Joomla. Among them are numerous high-volume and high-revenue sites of large companies. Therefore it is more worthwhile for hackers to focus on possible security vulnerabilities in the most popular CMS and become WordPress experts themselves.

WordPress is as secure as you make it

An expertly and regularly maintained WordPress provides the perfect foundation for secure websites. This is true for smaller projects and enterprise-level sites with high volume, revenue, and security standards. Also essential for WordPress’ cybersecurity are regular core updates and best practices observance in password management and external program embedding.

What is the WordPress Security Team?

The WordPress Security Team further strengthens WordPress site security. This team of about 50 web security experts, including around half the employees of Automattic, regularly deals with emerging security issues. The security team always tries to fix possible security gaps with patches in the next update of the WordPress core. Particularly urgent problems are addressed with “Immediate Security Releases.”  

The WordPress Security Team also cooperates with security teams from other CMSs, such as Drupal or external experts. Via the Hackerone platform, the security team is regularly alerted to security risks by external web developers. Automattic and other WordPress stakeholders pay the advisers for their tips. Hardly any other Content Management System can draw on this security reserve to this extent.  

Why are WordPress sites hacked?

WordPress sites are targeted for multiple reasons. Naturally, most of these are money-related. For example, hackers want to get your customers’ credit card details directly and redirect them to sites where fraud occurs. Hackers often steal data to sell it to third parties. Some websites are manipulated for political or personal reasons and taken offline completely.

How are WordPress sites attacked?

There are certain types of hacks that are common and for which your site should be prepared:

  • Brute Force Attacks: This is where hackers try to guess your usernames and passwords to log into the WordPress backend. They can then cause great damage in several ways. The hackers work with databases of frequently used passwords. Bots then scan your login area for these and other data. They use a specific context to try and guess your password with powerful algorithms.
  • Code Injections: One of the oldest and most common hacks is SQL injection. Using input fields on your website, such as the search function or forms, hackers can obtain important information by injecting SQL code, can manipulate your MySQL database, or can gain control over the WordPress backend.
  • Cross-Site Scripting: Hackers inject code into your site against your will. In this case, it is Javascript. This code is then seen as legitimate by the website visitors’ browser and is read out.  In most of these cases, it is your website visitors who will experience the problem. Hackers get their data via XSS injections or take over their accounts.
  • Distributed Denial of Service Attacks: Your server can only process a certain number of requests before it becomes overloaded and crashes. That is the goal of DDoS attacks. In this case, your site is sent so many requests from several globally distributed sources that the website no longer functions as desired. Large companies are often blackmailed in this way. Sony, Amazon, and Netflix have already been hit this way.
  • Malware: Malicious code can sneak onto your website via infected plugins or themes. Hackers can steal data or upload their content to your site. If the problem is not fixed quickly, it can cause significant problems, especially for large sites. In 2021, over 60% of all websites were infected with malware. So it is worth scanning your site for malware with plugins like WordFence.

WordPress security: Best practices

In the following, we will explain what you should keep in mind to make your site as secure as possible. You won’t be vulnerable to most of the above-mentioned hacking strategies with these best practices: 

Secure WordPress hosting

There are some important security factors that you can only influence to a limited extent, as they do not have to be implemented on your website but on the server side.

It is best to prioritize security when choosing a web host. Ideally, the web host should have a trustworthy reputation and be an expert in WordPress. Among large companies that rely on WordPress, WordPress VIP is considered the best hosting option. A good hosting provider already takes care of important functions such as malware scans, SSL certification, encryption with the HTTPS protocol, or automatic backups and thus guarantees security at the server level. 

It would help if you generally go for managed WordPress hosting instead of shared hosting, where you share servers with other companies. Even if your website is  not attacked, with shared hosting, you can become collateral damage if the shared server is hacked. Better hosting will also positively impact the speed and performance of your WordPress site.

Regular updates

You should regularly update the WordPress version and the plugins and themes you use. The WordPress security team tries to fix any new security vulnerabilities with each update of the WordPress core. It is best to allow WordPress to load the latest releases automatically. 

To update WordPress, follow these steps:

  1. Back up your website. It’s important to back up your website before making changes if something goes wrong during the update process.
  2. Check to see if there are any plugins or theme updates available. WordPress will not allow you to update the core software if you have any plugins or themes that have updates available. You’ll need to update those first.
  3. Update any available plugins or themes. To update a plugin or theme, go to the “Plugins” or “Themes” page in your WordPress dashboard and click the “Update” link next to the plugin or theme you want to update.
  4. Check if a new version of WordPress is available. Go to the “Updates” page in your WordPress dashboard. You’ll see a notification and a link to update if a new version is available.
  5. Update WordPress. To update WordPress, click the “Update Now” button on the “Updates” page. WordPress will download and install the update, and then you’ll be prompted to click a button to complete the update.
  6. Test your website. After updating WordPress, it’s a good idea to test your website to ensure everything is working correctly. Check all of the pages and functions on your site to ensure that they are working as expected.

Note: If you are using a managed hosting service they may handle WordPress updates directly. In that case, you can skip the steps above and check with your hosting provider to see if there are any updates available.

By always working with the latest WordPress version, you are already taking an important step towards a secure site. Most successful WordPress hacks happen to poorly maintained and not regularly updated sites.

Plugins should also always be up-to-date. Many WordPress users refrain from using the auto-update function for plugins because they are unsure which code is reloaded by the plugins. 

In general, you should ensure that your plugins are updated regularly. This way, you can assure they are compatible with the latest WordPress version and adapted to the current security standards. You will be notified in the backend if there is an update for one of your plugins. WordPress also informs you when plugins were last updated. For particularly outdated extensions, you will even get a warning.

Generell solltet ihr nur bei der Auswahl eurer Plugins darauf achten, dass diese regelmäßig aktualisiert werden. So stellt ihr sicher, dass sie mit der neuesten WordPress-Version kompatibel und auf die aktuellen Sicherheitsstandards angepasst sind. Wenn es für eins eurer Plugins ein Update gibt, wird euch das im Backend mit einer Notification angezeigt. WordPress weist euch auch darauf hin, wann Plugins zuletzt aktualisiert wurden. Für besonders veraltete Erweiterungen findet ihr sogar eine Warnung. 

Invisible WordPress version number

You should try to work with the latest WordPress version. In addition, it is a good idea to keep potential hackers from knowing which version you are working on. Hiding the WordPress version number refers to removing or obscuring the version number of the WordPress software installed on a website. This is often done as a security measure, as the version number can be used by attackers to identify vulnerabilities in older versions of WordPress and exploit them.

There are a few different ways to hide the WordPress version number:

  1. Use a plugin: Several WordPress plugins can help you to hide the version number. These plugins typically allow you to remove the version number from the source code of your website and the WordPress dashboard.
  2. Modify your theme: Some themes include options for hiding the version number. Check the documentation for your theme to see if it has this feature.
  3. Edit your functions.php file: You can add a few lines of code to your functions.php file to remove the version number from the source code of your website. To do this, you’ll need to access your functions.php file via FTP or your hosting control panel. 

Remember that while hiding the WordPress version number can help increase security, it is not a substitute for keeping your WordPress installation up to date and using other security measures. It is important to keep your WordPress software and any installed plugins and themes up to date to ensure your website is as secure as possible.

Security with backups

Backing up is about storing a WordPress site’s data in a safe place. If something happens to the site, it can be restored quickly. Backups should be generated automatically and regularly. Large sites sometimes even work with hourly backups, while smaller companies back up weekly or monthly.

It is best to back up your data externally and not on your servers in case they are attacked. Our plugin, BackWPup, allows you to do just that and is one of the best solutions, especially for corporate websites. 

Some of the BackWPup features

It’s always a good idea to have a checklist ready beforehand so you aren’t caught unaware during a rush period. It’s a good way to avoid finding an empty backup and not knowing what you need. Helping you stay calm when you need it most.

Having a checklist for restoring your website is important because:

  1. It helps you stay organized and ensures you remember all the important steps. When restoring a website, many different tasks and steps can be involved, and it’s easy to forget something if you don’t have a clear plan.
  2. It helps you to restore your website more quickly. By having a checklist, you can quickly and easily see what needs to be done and in what order, which can help you to get your website up and running again more quickly.
  3. It helps you avoid mistakes. A checklist can help you avoid mistakes by ensuring you don’t skip any important steps or forget to do something. This can help to prevent issues that could cause problems with your website.
  4. It helps you to restore your website more confidently. Having a checklist can give you more confidence when restoring your website, knowing that you have a plan in place and are following all the necessary steps.

Overall, a checklist can be a valuable tool for restoring your website, helping you to stay organized, work more efficiently, and avoid mistakes.

Secure login area

As explained above, hackers use brute force attacks on login areas of WordPress sites to gain backend data access. They try to guess the usernames and passwords with the help of programs.

A simple and frequently used trick against brute force attacks is to set a limit on login attempts. For example, access is blocked if a user has entered the wrong password three times. However, since hackers often know the tricks to circumvent this security mechanism, certain best practices are essential for a secure login area.

The login area is one of the obvious security factors that is often overlooked. A secure and hard-to-guess password is mandatory. Likewise, you should choose your username. Many web admins adopt a standard admin setting out of convenience or carelessness. Hackers know this and particularly like to attack user names such as “admin” and “administrator” or the respective domain name, such as “inpsyde” in our case. On pages with such obvious usernames, the hackers’ bots only have to guess the password in brute force attacks. With an individual internal system for naming users, you are much safer.

Another way you can knock the wind out of the brute force hackers’ sails is to rename your login URL. The login areas of most WordPress websites are easily accessible by appending wp-login.php or wp-admin to the main domain. You can change this by setting the login URL using plugins like WPS Hide Login. That means that hackers have to get the exact URL of the login area before they can attack the password and username.

There is also the option of Hiding the login prompt refers to the practice of obscuring or removing the default login page for a website or application.This can be done for various reasons, such as to prevent unauthorized access or make it more difficult for attackers to find and exploit the login page.

There are a few different ways to hide the login prompt:

  1. Use a plugin: Several WordPress plugins can help you to hide the login prompt. These plugins typically allow you to customize the URL of the login page or to add additional security measures such as two-factor authentication.
  2. Modify your .htaccess file: You can use the .htaccess file on your web server to redirect users away from the login page. To do this, you’ll need to access your .htaccess file via FTP or your hosting control panel. 

Remember that while hiding the login prompt can help increase security, it is not a substitute for using strong passwords and other security measures. It is important to use a combination of security measures to protect your website and prevent unauthorized access.

Secure passwords

Although complexity is key when creating a password, the reality is no one should ever know their passwords. They should always be able to find them, but it should be impossible to remember. At most, a story should be associated with a complex and random series of numbers, letters and symbols. Although everyone should be aware of the importance of a secure password by now, “123456” and “password” or simple key sequences such as “qwerty” have been the most commonly used passwords for years. For corporate websites with a lot of traffic and significant turnover where the administrators work with such passwords, it is only a matter of time before a hack occurs. You should therefore give your employees the following best practices when choosing their password:

A strong password:

  • is at least eight characters long,
  • has both upper and lower case letters,
  • includes numbers and
  • includes at least one special character like $!%@ # ?/.

In addition, you should change passwords regularly. While always ensuring that every service has a different password. Having a story to remember your passwords can be a helpful tool. It is also recommended to have password managers as a good way to manage passwords and not lose them. At Inpsyde, we work with 1Password, for example. 

Without a doubt, the most secure method to have is two-factor authentication. Logging in is only possible after two steps with this method. What these two steps are, is determined by the website administrator. One example would be that a code is sent to the user’s mobile phone after the correct password has been entered, which they can then use to log in. There are numerous 2FA plugins to implement this security mechanism on WordPress sites.

Current PHP version

At the moment, PHP 8.2 is the most current PHP version. Using the latest PHP version is important for security reasons and affects your WordPress site’s speed. Even so, over 70% of WordPress sites still use outdated PHP. Every version that isn’t PHP 8 has no security update, which means that they are out of the scope of the current security. Every version of PHP 7, or perish the thought, PHP 5, no longer receives security updates from PHP. This mistake should be avoided, as hacks are less successful with updated PHP versions.

The currently supported PHP versions – www.php.net/supported-versions.php

Adapted user roles

In the day-to-day business of companies, different employees have different decision-making rights. Even on your WordPress site, only some employees should have the power to install new plugins, change the content, or even take the whole site offline. Each person involved should ideally only be given the permissions they need to do their job. WordPress has six user roles:

  • Super Administrator
  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber

The super administrator and the administrator of a page have all options for editing the page. A contributor, for example, can only edit the posts they have created. For large companies with numerous decision-making levels, it can be worthwhile to create your own “custom user roles” with the help of WordPress experts or plugins. This way, individual rights can be granted to each user. 

WordPress security for large enterprises

This post has  covered the most common attack vectors of WordPress sites. You can protect your WordPress site against such hacks with good hosting, secure login areas, regular updates, well-chosen passwords, two-factor authentication, and other security standards. 

However, every website works a little differently. The websites of large companies, in particular, are often designed in a very sophisticated and customized way. These sites also get a lot of traffic and work with particularly large amounts of data. This makes them interesting for hackers. As there are no plugins that are carefully vetting code, it makes sense for these companies to work with experts. One of the biggest things that can be done to improve quality is code review, something Inpsyde does line by line. 

Because code isn’t usually written to be scalable, it can be written better to sanitize mistakes in the input. 

That is why at Inpsyde, the best guiding principles and coding philosophies are ever-present. Ensuring attention to performance (fast and efficient), security (secure and resistant to attack), scalability (designed to handle high levels of traffic and demands), code quality (encourages the use of coding standards and best practices), and collaboration (encourages collaboration and teamwork).

We advise you to come back often to this post for review and apply these principles and ideas to the way you do your website. While always ensuring to care about the code on your website. So that you have the least attackable or exposed surface possible, because plugins are the hardest to control vectors on the website, work with experts that know. Contact our WordPress security experts for individual support for your website to learn more about WordPress security standards at the enterprise level.