WordPress Security: 10 Common Mistakes to Avoid
If you own a website, you know how devastating it can be when it is attacked by bots, hackers, or other rogue elements. With WordPress becoming more popular, it has become a prime target for hackers as the payoffs can be greater. While there is no foolproof security, there are many small and big things that can be done to avoid common WordPress security mistakes and make it harder for bots to enter websites and create havoc. In this post, we will explore the common security mistakes made on WordPress websites and what can be done to minimize vulnerability to security threats.
Mistake #1: Not Updating WordPress
WordPress has a great community that is alert to security issues, and the team at WordPress issues updates regularly to fix security threats. However, it is up to website owners to carry out these updates on their WordPress install and patch up any security holes. Major updates to the WordPress core take place automatically, but for minor updates and updates to themes and plugins, website owners need to pay attention to the notifications that show up on their dashboard.
Updating WordPress is often a smooth process, requiring just a click, but sometimes there can be incompatibility issues that break websites. It is important to learn more about updating WordPress in this Quick Guide to updating WordPress.
Mistake #2: Not Purchasing Quality Themes & Plugins
Poorly coded themes and plugins are a security hazard on websites. They can slow down websites, be incompatible with the WordPress version being used, or with each other. They can also serve as an entry point for malicious software.
The obvious precaution to adopt here is to purchase themes and plugins only from quality sources. There are many good themes and plugins available for free in WordPress. If choosing a premium theme or plugin, look up Themeforest or CodeCanyon and other reputed theme houses like WPExplorer.
Select those which are better rated and enjoy a greater number of downloads. Read up reviews of the themes and plugins and check out what other long term, genuine users are saying about them. Go through the changelog to see if there are regular updates. Write to the authors to understand if that theme or plugin is right for you before making a purchase. And to put to rest any practical concerns, run it on a test site if that is possible.
Mistake #3: Not Updating Themes & Plugins
Just like WordPress, themes and plugins should have regular updates for bug fixes and security patches. It is the website owner’s job to test these updates then install them to keep WordPress websites safe.
Note: One of the most common reasons people let their themes get outdated is because of custom code. This is why using child themes is important. If planning on making any changes to theme files, remember to use a child theme so the core theme can be safely updated in the future.
Mistake #4: Lack of Security on Login Page
The login page is the place from where authorized users enter websites. But many unwanted rogue users can also cleverly find their way into websites from the login page and can even acquire admin level privileges. To prevent this, security on the login page needs to be enhanced. There are many easy tweaks that can be carried out to stop mischief right at the doorstep.
Website owners can change the username from the commonly used ‘Admin’ and enforce strong passwords. Or, limit the number of login attempts – this will be particularly effective in stopping brute force attacks. Another protection method that is easy to adopt is two-factor authentication. With Google pushing for the use of SSL, website owners may like to stay a step ahead and apply it to their website sooner than later. The login page is a good place to start improving security on websites.
Mistake #5: Improper Use of User Roles
WordPress has many user roles – Administrator, Editor, Author, Contributor, and Subscriber. Not all of them need to have the same privileges on websites. When adding users to websites, be careful with the privileges granted at the backend. Allow only as much privilege as is necessary for them to fulfill their roles on the website.
Granting unrestricted access to all users can make it easier for hackers to break in. There is no need to give subscribers any access to the backend when all they need to do is read content. Editor level access should be granted only to trusted users, and Admin level access can be granted, if at all, very sparingly. Allowing limited privileges to users and forcing them to use strong passwords can control access to the backend to a large extent.
Mistake #6: Not Deleting Unused Themes and Plugins
Over time, themes and plugins are added to WordPress as and when the need arises. But once there is no longer any use for them, they are forgotten and not deleted from websites. It is not enough to simply deactivate themes and plugins; they must be deleted if not intended to be used. This simple step can reduce exposure to malware. Inactive plugins do not consume RAM, bandwidth, or PHP but do take up server space. This can slow down websites and also be used to run malicious code on websites.
Before adding a plugin to a website, check if WordPress can natively handle the particular function. Or the theme being used or the host may be covering the functions needed. If there is any plugin on a website for these same functions, delete them.
Now that unused plugins are being cleaned out, it may as well go the whole distance and clean out the media library, the uploads folder, and the includes folder. These are alternate entry points for malware that enters websites only to execute itself later. By slimming down these folders, access points for malware and hackers are cut down.
Mistake #7: Not Choosing a Secure Host
Often, hackers are not targeting websites; they may be targeting some other website that shares server space. Website owners are just incidental victims. In a shared hosting scenario, one compromised website can bring down all the websites on a server. Therefore, it is important to choose a web host with a great deal of care. When it comes to hosting, you only get what you pay for. Cheap hosting options almost always compromise on security, and their servers are more prone to security attacks. Not only that, support is often less than satisfactory when websites are under attack.
Putting down good money for quality hosting is really worth the investment. It will save a load of headache down the line, especially if businesses are linked heavily to websites. Need help with picking a host? Head to our list of recommended hosting options.
Mistake #8: Not Checking for Malware
Malware can enter websites without website owners even being aware of it. It can remain hidden and do many things without knowledge such as tracking visitors, accessing sensitive information like credit card details, or adding backlinks to other websites. When there is malware lurking in websites, Google begins to turn away search engines to prevent other websites from being infected. This can cause a drop in traffic to websites.
There are many plugins and services available that can scan websites for malware and remove many of them. Website owners merely have to visit the website of services like Sucuri SiteCheck Scanner and enter the URL of their website. A report will be generated that displays the malware detected as well as the recommendations on how to handle it. Or else, website owners can choose to add a plugin and run a scan. If they wish, they can delete the plugin after use and reinstall it when they want to run a scan again.
Mistake #9: Not Installing a Security Plugin
One of the easiest ways to beef up security on websites is to add a security plugin. These plugins can handle many security issues like enforcing strong passwords, setting up firewalls, protecting against brute force attacks, and more. There are many free plugins like iThemes Security and as well as many premium security plugins available, and it is best to install and activate one at the earliest. There are also many website security services like Sucuri that offer to manage security on WordPress websites.
Mistake #10: Not Keeping Website Backups
Website owners may think that after doing all of the above, their website is safe from the bad guys. However, hackers are refining their methods, and new threats crop up continuously. Therefore, as a safety net, website owners can use a plugin for backup and take a secure backup of their site at regular intervals and keep them in a safe location.
It is not enough to carry out a backup of just the database; a full backup of the website is necessary. That includes the themes, plugins, the wp-content folder as well as important WordPress configuration files like wp-config.php and .htaccess files. Use quality plugins like BackupBuddy or VaultPress and update them regularly. Also, maintain multiple backup copies that can be used in different offsite and offline locations.
In Short
Website security is not always about tall walls and fences, nor is it a one-time fix. It is more about staying ahead of the mischief makers. There are many small and easy steps that can be adopted to keep a website safe and secure. It is important to review defenses to make sure they are in line with the needs of websites and evolve security practices that can keep them safe.
