Due to the popularity of third-party tools used in tandem with WordPress, the CMS is not always as secure as they\u2019d like it to be. That\u2019s no reason to start distrusting third-party plugins, themes, or software providers, however. It simply means you should be taking measures to ensure that if WordPress\u2019s team misses a potential security risk, that you\u2019ve got tools in place to monitor and protect your website and its visitors.<\/p>\n
So Who Is at Risk?<\/h4>\n
Some of you may be thinking, \u201cWell, I\u2019m a [small business owner\/independent blogger\/freelancer\/etc.] with a relatively small audience. I\u2019m not going to get hacked.\u201d<\/p>\n
The truth is, hackers don\u2019t care who you are. If they spot a weakness in your website\u2019s setup, they will attack and put your business at risk. Even if your website doesn\u2019t collect (or store) payment, login, or other personal information, hackers will find a way to make your website work for their own purposes.<\/p>\n
So who really is at risk here? The answer: Everyone.<\/em><\/p>\n To clarify, \u201ceveryone\u201d not only refers to your brand or business; \u201ceveryone\u201d refers to any person who has visited your website. As you\u2019ll see soon enough, attacks on websites aren\u2019t always done for the purpose of destroying a business\u2019s reputation (though that is pretty much a guaranteed end result regardless). Hackers often take advantage of site vulnerabilities in order to gain access to customer data they wouldn\u2019t otherwise be able to retrieve on their own.<\/p>\n It\u2019s important to remember the following:<\/p>\n In a recent Wordfence survey<\/a>, WordPress users were polled to find out what sort of attacks they\u2019ve experienced on their website. Here is a summary of those results, ranked by the most common attack type:<\/p>\n Site Defacement (~25%)<\/b><\/p>\n What happens?<\/em> Attackers either replace your website with their own content or they take down your website completely. Hackers don\u2019t need a reason to do this other than to make a statement.<\/p>\n Email Hacking (~20%)<\/b><\/p>\n What happens?<\/em> Attackers take control of your email and use it to send out spam. There may be a number of reasons why a hacker would do this; among them: to use your email server for free, to destroy your business\u2019s reputation, or to send out malicious links and content on behalf of a source people trust (that being yours).<\/p>\n SEO Improvement (~18%)<\/b><\/p>\n What happens?<\/em> Hackers will plant their own links and content within your site in order to improve their own website\u2019s SEO. While search ranking criteria can change based on trends in how people use the web (eg. mobile device adoption, social media for search, etc.), one thing will stay the same: when a reputable source links to a website or content, that website will then be seen as a trusted source too.<\/p>\n Redirects (~15%)<\/b><\/p>\n What happens?<\/em> Hackers will use your trusted source as a way to automatically funnel new, unsuspecting traffic to their site. So when someone tries to visit your website, they are instead taken to the attackers\u2019 website containing malicious content.<\/p>\n Page Impersonators (~5%)<\/b><\/p>\n What happens?<\/em> Attackers create what are known as phishing pages that look like valid forms. They\u2019ll create these impersonator pages to lure site visitors into giving them personal information.<\/p>\n Malware Distribution (~3%)<\/b><\/p>\n What happens?<\/em> Attackers gain access to your website and then distribute malware to all of your visitors\u2019 computers in order to retrieve their personal information.<\/p>\n Information Jacking (~20%)<\/b><\/p>\n What happens?<\/em> If you store sensitive customer information on your website (payment information, logins, personal information, and more), attackers only need to gain access to your site in order to steal it.<\/p>\n Attack Launchpad (~2%)<\/b><\/p>\n What happens?<\/em> Again, by leveraging your website as a trusted source, attackers can use your server to gain access to and attack other websites.<\/p>\n Ransomware (~2%)<\/b><\/p>\n What happens?<\/em> Just as the name implies, ransomware is a form of software attackers will implant on your website so you can no longer gain access. Their hope is that you won\u2019t have a backup or another way to get back in, and will in turn be willing to pay a \u201cransom\u201d for it.<\/p>\n Content Host (~1%)<\/b><\/p>\n What happens?<\/em> Attackers gain access to your server in order to host their own malicious files there.<\/p>\n Referral Spam (~1%)<\/b><\/p>\n What happens?<\/em> If you\u2019ve ever reviewed your website\u2019s referring sources list from Google Analytics, you may have noticed some odd-looking websites on there. These are due to bots that were set up on your website. So when traffic is referred from your website to another source, instead of seeing your url in their analytics, they\u2019ll instead see the fake referral website.<\/p>\n As you can see, attacks can come in all shapes and sizes. Some hackers want to use your website\u2019s good reputation for their own devious purposes while others just want a way to gain access to all of your visitors\u2019 personal information. Regardless of the type of attack, it\u2019s clear that hackers won\u2019t discriminate on what type of business they hit if they see a weakness they can take advantage of.<\/p>\n\n Regardless of your business type or size, it\u2019s important to be aware of the risks your website visitors take when they go to your site. They trust that a visit to your site and the handing over of their private information will be handled securely. So if you want to maintain your customers\u2019 trust and keep their confidence in your brand intact, you need to take the appropriate steps in securing your website.<\/p>\n By hosting<\/a> your WordPress website on a trusted provider\u2019s server, you\u2019re taking the first step in securing your website and protecting your visitors\u2019 privacy. Quality hosting services will provide you with a number of site security assurances, including 24-hour monitoring, regular website backups, and individual hosting space (since sharing with another account could bring any corruptions from that site over to yours).<\/p>\n If you\u2019re unsure of whether your current host provider or others you\u2019re looking into provide a safe environment, check their reviews. If they have ongoing issues with security or have a track record of poorly managing issues customers have brought to them, you\u2019ll want to find someone else.<\/p>\n At this point you might be wondering why we would suggest that you invest in additional \u201chosting\u201d services if you\u2019re already paying for a reputable hosting provider. Well, a\u00a0CDN<\/a>\u00a0(content delivery network) isn\u2019t really a hosting service. A CDN sits on\u00a0top<\/em>\u00a0of your hosting and aids in the delivery of your website\u2019s non-static content to visitors, no matter where they\u2019re located around the world.<\/p>\n CDNs are most commonly associated with faster site load speeds, but many of them\u2014like\u00a0CloudFlare<\/a>\u2014provide additional security checks for your website.<\/p>\n For any website dealing in sensitive information,\u00a0SSL<\/a>\u00a0(Secure Sockets Layer) is an absolute must. Once you\u2019ve lined up a hosting provider you trust, look to see if they offer SSL certificates as well (which many of them do). If they don\u2019t, there are others who can issue a valid certificate for free, like\u00a0Let\u2019s Encrypt<\/a>.<\/p>\n The main purpose of SSL is to create an extra layer of protection (via encryption) for your visitor’s information so third parties can\u2019t gain access to it. In addition, SSL encryption comes along with the added benefit of improved SEO. As Google and the other search engines seek to refer traffic to valid and trusted sources, your SSL certificate stands as proof of this.<\/p>\n In the Attack Launchpad security threat mentioned above, we discussed how hackers might be invading your site for the purposes of attacking another one. That\u2019s essentially what DDoS (distributed denial of service) is. Hackers will use a number of methods to direct an overwhelming amount of traffic to a website in the hopes of forcing the site to crash and consequently denying site visitors any access.<\/p>\n If your company is a larger enterprise and\/or you process a lot of transactions, making an investment in a DDoS mitigation service is not a bad idea. The cost of your site going down and all business coming to a halt can be disastrous for a company, so consider this extra layer of protection a necessity. A number of companies with CDN services\u2014like\u00a0Incapsula<\/a>\u2014offer DDoS protection as well, so take time to research and see whether it\u2019s possible to bundle your security services under one umbrella (and save some money).<\/p>\n Your host provider should have already installed a firewall for your server. While firewalls are a great way to keep out unwanted visitors, many hackers these days have found creative ways to get around them. To be on the safe side, add a firewall to your website for an extra level of protection.<\/p>\n Firewalld<\/a>\u00a0offers a free one you can use. If you\u2019re unsure of how to install it yourself, check with your host provider and see if they can help. If you\u2019re on a shared server, they should be able to do this for you without a problem.<\/p>\n Most WordPress website vulnerabilities come from plugins. WordPress\u2019s security team reviews all third-party tool submissions, but it\u2019s inevitable that some insecurity will make it through\u2014and plugins happen to be the most common place where it does.<\/p>\n There are three things you can do to make sure your plugins are kept in check:<\/p>\n Did you know that when your site throws an error that your server path will be displayed for all to see? Hackers know this and they will keep an eye out for that information if you haven\u2019t disabled front-end error reporting. Rather than give that valuable information away for free, disable those notifications.<\/p>\n For more on error reporting, check out our post Debugging WordPress: How to Use WP_DEBUG?<\/a>.<\/a><\/p>\n The amount of spam hitting a website can be a problem. Spam isn\u2019t just an annoyance, but it also can pose some serious security risks. That\u2019s why plugins like Akismet were created\u2014so you can easily block comments from known spammer IP addresses.<\/p>\n In collecting IP address information on your website though, you\u2019re putting visitors\u2019 privacy at risk. The only way to keep that information safe is by not storing the IP address information from commenters in the first place. So if you get rid of IP address information on your site, how do you prevent spam comments as well as trackbacks and pingbacks from coming through?<\/p>\n There are two types of logins you need to be concerned with on your website: your own as well as those of your visitors. Any time someone is given access to your website (on either the front or the backend), there is an increased risk of someone else maliciously entering or gaining access to private information.<\/p>\n With that being said, there are a number of ways you can ensure certain login guidelines are enforced (just make sure you\u2019re abiding by them as well):<\/p>\n Restricting access to your website isn\u2019t just about keeping hackers out, it\u2019s also about making sure that any user given access for specific purposes sticks to those purposes. Here are some restrictions you should plan on setting:<\/p>\n It should also be noted that all of these suggested tips for ensuring privacy are especially important for eCommerce websites that deal with the exchange of financial data. In order to achieve PCI compliance, you need to have certain systems in place to ensure you\u2019re securing customer info.<\/p>\n Remember: your main goal in using more reliable security services and having stricter standards for your website is so you can protect visitors\u2019 information. If they start to feel in any way that your website is compromising their safety, they\u2019re going to abandon it in search of someone else\u2019s who can give them that sense of security.<\/p>\n If you have any further questions on what you can do to secure your website, check out the Ultimate Guide to WordPress Security<\/a>.<\/p>\n There are a number of ways you can find out if your website has been the victim of hacking:<\/p>\n WordPress website security is not always a sure thing, but there are steps you can take to ensure the effects of an attack are not long-lasting or inflict irreparable damage to your brand.<\/p>\n\n
WordPress Website Risks<\/h4>\n
Ensuring Privacy for Your Site Visitors<\/h3>\n
1. Invest in Good Hosting<\/h4>\n
2. Use a CDN<\/h4>\n
![\"MaxCDN,](\"https:\/\/wpmu-dev.pro\/blog\/wp-content\/uploads\/2016\/05\/maxcdn-network.png\")
3. Set Up SSL<\/h4>\n
4. Consider DDoS Protection<\/h4>\n
5. Install a Firewall<\/h4>\n
6. Keep Plugins in Check<\/h4>\n
\n
7. Disable Error Reporting<\/h4>\n
8. Clean Up Your Spam<\/h4>\n
\n
![\"Stop](\"https:\/\/wpmu-dev.pro\/blog\/wp-content\/uploads\/2016\/06\/stop_spam_810.png\")
9. Enforce Stronger Login Settings<\/h4>\n
\n
10. Restrict Access<\/h4>\n
\n
In Case Your Site Does Get Hacked<\/h3>\n
\n