As the name of this post implies, this is our ultimate guide to WordPress security. So, I recommend you bookmark this article and return to it every now and again to ensure your websites are checking off all the necessary security boxes.<\/p>\n
Is WordPress Secure?<\/h2>\n
With so many hackers attempting to infiltrate WordPress sites regularly, you may begin to wonder if WordPress is really secure at all. You can stop wondering because WordPress is inherently secure, though, there’s a caveat.<\/p>\n
The security team behind WordPress<\/a> works diligently to neutralize any vulnerabilities that surface within the WordPress core. Security patches are included in core updates that are released consistently and on a regular basis.<\/p>\n In fact, since WordPress was initially released, over 2,450 security vulnerabilities<\/a> have been quickly patched. There are also times where fixes have been made in under 40 minutes<\/a> of a vulnerability’s discovery<\/p>\n The caveat is that you need to keep WordPress core up-to-date in order to apply all the security patches that are rolled out. Fortunately, updates can be pushed automatically or manually in a couple clicks. You can also choose to turn off automatic updates in case you want to run compatibility tests beforehand.<\/p>\n This change is also covered later on in this post, but you can also check out Why You Should Have the Latest Version of WordPress<\/a>, WordPress Core is Secure \u2013 Stop Telling People Otherwise<\/a> and WordPress: It Ain\u2019t Perfect \u2013 but Neither Are the People Who Use It<\/a> for details.<\/p>\n If you take away only one tip today, make it this one<\/strong>: keeping WordPress up-to-date is by far, the single most critical action you can do for the security of your site. Every other technique you apply is still necessary, but it’s not going to do you any good if the WordPress core itself is vulnerable and that happens if it’s not up-to-date.<\/p>\n Fortunately, you can update your entire site in a few clicks from The Hub<\/a>.<\/p>\n WordPress is secure, but the fact is, all websites are targets for hackers so no one is immune. Even a fresh install of WordPress with nothing on it, little to no traffic, and that’s kept up-to-date is still at risk.<\/p>\n Overall, there are two main reasons why any site is hacked: money and hacktivism (defacing a site for political reasons such as to show support for a particular political party or influencing group).<\/p>\n The American Economic Association reported<\/a> that businesses and consumers lose $20 billion per year due to spam. According to a 2016 report by Sucuri<\/a>, 100% of sites that were sampled were hacked in order to exploit them for profit, but four percent of them are simultaneously used for hacktivism.<\/p>\n For details, check out The Ultimate Guide to WordPress Spam<\/a>.<\/p>\n Any and every site is a target no matter how teeny-tiny or gargantuan. The reason is that WordPress itself is such a popular content management system (CMS) that it’s a natural target. Hackers can create a program, commonly referred to as bots or hackbots, that automatically and systematically scans for security holes and attacks hundreds of thousands of sites simultaneously. The more sites that can be scanned and attacked, the greater the potential success rate for the hacker.<\/p>\n WordPress as a target for hackers is similar to hitting a mansion-sized bull’s eye if you were playing paint ball. The chances of you being able to successfully splatter that target with paint over and over even from a great distance is almost certain.<\/p>\n Since WordPress now powers 28% of all websites on the internet according to W3Techs<\/a>, which is also the largest segment of websites using a known CMS, there are millions of sites that hackers can target.<\/p>\n It’s all about the math, really.<\/p>\n Smaller, less popular sites are a particularly great option for hackers because they’re less likely to be secure, since many owners of these sites may not know they’re actually a larger target than they realize.<\/p>\n On the flip side, larger, more secure sites are still a target because there’s a greater audience available for hackers who want to inject and profit off spam<\/a> if they can manage to get past the website’s defences.<\/p>\n It’s important to recognize that while WordPress is secure when it’s kept up-to-date, no site is impervious to infiltration 100% of the time.<\/p>\n For example, WordPress version 4.7.3 patched six XSS vulnerabilities<\/a> in the REST API that could allow hackers to inject code into any WordPress site. It affected over 1.5 million sites according to Wordfence<\/a>.<\/p>\n Sucuri initially reported that roughly 67,000 WordPress sites were hacked<\/a> and defaced by different hackers due to the discovered security hole. Once a patch was released, over one million sites weren’t immediately updated, which lead to them being hacked.<\/p>\n When writing code, it’s near impossible to not create any security holes whatsoever. When hackers find these vulnerabilities, they exploit them and you’re left with a compromised site.<\/p>\n There are are also other ways a site could be vulnerable including human error such as using passwords that are easy to guess as well as insecure or unreliable hosting.<\/p>\n There are a number of commonly exploited and potential WordPress vulnerabilities including:<\/p>\n While this isn’t a complete list of WordPress security vulnerabilities, they’re the most common ways a site is exploited, often through the use of a bot. Multiple vulnerabilities could also be exploited at the same time as well.<\/p>\n According to Wordfence<\/a> as well as a report by Melapress<\/a>, XSS, SQLI and File upload vulnerabilities are the most commonly exploited security issues. Improperly coded plugins are also the largest culprit and accounts for 54% of these attacks, followed by the WordPress core and themes, respectively.<\/p>\n It was also reported that 73% of WordPress sites are vulnerable to attack.<\/p>\n For details, be sure to check out Category: Vulnerability<\/a>, The Ultimate Guide to WordPress Spam<\/a>, XML-RPC and Why It\u2019s Time to Remove it for WordPress Security<\/a> and A History of WordPress Security Exploits and What They Mean<\/a>.<\/p>\n With all the above in mind, this is why it’s important to take your WordPress site’s security seriously.<\/p>\n Fortunately, there is a myriad of ways you can beef up your WordPress site’s security from straight forward tips to more complex steps that you can find below. I’ll start with the basics and get progressively more advanced as you work your way through this article.<\/p>\n It’s just as important that your computer’s secure as it is that your site is secure. Malware and viruses can infect your computer, which can spread to not only your WordPress site but hundreds of thousands of other WordPress sites.<\/p>\n There are many ways you can ensure your computer stays as secure as possible.<\/p>\n Here are basic tips to help you start stepping up the security of your computer and WordPress site:<\/p>\n For more details on installing an SSL certificate, check out:<\/p>\n Remember this is just the beginning so be sure to work your way through this article and apply as many of these security steps as you can for a more reliable security strategy.<\/p>\n You can also use the .htaccess<\/em> to NGINX Converter<\/a> to take the examples below and automatically generate code you can use for NGINX servers.<\/p>\n If you were to ask, many WordPress developers would chant, “Security through obscurity is no security” or some form of that. They’re not wrong, but it also wouldn’t hurt to use it and it some cases, it may<\/em> help.<\/p>\n Security through obscurity means hiding an aspect of a software or web application in an attempt to secure it with the hopes that if a hacker can’t find what you’re hiding, it remains safe.<\/p>\n In the case of WordPress, this means hiding parts of your site such as the login page, for example, hoping that a hacker couldn’t find it.<\/p>\n This isn’t a reliable security tactic because most hackers are experienced enough that they could easily find a way around the obscurity tactic to infiltrate your site.<\/p>\n Most sites are not manually hacked by brute force attacks but infiltrated automatically and systematically by bots.<\/p>\n Since bots are set up to attack a site with a typical setup and move on if the hack isn’t immediately successful, there’s a chance (albeit a small one) that security through obscurity can work a small percentage of the time. This is especially true if the hacker is inexperienced.<\/p>\n These kinds of tactics are also a part of the recommended security hardening steps in the WordPress Codex<\/a>.<\/p>\n That being said, it’s true that you shouldn’t rely solely on security through obscurity to protect your WordPress site because it isn’t going to work at least most of the time. It’s far, far<\/em> away from being a solid security strategy.<\/p>\n It can still help in a small number of cases as previously mentioned so you can still use this method, but if you do, you must also<\/em> use a well-rounded set of security strategies that span far outside of obscurity tactics.<\/p>\n For details, check out Changing Your WordPress Database Prefix to Improve Security<\/a>.<\/p>\n With all that in mind, here are the most common security through obscurity tactics that you can choose to either bypass or use as a part of your overall security strategy.<\/p>\n There are a few common edits you can make to your wp-config.php<\/em> file that are considered to be security through obscruity tactics and you can find them below.<\/p>\n For more details on the wp-config.php<\/em> file and editing it, check out The WordPress wp-config File: A Comprehensive Guide<\/a> and How to Tweak wp-config.php to Protect Your WordPress Site<\/a>.<\/p>\nWhy Your Site is a Target<\/h3>\n
How Hackers Compromise Websites<\/h2>\n
\n
Basic, No-Nonsense Security Steps<\/h2>\n
\n
\n
Security Through Obscurity<\/h2>\n
Obscurity Through the wp-config.php<\/em> File<\/h3>\n
![\"Plugin](\"https:\/\/wpmu-dev.pro\/blog\/wp-content\/uploads\/2017\/07\/plugin-editor.png\")