Recently we’ve been writing about WordPress security and showing you ways to improve the security of our website. The main reason is that tens of thousands of websites worldwide are attacked every day. In this article, we’ll be going through the Top 10 security mistakes on WordPress websites you can easily avoid.
In order to prevent an attack on our website or at least reduce the chances of an attack we must eliminate numerous security issues that our website may have. Although we use WordPress, which is a relatively secure CMS, there can always be a security issue for which we are responsible. That is why in today’s article we will write about the top 10 security issues you didn’t know you must avoid.
1. Letting hackers can see you are using WordPress
You read that right, if hackers know which CMS your website is based on, then half the work is already done. It remains to find vulnerabilities within a plugin or your theme and your website will be successfully attacked. Wondering if it’s possible to hide that you are using WordPress? Of course it is. There is a plugin called Hide My WP and it is one of the best security plugins available in the market.
This great plugin will hide the fact that you’re using a WordPress CMS by changing the themes and plugins folder names, just like the other folder and file names used by a typical WordPress installation. Even the best CMS detectors will not be able to detect which CMS you are using. It will change the complete URL structure and the login page as well as wp-admin will be completely hidden. Besides hiding common WordPress paths, this excellent plugin has a smart IDS engine that autoblocks attacks like SQL injection and XSS.
All websites that use this plugin form a Trust Network, so you are safe from attacks or vulnerabilities that someone once had. This is a commercial plugin used by almost 30,000 websites, I think you should definitely try it. If you don’t want to spend money right away, you can find a free version in the WordPress repository that will introduce you to the basic options.
2. You use a weak username and password
Another one of the most common top 10 security mistakes and probably the largest number of attacks will be carried out in such a way, is that hackers get hold of the administrator’s username and password. Even more experienced WordPress users sometimes use weak passwords on their websites. Hackers use brute force attacks that keep guessing your password. If your password eventually get cracked, the hacker will be able to gain access and therefore have full control over your website.
Never use “admin” or “administrator” for username. Always choose a username that is hard to guess. As for the password, never enter your name, the name of your relatives, dates of birth and things like that. This is all information that someone else can have and thus can endanger your website. Inside WordPress there is a password generator which can create a password that is a combination of upper and lower case letters, numbers and special characters and it is impossible to guess it. Save that password in some data storage tool so you can always copy it. My recommendation is that you do not save your passwords in your browser, because passwords saved in this way can be easily stolen and misused.
3. Using nulled premium themes or plugins
It happens many times when we search for a plugin or theme that Google throws out a “nulled” product in the search results. Although we think we got a commercial plugin or theme for free, it’s actually not like that. Almost always, hackers insert malware into those “nulled” products in order to infect your website with malicious code. After you have installed this kind of software, hackers have full access to your website or all websites on your hosting at any time.
Avoid downloading and using themes, plugins or any other product from unreliable sources. Buy products and use them legally to make sure you don’t become another victim of hackers. There are many plugins that will scan your website for malware, and one of the best on the market is Wordfence security. You can get it directly from the WordPress repository.
4. Your theme or plugins are not up to date
This is another in a series of top 10 security mistakes on WordPress websites that many admins and site owners make. If your WordPress files, WordPress installation, themes and plugins are not up to date then they are very vulnerable to attacks. The reason lies in the fact that hackers do a lot of research. If a part of your websites has vulnerabilities, and the developers have released an update to fix the bug, be sure to install it. Hackers will find out in their research that you are using a product that has a bug and you haven’t installed a patch. The attack is guaranteed.
Before you decide to buy a theme or plugin, pay attention to how often that product is updated. If the update has not been done for several months or longer, then do not buy. Every serious product must have regular updates that will be adapted to the latest version of WordPress and that will fix known bugs. User reviews and update releases are your best indicator of whether to buy something or not.
5. You don’t use an SSL certificate
Using an SSL certificate on your website is something you simply must do if you haven’t already. Without an SSL certificate, the traffic that takes place between your website and the user’s browser can be intercepted and misused. In simpler terms, the SSL certificate will encrypt the content between your hosting server and the user’s browser, so even if it is intercepted by a hacker, it will be totally unusable.
We previously wrote about the fact that most quality hosting companies offer an SSL certificate for free if you decide to use their services. Many hosting companies now offer free SSL certificate with a domain you purchase from them. Always check of an SSL certificate is included when you purchase a domain.
If your hosting provider does not offer an SSL certificate for free, then you can purchase one from a service such as CheapSSLSecurity.
In this way, you will strengthen the security of your website, and your visitors will have the impression that they are on the website of a safe and stable company.
6. You have no DDoS attack protection
When we talk about DDoS attacks, we must mention that not only WordPress websites are at risk. This type of attack can be carried out on any website regardless of the CMS. This means that your WordPress sites are also at risk if you do not find a way to avoid this issue.
This type of attack works in a way to generate a lot of fake traffic, thus consuming your server’s resources until it becomes completely congested and therefore crashed. A DDoS attack can involve several thousand computers on a global level.
The best solution to this problem is to use a hosting service that offers protection against DDoS attacks. There are many quality hosting providers that will help protect you. If your hosting partner does not have this protection, then you should consider using a service like CloudFlare, which offers DDoS protection in its free version.
7. Using cheap and unreliable hosting
When we talk about hosting, I think we should have put this first in the list of security issues. Simply, without quality hosting there is no quality website. Today there are many hosting companies that offer hosting packages at very reasonable prices and promise very stable and good services. However, this is usually not the case.
Weak hosting companies usually do not have the equipment and resources to deal with threats from the Internet. They are often the target of attacks, and the websites on their servers are dysfunctional. So read user reviews and choose trusted companies that have been building their business for many years and really offer the service you paid for.
Some of the best and most famous hosting companies are Bluehost and Siteground, and they have hosting packages specially made for WordPress websites too.
8. Theft of user data
One of the very common security issues on WordPress websites is the theft of user data. This is especially important for credit card theft. Mainly websites that use WooCommerce and where credit cards are entered are at risk.
Hackers usually inject malicious code into your website that will monitor and record credit card information, and then send it to the attackers. There are many ways to solve this problem, and the most common is to use a plugin that will monitor your website.
One of the best tools is the Sucuri Security plugin which has a free malware scanner.
9. Divide users according to user roles
Many WordPress admins make the mistake of giving the same access to all users of their site. This is a big security issue because some of the users may not be using a strong username and password. If hackers find out his credentials, they have administrative access to your website, and you know what that means.
The solution is to separate users by roles. Within the WordPress admin dashboard there are 6 user roles such as administrators, moderators, editors and others. Only give admin rights to verified people you trust.
If WordPress roles are not enough for you, but you want different user roles, you can always install a plugin such as Advanced Access Manager.
This excellent and free plugin allows you to assign the roles you want to each user individually.
10. You don’t have a website backup
The best and fastest way to restore your website to a functional state is to restore from backup. However, if you don’t do a periodic backup then your pages could be permanently destroyed.
And this is where your hosting provider comes into play. Most quality hosting providers do daily, weekly and monthly backups of your websites completely free of charge.
If your hosting provider does not have this option, you can always use a plugin such as UpdraftPlus. There are many free plugins within the WordPress repository that will do this job perfectly.
Today we have described 10 security issues that you must eliminate on your websites if you want to be safe and reduce the chances of attacks to a minimum. If you eliminate all the shortcomings we have written your website will be completely secure, and visitors will have an excellent user experience.
You might also like