
Keeping WordPress Security Vulnerabilities at Bay

You are the proud owner of a prized WordPress site that is visually enchanting, functionally superior, easily navigable, appealing, SEO friendly, studded with plugins, and so on goes the list. With your site attracting massive traffic, you are on a roll and are convinced that you have everything in place. Then, just when everything seemed fine, you notice all or some of the following about your site:

  • Unusual errors on the admin dashboard
  • New files appearing in odd places in the WP directory
  • Malfunctioning RSS
  • Admin panel or site getting redirected to a virus scanner page or to an error page
  • Browser giving warning about virus or malware infection on the site
  • Suspicious activity from the site being detected by your anti-virus
  • Site crashing in old browsers
  • Your site is completely down and you don’t have a clue

Speculate no further: your site has fallen prey to a hack attack. Were you caught unawares? You have to admit it, because your site had glaring security loopholes. Security is one important aspect that goes neglected in the effort to make your site look attractive while the foundation remains shaky. The interesting fact is that the security aspect is highlighted only when your site gains prominence, and that is when it becomes an easy target for hackers.

What about sites based on other platforms? Are they not prone to hacking?


Yes, they are, but not as prone as WordPress sites. Unlike others, WordPress is specifically used as a blogging platform. A blog’s main feature is its shared environment, which allows users to gain file and directory permissions. This privilege, if misused, can be harmful to the site’s files, which run the risk of being overwritten or deleted.

Without themes and plugins, WordPress would not be what it is now. With plugins and themes you can extend the site’s functionality to unimaginable levels. And that is where the catch is! Themes and plugins pose serious security issues since they are developed by people who might have written them badly, or they might have become out of date. Other CMSs like Joomla and Drupal fare better on the security front because their development is based on stringent standards and functionality is extended by hard-coding, which is one reason why they are not as popular as WordPress.

The popularity of WordPress stems from its ease of use and cost-effectiveness, and very little effort goes into perfecting its key areas. This takes a heavy toll on the security of the sites. Even where something is done, the end user can completely override the code or settings, making the site vulnerable to security threats. It is the other way around with the other CMSs.

How to go about the security issues?

Securing your site is, actually, no big deal; all you need to be is proactive and organized with your site. This is how you do it:


Careful with plugins and themes

It is a fact that plugins and themes are indispensable to your site’s capabilities, but being free to use, they might contain malicious code or could provide unauthorized access to your site. Themes that have not plugged the security holes in their timthumb.php scripts can pose serious threats to your site. Plugins or themes that are old or unused should be removed without a second thought. There are better ones available.

No compromise on regular backing up

Periodic backing up of your files and database is one serious measure that will make a huge difference in defending your site against vulnerabilities. While this is not an offensive stance, you can be assured that your site can be brought back if you are in the habit of backing it up regularly. Equally important is restoring the site from the location where it is backed up, with the same configuration, posts and plugins as at the time of backing up. If you are not adept at this task, it is better to hand it over to plugins such as BlogVault, BackupBuddy or VaultPress. But be sure not to go for free ones, since paid services provide technical support, and you surely do not want to risk your site’s existence by not shelling out a few dollars a month.
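The restore check described above is the part most people skip, so here is an added example (written for this page, not code from the original post or from any of the named backup plugins) of what "the same files as at the time of backing up" means in practice. The Python script builds a small constructed WordPress layout, archives wp-config.php, wp-content and a stand-in database dump file, restores the archive into a separate directory and compares SHA-256 digests, so a backup that does not come back byte for byte is noticed before it is actually needed. The file layout and contents are constructed, and producing the real database dump (for example with mysqldump) is assumed to be a separate step that writes the .sql file this script picks up.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed minimal WordPress layout; the .sql file stands in for a mysqldump of the database.
SITE_FILES = {
    "wp-config.php": "<?php define('DB_NAME', 'wp'); // constructed sample\n",
    "wp-content/themes/mytheme/style.css": "/* Theme Name: mytheme */\n",
    "wp-content/plugins/akismet/akismet.php": "<?php // constructed plugin stub\n",
    "wp-content/uploads/2012/08/photo.jpg": "JFIF placeholder bytes (constructed)",
    "wp-db-dump.sql": "-- constructed stand-in for mysqldump output\n",
}
# What a WordPress backup must contain: config, content (themes/plugins/uploads) and the DB dump.
BACKUP_SET = ("wp-config.php", "wp-content", "wp-db-dump.sql")


def make_sample_site(root: Path) -> None:
    for rel, body in SITE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


def file_digests(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def backup_site(root: Path, archive: Path) -> dict:
    """Write a gzipped tarball of the backup set and return the digests a restore must reproduce."""
    with tarfile.open(archive, "w:gz") as tar:
        for rel in BACKUP_SET:
            tar.add(str(root / rel), arcname=rel)
    return file_digests(root)


def restore_site(archive: Path, dest: Path) -> None:
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The "data" filter (Python 3.12+, backported to security releases) rejects absolute
            # paths and "../" members, so a tampered archive cannot write outside dest.
            tar.extractall(dest, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(dest)


def verify_restore(expected: dict, restored_root: Path) -> list:
    """Return the files that are missing or differ after the restore (empty list = good backup)."""
    actual = file_digests(restored_root)
    return sorted(rel for rel, digest in expected.items() if actual.get(rel) != digest)


def backup_round_trip(tamper: bool = False) -> list:
    """Back up the constructed site, restore it elsewhere and report mismatches.
    With tamper=True one restored file is altered to show the check catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        site, restored = Path(tmp) / "site", Path(tmp) / "restored"
        make_sample_site(site)
        archive = Path(tmp) / "site-backup.tar.gz"
        expected = backup_site(site, archive)
        restore_site(archive, restored)
        if tamper:
            (restored / "wp-config.php").write_text("<?php // altered after restore\n", encoding="utf-8")
        return verify_restore(expected, restored)


if __name__ == "__main__":
    print("mismatches after clean restore:", backup_round_trip())
    print("mismatches after tampering:   ", backup_round_trip(tamper=True))
```

Keeping the digest list next to the archive (or in the backup plugin's own manifest) is what turns "I have a backup" into "I have a backup that restores"; the tamper run shows the one file that would be reported if the copy on the backup host had been altered.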

SFTP encryption

Data transmission is the point at which hackers try to capture your login credentials. Hence, a secure FTP (SFTP) connection that encrypts your login credentials makes it difficult for hackers to crack them.

Security measures taken by your host

Equally important are the security measures implemented by your host. Your host should provide you with various options to counter vulnerabilities, including backup and recovery methods. The server software should be up to date, leaving no room for vulnerabilities.

Account credentials

This is an area where people tend to be complacent. Passwords should be strong, in this context or any other. Since WordPress allows multiple login attempts, it is all the more important to have a strong password to ward off hackers’ attempts to crack it (a brute force attack). Alternatively, you can opt for plugins such as Login Lockdown or User Locker that literally make your site immune to brute force attacks. Your server’s credentials also need to be protected. This can be done over an HTTPS (SSL-encrypted) connection.
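What a lockout plugin such as the ones named above actually does is count failed logins per client address inside a sliding time window, and the same rule can be run over the web server's access log to spot a brute force attempt after the fact. The Python below is an added example written for this page (not the code of Login Lockdown or User Locker) and works on constructed access-log lines in the common Apache/nginx format. It relies on one WordPress behaviour: a wrong password makes wp-login.php re-render the form with HTTP 200, whereas a correct one answers the POST with a 302 redirect to wp-admin, so "POST /wp-login.php with status 200" is the failure signature. The IP addresses, timestamps and threshold (5 failures in 5 minutes) are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common log format: client IP, identity, user, [timestamp], "request line", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines: 203.0.113.7 hammers wp-login.php; 198.51.100.2 mistypes once, then logs in.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Aug/2012:20:30:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3941
203.0.113.7 - - [15/Aug/2012:20:30:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3941
203.0.113.7 - - [15/Aug/2012:20:30:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3941
203.0.113.7 - - [15/Aug/2012:20:30:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3941
203.0.113.7 - - [15/Aug/2012:20:30:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3941
203.0.113.7 - - [15/Aug/2012:20:30:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3941
198.51.100.2 - - [15/Aug/2012:20:31:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2711
198.51.100.2 - - [15/Aug/2012:20:31:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3941
198.51.100.2 - - [15/Aug/2012:20:31:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.2 - - [15/Aug/2012:20:31:36 +0000] "GET /wp-admin/ HTTP/1.1" 200 15022
"""


def parse_line(line: str):
    """Parse one access-log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # ignore query strings such as ?redirect_to=...
        "status": int(m["status"]),
    }


def is_failed_login(rec: dict) -> bool:
    # A bad password re-renders the login form (200); a good one redirects to wp-admin (302).
    return rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200


def failed_logins_by_ip(log_text: str) -> dict:
    """Plain count of failed login POSTs per client address."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            counts[rec["ip"]] += 1
    return dict(counts)


def find_lockouts(log_text: str, max_failures: int = 5,
                  window: timedelta = timedelta(minutes=5)) -> dict:
    """Sliding-window lockout rule: an address that fails max_failures times within `window`
    is locked out. Returns {ip: timestamp of the failure that triggered the lockout}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    lockouts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures and rec["ip"] not in lockouts:
            lockouts[rec["ip"]] = rec["ts"]
    return lockouts


if __name__ == "__main__":
    print("failed logins per IP:", failed_logins_by_ip(SAMPLE_LOG))
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock out {ip}: {when:%Y-%m-%d %H:%M:%S} (5th failure within 5 minutes)")
```

The single failed attempt from 198.51.100.2 never reaches the threshold, which is the point of a window rather than a lifetime count: a legitimate user who mistypes once is not punished, while the address that fails five times in five seconds is locked out at its fifth attempt. Run against a real log, the same `find_lockouts` output doubles as the list of addresses to block at the host or firewall.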

Prompt updates

The WordPress core development team is alert at all times and releases version-specific or generic updates as and when they discover security issues and bugs. You need to update your site promptly to stay clear of those vulnerabilities. If you do not, over time you will miss major releases, which will render your plugins or themes incompatible with the latest WordPress version.
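The two housekeeping rules above (remove old or unused plugins and themes, including themes still carrying an unpatched timthumb.php, and apply updates promptly) are easy to automate into a periodic audit. The Python below is an added example written for this page, not code from the post or from WordPress itself. Its first half works on a constructed stand-in for the JSON that WP-CLI's `wp plugin list --format=json` prints (the field names `name`, `status`, `update` and `version` are assumed); its second half walks a constructed wp-content/themes tree for copies of timthumb.php (also looked up under thumb.php, the name many themes shipped it as; an assumption) and reports the version each copy declares, assuming timthumb's usual `define('VERSION', '...')` line. The script only reports; deciding to update or delete remains the administrator's call.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed stand-in for `wp plugin list --format=json` output (WP-CLI); field names assumed.
WP_PLUGIN_LIST_JSON = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "2.5.6"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.6"},
    {"name": "old-gallery", "status": "active", "update": "available", "version": "0.9"},
    {"name": "unused-seo", "status": "inactive", "update": "available", "version": "3.1"},
])

# timthumb declares its version with a define('VERSION', '...') line (assumed).
TIMTHUMB_VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]""")


def audit_plugins(plugin_list_json: str) -> dict:
    """Bucket plugins into the two actions the post recommends:
    remove what is unused, update what is active but out of date."""
    plugins = json.loads(plugin_list_json)
    return {
        "remove": sorted(p["name"] for p in plugins if p["status"] == "inactive"),
        "update": sorted(p["name"] for p in plugins
                         if p["status"] == "active" and p["update"] == "available"),
    }


def find_timthumb(themes_dir: Path) -> list:
    """List every timthumb.php (or thumb.php) below the themes directory together with the
    version string it declares, so each copy can be checked against the current release."""
    hits = []
    for path in sorted(Path(themes_dir).rglob("*.php")):
        if path.name.lower() not in ("timthumb.php", "thumb.php"):
            continue
        m = TIMTHUMB_VERSION_RE.search(path.read_text(encoding="utf-8", errors="replace"))
        hits.append((path.relative_to(themes_dir).as_posix(), m.group(1) if m else "unknown"))
    return hits


def demo_theme_scan() -> list:
    """Run find_timthumb over a constructed wp-content/themes tree."""
    with tempfile.TemporaryDirectory() as tmp:
        themes = Path(tmp) / "wp-content" / "themes"
        files = {  # constructed theme files
            "alpha/timthumb.php": "<?php\ndefine ('VERSION', '1.33');  // constructed\n",
            "alpha/functions.php": "<?php // theme code, no timthumb here\n",
            "beta/inc/thumb.php": "<?php\ndefine('VERSION', '2.8.14'); // constructed\n",
        }
        for rel, body in files.items():
            (themes / rel).parent.mkdir(parents=True, exist_ok=True)
            (themes / rel).write_text(body, encoding="utf-8")
        return find_timthumb(themes)


if __name__ == "__main__":
    print("plugin audit:", audit_plugins(WP_PLUGIN_LIST_JSON))
    for rel, version in demo_theme_scan():
        print(f"timthumb copy: {rel} (declares version {version})")
```

On a live site the plugin half would read the output of `wp plugin list --format=json` and the theme half would be pointed at the real wp-content/themes directory; an inactive plugin that also has an update available lands in the remove bucket, because the post's advice is to delete what is unused rather than keep patching it.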

Security plugins

There is a host of security plugins to choose from that are comprehensive, easy to configure, laid out with multiple settings and come with detailed instructions. Better WP Security, BulletProof Security, Ultimate Security Checker and Secure WordPress are a few security plugins, to name some.

Light at the end of the tunnel

As per the National Vulnerability Database, 32% of all security issues are related to WordPress core, 40% are related to WordPress plugins and 28% are not related to WordPress. This is a big breather for WordPress site owners, because the statistics reveal that vulnerabilities related to the WordPress core are on a downward trend, while vulnerabilities related to plugins are on an upward trend. This would mean that the WordPress development team has done an incredible job, making WordPress almost secure. It also means that 40% of the security issues can be avoided if end users manage things properly at their end, with special attention to plugins and themes.

So now you know what has to be done to have a foolproof WordPress site? That’s right, just follow the steps mentioned above. If you have anything to add, please comment or share.

Author Bio:- Tammy is working as an Android developer with ValueCoders which is an expert offshore IT outsourcing company that offers cost-effective Android apps development services.

2 comments
  • razz

    August 15, 2012, 8:38 pm

    I was using WP Login Lockdown, but a few days ago my WordPress site dashboard pass was changed. I recovered it and changed it to a strong pass via the PCTools password generator.

  • Anders Vinther

    August 5, 2012, 6:36 pm

    This is a great list of things to do to secure your WordPress site…

    I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…

    I have now written up my experiences in a comprehensive WordPress Security Checklist which can be downloaded for free on http://www.wpsecuritychecklist.com.

    My checklist has a few more items and detailed steps for how to get the job done.

    Hopefully the checklist can help other people securing their WordPress sites…
