Occasionally I’ll get a question from a client asking if WordPress is secure. If properly maintained and monitored, WordPress is one of the most secure CMS (Content Management System) platforms available. With that being said, if it is not properly maintained and monitored, WordPress is currently the most popular target for hackers. WordPress powers over 30% of the ENTIRE internet and 60% of CMS-powered websites use WordPress. For hackers it’s simply a game of numbers.
WordPress MUST be Updated on a Regular Basis
If you don’t update your WordPress website on a regular basis, or monitor its security, there’s a good chance it will get hacked. I update my clients’ WordPress plugins on a daily basis. A little tool called MainWP makes that an easy task for me since I manage a lot of WordPress websites. I’m able to log in to one place, scan my managed websites and update everything with the click of a button. Plugins are the source of many security vulnerabilities within WordPress installations, and WordPress plugin updates often contain security-related fixes. When a plugin developer discovers a security flaw and pushes an update to fix it, the hackers take note. Hackers use scripts that are constantly scanning the internet for sites still running versions with known vulnerabilities.
WordPress Security Monitoring
My favorite tool for monitoring the security of my WordPress websites is Wordfence. Wordfence is a great firewall with a ton of options and also has a malware scanner. I always like to show my clients its “Live Traffic” feature, which shows every single IP address that tries to access your website, what they were trying to access and where their IP address is located. In the past 24 hours, I had IP addresses from the Philippines, Hong Kong, Russia, France, Turkey
The WordPress Login Page is the Most Popular Target
The WordPress login page located at /wp-login.php is the most popular target for hackers. There are numerous ways to combat this. Wordfence allows you to limit the number of login attempts before blocking an IP address. I set that number to 2. It also allows you to immediately block any login attempt with an invalid username. It’s important to create a username that can’t be easily guessed (and NEVER use admin). Once a hacker has your username they will use a brute-force attack that keeps trying to log in to WordPress with different passwords. In addition to using Wordfence, I limit access to the /wp-login.php page by IP address. If your IP address doesn’t belong to me or my client, it will get blocked. This can cause some issues when trying to
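The two controls described above, a cap on failed login attempts per IP address and an IP allowlist for /wp-login.php, can be checked against a site's own web server access log. The script below is an added example written for this post; it is not Wordfence code and not a MainWP feature. It parses constructed sample lines in the standard Apache/nginx "combined" log format (the addresses are documentation ranges, not real visitors), counts failed POSTs to /wp-login.php per IP, flags any IP over the same threshold of 2 used above, and lists every client that reached the login page from outside an assumed allowlist. It relies on WordPress's normal behaviour of re-rendering the login form with HTTP 200 on a failed login and redirecting (302) on success.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in Apache/nginx "combined" format (not real traffic).
# 203.0.113.7 fails three times in a row; 198.51.100.22 logs in successfully once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2402 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2402 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2402 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:02:15:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:02:15:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2024:02:16:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
"""

# Client IP, timestamp, request line and status code of a "combined" log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

LOGIN_PATH = "/wp-login.php"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def login_requests(log_text):
    """Yield parsed records for every request that touched the login page."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == LOGIN_PATH:
            yield rec


def failed_login_counts(log_text):
    """Count failed login POSTs per IP.

    A failed login re-renders the form (HTTP 200); a successful one redirects
    (HTTP 302), so only 200 responses to POST are counted as failures.
    """
    counts = Counter()
    for rec in login_requests(log_text):
        if rec["method"] == "POST" and rec["status"] == 200:
            counts[rec["ip"]] += 1
    return counts


def brute_force_suspects(log_text, max_attempts=2):
    """IPs with more failed login attempts than the allowed maximum (2 above)."""
    counts = failed_login_counts(log_text)
    return sorted(ip for ip, n in counts.items() if n > max_attempts)


def login_clients_outside_allowlist(log_text, allowed_networks):
    """IPs that reached /wp-login.php but are not inside any allowed network.

    allowed_networks is an assumed list of CIDR strings (the owner's and the
    client's addresses); anything else hitting the login page is reported.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    outside = set()
    for rec in login_requests(log_text):
        addr = ipaddress.ip_address(rec["ip"])
        if not any(addr in net for net in nets):
            outside.add(rec["ip"])
    return sorted(outside)


if __name__ == "__main__":
    # Assumed allowlist: only the 198.51.100.0/24 range may use the login page.
    print("Failed attempts per IP:", dict(failed_login_counts(SAMPLE_LOG)))
    print("Over the limit of 2:", brute_force_suspects(SAMPLE_LOG))
    print("Outside the allowlist:", login_clients_outside_allowlist(SAMPLE_LOG, ["198.51.100.0/24"]))
```

Run it against a real log by reading the file into `SAMPLE_LOG`'s place; the IPs it reports are the ones a Wordfence lockout or a server-side IP restriction on /wp-login.php would have stopped.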
Is Your WordPress Website Secure?
Is your head spinning yet? I have just touched on the basics of WordPress security. If your website is not being properly managed or maintained, contact me today and I can get you back on the right track.