Since the release of its very first version in 2003, WordPress has surely and steadily snowballed into the content management system (CMS) tycoon we know today. At this very moment, this system alone owns 63.8 percent of all CMS market shares—more than all other systems combined—powering over 20 percent of the 1.3 billion active websites existing today. That’s around 455,000,000 self-hosted sites relying on WordPress to share their ideas, promote their business, and connect with others.
So, people everywhere trust and love WordPress. Then, it’s gotta be safe, right?
For the most part, WordPress is secure, being under the surveillance of an ever-growing but currently 50-person security team consisting of lead developers and expert security researchers. With that being said, we can't ignore the fact that, over the years, this system has been prone to serious security shenanigans, especially when used for business.
Using nulled plugins and themes, failing to execute robust system administration and credentials management, and lacking awareness of and knowledge in best cybersecurity practices can all make your e-commerce site(s) vulnerable to hackers who try to harvest database credentials, distribute malware, and do all other kinds of malicious funky business. Even something as simple as using an outdated version of WordPress creates a security hole that hackers can exploit and have exploited.
No one needs that. More importantly, no one has time to deal with not only the hacks but their aftermath, cleaning up messes and deworming sites you’ve worked hard to perfect (not to mention any resultant data protection violations that may arise!).
So, here are some immediate measures you can take to protect your WordPress site(s) from cyber-attacks and maintain a safe working environment that gives both you and your clients peace of mind.
Hosts M’Ghosts: Choosing the Right Host (And Paying for It) Matters
Thousands of web hosts are available to host your business’s site, the majority of which meet WordPress’s minimum hosting requirements at a low monthly cost. But, since when were you satisfied with the bare minimum?
Your answer should be never, especially if you care about laying a strong foundation for your business’s cybersecurity. An engaged and reliable WordPress host is your first line of defense and, while everyone hopes that the service they’re currently using does enough, not all hosts are created equal. Beneath that attractively low price tag might be lurking increasing numbers of hacker attacks, suboptimal performance, and frequent site shutdowns, all signs of a host that takes web security lightly.
At a minimum, your host should set you up with an account that supports PHP 7.4 or greater. According to WordPress, any site running on PHP version 7.1 or below simply does not have security support, so known vulnerabilities in it will never be patched. And yet, almost 33 percent of the WordPress community is still using these much older versions!
(Side tip: Always stay up-to-date on major releases of new WordPress updates, including those to the core, themes, and plug-ins. While WordPress will automatically install minor updates, the big kahunas are your responsibility to manage.)
In addition to PHP 7.4 or greater, you want a host that offers:
- MySQL 5.6 or greater OR MariaDB 10.1 or greater.
- Nginx or Apache with the mod_rewrite module.
- HTTPS support.
Also, as a baseline, servers hosting your WordPress site must be sufficiently hardened: continuously updated with the latest operating-system patches, security software, firewalls, and intrusion-detection tools, and vetted for signs of compromise such as backdoors and malware. If hacking strategies are becoming more sophisticated by the day, the host should have systems and processes in place that always remain one step ahead.
Now, to obtain a high-quality and trustworthy host, you don’t have to break the bank, but you do have to pay for more than the dirt-cheapest service out there. As is the principle with buying a prom dress off Wish.com or picking up some gas station sushi, you do get what you pay for.
So, invest in a host that brings enhanced security as well as other important perks like top performance speeds, consistent customer service, and increased capacities to stably welcome more visitors. Most high-quality hosts can be obtained for as low as $20 a month.
Passwords: Y’all Still Messing Around?
Passwords, passwords, passwords. Change ‘em, differentiate between ‘em, keep ‘em weird.
It’s critical that you build complex passwords unique to not only your WordPress admin account but also your database, hosting account, email address, and file transfer protocol (FTP) accounts. The days of using “123456” as your password for everything should be long gone, although SplashData’s annual list has found that, for the seventh consecutive year, “123456” has remained the #1 most popular (and most hacked) password out there. Yikes.
To generate a strong password, you can always mix and match random numbers, lower-case and upper-case letters, and symbols. But, if that feels like a hassle, you can always use a secure password generator that instantly creates a reliable password for you. If you’re worried about remembering all those crazy jumbles, you could always enlist the help of a quality password manager that can not only develop passwords for you as a generator would but also keep them all safe within a secure vault.
In addition to choosing strong passwords for all your different accounts, be sure to take the time to change all of them on a regular cycle. Set an alarm once a month (if you’re being super serious), every 60 days (a happy middle ground), or every 90 days (pushin’ it but still safe!) to sit down and manage your password inventory. It’s worth the effort if it means keeping your site hack-free.
Still worried that some mastermind might unravel your password? In that case, two-factor authentication is a must. This two-step process forces hackers to not only brute-force your password in hopes of an easy login but also obtain a second factor: a one-time code, such as a time-based one-time password (TOTP) from an authenticator app or a code sent to you via phone call or text (SMS). Since hackers likely won’t have access to both your password and your cellphone, this added security measure is proven to be highly effective.
Finally, let’s quickly talk usernames. WordPress recommends using a specific, unique username for your administrator account instead of the default “admin” username, which every attacker already knows to try. You can do this simply by adding a new user in your WordPress dashboard and assigning it the role of “Administrator.” Then, delete the “admin” user and attribute all of its content to your new administrator account.
Won’t You Back That Site Up?
No amount of cybersecurity strategies will guarantee your site’s safety 100 percent of the time. That's why it’s important to prepare for the worst by regularly taking backups of your entire website so that, even after a cyberattack, you can get up and running as quickly and efficiently as possible.
Again, if you’re working with a good host, they’re likely to provide various types of backup services including automatic backups and one-click restorations. And even if your host doesn't offer backups, many WordPress services and plugins are available to dependably take on this role for you. Just be sure to keep these also up-to-date!
As a rule of thumb, you should back up your site on a weekly or monthly basis, depending on the size of your organization. Some larger websites back up every hour, but this won’t be necessary for most small and mid-sized e-commerce pages.
Other Valuable (But Slightly More Complicated) Tips
In addition to these basic measures, there’s a ton of other recommendations available to solidify your WordPress security. Some of these you can manage on your own and others you can task to a web developer or web-development agency.
- Install an SSL certificate and run your e-commerce page over HyperText Transfer Protocol Secure (HTTPS) to not only increase security and levels of performance but enhance SEO.
- Bolster your wp-config.php file by moving it from your WordPress installation’s root directory to a directory that is not web-accessible, regularly refreshing and updating the WordPress security keys, disabling file editing, and changing permissions so that the wp-config.php file can only be read by administrators.
- Prevent hotlinking of your images and files, which costs you bandwidth and invites abuse.
- Limit login attempts to a certain number.
- Change your WordPress login URL so that it no longer includes “/wp-admin” in it.
- Consider installing distributed denial of service (DDoS) protection to prevent hackers from crashing your site.
As cyberattacks inevitably become more intricate and advanced with time, the key is to remain vigilant through regular updates and changes, invest in professional tools and ancillary technologies, and reach out to a supportive community of WordPress users, creators, and developers to get tried and true answers to all of your questions.
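The hosting requirements (PHP 7.4 or greater) and the wp-config.php hardening tip above can be checked mechanically. Here is an added example, not from the post or from WordPress, of a small audit that parses the `define()` lines of a wp-config.php, flags the placeholder security keys WordPress ships in wp-config-sample.php, an enabled file editor, group/other-readable permissions, a copy still in the web root, and an unsupported PHP version. The sample config is constructed for the demo.

```python
import re
import stat

PLACEHOLDER = "put your unique phrase here"  # default in wp-config-sample.php
SECURITY_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                 "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")


def parse_defines(config_text: str) -> dict:
    """Collect define('NAME', value) pairs; quoted string values lose their quotes."""
    defines = {}
    for name, raw in DEFINE_RE.findall(config_text):
        defines[name] = raw.strip("'\"") if raw[0] in "'\"" else raw
    return defines


def php_version_supported(version: str, minimum=(7, 4)) -> bool:
    """True when major.minor is at or above the minimum WordPress still supports."""
    return tuple(int(p) for p in version.split(".")[:2]) >= minimum


def audit_wp_config(config_text: str, mode: int, in_docroot: bool, php_version: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    d = parse_defines(config_text)
    if not php_version_supported(php_version):
        findings.append(f"PHP {php_version} is below 7.4 and gets no security fixes")
    if d.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: dashboard theme/plugin editor is on")
    for key in SECURITY_KEYS:
        value = d.get(key, "")
        if PLACEHOLDER in value or len(value) < 32:
            findings.append(f"{key} is missing, still the placeholder, or too short")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # only the owner should read it
        findings.append(f"wp-config.php mode {oct(mode)} is readable by group/other")
    if in_docroot:
        findings.append("wp-config.php is in the web root; WordPress also loads it one level up")
    return findings


# Constructed sample: one placeholder key, one good key, six keys missing, editor enabled.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'shop' );
define( 'AUTH_KEY',        'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'x9#Kd2!pQ7@Lm4^Vb8&Zr1*Tn6%Wc3+Js5-Hf0=Ya2_Ue4' );
define( 'DISALLOW_FILE_EDIT', false );
"""

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG, 0o644, True, "7.2.34"):
        print("-", finding)
```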
Now, go forth, and protect what is thine.