Is your website open to criminals? WordPress Security Tips

Millions of WordPress websites get infected with malware every year, spreading spam and aiding fraud while the site owners are often oblivious. In this post, we cover the seven main ways to prevent your WordPress website being hacked.

How big is the problem?

WordPress is the world leader in website platforms for business, long established as the preferred content management system and design platform for countless newspapers and other types of business across the world. As the most widely used provider, it’s natural that cyber criminals  have it in their sights.

It’s widely known that unscrupulous web developers often leave backdoors in websites they develop, creating a source of future income for themselves. When revenues get slack, they can secretly pop into your website, break something, then charge you for fixing it.

Depending how slack their morals are, they may also sell this secret access to larger scale criminal groups. If your website takes payments, your business could be in serious trouble and your costs could run to more than simply paying for web development that you should never have needed.

Taking this to the next level, it’s recently emerged that 40 WordPress themes and 53 plugins belonging to AccessPress Themes, a Nepal-based company, were backdoored with malicious code back in 2021. The infected extensions gave attackers full access to sites, and that access also appears to have been sold to operators of spam campaigns.

These examples are just the tip of the iceberg, however, and just some of the ways that WordPress websites can be compromised. Below, we list the seven main precautions you should take to protect your site.

How to prevent cyber criminals from entering your WordPress website

Perform frequent website backups

Now is the time to begin backing up your website regularly if you haven’t previously. To back up your WordPress site, you will need a third-party plugin, and there are many excellent backup plugins available. UpdraftPlus is among the most widely used. It helps you recover your WordPress site from a previous backup and has automatic backup scheduling.

Install a security plugin

When running a business, it’s impossible to keep tabs on everything that happens on your website. That’s why a plugin like Sucuri’s is so important for website safety. Sucuri is highly recommended by WordPress itself because they provide excellent service. Numerous major media outlets whose sites run on WordPress use it, including CNN, USA Today, PC World, TechCrunch and The Next Web.

Strengthen WordPress Login Security

Making your WordPress login more secure is also crucial. The first step is to require complex passwords for user accounts on your site. Likewise, you should start using a password manager programme.

Second, implement two-factor authentication. As a result, your website will be safer from brute force assaults and compromised credentials. This ensures that a hacker cannot gain access to your website even if they have your username and password.

Finally, it’s a good idea to set a maximum number of login attempts in WordPress. By default, WordPress users can re-enter passwords as much as they like. If a user is locked out after five unsuccessful login attempts, the likelihood of a hacker successfully guessing their credentials is greatly reduced.

Secure the WordPress admin area

By preventing unauthorised users from entering the administration console, you can prevent a wide variety of frequent security breaches. The wp-admin folder, for instance, can be protected using a password. The most vital part of your website’s defence system is now doubly fortified. IP address restrictions allow you to restrict access to the administration portal to just those on your team. Those who gain access to your account and password will still be locked out.

Disable Plugin and Theme Editors

In case you weren’t aware, WordPress has a dedicated theme and plugin editor. From the WordPress control panel, you may access a plain text editor to make changes to your theme or plugin’s.php or.js files. While beneficial, this opens the door to possible security risks. By way of illustration, if a hacker were to gain access to your WordPress admin area, they could use the in-built editor to access all of your WordPress data. Then they can use your WordPress site as a distribution point for malware or to perform distributed denial of service assaults. To strengthen WordPress’s defences, you should get rid of the preinstalled file editors completely.

Disable PHP in Selected WordPress Directories

PHP scripts are generally able to be executed in any directory. By stopping PHP execution in unused folders, you can improve the safety of your website. For instance, WordPress will never access the uploads folder to execute any code you may have placed there. If PHP is disabled in that folder, a backdoor uploaded by a hacker will not run.

Update Your Site Regularly

One of the core concepts of cyber security is to keep on top of software updates, and WordPress is no different. Each new release of WordPress improves upon the security of its predecessors. The WordPress core team works quickly to offer updates that address identified security vulnerabilities. This means you are using outdated software if you don’t maintain WordPress up to date. To exploit the vulnerability, hackers need just locate websites still using the vulnerable earlier version.

Need cyber security help for your business?

Flywheel supports several hundred UK organisations by managing their cyber security solutions including backups, anti malware and anti ransomware, and disaster recovery solutions.

Find out more by reading our cyber security recommendations for businesses, or get in touch using our contact form and tell us what you need.