If you are a website owner currently using WordPress as your CMS, it’s likely that the exceptional security features baked into WordPress played a key role in this decision. After all, the platform is the biggest and most commonly used CMS solution on the internet, and has provided users with secure, open source CMS capabilities for over 15 years.
Despite the plethora of protective elements included with WordPress, it would be very naïve to think that your website is invincible. You may have heard that hiding your WordPress version is among the top WordPress security best practices. In this post, we’ll cover all you need to know about hiding your WordPress version, along with other important security measures that should be taken to secure your website.
Should You Hide Your WordPress Version Number?
When setting up a WordPress site, you should know that the default setting may leave “footprints” of your site. This is primarily for tracking purposes, although the WP team probably doesn’t mind the branding either. While several elements are included, the WordPress version number is the one that causes the most confusion.
There are two major bits of misinformation when it comes to the WordPress security myth of hiding your WordPress version number:
- You can completely hide the version number (you can’t) – Even if there were bots scouring the internet only looking for version numbers, you can’t hide all traces of the version number. Masking the
wp_generatoronly removes the version from one location.
- It hides the vulnerability (it doesn’t) – Your WordPress version number isn’t the vulnerability, and if you don’t update the software, you are potentially leaving known exploits on the site.
Don’t Hide Your WordPress Version Number
There’s nothing to stop you from using an outdated version of WordPress, but keep in mind that keeping your WordPress site updated to the latest version is among the most important WordPress security tips. If you insist on using an older version of WordPress, you are putting your site at risk. Outdated software is the #1 culprit of successful attacks.
Three Reason Why We Removed the ‘Hide WP Version’ Feature from the iThemes Security Plugin
Ultimately, we decided to remove the ‘Hide WP Version’ feature from iThemes Security, our WordPress security plugin, for these reasons:
- It gave people a false sense of security. Hiding the WP version made people feel like they were securing their sites and stopped them from using better methods like two-factor authentication.
- It doesn’t remove the vulnerability. Even if an attacker doesn’t know the WP version you are using, they can still exploit a vulnerability. It is always going to be the best practice to run the latest version of all software.
- Security patches are backported. Most WP security patches are applied to older versions of WordPress.
Why Hiding Your WordPress Version Isn’t Enough For Better WordPress Security
If we haven’t been able to convince and you still think that hiding your version of WordPress can be a starting point to better WordPress security, it definitely shouldn’t be the only action you take. Cyber thieves and attackers use more advanced methods than ever before and continue to develop new ideas.
Therefore, it’s imperative that you stay ahead of the game by implementing a host of other security features. Failure to do so can lead to a host of problems, including but not limited to:
- Attacks to your systems leading you to temporarily shut the website until the issues are fixed.
- Attacks to users that could leave you responsible for financial damages.
- Lost reputation that could impact your future sales for years to come.
- Lost peace of mind meaning you can no longer focus on the job at hand.
- Attacks to employees and other users, which could bring serious ramifications too.
- Lost finances due to the direct exploitations of the hackers.
Essentially, getting your WordPress security is pivotal for your sanity as well as the sake of your finances and visitors.
Better WordPress Security Actions To Take
The only solution is to combine several WordPress-related security actions that can actually secure your website by locking down unauthorized access to your website and its files. A comprehensive approach to website protection will put you in a far stronger position while also putting your fears (and the fears of your clients) to rest.
Here are 10 simple steps to help take WordPress website protection to the next level:
- 1. Use WordPress two-factor authentication to secure your admin logins. Two-factor authentication ensures that bots and hackers can’t access accounts through brute force.
- 2. Choose strong passwords that utilize numbers, letters and special characters. Support this with captcha technology.
- 3. Place a limit on the number of login attempts allowed. This greatly reduces the possibility of brute force attacks. Giving hackers unlimited chances to guess a password naturally increases their chances.
- 4. Don’t run outdated WordPress plugins or themes. In addition, don’t install plugins or themes from untrusted sources.
- 5. Install and activate a WordPress security plugin like iThemes Security that can be used for security purposes and utilize them for the best possible performance.
- 6. Select the right web host for your WordPress hosting to instantly remove another potential threat to the system.
- 7. Change the permissions and settings in the various files and folders to restrict unauthorized access to key data. You can use the iThemes Security plugin to quickly set the appropriate permissions.
- 8. Monitor traffic and block malware, along with other common threats to the site. Have a system that adds WordPress security logs.
- 9. Deny attempts from IP addresses that show suspicious behaviors and look to be from a hacker. Use the iThemes Security blacklist and 404 detection features to do so.
- 10. Use SSL on all of your WordPress sites. SSL certificates range in price but are absolutely necessary to keep information on your website secure.
- Bonus: Have a solid WordPress backup plan. In the case you get hacked, you can always restore a clean version of your website. Use a trusted WordPress backup plugin such as BackupBuddy that offers off-site storage of your backups.
The Final Word: Use Solid WordPress Security Strategies That Actually improve Your Security
Website security is a fundamental need of any website and is something all owners need to address. While using WordPress instantly reduces the danger due to the advanced features, it’s imperative that you take responsibility and make the necessary changes to ensure that the site is protected from hackers and bots. By taking better WordPress security steps to secure your site, you should find that the site security is under control.