WordPress security mistakes are easy to make. The most common mistakes in your WordPress security can be based on outdated information, common WordPress security myths or just not knowing WordPress security best practices.
While WordPress itself is secure, avoiding WordPress security mistakes requires a little bit of effort from site owners. In this post, we’ll cover the top 10 WordPress security mistakes with tips on how to avoid them.
Let’s dive in. We’ll cover eveyrthing from the quality of your WordPress host to your WordPress admin login to the themes and plugins you use.
1. Choosing Poor Hosting
Not all web hosts are created equal, and choosing one solely on price can end up costing you way more in the long run with WordPress security mistakes.
Most shared hosting environments are secure, but some do not properly separate user accounts. If user accounts aren’t properly separated, a single compromised account could take down every website on that shared server.
Your host should be vigilant about applying the latest security patches and following other important hosting security best practices related to server and file security.
How to Avoid Choosing Poor Hosting
Choose a reputable host for your website with a solid security record.
2. Not Having a WordPress Backup Plan
Backups and security don’t really sound like they are related. But trust us, having a backup of your WordPress website after a ransomware attack can really save your bacon.
A ransomware attack is when a hacker encrypts your website’s files, making them and your website inaccessible. To regain access to your website, you need a key to decrypt the files. For a hefty fee, the hacker will be more than happy to provide the key to you.
Having a backup of your WordPress website allows you to roll back your website to a state before your website being held for ransom. You regain access to your website without having to pay the demanded ransom. #baconsaved
How to Avoid Not Having A Website Backup
Create a schedule to regularly backup your website.
3. Insecure Logins
The WordPress login is the most attacked and potentially most vulnerable part of any WordPress site. By default, there isn’t anything built into WordPress to limit the number of failed login attempts someone can make. Without a limit on the number of failed login attempts an attacker can make, they can keep trying an endless amount of usernames and passwords until they are successful.
Your WordPress login is a lot like the front door of your house. Without a lock on your front door, it would be easy for anyone to walk right into your home, start moving your furniture around, smashing your stuff, and stealing your TV. It only makes sense to add a lock to your front door to make it harder for a would-be thief to break into your home.
How to Avoid an Insecure Login
Use a WordPress security plugin to limit invalid login attmepts.
4. No Protection Against Automated Bot Attacks
A bot is a piece of software that is programmed to perform a specific list of tasks. Developers create a set of instructions that a bot will follow automatically without the developer needing to tell them to get started. Bots will perform repetitive and mundane tasks way faster than we can.
Some of these bots are programmed with nefarious motives like:
Brute Force Bots scour the internet looking for WordPress logins to attack.
Content Scraping Bots are programmed to download the contents of your website without your permission. The bot can duplicate the content to use on the attacker’s website to improve their SEO and steal your site traffic.
Spambots muck up your comments with promises of becoming a millionaire while working from home in the hopes of sending your visitors to malicious websites.
How to Avoid an Automated Bot Attacks
Avoid this WordPress security mistake by using automated bot protection like Google reCAPTCHA on your website.
5. Using Vulnerable Versions of Plugins, Themes or WordPress Core
Vulnerable WordPress plugins or themes are the biggest WordPress security mistake you can make. Keeping software updated is an essential part of any security strategy, and this includes WordPress core and your themes and plugins. Version updates aren’t just for bug fixes and new features. Updates can also include critical security patches. You are leaving your phone, computer, server, router, or website vulnerable to attack without that patch.
Hackers target patched vulnerabilities because they know people don’t update (including plugins and themes on your website). It is an industry-standard to publicly disclose vulnerabilities on the day they are patched. After a vulnerability is publicly disclosed, the vulnerability becomes a “known vulnerability” for outdated and unpatched versions of the software. Software with known vulnerabilities is an easy target for hackers.
Hackers like easy targets. Having outdated software with known vulnerabilities is like handing a hacker the step by step instructions to break into your WordPress website.
Having a vulnerable plugin or theme for which a patch is available but not applied is the number one culprit of hacked WordPress websites.
How to Avoid Using Vulnerable Plugins & Themes
Keep all of your plugins and themes updated to avoid the WordPress security mistake of vulnerable software.
6. Weak User Security
Weak user security is a major WordPress security mistake. Simply put: a single WordPress admin user with a weak password could undermine all of the other website security measures you have put into place. That is why user security is an essential part of any WordPress security strategy.
According to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work. But the most important stat from the report is that “81% of hacking-related breaches leveraged either stolen or weak passwords.”
In a list compiled by Splash Data, the most common password included in all data dumps was 123456. A data dump is a hacked database filled with user passwords dumped somewhere on the internet. Can you imagine how many people on your website are using a weak password if 123456 is the most common password in data dumps?
Hacker’s tools are getting better, and they can bypass passwords faster than ever before. For example, let’s take a look at a chart created by Terahash, a high-performance password-cracking company. Their chart shows the time it takes to crack a password using a hashstack cluster of 448x RTX 2080s.
By default, WordPress uses MD5 to hash user passwords stored in the WP database. So, according to this chart, Terahash could crack an 8 character password … almost instantly. That is not only super impressive but is also really scary.
To make matters worse, even though 91% of people know reusing passwords is poor practice, 59% of people still reuse their passwords everywhere! Many of these people are still using passwords that they know have appeared in a database dump.
Hackers use a form of a brute force attacked called a dictionary attack. A dictionary attack is a method of breaking into a WordPress website with commonly used passwords that have appeared in database dumps. The “Collection #1? Data Breach that was hosted on MEGA hosted included 1,160,253,228 unique combinations of email addresses and passwords. That is billion with a b. That kind of score will really help a dictionary attack narrow the most commonly used WordPress passwords.
How to Avoid Weak User Security
The best way to avoid the WordPress security mistake of weak user security is by creating a strong password policy and using two-factor authentication.
Two-factor authentication is a process of verifying a person’s identity by requiring two separate methods of verification. Google shared on its blog that using two-factor authentication can stop 100% of automated bot attacks.
7. Unencrypted Communications (No SSL)
Not encrypting communications on your website is a serious WordPress security mistake. Anytime we make an online purchase, communication happens between your browser and the online shop. For example, when we enter our credit card number into our browser, our browser will share the number with the online store. After the store receives the payment, it then tells your browser to let you know that your purchase was successful.
One thing to keep in mind about the information shared between our browser and the store’s server is that the information makes several stops in transit. If the communication is unencrypted, a hacker could steal our credit card before it reaches the final destination of the store’s server.
To better understand how encryption works, think about how our purchases get delivered. If you’ve ever tracked the delivery status of an online purchase, you would have seen that your order made several stops before arriving at your home. If the seller didn’t properly package your purchase, it would be easy for people to see what you purchased.
How to Avoid Unencrypted Communication
You will need an SSL certificate to encrypt communication on your website. If your WordPress website is lacking SSL, the first thing you should do is to ask your hosting provider to see if they provide a free SSL certificate and configuration.
Cloudflare offers a free shared SSL certificate for WordPress websites. If you would prefer not to have a shared SSL certificate and you are comfortable with the command line, CertBot is an excellent option. Certbot not only creates a free SSL certificate using Let’s Encrypt for you, but it will also automatically manage the renewal of the certificate for you.
8. Insufficient Security Logging & Monitoring
Insufficient logging on your website is a big enough WordPress security mistake that it landed on the OWASP top 10 of web application security risks. Logging is an essential part of your WordPress security strategy. Monitoring the right behavior will help you identify and stop attacks, detect a breach, and access and repair the damage done to your website after a successful attack.
Insufficient logging and monitoring can lead to a delay in the detection of a security breach. Most breach studies show that the time to detect a breach is over 200 days! That amount of time allows an attacker to breach other systems, modify, steal, or destroy more data.
How to Avoid Insufficient Logging
Add security logging to your website to avoid this WordPress security mistake. You can use some of the developer functions and filters that WordPress provides to create a logging system, but the easiest way to start a security log is to install a WordPress security plugin
9. Unused Plugins and Themes
Having unused or inactive plugins and themes are on your website is a major WordPress security mistake. Every piece of code on your website is a potential entry point for a hacker.
It is common practice for developers to use third-party code–like JS libraries–in their plugins and themes. Unfortunately, if the libraries aren’t properly maintained, they can create vulnerabilities that attackers can leverage to hack your website.
How to Avoid Plugins and Themes
Uninstall and completely delete any unnecessary plugins and themes on your WordPress site to limit the number of access points and executable code on your website.
In addition, avoid using abandoned WordPress plugins. If any plugin installed on your WordPress site has not received an update in six months or longer.
10. Installing Software From Untrusted Sources
Installing software from untrusted sources is one of the fasted ways to create a WordPress security mistake. You should be wary of a “nulled” version of commercial plugins. Oftentimes these free or heavily discounted versions of pro plugins contain malicious code.
It doesn’t matter how you lock down your WordPress site if you are the one installing malware.
How to Avoid Software from Untrusted Sources
You should only install software that you get from WordPress.org, well known commercial repositories, or directly from reputable developers.
If the WordPress plugin or theme it isn’t being distributed on the developer’s website, you will want to do your due diligence before downloading the plugin. Reach out to the developers to see if they are in any way affiliated with the website that is offering their product at a free or discounted price.
Wrapping Up: Top 10 WordPress Security Mistakes Explained
As we can see, there are a lot of potential WordPress security mistakes. Luckily all of the security mistakes are easily avoided with just a little effort from us.
A Simple WordPress Security Checklist
Most WordPress security vulnerabilities can be mitigated by taking a proactive approach to WordPress security. To recap, here’s a simple WordPress security checklist to follow:
- 1. Choose quality hosting.
- 2. Create a backup schedule.
- 3. Limit invalid login attempts
- 4. Add automated bot protection.
- 5. Avoid using vulnerable software.
- 6. Use strong passwords and 2fa.
- 7. Encrypt communication with SSL.
- 8. Add WordPress security logging.
- 9. Remove unused plugins & themes.
- 10. Only install software from trusted sources.
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.