Posted on 10/7/2019 in Web Development
By Zack Berridge
As of the time of this writing, WordPress accounts for a full 34.6% of all websites, and 61.4% of websites built using a CMS. Like Windows in the OS world, the unpleasant downside to that popularity is that WordPress has a massive bullseye on its back and is a popular target for malicious actors. The good news is that by following best practices there's nothing stopping your WordPress site from being safe and secure. Below are some areas to address when shoring up your WordPress site's security:
Keep Your Website Up to Date
The absolute simplest and best thing an admin can do to secure their WordPress site is to keep the site up to date. This includes the WordPress core, the theme, and the plugins. This is easily the most important step you can take, and one that should be done as often as possible. As an example, WordPress version 4.7.1 contained multiple security vulnerabilities related to the REST API. Hundreds of thousands of sites were hacked and defaced. However, weeks before those vulnerabilities were exposed, the WordPress team had released 4.7.3, which addressed all of those security deficiencies. Don't be afraid to update your site to the latest point release (5.2.2 → 5.2.3, for example), as these won't affect any core functionality but will address security concerns.
Don’t Forget WordPress Plugins
Plugins are fantastic ways to add functionality to your site, but they are just more software that you will need to keep up to date. The admin interface will let you know if a plugin has a newer version available, and will also link to the release notes for the new version, making staying on top of this a relatively simple task. Better still is to set up a script on your server that uses WP-CLI (the WordPress Command Line Interface). One can fairly easily be set to run once a day and keep both your site's WordPress core and all of its plugins up to date. The notes for a plugin will also state the most recent WP core version it has been tested with. Also make sure to get your plugins from reputable sources. Generally speaking, stick to the plugin market within the CMS. These are vetted by the WordPress team, who will remove insecure or malicious plugins as they are discovered. There are other sources for plugins, but there's no guarantee that they have been vetted.
The theme, if it is an off-the-shelf one, should also be updated as new versions become available. Themes should largely be for presentation, with functionality relegated to the plugins, but there's always some bleed-through. Because of this, keeping the theme up to date is somewhat of a lesser concern, but still something to consider.
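The daily WP-CLI job described above, as an added example that is not part of the original post. It assumes WP-CLI is installed as `wp` on the PATH, is run as the site's file owner (never root), and is given the site's directory as its only argument; the cron line and log path in the comments are placeholders.

```shell
#!/bin/sh
# Daily WordPress update job driven by WP-CLI (added example, not from the post).
# Assumes WP-CLI is installed as `wp` on PATH and that this runs as the site's
# file owner (never root), e.g. from that user's crontab:
#   15 3 * * * /usr/local/bin/wp-daily-update.sh /var/www/example.com >>/var/log/wp-update.log 2>&1
# With DRY_RUN=1 the commands are printed instead of executed.

DRY_RUN="${DRY_RUN:-0}"

# run_wp PATH ARGS...: run one wp command against the site at PATH,
# or print it when DRY_RUN=1.
run_wp() {
    target="$1"; shift
    if [ "$DRY_RUN" = "1" ]; then
        printf 'wp --path=%s %s\n' "$target" "$*"
    else
        wp --path="$target" "$@"
    fi
}

# update_wordpress_site PATH: core first (then its DB schema), then plugins
# and themes. Stops at the first failure and returns non-zero so the cron
# log shows which step broke instead of silently skipping the rest.
update_wordpress_site() {
    site="$1"
    if [ "$DRY_RUN" != "1" ] && [ ! -f "$site/wp-config.php" ]; then
        echo "error: $site does not look like a WordPress install" >&2
        return 1
    fi
    run_wp "$site" core update          || return 1
    run_wp "$site" core update-db       || return 1
    run_wp "$site" plugin update --all  || return 1
    run_wp "$site" theme update --all   || return 1
    # Updating does not remove disabled code: list inactive plugins so they
    # can be deleted rather than left on disk as unpatched attack surface.
    run_wp "$site" plugin list --status=inactive --field=name
}

# Run when invoked with a site path; sourcing the file only defines the functions.
if [ $# -ge 1 ]; then
    update_wordpress_site "$1"
fi
```

Check the log after the first few runs: a plugin update that fails (for example because the files are not writable by the cron user) stops the job, and the non-zero exit is what cron reports.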
More Ways to Lock Down Your Website
The above steps will go a long way towards locking down your WordPress site, but there are some things you'll need to address through your hosting provider. WordPress runs on PHP, and while it has support for older, out-of-date PHP versions, you should move to a newer version if you haven't already. PHP 5.6 is still in use on a great many sites, but it really shouldn't be: its support ended in 2018, and it no longer receives security updates. Bumping the version up to 7.x will also give your site a nice speed boost! Also, make sure that you have SSL (Secure Sockets Layer) enabled on your site. This will secure traffic between the server and your users' browsers. Let's Encrypt offers free SSL certificates, and your hosting provider should have instructions for adding SSL. Beyond making you a harder target, SSL will also improve your SEO and even the site's performance, so don't forget to encrypt your site.
Let's Get Specific
And now onto the more specific issues. By default, WordPress uses '/wp-login' and '/wp-admin' to log into the backend. This uniformity makes those endpoints a nice target. A simple step to securing your site is to obfuscate this page. There are many ways to rename this, or to hide it. Most of this is done in the '.htaccess' file at your site's root, but there are some plugins that will enable you to do this without having to access the server itself. Most of them just modify or create that file, but they remove the need to gain server access.
Another target for DDoS (Distributed Denial of Service) attacks is `xmlrpc.php`. Without going into much detail of exactly what this file is used for, suffice it to say that it is a holdover from a much different time on the web, and its role is greatly diminished. So diminished, in fact, that unless you're logging into your site via an app on your phone rather than just the site's admin panel, you can safely disable this. There are a few different methods to disable this service, including a plugin if you don't have server access, or a simple edit to the `.htaccess` file if you do. Blocking this file from any IP address that you do not explicitly approve will absolutely reduce the number of attacks you'll receive.
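An `.htaccess` fragment that covers the HTTPS, login-page and `xmlrpc.php` points above, added here as an example rather than taken from the post. It restricts the login page to approved addresses instead of renaming it, assumes Apache 2.4 with mod_rewrite, and uses the documentation addresses 203.0.113.10 and 198.51.100.0/24 as placeholders for your own.

```apache
# Place these rules above the "# BEGIN WordPress" block WordPress manages.

# Force HTTPS so credentials and cookies never travel in the clear.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# xmlrpc.php: only the listed address may reach it; everyone else gets 403.
# If nothing (no phone app, no Jetpack-style service) uses XML-RPC at all,
# replace the Require ip line with "Require all denied".
<Files "xmlrpc.php">
    Require ip 203.0.113.10
</Files>

# wp-login.php: the same approach for the admin login, if your admins
# connect from fixed addresses or a VPN range. Placeholder addresses.
<Files "wp-login.php">
    Require ip 203.0.113.10 198.51.100.0/24
</Files>
```

If a CDN or reverse proxy terminates TLS in front of Apache, `%{HTTPS}` will be off and the client IP Apache sees will be the proxy's, so the redirect would loop and the `Require ip` rules would lock out or admit the wrong clients; configure mod_remoteip and check the forwarded protocol header first.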
Despite the potential security issues that WordPress websites can have, there is nothing stopping you from keeping your WordPress site safe and secure. Keeping your website up to date is the simplest, and strongest, step you can take. There are countless tricks and tips to improve your site's security. And I will leave you with this one universal tip: the more you care about your website, the more steps you're willing to take, and the more secure your site will be.
Want to learn more about keeping your WordPress website secure?
Get in touch with one of our in-house experts.