There are almost 75 million WordPress sites to date, which makes up more than 25 percent of the entire Internet.
WordPress is flexible, easy-to-use, and with more than 40 thousand plugins in the repository, it is easier than ever to customize it to fit your needs. With its growing appeal, it’s more important than ever for users to take appropriate security measures.
As the president of SiteLock, a website security company, I have seen countless WordPress websites compromised, and it seems like these breaches are becoming more and more prevalent.
In 2005, there were 157 million data breaches in the United States exposing 66.9 million records, according to the 2015 Identity Theft Research Center Breach Stats Report. Fast forward to 2015, and that number had skyrocketed to 781 million breaches exposing more than 169 million records. At SiteLock, we identify more than 50,000 compromised websites and clean more than one million malicious files every month.
Cybersecurity should not be taken lightly. A breach can directly impact the overall health of a company by affecting everything from its bottom line to brand reputation. A 2015 study found that cyber crimes for 252 benchmarked organizations have a mean annualized cost of $7.7 million per year, with a range from $310,000 to $65 million.
As WordPress grows in popularity it will become more of a target for hackers. This article takes a look at four ways to keep your WordPress site safe and secure.
Remove Information That Is Helpful To Attackers
Hackers look for “low-hanging fruit” that is easy to identify and exploit. It is critical to ensure you are not leaking information to a potential attacker. Here are a few quick, easy fixes we recommend to avoid common information disclosures:
- Remove readme.html
- Remove the ‘Proudly powered by WordPress’ footer
- Disable version information from being displayed in the header or RSS feed by placing the below code in functions.php:
    // Return an empty string so WordPress emits no generator (version) tag in the page header or feeds.
    function disable_version_info() {
        return '';
    }
    add_filter('the_generator', 'disable_version_info');
- If you are using Apache, add the following to /etc/apache2/conf.d/security to reduce server information disclosure:
- ServerTokens Prod
- ServerSignature Off
- TraceEnable Off
Again, if you are using Apache, disable directory listings by adding the following option to the server config file: Options -Indexes
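To verify that the fixes above actually took effect on your own site, here is an added self-audit script (example code, not from the article or SiteLock). It probes the paths a default WordPress/Apache install exposes (assumed paths: /, /readme.html, /feed/, /wp-content/uploads/) and reports each leak together with the fix listed above; the inspection logic is separated from the HTTP fetch so it can also be run on a captured response.

```python
# Added example: self-audit for the information leaks listed above (not from the article).
import re, sys, urllib.error, urllib.request

# Probe paths are assumptions about a default WordPress/Apache layout.
PROBES = [("GET", "/"), ("GET", "/readme.html"), ("GET", "/feed/"),
          ("GET", "/wp-content/uploads/"), ("TRACE", "/")]
GENERATOR = re.compile(  # <meta name="generator" content="WordPress 4.x"> or RSS <generator>...?v=4.x
    r'name=["\']generator["\'][^>]*content=["\']([^"\']+)|<generator>([^<]+)</generator>', re.I)
DIRECTORY_INDEX = re.compile(r"<title>\s*Index of /", re.I)
APACHE_SIGNATURE = re.compile(r"<address>.*?Server at", re.I | re.S)  # left by ServerSignature On

def find_disclosures(method, path, status, headers, body):
    """Return the findings for one HTTP response, each paired with the fix from the article."""
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    found = []
    if re.search(r"/\d", server) or "(" in server:      # e.g. "Apache/2.4.41 (Ubuntu)"
        found.append(f"Server header leaks version/OS {server!r}: set ServerTokens Prod")
    if method == "TRACE" and status == 200:
        found.append("TRACE accepted: set TraceEnable Off")
    if APACHE_SIGNATURE.search(body):
        found.append("Apache signature in page body: set ServerSignature Off")
    if method != "GET" or status != 200:
        return found
    if path.endswith("/readme.html") and "wordpress" in body.lower():
        found.append("readme.html is reachable: delete it")
    if DIRECTORY_INDEX.search(body):
        found.append(f"directory listing at {path}: set Options -Indexes")
    m = GENERATOR.search(body)
    if m:
        found.append(f"generator tag {(m.group(1) or m.group(2))!r}: filter the_generator")
    if "proudly powered by wordpress" in body.lower():
        found.append("'Proudly powered by WordPress' footer present: remove it")
    return found

def probe(base_url, method, path):
    """Fetch one probe; HTTP error responses are still returned for inspection."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, dict(r.headers), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")

def audit(base_url):
    """Run every probe against your own site and collect the findings."""
    return [f for m, p in PROBES for f in find_disclosures(m, p, *probe(base_url, m, p))]

if __name__ == "__main__":              # usage: python wp_leak_audit.py https://your-site.example
    for finding in audit(sys.argv[1]):
        print("[!]", finding)
```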
Tighten User Security
We all know how important it is to use strong, unique passwords, but it’s equally important to use a unique WordPress administrator name (instead of admin or wp admin) to prevent user-based attacks. Use two-factor authentication and consider moving wp-login.php to a unique URL, too. And lastly, be sure to regularly review registered users and disable user registration if unnecessary.
Maintain A Clean WordPress Hosting Environment
Complexity is an attacker’s playground. With this in mind, be sure to store backups away from the hosting server and delete unnecessary plugins. Do an inventory once a quarter or so to remove plugins and code you are not using.
And if WordPress itself is compromised, do not keep the hacked files on the server — especially in a publicly accessible directory. This seems obvious, but it is a mistake we see often, especially with website owners who are trying to save “evidence” of the attack.
If you want to save this information, move it offline! And lastly, remove test scripts, like phpinfo(), from the server when finished testing.
Update, Update, Update
Out-of-date plugins and themes are a leading cause of hacked websites. WordPress core enables automatic updates by default; however, you still need to make sure that you are regularly checking for plugin and theme updates.
Conclusion
Hackers will continue to find new ways to exploit sites. Now more than ever, it is imperative that you take the right security measures to protect your WordPress site. Implementing security measures on a regular basis can save you time, money, and even your reputation in the long run.
Stay safe out there.