Last November, more than 1 million GoDaddy-managed WordPress customers were part of a breach that could have exposed their email addresses, private SSL keys, and admin passwords. The attacker was apparently able to operate undetected inside their networks for two whole months.
WordPress has a long history of being a very rich and desirable target for exploits. For example, a botnet used compromised WordPress servers to attack others back in 2018. This is because the software is based on running a series of PHP scripts, which is a popular venue for hackers. The sheer number of different components, including plug-ins, themes, and other scripts, make it hard to prevent potential infections or compromises. This site lists numerous other vulnerabilities that have been found, mostly on older versions of WordPress.
On top of this, there’s human error to be taken into consideration. Many WordPress sites are running older versions that could be behind several major releases, which leads to security vulnerabilities being left unpatched. What’s more, some administrators are inexperienced in IT operational security or simply overburdened with other responsibilities and can’t dedicate enough time to implementing the necessary security measures to ensure the safety of a WordPress site.
Let’s explore how you can set up and maintain the security on your website on WordPress.
Tips for keeping your WordPress site secure
First, secure your WordPress username and passwords. Online literature is filled with numerous poor admin password choices that site operators have made. Don’t use the “admin” name on your account because many brute force attacks start with using this name, since it’s so common. Instead, pick some random name to administer your account. Also, use MFA to protect all of your WordPress logins.
Update your WordPress and PHP to the latest versions. For WordPress, this v 5.9.1. PHP has a variety of versions and updates. (My hosting provider takes care of both of these automatically for me, which should be the case for yours as well.)
Reduce the number of installed plug-ins, themes, and other extras. Simply put, these can increase your attack surface.
Enable SSL/HTTPS access to your site to encrypt communications. Make sure your hosting provider supports this as well.
Make regular backups of your site’s content. WordPress has a simple export function that will create an XML file that you should store offline.
Do install a specialized WordPress security plug-in, such as Wordfence. Take time to understand the security features as well as the reports that are produced, and ensure that you act on the information and its implications. A larger list of security plug-ins can be found on WordPress’ website, where you can see if the tool has been tested with the latest version of WordPress, the last time the plug-in was updated, and the number of users who have downloaded the software.
Stay current with the latest WordPress vulnerabilities. It can sometimes be difficult to track these down, but here are a couple of resources. First, both Plugin Vulnerabilities and Wordfence’s blog post frequently inform about exploits and zero-day attacks that their own instrumentation networks have uncovered. What’s more, a recent semi-automated tool developed by researcher Krzysztof Zajac can scan various weak areas for potential issues.
As you can see, there are dozens of tips and resources available that can help you secure your WordPress website. In any case, you shouldn’t operate WordPress without making use of these steps — even if you gradually add in individual security measures one by one.