Microsoft Windows has the largest worldwide market share of all operating systems. As a result, it’s also the number one target for virus writers. If you want your virus or malware to infect the most computers, you would logically write it for Windows.
Similarly, WordPress has the largest market share among web platforms worldwide. And, like Windows, it’s also the number one targeted platform for hackers. That doesn’t mean you shouldn’t use WordPress. It just means that you need to take precautions to ensure that your site is secure. We’ve helped secure hundreds of WordPress websites and helped fix many hacked sites over the years. Following is a discussion, based on our own experience, of the most important things you can do to keep your site from being hacked. This is not a comprehensive list of everything you could do, but rather a highly selective list of the things we believe will make the most difference in keeping your site secure.
The number one way that we see sites get hacked is via the site’s theme. There are thousands of themes available for WordPress. These themes are typically written by an independent developer with no oversight. Anyone can write and sell themes, and many people do. Since the theme controls the look and feel of a WordPress site, themes are typically purchased based on how they look and whether their style is appropriate to the purpose of the site. Security, performance and reliability are not factors that most people consider when purchasing a theme. Therefore, WordPress site builders and site owners often select themes that may be poorly written but are attractive or relevant to the website’s use.
Theme vendors are of course trying to attract the widest audience so they can make the most sales. As a result, they continue to add new features to their themes to try to make a theme that can be everything to everybody. The result of this is that commercial themes grow in size and complexity, reducing their performance and increasing the likelihood that they contain bugs.
Hackers can buy these themes, just like anyone else, and they can review the source code of the theme in order to find bugs. Once they have found a hole, they can use Google to locate every site in the world that is running on that theme and use the bugs they found to hack into them.
The best way to protect your site against being hacked through its theme is to not use commercial themes. Custom themes, which can be created by experienced WordPress developers, have far fewer scripts, and their code is not sold on the open market. As a result of these two factors alone, they are much more secure and usually faster performing as well. Read more about The Pros and Cons of Commercial WordPress Themes.
If you are going to use a commercial theme, make sure that it is reputable and well supported. You can usually read theme reviews, see the number of times it has been downloaded, and take note of how frequently it appears to be updated. Once you have chosen a reputable theme, make sure that you keep it up to date. Good theme developers will put out regular updates in order to add features as well as fix bugs and security holes.
The theme is the main way we see sites getting hacked not only because so many sites are running poorly built themes, but also because site owners fail to keep the theme up to date.
WordPress Core and Plugins
Keeping WordPress core and plugins up to date is obvious and easy to do. Certainly if you don’t keep the software up to date, you are asking to be hacked. However, even if your site appears to need no updates, that doesn’t mean that your plugins are all up to date.
WordPress only registers updates for plugins that have new versions available. A plugin may have been abandoned by its author and not updated for years. It may even have been removed from the WordPress repository. In other words, your site could be running insecure plugins and you won’t get any alert of this fact.
Therefore, you should regularly review all the plugins running on your site to ensure that they are still available and being regularly updated. This is the notice you may see below on the plugin page at WordPress.org if it hasn’t been updated recently:
It’s generally a good idea to replace plugins like this with other similar plugins that are being maintained.
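The review described above can be automated. The script below is an added example, not code from the original post: run inside WordPress (for instance with WP-CLI as `wp eval-file audit-plugins.php`), it asks the WordPress.org plugin API for each installed plugin's last-update date and flags plugins that are no longer listed or have gone stale. The 730-day threshold and the file name are assumptions.

```php
<?php
// Added example: flag installed plugins that WordPress.org no longer lists
// or has not updated recently, since WordPress itself will not warn you.
// Run inside WordPress, e.g. `wp eval-file audit-plugins.php`.
// The threshold (730 days) is an assumption, not a value from the post.
require_once ABSPATH . 'wp-admin/includes/plugin.php';
require_once ABSPATH . 'wp-admin/includes/plugin-install.php';

const STALE_AFTER_DAYS = 730;

foreach ( get_plugins() as $file => $data ) {
    // get_plugins() keys are "dir/main-file.php"; the directory is the slug.
    $slug = dirname( $file );
    if ( '.' === $slug ) {
        $slug = basename( $file, '.php' ); // single-file plugins
    }

    // Ask the public plugin directory for metadata on this slug.
    $info = plugins_api( 'plugin_information', array( 'slug' => $slug ) );

    if ( is_wp_error( $info ) ) {
        // Not in the directory: removed, never published, or a commercial plugin
        // that WordPress will never report updates for. Review these by hand.
        printf( "MISSING  %-40s %s\n", $data['Name'], $info->get_error_message() );
        continue;
    }

    // last_updated is a string such as "2024-03-12 2:00pm GMT".
    $age_days = (int) ( ( time() - strtotime( $info->last_updated ) ) / DAY_IN_SECONDS );
    $status   = $age_days > STALE_AFTER_DAYS ? 'STALE   ' : 'ok      ';
    printf( "%s %-40s last updated %s (%d days ago)\n",
        $status, $data['Name'], $info->last_updated, $age_days );
}
```

Plugins marked MISSING are not necessarily abandoned (commercial plugins are never in the directory), but they are exactly the ones WordPress will never alert you about.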
There are dozens of WordPress security plugins which attempt to harden your website against insecurities that you may not be aware of. The two most popular are iThemes Security Pro and WordFence. We won’t argue the pros and cons of these two highly rated plugins, but it’s critical that you buy one of them and install it. We prefer iThemes Security Pro because it has several features that you should turn on, which we have found to be highly effective in keeping a site from being hacked. WordFence may or may not have equivalent features to these:
Brute force protection — this keeps hackers from trying to log in thousands of times to your site in an attempt to crack your password.
Disable PHP in Uploads, Plugins & Themes — this is a little-known feature of iThemes Security that disallows PHP from being executed directly from within these folders. Since uploading a malware-infected PHP file and running it is the number one way that hackers compromise a website, this is a great feature.
Password requirements — this forces all users to have complicated passwords.
Disable xmlrpc and the WordPress API — most sites don’t need either of these, and they provide massive back doors to your WordPress website which hackers could potentially exploit.
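To show what these settings do underneath, here is an added example, not code from the post or from iThemes, that implements the brute force lockout, password requirement, XML-RPC switch and REST API restriction as a must-use plugin using stock WordPress hooks. The thresholds (five failures, 15 minutes, 14 characters) are assumptions; the "PHP in Uploads" setting is a web-server rule rather than PHP and is not shown.

```php
<?php
/**
 * Plugin Name: Hardening (added example)
 * Drop into wp-content/mu-plugins/. Illustrates the settings discussed above
 * with plain WordPress hooks; not iThemes Security code. Thresholds are assumptions.
 */

// Brute force protection: lock an address out after 5 failures within 15 minutes.
// Caveat: behind CloudFlare or any other proxy REMOTE_ADDR is the proxy's address,
// so restore the real visitor IP at the web server first or all visitors share one counter.
function hardening_client_key() {
    return 'hardening_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}
add_action( 'wp_login_failed', function () {
    $key = hardening_client_key();
    set_transient( $key, (int) get_transient( $key ) + 1, 15 * MINUTE_IN_SECONDS );
} );
add_filter( 'authenticate', function ( $user ) {
    // Priority 30 runs after WordPress has checked the username/password.
    if ( (int) get_transient( hardening_client_key() ) >= 5 ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins; try again later.' );
    }
    return $user;
}, 30 );

// Password requirements: reject short passwords on profile updates and resets.
function hardening_check_password( WP_Error $errors ) {
    $pass = $_POST['pass1'] ?? '';          // empty when the password is unchanged
    if ( '' !== $pass && strlen( $pass ) < 14 ) {
        $errors->add( 'weak_password', 'Passwords must be at least 14 characters.' );
    }
}
add_action( 'user_profile_update_errors', 'hardening_check_password' );
add_action( 'validate_password_reset', 'hardening_check_password' );

// Disable XML-RPC entirely.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Require a logged-in user for every REST API request. The block editor keeps
// working (its requests carry a logged-in cookie); anonymous integrations will not.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // an earlier check already produced a result
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    return $result;
} );
```

Test the REST restriction against any front-end features you rely on (contact forms, page builders) before leaving it on, since they may call the API anonymously.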
CloudFlare is a free service that every website in the world should be running. There are too many benefits to list here, but in terms of security, CloudFlare is a core part of our security strategy. It provides a web firewall which filters attacks before they ever hit your server. The service is continually updated in order to block new attacks. There are paid levels which provide even more security, but the free version is so useful that there really is no reason to NOT use it.
There are many more things that could be done to help secure your WordPress website. The above list includes only those items that we have found to be most critical in securing sites against being hacked.