Welcome to the Most Popular CMS on Earth
WordPress is one of the single biggest targets for cyberattacks. That’s because WordPress is the most popular content management system (CMS) in the world by far: it powers 43.1% of all websites and boasts a CMS market share of 63.6% according to W3Techs. For comparison, second place is Shopify, which powers 3.8% of websites and has a CMS market share of 5.6%.
Its free ecommerce platform, WooCommerce, is also a big player in its own right—being the most popular open-source, ecommerce solution in the world.
That raises an obvious question: What should you do when it comes to securing WordPress on your site and preventing or fixing WordPress vulnerabilities? From our own cybersecurity best practices at Coalition Technologies, here are our top 6 tips for solving WordPress security issues.
Why Choose WordPress?
WordPress is extremely flexible and powerful, and since it is open source it is also very cost-effective and popular. With WordPress being the largest platform on the web, there are a lot of cybersecurity experts who are available to help with the security of a WordPress website for a fraction of the cost of what it may be for a custom platform.
1. Protect Your Login Credentials
The most powerful step you can take in solving WordPress security issues is not to have those issues in the first place—and protecting your login credentials can cut data breaches by more than half.
According to Verizon in its 2021 Data Breach Investigations Report, 61% of data breaches involved the use of login credentials in some way. This most commonly happens because of:
- Password theft
- Brute force attacks
- Internal misuse of credentials
Guard Against Password Theft
Hackers like to go for the low-hanging fruit, and fixing WordPress vulnerabilities begins with trimming away all that low-hanging fruit before the hackers can reach it.
- Update all passwords regularly. 90 days (once per quarter) is a good default.
- Use unique passwords, and never reuse them. PurpleSec says 25% of employees use the same password for everything, which should trouble anyone.
- Store passwords properly. WordPress handles everything securely on its end, but if your employees are writing down their passwords on sticky notes or Google Docs, they can leak.
- Consider making passwords expire. This forces people to update their passwords, but can also lead some employees to get sloppy about storing their passwords. Solving WordPress security issues over the long term means mitigating this vulnerability with your password policies.
Strengthen Against Brute Force Attacks
Hackers can also use brute force attacks to steal credentials. This means guessing passwords at random, millions of times over, until finding a permutation that works.
- Limit the number of permitted login attempts. A good WordPress security plugin will manage this for you while also fixing WordPress vulnerabilities as they are discovered.
- Use unique passwords. As before, solving WordPress security issues means using unique passwords, and only using them once.
- Use robust passwords. Passwords should be at least 8 characters long, and ideally, they will involve numbers, letters, and special characters. Here are some tips. You can also use memorable passwords, which helps reduce memory issues. The UK government’s National Cyber Security Centre endorses the three random words idea—though four or five words is even better.
- Block specific countries or IPs that are generating a lot of failed login attempts. In particular, block these sources from accessing sensitive accounts with access to admin panels using firewalls.
Utilize Best-Practice Password Protection Policies
At Coalition Technologies we work tirelessly to keep our client credentials secure. Over the years we have built a proud track record of best-practice password protection policies. Similarly, solving WordPress security issues requires having good password protection policies of your own. Here are some guidelines for fixing WordPress vulnerabilities at the human resources level:
- Limit login access to an as-needed basis. Only give employees the minimum level of permissions they need, and only give them access to the tabs and systems they need. Limit “admin” accounts with universal access to the minimum possible number of people.
- Deploy effective employee training. Sometimes the misuse of passwords by disgruntled employees is malicious (in which case you can limit the damage by limiting access as mentioned above). But more often this misuse is unintentional, and solving WordPress security issues with password leaks can be prevented with good training. Make sure your onboarding process includes a module on password security, and consider deploying periodic refresher modules every 12 – 24 months.
2. Install a Good WordPress Security Plugin and Follow Best Practices
The core of WordPress is very secure, with world-class cybersecurity talent working to keep millions of websites safe. But WordPress also allows the use of plugins. These plugins expand WordPress functionality massively, but also introduce new potential security vulnerabilities.
However, there is a whole industry built around securing WordPress plugins, and these products are themselves WordPress plugins. Known as “security plugins,” these are must-have utilities for solving WordPress security issues and fixing WordPress vulnerabilities in real time. Your first stop after installing or updating the WordPress core software should be to pick out a good WordPress security plugin and configure it properly.
Our Security Plugin Recommendations
There are many good WordPress security plugins out there. Our clients rely on the WordPress architecture for millions of dollars of revenue. Website security is absolutely critical.
When we partner with our clients to offer our extensive WordPress web design services, we particularly recommend these two plugins for solving WordPress security issues:
- Wordfence® Security – Firewall, Malware Scan, and Login Security
- Defender Security – Malware Scanner, Login Security & Firewall
We routinely use these security plugins for our clients when managing their WordPress sites.
Ensure Proper Security Plugin Setup
The keyword research experts at Semrush recommend these critical steps for preemptively solving WordPress security issues:
- Limit the number of permitted login attempts. We already covered this one, but it bears repeating as an excellent way of preemptively fixing WordPress vulnerabilities.
- Hide your login page from public view. Visitors to your site should not be able to reach your login page through site navigation or by guessing the URL. The login page URL should be obscure and unlinked by other pages.
- Remove backend, admin, and shopping cart pages from search engine indexing. These pages are obviously much more vulnerable to hacking, so in this case solving WordPress security issues means keeping these pages out of search results.
- Back up your website on a regular basis. You can do this either manually or automatically, but do it regularly. Anything that’s not backed up should be considered lost—because that’s what it will come down to in something like a ransomware attack. The backups should be housed on a different server, and use different access credentials. When feasible, it is also smart to keep local “cold” backups. This is especially important for smaller businesses.
3. Audit Themes & Plugins Carefully Before Installing
When it comes to other WordPress Plugins (besides security plugins) and WordPress Themes, it’s critical to understand that you are dealing with a very wide range of products and quality. Any good strategy for fixing WordPress vulnerabilities means doing a lot of due diligence in auditing these applications.
Many plugins and themes are rock-solid and offer essential functionality and layout options that your website needs to flourish. Other plugins and themes are poorly designed and vulnerable to security exploits by hackers. And a few are outright malware.
WordPress is vigilant at solving WordPress security issues with plugins and themes by blocking out malware and spam, but sometimes a few of these bad eggs get through. Here are some best practices for auditing plugins and themes that interest you:
- A high download number is usually safer. Malware gets caught early on, and bad themes and plugins never get popular, so only the stuff that works is likely to rack up a high download count.
- Large numbers of positive user reviews are a reliable gauge. If lots of people have given a plugin or a theme a perfect or near-perfect star rating, that’s a good sign. But make sure you read a few of the middling and negative reviews too, to see what kinds of complaints people have.
- Search the web for businesses and news organizations talking about their experience using these plugins. When it comes to solving WordPress security issues and fixing WordPress vulnerabilities for your business, user reviews may not have the depth or credibility you’re looking for. So go online and look for names that you trust. See what they’re saying about these applications.
Where Should You Get Plugins?
When in doubt, choose WordPress plugins from reputable sources:
- The official WordPress plugins repository is your best bet, and if you only get plugins from one source, get them here.
- Reputable third-party marketplaces for plugins, e.g., CodeCanyon, are another good source for plugins. Reputable marketplaces put a lot of emphasis on solving WordPress security issues because their reputation depends on it.
- WP plugin developer sites such as WPMU DEV are another high-quality source for plugins. These communities of career WordPress plugin developers congregate to increase the visibility and trustworthiness of their products.
Good plugins have good development teams, and vulnerabilities in these plugins are usually quickly patched by the independent developers or agencies who built them. And when they’re not, there are usually many different alternative plugins that offer the same functionality securely.
4. Update Everything & Re-Audit
Letting your software fall behind is easy because of the time it takes to update (and the time it takes to fix things broken by updates), but this is terrible because many of those updates contain patches for fixing WordPress vulnerabilities or vulnerabilities in WordPress plugins or themes. That’s why organizations like Search Engine Journal recommend that you keep your plugins and themes up to date.
There’s no sugarcoating it: This is one of our most time-consuming tips for solving WordPress security issues. But you have to put in the time, because otherwise, you are opening the door for cyberattackers.
This includes the core WordPress software, the PHP version it’s running, and all themes and plugins. It ALL needs to be updated when new updates become available—and, when you update it, all affected plugins and functions need to be audited again to ensure that everything is working properly.
Allocate Ongoing Manpower
Keeping up with your WordPress core updates and plugin updates has to be part of somebody’s job description. If solving WordPress security issues through preventative updating is not on somebody’s radar, this is the kind of thing that tends to be forgotten.
Updating software and fixing WordPress vulnerabilities doesn’t generate sales directly but acts to prevent potentially catastrophic costs, and should be budgeted for accordingly. Make sure to set your company up for success by ensuring that your sysadmin or IT team has the bandwidth to stay on top of updates.
At Coalition Technologies, we stay on top of updates as part of our strategy of success for setting clients up for sustainable long-term growth.
Be Careful About Updates
One thing to know about solving WordPress security issues through diligently installing updates as they are released: WordPress reviews all plugins that are submitted to its official repository, in order to filter out spam, detect common serious bugs, and ensure that the plugins comply with WordPress guidelines.
However, once a plugin is approved and listed, WordPress does not have the ability to audit all of these third-party plugins again each time a plugin is updated. A plugin’s codebase can and often does change significantly after that initial review, and WordPress would not know.
This usually happens for legitimate reasons—e.g., UX upgrades, fixing WordPress vulnerabilities and bugs, and adding new features. But hackers can game the system by putting up an initial version of their plugin that passes muster, and then adding malware with subsequent updates. It can also happen when an existing plugin is abandoned or sold, and a malicious third party takes it over and adds malware. It means that some of the work of solving WordPress security issues falls to you.
Always review the update notes when a plugin is updated, and don’t rush to be an early adopter without outside verification: See what others are saying first.
Make Use of Vulnerability Lookup Services
You can also make use of services such as the WPScan Vulnerability Database, which can help you in solving WordPress security issues by giving you early notice of newly discovered security risks.
If you partner with Coalition Technologies to manage your WordPress site, we do all of our own WordPress theme and plugin vetting, and take responsibility for fixing WordPress vulnerabilities to which your site is exposed—giving you peace of mind and offloading a time-consuming task.
5. Identify Phishing Attacks
A major source of cybersecurity vulnerability is phishing, and while this is an Internet-wide phenomenon it should still be discussed within the context of WP use cases and solving WordPress security issues. Phishers often spoof WordPress itself or spoof customer e-mails. The cybersecurity firm Varonis has a good primer on how phishing works.
Anything with hyperlinks that you don’t control could be a phishing attack—websites, digital documents, etc.—but especially e-mail.
Beware of Incoming E-mail
Nearly all phishing attacks begin in e-mail. (It’s roughly 90% according to CyberTalk.org.) That means businesses need to teach employees e-mail self-defense best practices. This isn’t so much about fixing WordPress vulnerabilities as it is preventing your team’s behavior from becoming a vector for cybersecurity attacks.
Ensure that you have proper DMARC and SPF records set up for your DNS, which will prevent people from utilizing your domain in e-mails because they’ll either end up in junk or they’ll never be sent, depending on the DMARC policy set.
Guard Against Fake Links
Phishers use fake links, which are sometimes disguised to look like common sites such as Google. One method for solving WordPress security issues by securing against phishing is to change the security headers of your site’s X-Frame-Options which will not allow your website to be used in an iframe by external websites.
Use Real URLs
Lastly, don’t use link shorteners, which do not reveal to the user the ultimate destination website.
6. Secure Your Network
Another important tip for solving WordPress security issues is to secure your network. In this pandemic era of increased telecommuting and global workplaces, companies routinely transmit critical information across the Internet, creating many opportunities for security vulnerabilities.
WordPress is a very flexible platform, meaning you can patch commonly exploitable methods with simple code snippets found online, like disabling the XMLRPC and requiring authentication to access WP-JSON. Fixing WordPress vulnerabilities is often as simple as installing and utilizing the proper plugins.
In addition, multi-factor authentication options are available with the use of WordPress plugins.
Practice Solid Readiness & Prevention
Web Application Firewalls such as Cloudflare and many others have specifically designed their WAF to protect WordPress applications from different common attack types and patterns. Many hosting providers offer a daily backup service free of charge, such as WP Engine.
Partner with Coalition Technologies for WordPress Design & Development
At Coalition we offer full WordPress design and development services, either standalone or in conjunction with our award-winning SEO and digital marketing services. Everything we have discussed today about solving WordPress security issues and fixing WordPress vulnerabilities is included in our services when you partner with us.
See our WordPress Services FAQ. We’d love to work with you! Contact us to discuss your website’s needs.