Secure your Word Press Website

Word Press is a free and very popular CMS system, in fact, 60 % of the open source websites are built using Word Press. On the other hand, it’s a fact that 78% of the hacked websites were running on Word Press in 2016.

What does this mean and is Word Press the right choice for your Business? 

There is nothing wrong in using Word Press, if your website functional requirements are achievable using Word Press then you can use Word Press. There is a number of reasons why so many Word Press websites get compromised each year, but the good news is you can secure your Word Press website by addressing the vulnerabilities and adhering to best practices.

Hiring the Security Focus Development Team

According to Sucuri, one of the major reason behind compromised Word Press site is lack of skilled staff. Word Press is simple and easy to deploy, anyone with the basic website skills can deploy Word Press website, but just because anyone can deploy a Word Press does not mean they done it right. Many of the Word Press developers and administrators are in fact not highly skilled and experienced IT professionals. Using skilled development team with security mind you can reduce the number of vulnerabilities in programming. Furthermore, by engaging the security focus skilled administrator you can ensure proper deployment of your Word Press website.


In our experience, one of the reasons, why Word Press websites get compromised, is the add-on plugins. WordPress is an open source platform and thousands of developers publish the endless amount of plugins. This provides a huge choice of plugins and a wide range of additional functionality without programming the features but it also introduces serious security risks and flaws. Many of these plugins are not developed with security in mind, and like any programming code plugins require continues development and updates to fix vulnerabilities but most of the websites do not update these plugins even if the newer version is available. It is important to update all of the plugins and install only reputable plugins with continues support option to reduce the exposure.

Updating Word Press

Word Press community regularly release the latest version of Word Press to fix the known vulnerabilities in the platform. Most of the website owners and hosting providers do not update the Word Press in a timely fashion, as a result of this we see many of the compromised Word Press websites that could have been saved from the disaster if they were updated to the latest code.

Securing your Word Press Site

Anyone can install Word Press, but this does not mean they do it properly using best security practices. There are a number of things you can do to enhance the security of your Word Press website by implementing the following steps:

  1. Changing the admin username

Never use the default username and password for any production system change the default username for your Word Press to anything other than admin, administrator and root.

  1. Ensure the password is complex

Use complex password a combination of upper case, lower case, number and special characters. Make sure your password is at least eight characters long.

  1. Use Captcha & Brute Force Protection

Use plugin to implement Google Captcha on login page and Brute Force protection by limiting the number of incorrect login attempts, this will protect your system from against password guessing.

  1. Two Factor Authentication

It will be even better if you introduce multi-factor authentication to log in to your Word Press admin panel. You can use Google Authenticator plugin to enable multi-factor authentication.

  1. Ensure the file permission are set properly

Make sure your Word Press secure directories are not accessible by the public, use Sucuri Plugin to scan file permission and hardened the installation.

  1. Delete the version information

Delete Installation files and version information from your Word Press installation.

  1. Choose Secure Hosting Environment

Don’t settle for cheap hosting, spend few bugs extra and purchase a hosting from a provider that offer secure and well managed hosting services.

  1. Updates

Regularly update Word Press and Plugins to ensure you have the latest code to mitigate all known vulnerabilities and reduce the exposure.

  1. Web Application Firewall (WAF)

Use WAF to protect against attacks such as SQL injection, malware injection, cross-site scripting before you they reach your server. WAF can also help you restrict access to admin control panel and offer automatic fail over capacity.

  1. Backup

Backups are important, no system is perfect and one day you may very well need to restore your site if that happens you need to make sure you can do it quickly as possible without losing information. For more information of Website Backup, you may wish to read…

For a no obligation Word Press Website Audit contact us.

Why do you need to Backup your Website?

Ever wonder what will happen if your website is hacked or deleted, sure you may have a backup copy on your computer from the very first day when your site built; but is it the same website? If you are running a blog, online store or a business website your website will have additional content and information added regularly, you need to make sure that you can restore your website in case of disaster without losing information.

How long will it take you to reconfigure an offline copy? and is it acceptable for your business? Losing online presence means losing customers and potential revenue. Most business owners have this assumption that the hosting provider will back up my website on a regular basis, in most cases, it’s not true. Most hosting providers especially on shared hosting platform only keep less than one week worth of backup, and usually the only backup once a day, some cheaper hosting provider doesn’t back up at all to keep their cost low.

What does this mean for your business?

There are three important aspects of backups:

  • Recover Point Objective (RPO)
  • Recovery Time Objective (RTO)
  • Backup Retention

For fast and competitive online world, you want to make sure the backup intervals are not more than few hours apart, and for the RTO the time should be in minutes not hours.

Recover Point Objective (RPO)

f your hosting provider backup the data once a day, it means you have 24 hours gap between each RPO, if the backup runs 1 am each night and your website is compromised at 10 pm then all the customer’s enquiries, online orders since 1 am onward are lost. It may be OK for a website with no traffic or activity but if you are selling online and engaging customers you may want to reduce this to a couple of hours.

Recovery Time Objective (RTO)

Let’s look at the RTO, if your website is compromised 10 am and it takes your hosting provider to restore the site hours, you are losing money and customers. Not to mention the representational damage, who would want to buy from a website that gets hacked. In the fast competitive world, your backup system should be able to restore within minutes not hours.

Backup History (Retention)

Backup retention, I came across a number of businesses who were not able to restore the recent version of their website. Let’s say your website was compromised on Thursday and you only notice a week later, as I said before most shared hosting provider doesn’t offer more than 3 days of backup history. The limitation of backup systems is that it can not detect a good copy of the website from the bad, which mean if the backup systems only keep three copies on the fourth day all your backup copies will contain the compromised versions of the website, resulting in complete loss of website and its data. We strongly advise you to keep at least 30 days of backup history.

How much a Website Backup Cost?

There are decent hosting providers offering a reasonable hosting with a proper backup system for less than hundred dollars a year, depending on your hosting requirement you may have to pay bit more. But it surely worth investing such a small amount to ensure your website is available and recoverable in a timely manner instead of saving few dollars.

For no obligation website continuity & disaster recovery plan contact us.

© Copyrights are reserved to Solutionica, 2024

Website designed and developed by: Solutionica