WordPress is a free and very popular CMS; in fact, 60% of open-source websites are built with WordPress. On the other hand, it’s a fact that 78% of the hacked websites in 2016 were running WordPress.
What does this mean, and is WordPress the right choice for your business?
There is nothing wrong with using WordPress: if your website's functional requirements are achievable with WordPress, you can use it. There are a number of reasons why so many WordPress websites get compromised each year, but the good news is that you can secure your WordPress website by addressing the vulnerabilities and adhering to best practices.
According to Sucuri, one of the major reasons behind compromised WordPress sites is a lack of skilled staff. WordPress is simple and easy to deploy; anyone with basic website skills can deploy a WordPress website, but just because anyone can deploy WordPress does not mean they have done it right. Many WordPress developers and administrators are in fact not highly skilled and experienced IT professionals. By using a skilled, security-minded development team you can reduce the number of vulnerabilities in the code. Furthermore, by engaging a skilled, security-focused administrator you can ensure proper deployment of your WordPress website.
In our experience, one of the reasons WordPress websites get compromised is add-on plugins. WordPress is an open-source platform, and thousands of developers publish an endless number of plugins. This provides a huge choice of plugins and a wide range of additional functionality without having to program the features yourself, but it also introduces serious security risks and flaws. Many of these plugins are not developed with security in mind and, like any code, plugins require continuous development and updates to fix vulnerabilities, yet most websites do not update their plugins even when a newer version is available. It is important to update all plugins and to install only reputable plugins with continuous support to reduce exposure.
The WordPress community regularly releases new versions of WordPress to fix known vulnerabilities in the platform. Most website owners and hosting providers do not update WordPress in a timely fashion; as a result, we see many compromised WordPress websites that could have been saved from disaster if they had been updated to the latest code.
Anyone can install WordPress, but this does not mean they do it properly using security best practices. There are a number of things you can do to enhance the security of your WordPress website by implementing the following steps:
Never use the default username and password for any production system. Change the default username for your WordPress installation to anything other than admin, administrator or root.
Use a complex password: a combination of upper case, lower case, numbers and special characters. Make sure your password is at least eight characters long.
Use a plugin to implement Google Captcha on the login page and brute-force protection that limits the number of incorrect login attempts; this will protect your system against password guessing.
It is even better to introduce multi-factor authentication for logging in to your WordPress admin panel. You can use the Google Authenticator plugin to enable multi-factor authentication.
Make sure your WordPress secure directories are not accessible to the public; use the Sucuri plugin to scan file permissions and harden the installation.
Delete installation files and version information from your WordPress installation.
Don’t settle for cheap hosting; spend a few bucks extra and purchase hosting from a provider that offers secure and well-managed hosting services.
Regularly update WordPress and plugins to ensure you have the latest code to mitigate all known vulnerabilities and reduce exposure.
Use a WAF to protect against attacks such as SQL injection, malware injection and cross-site scripting before they reach your server. A WAF can also help you restrict access to the admin control panel and offer automatic failover capacity.
Backups are important. No system is perfect, and one day you may very well need to restore your site; if that happens, you need to make sure you can do it as quickly as possible without losing information. For more information on website backup, you may wish to read…
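The file-permission check and the removal of installation and version files from the steps above can be audited from the shell. This is an added example, not part of the original article: the list of leftover files, the treatment of wp-config.php as the credentials file and the function names are assumptions about a stock WordPress layout.

```shell
#!/bin/sh
# Added example (not from the article). File names are assumed from a stock
# WordPress layout; adjust the list for your install.
# Usage: audit_wp /path/to/wordpress   (exit 0 = clean, 1 = findings, 2 = error)

audit_wp() (
    root=$1
    findings=0
    [ -d "$root" ] || { echo "ERROR: $root is not a directory" >&2; exit 2; }

    # Installer and version-disclosing files that should be deleted after setup.
    for f in readme.html license.txt wp-config-sample.php wp-admin/install.php; do
        if [ -e "$root/$f" ]; then
            echo "LEFTOVER $f"
            findings=$((findings + 1))
        fi
    done

    # wp-config.php holds the database credentials: no access for "other".
    if [ -f "$root/wp-config.php" ] &&
       [ -n "$(find "$root/wp-config.php" \( -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
        echo "LOOSE-PERMS wp-config.php"
        findings=$((findings + 1))
    fi

    # World-writable files or directories anywhere under the document root.
    ww=$(find "$root" \( -type f -o -type d \) -perm -002)
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE /'
        findings=$((findings + $(printf '%s\n' "$ww" | wc -l)))
    fi

    [ "$findings" -eq 0 ]   # subshell status: 0 when clean, 1 when anything was reported
)

# Constructed sample tree (not a real site) for trying the audit offline.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-admin" "$d/wp-content/uploads"
    : > "$d/readme.html"; : > "$d/wp-admin/install.php"; : > "$d/wp-config.php"
    chmod 755 "$d" "$d/wp-admin" "$d/wp-content"
    chmod 644 "$d/readme.html" "$d/wp-admin/install.php" "$d/wp-config.php"
    chmod 777 "$d/wp-content/uploads"
    echo "$d"
}
```

A non-zero exit status makes the function usable as a gate in a deployment script or a scheduled job.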
For a no-obligation WordPress website audit, contact us.