Recently I’ve attended a few WordPress meetups around Chicago and noticed a pattern with security. Attendees are confident talking about general WordPress best practices, but never about the likelihood of an attack on their own instance. This seems odd, especially when 90% of all compromised content management systems came from WordPress.
Admins talked about daily backups, managing plugins, and running weekly scans. Some even subscribe to the Common Vulnerabilities and Exposures alert list, to get the latest on all tech related security issues.
There’s nothing wrong about doing those things.
But what’s missing is the prevention of basic ways a WordPress instance can get compromised.
First, businesses usually have someone else helping out with their website. As a result, business owners will share their passwords. Web admins, writers, SEO specialists, and interns may all have the same password. A strong password becomes less secure when more people know about it.
Although you may have good security practices, other people who know your password may not. For a hacker, a web admin or agency is a high-value target because they have access to multiple business accounts.
The second situation is protection against automated threats.
A new installation of WordPress has no protection against brute-force attacks. If an attacker does figure out your password, other systems will be compromised too, because many people reuse the same password across systems.
An intruder will use brute-forced credentials to log in to your Gmail, Stripe, PayPal, and MailChimp accounts.
Social engineering and leaky passwords are common ways to get compromised. I see these website security gaps all the time when I help new customers install my product.
Below are 3 WordPress security plugins you can install within 15 minutes that will address my concerns. They’re free and will work on any platform or service (GoDaddy, HostGator, Dreamhost, DigitalOcean, cPanel, Plesk, etc…).
What if you shared your ultra-strong password to your web admin, SEO writer on Fiverr, and your marketing wizard brother-in-law? Now is the time to lock down access.
The most common fix is to change passwords… but then people share them again, creating the same problem. LastPass’ strong passwords don’t protect you against this.
My first piece of simple advice: please create a new account for every user you need to give access to. Everyone should have their own account on WordPress. No exceptions.
Second, every account on WordPress should be using two-factor authentication (2FA). It’s another layer of security that asks for a unique code from your personal phone. So even if I get your password, I can’t log in to your WordPress account unless I have your phone too.
Here are 6 really easy steps to add 2FA:
You can check if users are setting up 2FA or not by going to the Users page. If you have any questions about the setup, drop a comment below the article.
A lot of people don’t know this, but malicious actors are scanning IP addresses all the time. There are 4,294,967,296 IPv4 addresses, but attackers don’t need to waste time on all of them. They only need to know which ranges GoDaddy, AWS, DigitalOcean, and other providers use for their customers.
Hosting companies buy IP addresses in blocks and then distribute them in IP pools for their customers. Attackers can continuously scan these pools as new websites come up. They can tell whether your site is WordPress-based simply by checking whether /wp-admin exists on the site.
By default, WordPress does nothing to stop brute-force login attempts, so your website could be compromised before you gain any traffic.
Luckily, there’s a plugin to defend against brute-force attacks.
This will be way faster than configuring 2FA; there are only a few steps.
There are some default options already in place, but you can fine-tune them in the settings (which are hidden under the submenu for Settings). For more security, I’d also suggest installing Google reCAPTCHA to filter out bot requests.
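As an added example that is not part of the original article, here is a small Python detector run over constructed web server log lines; it flags the /wp-admin probing and the repeated failed logins against /wp-login.php described above, which is essentially what a brute-force protection plugin counts before it blocks an address. The sample lines, paths and thresholds are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample web server log in combined format (not real traffic): one IP
# probes /wp-admin then hammers /wp-login.php, one IP only probes, one user logs in normally.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2023:13:54:50 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.10 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)

def detect(lines, max_failures=5, window_seconds=300):
    """Flag IPs with >= max_failures failed logins inside a sliding window, plus IPs that probed the admin paths."""
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    probes, flagged = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method == "GET" and path.startswith(("/wp-admin", "/wp-login.php")):
            probes.add(ip)  # the "does /wp-admin exist?" check described above
        # WordPress answers a failed login POST with 200 (the form is re-rendered);
        # a successful login redirects with 302, so only the 200s are counted here.
        if method == "POST" and path == "/wp-login.php" and status == 200:
            cutoff = when - timedelta(seconds=window_seconds)
            failures[ip] = [t for t in failures[ip] if t >= cutoff] + [when]
            if len(failures[ip]) >= max_failures:
                flagged.add(ip)
    return {"brute_force": sorted(flagged), "probes": sorted(probes)}
```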
For a while, I was never really a big fan of file scanners. I hate them on my computer (slows down processing) so inherently I hate them on my WordPress instance too. Plus I rarely install new plugins.
Over the years, I’ve shifted this mindset when it comes to WordPress security. I don’t install a lot of plugins but I do keep existing ones up to date. Additionally, sometimes I have other web admins updating my theme file for enhancements and features.
And on a side note, after talking with Mark from MacLean WebWorks, he recommends running this even if you have other scanners too. He’s seen Sucuri miss things that Wordfence caught, and vice versa.
Never assume your WordPress instance is safe without constant security audits or scans.
Plugin developers who push updates can themselves be compromised, and sleeper code could end up in your theme files. In some situations, sites are compromised before admins get around to hardening them.
Always have your instance scanned with the most up-to-date security vulnerability detection. It prevents backdoors, removes malicious files, and gives a little bit of peace of mind.
Don’t underinvest in your website. Upgrade your security and stay up to date as much as you can. Periodically audit your website security and be proactive about common security breaches. For large breaches, subscribe to HaveIBeenPwned.com.
Install these 3 security plugins to be more secure today. Finally, help out anyone else who might run a WordPress website by forwarding this article to them or sharing it on social media. They will thank you for the security advice.
Matt is a Chicago-based entrepreneur with over a decade of experience building highly scalable web-based technology solutions. He is knowledgeable in 12 different programming languages and an experienced startup veteran, having worked on 6 others. He's currently the founder and CEO of ChipBot. You can reach Matt on Twitter, LinkedIn, or StackOverflow.