It seems like almost every week we see a new post by Matt Southern on a new WordPress site vulnerability or exploit. This is for good reason as WordPress accounts for over 23% of all of the websites on the internet, and that number is steadily growing.
Due to how many websites use the WordPress platform, it's no wonder why hackers try to exploit this web platform constantly as they can potentially have access to a wide chunk of the internet if they succeed.
Don't Think it Can't Happen to You!
Like many WordPress site owners, I fell into the trap of not being more proactive about security on a few of my gently used personal sites. This came back to bite me with a vengeance this last December when I experienced the worst Christmas present any webmaster can receive – a big fat website hack!
The malware hack I experienced was especially nasty as it most likely exploited one of my websites through an older version of the Revolution Slider plugin that came with my theme. What I didn't realize until months later was that this initial hack opened the backdoor to a widespread infection of other WordPress sites I had on my shared hosting solution. A four-month-long nightmare then ensued which even resulted in me having to completely remake one of my websites on a completely new WordPress build and database.
So what's the moral of the story? Unlike me, be more proactive about WordPress security.
Looking back at this whole experience, it's clear that I made some pretty serious mistakes when it came to keeping my websites secure. Many of these mistakes could have been remedied by following some simple guidelines.
In order to help you avoid a potential security breach, here are 10 tips based on the things I have learned to help you keep your WordPress site more secure:
1. Verify Your Site with Webmaster Tools
As scary as it was to get an email from Google letting me know my site had been compromised, thank goodness they notified me! The last thing you want to have happen is to experience a website exploit and not even know about it.
By verifying your site with Webmaster Tools you can have access to important data that can be used to find a potential issue such as traffic, queries, and manual action messages. In fact, Google has an entire section in their Webmaster Tools panel dedicated to security issues to help you pinpoint where your website is experiencing problems.
I personally have found the "Fetch as Google" functionality to be extremely helpful as you have the ability to see a page the way Google sees it. This is especially useful in the case of a pharma hack, which I experienced on one of my sites, in which the spam pages created by the hack are not visible to the normal user and only show up on Google's crawler.
It's also important to have your site verified as working with Google through their Webmaster Tools platform so you can request that your site be removed from the blacklist once a website hack has been resolved.
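To make the pharma-hack check above concrete, here is an added example (not code from the original article) that compares two saved copies of the same page, one as your browser received it and one as returned by "Fetch as Google", and reports links and spam terms that only the crawler copy contains. The keyword list, function names, and sample HTML are constructed assumptions; some infections cloak by crawler IP rather than user agent, so the crawler copy should come from Fetch as Google itself.

```python
import re
from html.parser import HTMLParser

# Assumed keyword list for illustration; extend it with terms from your own spam findings.
SPAM_TERMS = re.compile(r"\b(viagra|cialis|pharmacy|payday loan)\b", re.I)


class _Extract(HTMLParser):
    """Collect text nodes and link targets from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links, self.text = set(), []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.add(href)

    def handle_data(self, data):
        self.text.append(data)


def _parse(html):
    parser = _Extract()
    parser.feed(html)
    parser.close()
    return parser.links, " ".join(parser.text)


def cloaking_report(browser_html, crawler_html):
    """Return links and spam terms that appear only in the crawler's copy."""
    b_links, b_text = _parse(browser_html)
    c_links, c_text = _parse(crawler_html)
    b_terms = {m.lower() for m in SPAM_TERMS.findall(b_text)}
    c_terms = {m.lower() for m in SPAM_TERMS.findall(c_text)}
    return {
        "crawler_only_links": sorted(c_links - b_links),
        "crawler_only_terms": sorted(c_terms - b_terms),
    }


def is_suspicious(report):
    """True when the crawler copy contains anything the browser copy lacks."""
    return bool(report["crawler_only_links"] or report["crawler_only_terms"])


# Constructed sample pages: the crawler copy carries a hidden injected spam link.
BROWSER_COPY = "<html><body><h1>My Blog</h1><a href='/about'>About</a></body></html>"
CRAWLER_COPY = (
    "<html><body><h1>My Blog</h1><a href='/about'>About</a>"
    "<div style='display:none'><a href='http://spam.example/pills'>"
    "Buy cheap Viagra online pharmacy</a></div></body></html>"
)

if __name__ == "__main__":
    print(cloaking_report(BROWSER_COPY, CRAWLER_COPY))
```

A clean report on one page does not clear the whole site; run the comparison on several URLs, including any listed under the security issues section of Webmaster Tools.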
2. Update Update Some More
Within the WordPress ecosystem, there are three components that need constant updating: WordPress itself, plugins, and themes.
WordPress Updates: One of the best things about WordPress is how quick they are to patch security holes and roll out updates. In fact, since WordPress 3.7, automatic security updates have been enabled on most sites. New version builds of WordPress however often need to be updated manually, and it's important that you do so as WordPress constantly improves the platform with each release. If you aren't sure how your updates are handled when WordPress makes a change, learn how to configure them here.
Plugin Updates: WordPress makes it very easy to see which plugins need to be updated by clicking on the "Plugins" tab on the admin dashboard. Some third-party plugins offer the option for auto updating, which I would absolutely recommend doing.
You can also force plugins to auto update by adding the following code to your wp-config.php file:
add_filter( 'auto_update_plugin', '__return_true' );
Theme Updates: Themes are also susceptible to attacks, and a good theme developer will patch up and deploy an updated version whenever a vulnerability is found.
Many themes also have the ability to set up auto updating, but if not, here is an easy way to force automatic updates by changing your wp-config.php file: