WordPress is the most commonly used content management system on the web. This immense popularity makes WordPress a common target for hackers. Each day thousands of WordPress sites are hit by malware, trojans, DDoS attacks and other threats. With little effort you can make your WordPress site a lot more secure and much harder to crack.
In this post, we will tell you about the top 10 things that are making your WordPress site vulnerable and how you can fix them.
10 WordPress Site Vulnerabilities & Fixes
Here they are:
1. Not Having Backups
Each year data loss alone causes millions of dollars in damage. Recovering lost data is a multi-million dollar industry. If you do not have a proper backup system in place on your WordPress site, then you are just waiting for a disaster to happen.
To fix this, you need to install and set up a WordPress backup plugin on your website. There are several paid and free plugins that can do the job. We recommend using BackWPup: just set up automated scheduled backups and then forget about it. The plugin will regularly take backups of your website and store them at the location you choose.
2. Using Weak Passwords
The number one reason WordPress sites get hacked is probably weak passwords. Using passwords like admin1234, helloworld or abcdefgh is like inviting hackers to come and exploit your site. Always use strong passwords, not just on your WordPress site but everywhere else too.
A strong password is a combination of letters, numbers, and special characters. There are several online strong password generators which you can use to generate passwords for your site.
Use a password management tool like LastPass or 1Password to manage all your strong passwords. These utilities allow you to enter your passwords without even typing them. These tools can also generate strong passwords for you on the fly.
3. Open Access to WordPress Admin Directory
By default, whenever a user tries to access your WordPress admin directory they are redirected to the WordPress login page. You can add a second layer of protection by blocking access to your WordPress admin directory from cPanel.
Log in to your cPanel dashboard and click on the Password Protect Directories icon under the Security section.
Next, you need to select your wp-admin directory and choose a password.
4. No Limit on Login Attempts
Attackers can simply keep trying to log in to your WordPress site until they guess the password. You can stop this by limiting the number of login attempts a user can make in any given period of time.
Use the Login Lockdown plugin: simply set a time window and the number of attempts a user may make within it. Once a user has reached the limit they will be locked out of the login page.
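The same lockout logic as a small must-use plugin, added here as an example; it is not the Login Lockdown plugin's code. It assumes a constructed limit of 5 failures per 15 minutes, keyed on the client address, and that the site is not behind a reverse proxy (the `lal_` names are placeholders chosen for this example).

```php
<?php
/*
 * Plugin Name: Login Attempt Limiter (constructed example)
 * Save as wp-content/mu-plugins/login-attempt-limiter.php; must-use plugins load automatically.
 */

define( 'LAL_MAX_ATTEMPTS', 5 );     // failed logins allowed within the window
define( 'LAL_WINDOW_SECONDS', 900 ); // 15-minute window, extended by each new failure

// Transient key scoped to the client address. Assumes REMOTE_ADDR is the real
// client; behind a reverse proxy the trusted proxy header must be used instead.
function lal_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_failed_' . md5( $ip );
}

// Count every failed login; the transient expires on its own when the window ends.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = lal_transient_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, LAL_WINDOW_SECONDS );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a correct password cannot override an active lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lal_transient_key() ) >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.', LAL_WINDOW_SECONDS / 60 )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( lal_transient_key() );
} );
```

Because a locked-out attempt still fires wp_login_failed, continued guessing keeps extending the window rather than shortening it.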
5. Not Updating WordPress
Many WordPress users do not update their WordPress site. Most of them fear that updating will be complicated or will make their site inaccessible.
WordPress comes with a built-in updater that can seamlessly update all your WordPress files. If you see any errors after updating to the latest WordPress, contact your hosting provider or ask for help in the WordPress support forums. Most such errors are quite easy to fix.
6. Unreliable Web Host
There are plenty of hosting providers whose web servers are poorly configured and vulnerable to DDoS attacks. Most reliable WordPress hosting providers secure their servers properly, which cuts down the number of hack attempts and DDoS attacks.
If your web host is not taking care of their servers as they should, then you should find a better hosting provider.
7. Open Directory Indexes
Your /wp-content/ directory contains media files, themes, and plugins. Leaving these directories open allows anyone to simply type the address into a browser and see all the plugins and themes you have installed.
You need to disable directory indexing so that no one can list the contents of these directories. Simply add this single line in your .htaccess file.
8. Not Cleaning Unwanted Plugins and Themes
Many users install WordPress plugins and themes and then never use them. These theme and plugin files are PHP scripts, and even when they are not activated they can be used to inject malicious code into your website.
Uninstall and delete all unwanted themes and plugins from your website. Remember you can always reinstall them when needed.
9. Using Plugins and Themes from Untrusted Sources
There are some websites offering free copies of popular paid plugins and themes. These websites sometimes distribute plugin and theme files with malicious code. This code allows them to use your site to spread malware, trojans, and other nasty things throughout the web.
Avoid installing WordPress plugins and themes from illegal sites. It's simply not worth the trouble, and if you really need a plugin or theme then you should pay for it. Also keep in mind that there are usually free alternatives available for most popular paid plugins.
10. Not Monitoring Your Site
There is no way to make your site absolutely hack-proof. Even the most popular and secure websites may get hacked. Apply all the precautions you can and then monitor your website so that you can restore it if something bad happens.
There are several online services that can monitor your site for you. For example, pingdom.com can ping your site at regular intervals and let you know if your site is down.
You can also use Sucuri, which is a web security firm. Simply sign up for a subscription plan and install their plugin. Sucuri can block and clean most common hacks, trojans, and malware. It is very easy to set up and does not require any special skills to use.
WordPress is secure and with these best practices you can make sure that your site is well protected.