Is your WordPress website secure enough?

I’ve worked in web development for around 20 years, and the level of malware attacks currently happening is like nothing I’ve ever seen before. The number of data breaches has been increasing every year, bot attacks nearly doubled in 2023, and hackers are now using AI to automate more of their phishing attacks. 

I have a client whose website was recently hacked, and getting it cleaned up was a nightmare that took weeks. The cybersecurity consultant who finally found the malicious code said it was one of the craftiest bits of malware he had ever seen. And this wasn’t even on a large website. My client has a memoir coming out later this year, but she is not an influencer or other well-known personality. He said the hackers were likely targeting sites with good SEO, so I guess there’s a pat on the back for me. He also said he would write up a blog post about what he found, so I’ll link that here when available. (We still don’t know how they got in.) 

So how can you keep your website from getting hacked? 

If your site is built on WordPress, you need to take extra precautions to keep your site secure. Malware can take a long time to clean up, and remediation services can start around $400-500. 

If you are using a hosted CMS (content management system) such as Squarespace or Wix, most of the following information doesn’t apply to you, but I would still check with your hosting provider to make sure that any available security measures are in place.

Why are WordPress sites more vulnerable? 

WordPress offers an extensive library of add-ons, called plugins, that can expand the functionality of your website. Pretty much anything you want to do on your website, there’s a plugin for it. WordPress itself and the plugins in its official directory are open-source, and anyone can develop and publish a plugin for use on WordPress.

This is both good and bad: while you have an endless supply of plugins at your disposal, not all of them are safe to use. 

Outdated or insecure plugins pose one of the biggest security risks to WordPress sites. It’s extremely important to keep your plugins up to date, and to use only plugins that are reliably maintained.

How do I know if a WordPress plugin is safe? 

When installing a new plugin, always check the plugin details such as reviews, the developer, and how often the plugin is updated. Is the developer a reputable company? Most developers will have a website where you can learn more about them. Does the plugin have good reviews? Is it used on a lot of sites? If it only has a few reviews, poor reviews, a low number of downloads, or looks like it hasn’t been updated in a long time, it’s best to avoid it. Also make sure the plugin is compatible with the latest version of WordPress (and keep your WordPress updated to the latest version as well). 

Are paid plugins safer than free plugins?  

Maybe, but not necessarily. If a company offers free plugins as well as premium versions, that’s usually a good sign. That means they likely have the revenue and resources to devote to continued development for both versions. I always like to try a free version to make sure something meets my needs, and only upgrade to the premium version if necessary. 

On the other hand, if a plugin is only available as a free version, that might be a red flag, especially if the developer is a single person rather than an actual company. Sometimes a developer will create a plugin just for fun, but then lacks the time or resources to keep it up to date, and eventually it becomes abandoned. 

What else do I need to know about plugins? 

Only install plugins that you need, and make sure to keep your plugins up to date. You can enable auto-updates in WordPress. You can also install a security plugin such as Wordfence, which will alert you if a plugin becomes outdated or has a security vulnerability.

If a plugin crashes or causes a critical error on your website, delete it. This may mean that you need to find something else to replace it with. Delete any plugins that you aren’t using – even if you deactivate a plugin but leave it installed, its files remain on the server and it can still present a security vulnerability.
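One way to turn the plugin advice above into a routine check, as an added example that is not code from this post, Wordfence or Defender: a small script that reads the CSV output of WP-CLI’s `wp plugin list` and flags deactivated plugins, plugins with pending updates, and plugins without auto-updates. It assumes WP-CLI (`wp`) is installed on the server and that the script is run from the site’s root directory; the sample CSV embedded below is constructed for illustration.

```shell
#!/usr/bin/env bash
# Plugin hygiene audit for a WordPress site (added example, not part of the post).
# Assumes WP-CLI is installed; run from the site root with --live to audit the real site.
set -eu

# audit_plugins reads the CSV that
#   wp plugin list --fields=name,status,update,auto_update --format=csv
# prints on stdin and writes one finding per line: "<severity> <plugin> <reason>".
# It exits 1 when any HIGH finding exists, so it can fail a cron job or CI step.
audit_plugins() {
  awk -F',' '
    NR > 1 {
      name = $1; status = $2; update = $3; auto = $4
      if (status == "inactive") {
        printf "HIGH %s deactivated but still installed: delete it\n", name; high++
      }
      if (update == "available") {
        printf "HIGH %s update available: update now\n", name; high++
      } else if (auto != "on" && status != "inactive") {
        printf "LOW %s auto-updates disabled\n", name
      }
    }
    END { exit (high > 0) ? 1 : 0 }'
}

# Constructed sample of what a neglected site might report (not real plugin names).
SAMPLE_PLUGINS='name,status,update,auto_update
wordfence,active,none,on
old-gallery,inactive,available,off
contact-form,active,available,on
seo-helper,active,none,off'

# audit_sample runs the audit over the constructed sample so the script works offline.
audit_sample() {
  printf '%s\n' "$SAMPLE_PLUGINS" | audit_plugins
}

if [ "${1:-}" = "--live" ]; then
  wp plugin list --fields=name,status,update,auto_update --format=csv | audit_plugins
elif [ "${1:-}" = "--sample" ]; then
  audit_sample
fi
```

With the sample data, old-gallery is reported twice (installed but deactivated, and out of date), contact-form once, and seo-helper only as a low-severity note.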

What other security measures should I take? 

For all of my WordPress clients, I am recommending the following: 

  • Install, at a minimum, the free version of Wordfence, which includes a firewall and will run a security scan every 3 days. Wordfence will also send email alerts when a plugin needs to be updated or presents a security vulnerability, or when anyone logs in to your site. You can also block IPs that are attempting to gain access to your site. Wordfence also has a premium version, which is $119 / year.
  • Create a custom login URL. This helps hide your WordPress login page from hackers who may attempt to gain access to your login form, cutting down on automated login attempts against the default address, though it is no substitute for the steps below. You can do this using a plugin called Defender, which also has a free option. Defender has some similar features as Wordfence, but I like to use them both.
  • Enable 2-factor authentication on your login page. You can do this with either Defender or Wordfence; I like Defender’s 2FA because it gives you four options to choose from. I recommend setting up at least two 2FA methods in case one of them fails for any reason. 
  • Enable reCAPTCHA v3 on your login page. This is available through Wordfence. ReCAPTCHA v3 uses a score to determine whether the user is a human or a bot. 
  • Monitor your notifications from Wordfence and take immediate action on anything that is critical. 
  • Make sure you have backups of your website in case you do get infected. Your hosting provider may already offer a backup service, or you can use a plugin called UpdraftPlus to schedule regular backups. 

Do I need malware protection from my hosting provider? 

It’s a good idea to see what additional protections are offered by your hosting provider, but you may not need them. Bluehost, for example, offers a service called Sitelock, which offers plans for both malware protection and removal. My personal experience with Sitelock is that they are not the greatest (they failed to fix my client’s issue after completing 8 scans of her site), and if you have Wordfence, you don’t need both. Wordfence has better reviews, and its firewall is considered more effective. 

Why even use WordPress if plugins make it more vulnerable? 

WordPress is the most popular CMS platform, and powers more than 40% of websites on the internet. In terms of customization and flexibility, it’s unmatched. WordPress gives you full control over your website layout, and plugins allow you to do virtually anything. 

Some people prefer other platforms, such as Wix or Squarespace, which are in some ways simpler and easier to use. I have some clients on these platforms, as well as Shopify, Kajabi, and ShowIt. Most of these platforms make me want to throw things against the wall, because their predefined layouts are so limited and I can’t do what I want. Even something as simple as repositioning a button or changing a font color is sometimes impossible. And since I know what’s possible with WordPress, I hate working within these limitations. 

But the best CMS for you depends on your priorities. If you don’t mind having to work within predefined layouts and don’t want to worry about plugin maintenance, maybe Wix or Squarespace is the way to go. But if you want full control over your site layout, or may have a need for additional functionality or customization, WordPress is the answer. Just know that with these greater capabilities comes an increased need for maintenance and security. 

Karen is a professional writer and a Certified Holistic Nutrition Consultant. She has written on the subjects of nutrition, yoga, and natural living for many leading websites, including Livestrong.com. She is the Director of Content for a Platinum-level HubSpot partner agency specializing in healthcare marketing, and has been named one of the top 50 Inbound Marketing experts on Twitter.