Why you shouldn’t worry about WordPress Security

By Rosie Brent 28 Feb 2020 12:57pm

Follow These Steps to Better WordPress Security

Securing a WordPress website is sometimes called ‘hardening’ and it’s a topic that often comes up as a concern. Fortunately, WordPress as a software solution is relatively secure and is constantly updated to keep one step ahead of those with malicious intent.

Because of this, hackers try to use alternative methods to access your website, most of which are very easy to protect yourself against.


Keep Your Site Up to Date

As we stated above, the WordPress project spends a lot of time and energy ensuring that its software is as safe and secure as possible. Theme and plug-in authors do the same. As a result, keeping your site up to date on a regular basis is a simple way to keep hackers out and your website running smoothly. At MGC Agency we can train you to maintain your site or provide you with a maintenance package which includes ensuring your updates are done on a regular basis and your site is always functioning properly.

If you choose to do this yourself, make sure at the very least any update that is marked “This is a critical security release” is installed. This notice is attached to any update which is designed to resolve an identified risk and not doing so means your site is at risk of attack.


Usernames and Passwords

The most common Administrator username is admin. One of the most common forms of attack is what is called a “brute force” attack. Much as it sounds, in this form of attack a hacker just keeps trying to get into the backend of your website, in this case by trying to log in as admin with any password they can think of. Bear in mind these attacks are done by computers infected with viruses (sometimes collections of computers in what is called a ‘botnet’), and they can try thousands of combinations in a day. Best practice is to follow this procedure:

  1. If there is a user called ‘admin’ lock it and don’t use it
  2. Create administrative users with unique names (ideally nonsense but at least names rather than site operation descriptions – editor isn’t a great replacement for admin for example!)
  3. Use strong passwords. WordPress itself has a strong password generator in the Admin Dashboard. Go to Users > Your Profile to update yours

Disable Trackbacks and Pingbacks

Trackbacks and pingbacks often lead to what is called ‘comment spam’ (pointless comments on blog posts made by bots). They are also a gateway to DDoS (Distributed Denial of Service) attacks, which aim to drag your website down by overloading your server (if you share your hosting with other sites this can have a knock-on effect on all sites on that server and lead to issues with your hosting provider), and to brute force attacks.

This setting can be changed in your admin dashboard through Settings > Discussion.
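The two sections above (locking the admin user and throttling brute-force logins, and switching pingbacks off) can also be enforced in code rather than relying on each user's settings. The following must-use plugin is an added illustration, not MGC Agency's code or part of WordPress itself; the thresholds (five failures, fifteen-minute lockout) and the `example_` function names are assumptions chosen for the example. It uses only standard WordPress hooks: `authenticate`, `wp_login_failed`, `wp_login`, `xmlrpc_methods` and `wp_headers`.

```php
<?php
/**
 * Plugin Name: Login and pingback hardening (added illustration)
 * Place this file in wp-content/mu-plugins/ so it loads on every request.
 * Thresholds and function names below are assumptions for the example.
 */

// Constructed policy: at most 5 failed logins per client address per 15 minutes.
const EXAMPLE_MAX_FAILED_LOGINS = 5;
const EXAMPLE_LOCKOUT_SECONDS   = 15 * MINUTE_IN_SECONDS;

/** Transient key holding the failed-login counter for one client address. */
function example_failed_login_key(): string {
    // Behind a proxy or load balancer REMOTE_ADDR is the proxy's address;
    // use the trusted forwarding header your host provides instead.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'example_failed_logins_' . md5($ip);
}

/**
 * Refuse the username "admin" outright, and refuse further attempts once the
 * failure counter for this client address is exhausted. Priority 30 runs after
 * WordPress's own authenticate callbacks, so it applies to every login path.
 */
function example_throttle_authenticate($user, $username, $password) {
    if (empty($username)) {
        return $user; // the login form is loaded with empty credentials; nothing to check
    }
    if (strtolower((string) $username) === 'admin') {
        return new WP_Error('example_admin_disabled',
            __('This username cannot be used to log in.'));
    }
    $failures = (int) get_transient(example_failed_login_key());
    if ($failures >= EXAMPLE_MAX_FAILED_LOGINS) {
        return new WP_Error('example_too_many_attempts',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}
add_filter('authenticate', 'example_throttle_authenticate', 30, 3);

/** Count a failed login against the client address; the transient expiry is the lockout window. */
function example_record_failed_login($username): void {
    $key      = example_failed_login_key();
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, EXAMPLE_LOCKOUT_SECONDS);
    // A burst of these lines in the PHP error log is the brute-force signature to alert on.
    error_log(sprintf('wp-login failure #%d for user "%s" from %s',
        $failures, (string) $username, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}
add_action('wp_login_failed', 'example_record_failed_login');

/** Reset the counter on a successful login so a legitimate user who mistyped once is not locked out. */
function example_clear_failed_logins($user_login, $user): void {
    delete_transient(example_failed_login_key());
}
add_action('wp_login', 'example_clear_failed_logins', 10, 2);

/** Remove the XML-RPC pingback methods, the entry point used for pingback-based DDoS. */
function example_disable_pingback_methods(array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
}
add_filter('xmlrpc_methods', 'example_disable_pingback_methods');

/** Stop advertising the pingback endpoint in the X-Pingback response header. */
function example_remove_pingback_header(array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
}
add_filter('wp_headers', 'example_remove_pingback_header');
```

The counter lives in a transient, so on a site with an object cache it is shared across all PHP workers; without one it is stored in the options table, which is fine at these volumes. The `error_log` line is what gives you detection: a spike of failures from one address, or for one username from many addresses, is the pattern described above and is worth feeding into whatever monitoring your host provides.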

Hide PHP Errors and Prevent PHP Execution

This tip is something best handled by a developer or those with some technical expertise. In all cases, back up your website before making any changes to any code so that if necessary, it can be rolled back to the last functioning version.

In your site’s wp-config.php set the WP_DEBUG flag to false on all live sites. You should never need to output a PHP error message to a website user on a live site (this flag can be useful during development, but it is important that it is set correctly upon website launch).

MGC Agency can support you with PHP development in general, and PHP for WordPress specifically as our team have years of expertise in this area. We can turn around high priority requests in short timescales and provide advice on practice for maintenance or ongoing support whatever your needs.

Change the Default Database Table Prefix

Again, this is a highly technical change and, done incorrectly, can destroy the functionality of your website. For support in updating your WordPress website to use a unique database table prefix please contact us at MGC Agency and a SQL expert will be assigned to perform this task. Alternatively, if you wish to do this yourself there are plugins available, and we would strongly recommend taking backups of your site prior to making any changes in case of difficulties.

The reason this is recommended is that by default WordPress prefixes all database tables with wp_, so hackers trying to force their way into your database know exactly what the tables are called. Naming the prefix something they would never expect makes it much harder for them to find their way in.
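Both wp-config.php changes described above (hiding PHP errors and setting a non-default table prefix) sit in the same few lines of the file. The excerpt below is an added example and not a file from the original post or from WordPress itself; the database credentials and the `k7qz_` prefix are constructed placeholders. Each setting shows the weak default in a comment beside the hardened value.

```php
<?php
// Excerpt of a live-site wp-config.php (added example; values are placeholders).
// Take a full backup before editing this file: a syntax error here takes the site down.

// Database settings as supplied by your host. Placeholders only.
define( 'DB_NAME',     'example_db' );
define( 'DB_USER',     'example_user' );
define( 'DB_PASSWORD', 'REPLACE_WITH_A_STRONG_GENERATED_PASSWORD' );
define( 'DB_HOST',     'localhost' );

// Default: $table_prefix = 'wp_';
// Set a site-specific prefix BEFORE the first install. On an existing site the
// tables (and the prefixed rows in wp_options and wp_usermeta) must be renamed
// to match, otherwise WordPress cannot find its data and the site breaks.
// Only letters, digits and underscores are allowed. Note this hides the table
// names from guesswork; it is not a substitute for the database user having a
// strong password and access only from the web server.
$table_prefix = 'k7qz_'; // constructed example; choose your own

// Development setting: define( 'WP_DEBUG', true ); prints notices and errors
// (including file paths and SQL) straight into the page. Never on a live site.
define( 'WP_DEBUG', false );          // master switch off in production
define( 'WP_DEBUG_DISPLAY', false );  // never render errors into the HTML even if debugging is on
// If you need error details for a live incident, keep WP_DEBUG false here and
// ask your host for the server's PHP error log instead. When WP_DEBUG is true
// during development, pair it with a log path outside the web root:
// define( 'WP_DEBUG_LOG', '/var/log/wp/debug.log' );
@ini_set( 'display_errors', '0' );    // also silence errors raised before WordPress loads

/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

After saving, load the site once and then request a page that is known to raise a PHP notice (a disabled plugin's settings page is a common one); the response should contain no error text at all. If it does, the hosting control panel's own `display_errors` setting is overriding the file and needs switching off there too.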

Prevent Directory Browsing

If you’ve ever stumbled onto a website that looked like a list of directories you’ve seen this in action. The reason for preventing this is that by browsing these directories anyone can get into the data on your website pretty easily as it allows you to see the wp-config.php file (which contains details of database names, passwords and other highly important configuration data). WordPress is designed to prevent this automatically, but you can also specifically disable directory browsing (even to the point of locking out the most critical files on your website, such as .htaccess, wp-config.php or your wp-content directory).

This can be achieved using a plugin or you can contact us, and our PHP experts will ensure that this is done manually following our strict quality guidelines and verify that all items are set according to best practice.

Regularly Scan Your Website for Vulnerabilities

Much like scanning your computer for viruses, it’s important to scan your website for vulnerabilities. The things you should be checking on a regular basis are:

  • If updates are required, particularly security-based updates
  • Virus Scans
  • Malware Scans

All MGC Agency websites come delivered with antivirus, firewall and malware plugins for your security. Our maintenance plan customers benefit from regular scans being scheduled and expert intervention taking place on their behalf without the need for them to pick up the phone.


Final Thoughts

There are further steps that can be taken, mostly complex technical work that requires server, PHP or SQL experts to support you and which cannot be achieved by means of simple plug-ins through the main WordPress Administrator Dashboard. If you are in any way concerned about the potential security of your website, contact MGC Agency and speak to one of our WordPress experts today. We can provide you with advice, offer potential solutions and full-service WordPress Care Plans that include maintenance and support as well as assistance should the worst happen and you be the victim of a hack.

It is worth coming full circle, though, and remembering that although there are steps you can take to harden your WordPress website and make it stronger, WordPress itself is a secure form of software, utilised by 35% of the internet (that’s 455 million websites). Almost 62% of the Content Management System websites in the world are WordPress (according to W3techs), more than all the other systems combined. WordPress sites also make up 14.7% of the top 100 websites in the world (TED, NBC, CNN, TechCrunch, People Magazine, the NFL, Best Buy, CBS Radio, and UPS to name a few).