21 Mar
Top 10 WordPress Security Issues You Should Know in 2021
Imagine you come back from a perfect weekend getaway and head to the office, only to find that the door lock is broken. It is one of the worst feelings imaginable, and with a lot of expensive equipment stolen it can cause a great deal of pain.
However, if you spend money on good security, you can be reasonably confident that such incidents will not occur. The same applies to the cyber world, where theft is far more commonplace. If you run a website and have tended to it for a long time, you know how much it would hurt if it were hacked. WordPress, one of the most widely used content management systems, takes many hits because of poor management on the site owner's side.
We’ve created a list of the common WordPress security issues and have offered tips on how to fix them:
1. Not Updating WordPress or Its Add-ons
Running a website is no easy task. Once you have set it up, you have to keep managing it, and when websites are not managed properly, disasters strike.
There are two main reasons why website owners do not keep their sites up to date. One is that they believe hackers would not target smaller sites. This is untrue: attackers often prefer smaller websites precisely because they are easier to get into. The other reason is fear of incompatibility, since a WordPress site can break after an update. Applied carefully, however, updates add a layer of security, because they close the vulnerabilities that are already publicly known.
2. Not Using WP Reset and the Emergency Recovery Script
WP Reset and its Emergency Recovery Script are tools that any website owner should have in their arsenal. They are essential for situations when you can’t access your WP admin, encounter the white screen of death, or one of your plugins has caused a ruckus.
That said, let us look at them more closely. WP Reset is a plugin made to test, restore and reset your website. Any time you make a change, the plugin takes an automatic snapshot so that you have something to return to if the change does not turn out the way you wanted. The snapshots are a safety net: you can restore your website to the state it was in when a snapshot was taken.
The snapshots are stored in the cloud, and you can also store them in a remote location of your own. Either way, you can be sure that your website will not be destroyed. WP Reset also lets you update or disable any plugin with a single click, and the same goes for themes. If you want to remove all plugins, themes and custom database entries completely, the Nuclear Reset option wipes the whole installation clean.
Next comes the Emergency Recovery Script (ERS), which works best together with the WP Reset plugin. ERS is a WordPress-independent, standalone file, which means it keeps working even when your WP admin does not. It is invaluable when you cannot access your account, when you get an error, or when your website redirects.
ERS is also absolutely safe to use: upon installing it you receive a unique URL and password for accessing it. You can use the script whenever your website does not work. It lets you restore missing core files and disable files that were affected by malware, and it lets you disable plugins and themes without having to hunt for each one individually.
Emergency Recovery Script saves you precious time when you want your website to work again. It also provides you with tools to reset your WordPress installation, disable maintenance mode and delete or reset the .htaccess file.
More tools that ERS offers are Administrator Account and User Privileges & Roles, which let you create a new admin account when you cannot access your old one and assign new user roles when you cannot reach the site as an admin.
As you can see, both WP Reset and Emergency Recovery Script are vital parts of your website’s security and recovery, and it would be best if you included them in your toolbox.
3. Buying or Using Poor Add-ons
WordPress add-ons are themes and plugins. Just like the core, they should go through quality control and a stringent security check. Poor add-ons make websites vulnerable to hackers.
Because bad plugins or themes leave the site open to attack, keep a few measures in mind when choosing one:
- Get WordPress plugins and themes from reputable sources
- Do not buy plugins or themes at huge discounts or from unknown websites, as they can carry serious security risks
- Choose plugins and themes with good reviews and ratings
- Make sure the add-on is updated regularly
4. Bad Login Practices
The WordPress login page is the most attacked part of a WordPress site: it is the gateway through which an administrator, or anyone else, obtains complete access to the site. Login mistakes range from weak credentials to staying logged in while you are away from the website.
When it comes to WordPress login protection, watch out for these flawed practices:
- Using easy-to-guess usernames and passwords such as “admin” or “password123”. Use a password manager to make the job easier.
- Having the same username and display name, which makes the login credentials easier to guess. Pick a username that differs from your public display name.
- Skipping other measures such as setting passwords to expire and restricting dashboard access to specific times
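The first two points above can be checked mechanically when accounts are created or audited. The following Python function is an added example, not code from the article or from WordPress; it flags default account names, a display name that equals the login name, short passwords, passwords on a deny-list (including trivial variants such as "Password123!") and passwords that contain the username. The deny-lists are small constructed samples; a real check would load a large breached-password corpus.

```python
"""Credential hygiene checks for WordPress accounts.

Added example, not code from the article. The deny-lists below are small constructed
samples; a real deployment would use a large breached-password list instead."""
import re

# Constructed deny-lists; production checks should use a breached-password corpus.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "admin", "letmein", "welcome"}
COMMON_USERNAMES = {"admin", "administrator", "root", "test", "user", "wordpress"}
MIN_LENGTH = 12


def check_credentials(username: str, display_name: str, password: str) -> list:
    """Return a list of findings for a WordPress account; an empty list means it passes."""
    findings = []
    user = username.strip().lower()
    pw_lower = password.lower()

    if user in COMMON_USERNAMES:
        findings.append("username is a default or easily guessed account name")
    if user == display_name.strip().lower():
        findings.append("display name equals the login name, so the username is public on every post")
    if len(password) < MIN_LENGTH:
        findings.append(f"password shorter than {MIN_LENGTH} characters")
    if pw_lower in COMMON_PASSWORDS:
        findings.append("password is on the common-password list")
    else:
        # 'Password123!' or 'qwerty2021' are still the same guess once digits/symbols are removed
        core = re.sub(r"[^a-z]", "", pw_lower)
        if core in COMMON_PASSWORDS:
            findings.append("password is a trivial variant of a common password")
    if user and user in pw_lower:
        findings.append("password contains the username")
    return findings


if __name__ == "__main__":
    samples = [("admin", "admin", "password123"),
               ("m_reyes", "Maria Reyes", "correct-horse-battery-staple-42")]
    for account in samples:
        print(account[0], check_credentials(*account) or ["ok"])
```

Run the file directly to see the two constructed accounts scored; the first one trips four checks, the second none. The variant check is the part most simple policies miss: stripping digits and symbols before the deny-list lookup catches the "add a number and an exclamation mark" habit that turns a banned password into an accepted one.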
5. Making Contributors on Sites “Admins”
Site owners assign roles to the users on their site. Avoid giving every user complete power over the website. Following the principle of least privilege, WordPress lets site owners choose among five roles:
- Admin or Super Admin – Has ultimate control and decides the content that goes out regularly.
- Editor – Has control over publishing content.
- Author – Has the power to modify or publish content on the site without controlling others.
- Contributor – Can read, delete or edit content but cannot publish.
- Subscriber – Capable of only reading content and does not have other rights.
6. Being a Theme/Plugin Hoarder
Even when trying out new themes and plugins, delete those you do not plan to use. Keeping them puts the site at risk: a vulnerable plugin can get the site compromised even if you are not using it, so delete unused plugins as soon as possible. Old user accounts that are no longer used can still log in to the website, so getting rid of them is a good idea too.
7. Not Using Firewalls
WordPress firewalls act as security guards for your website and block suspicious IP addresses that try to access it. Without a firewall, a hack can infect your website with malware. Common WordPress infections include:
- Pharma attacks
- Drive-by downloads
- Malicious redirects
Stay vigilant of these WordPress infections and protect yourself from any malicious activity by using a WordPress firewall.
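The "suspicious IP" decision a firewall makes can be reproduced from ordinary web server access logs, which also makes the login-page point from section 4 measurable. The following Python script is an added example, not code from the article or from any firewall product: it parses combined-format log lines, counts POST requests to wp-login.php and xmlrpc.php per client address inside a sliding ten-minute window, and returns the addresses that exceed a threshold, which is exactly the list you would feed to a firewall deny rule. The log lines, addresses, window and threshold are all constructed.

```python
"""Brute-force login detection over web server access logs.

Added example, not code from the article or any firewall product. Parses
combined-format log lines, counts POST requests to the login endpoints per client
IP inside a sliding window, and returns the IPs that exceed a threshold so a
firewall deny-list can be built from them. The log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/Nginx combined format: ip ident user [time] "METHOD path PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}   # xmlrpc.php also accepts password logins

SAMPLE_LOG = [  # constructed sample traffic, not real log data
    '198.51.100.23 - - [10/Mar/2021:14:02:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "python-requests/2.25"' % s
    for s in range(0, 48, 6)
] + [
    '203.0.113.5 - - [10/Mar/2021:14:03:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2718 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2021:14:03:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2021:14:04:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]          # ignore query strings
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_bruteforcers(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_attempts} for IPs with more than `threshold` login POSTs inside any `window`."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    recent = defaultdict(deque)   # ip -> timestamps of its login POSTs still inside the window
    flagged = {}
    for ip, ts, method, path, _status in events:
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop attempts that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f"deny {ip}  # {n} login POSTs inside 10 minutes")
```

Only one of the two constructed clients is flagged: the scripted client sends eight login POSTs in under a minute, while the human client logs in once and moves on to wp-admin. Counting POSTs rather than all hits to wp-login.php matters, because every legitimate visitor first GETs the form; counting GETs would flag them too.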
8. Remaining on Shared Hosting
Most web hosts offer a certain degree of security to the websites they host. The two most popular types of hosting are shared and managed hosting. Managed hosting is considered the more secure and better option, but shared hosting is more popular because it is cheaper. With shared hosting, when one website is compromised, the other sites on the same server are exposed to the same threat.
Shared hosting also comes with a decent level of customer support, but it cannot be compared to the support that managed hosts provide. If you are just starting out, shared hosting is a reasonable option.
If you use WordPress, like 85ideas.com, the best option may be managed WordPress hosting, which offers superior speed, security and support for WordPress sites.
9. Not Scanning Sites Regularly
Research shows that a website gets hacked at least 44 times a day. If Google finds a website on its list of hacked sites, it blacklists the site immediately, to protect Google users from sites that can harm them.
Make sure you scan your site regularly, covering WordPress plugins, themes, core files, the database and .htaccess files. Across all these locations, check for:
- Signature/pattern matching – Matching the site's files against known malware patterns. If there is a match, you receive an alert that an infection has been found.
- Malicious keywords – Phrases such as ‘base64_decode’ and ‘eval’ are associated with malware. Watch for them.
Plenty of scanners use the methods just mentioned. The MalCare security service comes with a scanner that goes beyond these methods to identify new and hard-to-detect malware.
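The two methods just described, signature matching and keyword matching, fit in a short script. The Python scanner below is an added example, not MalCare's or any vendor's code: it walks a site tree, compares each PHP file's SHA-256 against a signature list, and scores files on weighted patterns such as eval() and base64_decode() so that a single legitimate base64_decode() call does not raise an alert on its own. The signature list, the sample site and the payloads in it are all constructed for the demo.

```python
"""Minimal WordPress file scanner combining signature and keyword matching.

Added example; not MalCare's or any vendor's scanner. It walks a site tree, hashes
every PHP file against a list of known-malware SHA-256 signatures, and scores files
on suspicious PHP constructs (eval, base64_decode, gzinflate, ...). The signature
list, the sample site and the payloads in it are all constructed for the demo."""
import hashlib
import os
import re
import tempfile

# Weighted indicators of obfuscated or injected PHP. None of these is proof on its own:
# WordPress core and legitimate plugins call base64_decode too, which is why a score
# threshold and a known-good allow-list (e.g. core file checksums) are needed in practice.
SUSPICIOUS_PATTERNS = {
    r"\beval\s*\(": 3,
    r"\bbase64_decode\s*\(": 2,
    r"\bgzinflate\s*\(": 2,
    r"\bstr_rot13\s*\(": 2,
    r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(": 3,   # request parameter called as a function
    r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]": 3,           # deprecated /e modifier executes the replacement
}
SCORE_THRESHOLD = 4

# Constructed payload used only to derive one sample signature; real scanners ship thousands.
_SAMPLE_BAD_CONTENT = b"<?php /* constructed sample */ @eval($_POST['c']); ?>"
KNOWN_BAD_SHA256 = {hashlib.sha256(_SAMPLE_BAD_CONTENT).hexdigest(): "generic eval backdoor (constructed)"}


def scan_file(path):
    """Return a finding dict for one file: verdict is 'malware', 'suspicious' or 'clean'."""
    with open(path, "rb") as f:
        data = f.read()
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:                       # technique 1: exact signature match
        return {"verdict": "malware", "reason": "signature: " + KNOWN_BAD_SHA256[digest], "score": 99}
    text = data.decode("utf-8", errors="replace")
    hits = [p for p in SUSPICIOUS_PATTERNS if re.search(p, text)]   # technique 2: keyword/pattern match
    score = sum(SUSPICIOUS_PATTERNS[p] for p in hits)
    verdict = "suspicious" if score >= SCORE_THRESHOLD else "clean"
    return {"verdict": verdict, "reason": "patterns: " + ", ".join(hits), "score": score}


def scan_tree(root, extensions=(".php", ".phtml")):
    """Scan PHP files (and .htaccess) under root; return non-clean findings with site-relative paths."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.endswith(extensions) or name == ".htaccess"):
                continue
            full = os.path.join(dirpath, name)
            result = scan_file(full)
            if result["verdict"] != "clean":
                result["path"] = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append(result)
    return sorted(findings, key=lambda r: r["path"])


def build_sample_site():
    """Write a constructed mini site tree to a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="wpscan-")
    files = {
        "wp-content/plugins/good/good.php": "<?php\nfunction good_init() { add_action('init', 'good_setup'); }\n",
        # uploads/ should never contain PHP at all; this one hides an eval(base64_decode()) dropper
        # whose payload decodes to the harmless echo 'hi';
        "wp-content/uploads/2021/03/cache.php": "<?php $p = 'ZWNobyAnaGknOw=='; eval(base64_decode($p)); ?>",
        "wp-content/themes/demo/footer.php": _SAMPLE_BAD_CONTENT.decode(),
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", newline="") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_site()):
        print(f'{finding["verdict"]:10} {finding["path"]}  ({finding["reason"]})')
```

Running the file scans the constructed tree: footer.php is caught by the signature, cache.php by its eval() plus base64_decode() score, and the legitimate plugin stays clean. Signature matching is exact and cheap but only finds what is already catalogued; the weighted patterns catch unknown variants at the price of some false positives, which is why real scanners pair them with an allow-list of known-good core and plugin file hashes.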
10. Having an Unreliable Backup Solution
Losing a website can be a painful and harrowing experience. WordPress backup services, however, let you restore part or all of the site in case of data loss.
Finding the right backup service is important, so here are a few things to consider to safeguard yourself:
- The service should back up every part of the site, including themes, files, pages, posts, settings and other configuration
- Backups must be stored safely and, in general, not on the hosting server
- Keep multiple backup versions in different locations. You can store backups on Google Drive or Dropbox to be on the safe side
- Real-time backups are crucial for e-commerce site owners, as they capture every order and save you from financial loss when disaster strikes
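The first three points above (cover everything, keep copies off the host, keep several versions in several places) are worth seeing as a working job rather than a checklist. The Python script below is an added example, not code from the article or from any backup plugin: it packs a site tree and a database dump into a timestamped tar.gz, writes a SHA-256 checksum beside it, copies both to two destinations that stand in for Google Drive, Dropbox or a remote server, and verifies each copy before trusting it. The site tree and the "database dump" are constructed; a real job would call mysqldump or `wp db export` for the dump and an upload client for the copies.

```python
"""Versioned, off-server backup with integrity verification.

Added example, not code from the article or any backup plugin. It packs the site tree
and a database dump into a timestamped tar.gz, records a SHA-256 checksum beside it,
copies the pair to several destinations (stand-ins for Google Drive, Dropbox or a
remote server), and verifies every copy. The site tree and the 'database dump' are
constructed; a real job would call mysqldump or `wp db export` for the dump."""
import hashlib
import os
import shutil
import tarfile
import tempfile
import time


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_sample_site():
    """Constructed mini site tree (config, theme, plugin, uploads) in a temp dir."""
    root = tempfile.mkdtemp(prefix="wpsite-")
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'demo');\n",
        "wp-content/themes/demo/style.css": "/* demo theme */\n",
        "wp-content/plugins/demo/demo.php": "<?php // demo plugin\n",
        "wp-content/uploads/2021/03/logo.png": "constructed-image-bytes",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(content)
    return root


def dump_database():
    """Stand-in for mysqldump / `wp db export`; returns constructed SQL text."""
    return "-- constructed dump\nINSERT INTO wp_posts (ID, post_title) VALUES (1, 'Hello world');\n"


def create_backup(site_dir, staging_dir, label=None):
    """Write site-<label>.tar.gz plus a .sha256 file into staging_dir; return (archive, digest)."""
    label = label or time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(staging_dir, f"site-{label}.tar.gz")
    dump_path = os.path.join(staging_dir, "db.sql")
    with open(dump_path, "w") as f:
        f.write(dump_database())
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")       # themes, plugins, uploads, wp-config.php
        tar.add(dump_path, arcname="db.sql")    # posts, pages, settings, users, orders
    digest = sha256_of(archive)
    with open(archive + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(archive)}\n")
    return archive, digest


def replicate(archive, destinations):
    """Copy the archive and its checksum to each destination; return the copied archive paths."""
    copies = []
    for dest in destinations:
        os.makedirs(dest, exist_ok=True)
        for src in (archive, archive + ".sha256"):
            shutil.copy2(src, dest)
        copies.append(os.path.join(dest, os.path.basename(archive)))
    return copies


def verify(archive_copy):
    """True if the copy matches its recorded checksum and contains the expected members."""
    with open(archive_copy + ".sha256") as f:
        expected = f.read().split()[0]
    if sha256_of(archive_copy) != expected:
        return False
    with tarfile.open(archive_copy, "r:gz") as tar:
        names = set(tar.getnames())
    return {"db.sql", "site/wp-config.php", "site/wp-content/uploads/2021/03/logo.png"} <= names


def run_demo():
    """Back up a constructed site to two destinations, verify both, then detect a corrupted copy."""
    site = make_sample_site()
    staging = tempfile.mkdtemp(prefix="wpstaging-")
    dest_a = tempfile.mkdtemp(prefix="offsite-a-")   # stand-in for cloud storage A
    dest_b = tempfile.mkdtemp(prefix="offsite-b-")   # stand-in for cloud storage B
    archive, _ = create_backup(site, staging, label="demo")
    copies = replicate(archive, [dest_a, dest_b])
    verified = [verify(c) for c in copies]
    with open(copies[1], "ab") as f:          # simulate bit-rot or tampering on one copy
        f.write(b"\x00")
    return {"verified": verified, "corruption_detected": not verify(copies[1])}


if __name__ == "__main__":
    print(run_demo())
```

The verify step is the part most backup routines skip: a backup that was never restored or checksummed is only a hope. Here a single appended byte on one copy is caught, and because the second destination still verifies, the job would still have a good copy to restore from. The timestamped label is what gives you multiple versions; a retention rule that keeps the newest few archives per destination completes the picture.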
11. Not Taking Steps to Harden Website Security
A few steps to harden a website can noticeably improve its security. Plugins like MalCare make it easier for users to take these small measures:
- Blocking PHP execution in untrusted folders
- Disabling the file editor
- Blocking plugin/theme installation
- Changing security keys
- Resetting all passwords and activation keys for all users
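Four of the five measures above map to concrete settings that can be audited. The Python script below is an added example, not MalCare's or WordPress's code: it reads a wp-config.php, checks the real WordPress constants DISALLOW_FILE_EDIT (disables the dashboard theme/plugin editor) and DISALLOW_FILE_MODS (blocks plugin and theme installation from the dashboard), checks that the eight security keys and salts are no longer the "put your unique phrase here" placeholder shipped in wp-config-sample.php, generates fresh keys, and checks that an .htaccess in wp-content/uploads denies PHP execution. The two configuration texts and the .htaccess rule are constructed samples; the Apache rule uses 2.4 syntax.

```python
"""Audit wp-config.php and the uploads directory for the hardening settings listed above.

Added example, not MalCare's or WordPress's code. It checks the real WordPress
constants DISALLOW_FILE_EDIT (disables the dashboard theme/plugin editor),
DISALLOW_FILE_MODS (blocks plugin/theme installs and updates from the dashboard)
and the eight security keys/salts, and checks that an .htaccess in uploads/ denies
PHP execution. The two config texts below are constructed samples."""
import re
import secrets

SECURITY_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                 "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFAULT_KEY_TEXT = "put your unique phrase here"     # placeholder shipped in wp-config-sample.php

# Matches define('NAME', true|false|'string'|"string"); anything more complex is ignored.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*(?P<value>true|false|'[^']*'|"[^"]*")\s*\)""", re.I)

# Apache 2.4 rule that refuses to serve PHP from wp-content/uploads (constructed sample).
UPLOADS_HTACCESS = """<FilesMatch "\\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
"""

WEAK_CONFIG = "\n".join(   # constructed: editor enabled, installs allowed, keys never changed
    ["<?php", "define('DISALLOW_FILE_EDIT', false);"]
    + [f"define('{k}', '{DEFAULT_KEY_TEXT}');" for k in SECURITY_KEYS])


def generate_key_defines():
    """Fresh random keys/salts; changing them invalidates every session and cookie."""
    return [f"define('{k}', '{secrets.token_urlsafe(48)}');" for k in SECURITY_KEYS]


def hardened_config():
    """Constructed wp-config.php fragment with all three measures applied."""
    return "\n".join(["<?php", "define('DISALLOW_FILE_EDIT', true);",
                      "define('DISALLOW_FILE_MODS', true);"] + generate_key_defines())


def parse_defines(config_text):
    """Return {CONSTANT: bool|str} for the simple define() calls in a wp-config.php."""
    defines = {}
    for m in DEFINE_RE.finditer(config_text):
        value = m.group("value")
        if value.lower() in ("true", "false"):
            defines[m.group("name").upper()] = value.lower() == "true"
        else:
            defines[m.group("name").upper()] = value[1:-1]     # strip the quotes
    return defines


def audit(config_text, uploads_htaccess=None):
    """Return a list of hardening findings; an empty list means all checked measures are in place."""
    d = parse_defines(config_text)
    findings = []
    if d.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not true: the dashboard file editor can write PHP to disk")
    if d.get("DISALLOW_FILE_MODS") is not True:
        findings.append("DISALLOW_FILE_MODS is not true: plugins and themes can be installed from the dashboard")
    for key in SECURITY_KEYS:
        v = d.get(key)
        if not isinstance(v, str) or DEFAULT_KEY_TEXT in v or len(v) < 32:
            findings.append(f"{key} is missing, still the default placeholder, or too short")
    if (uploads_htaccess is None or not re.search(r"php", uploads_htaccess, re.I)
            or not re.search(r"Require all denied|Deny from all", uploads_htaccess, re.I)):
        findings.append("wp-content/uploads/.htaccess does not block PHP execution")
    return findings


if __name__ == "__main__":
    print("weak config:", *audit(WEAK_CONFIG), sep="\n  ")
    print("hardened config:", audit(hardened_config(), UPLOADS_HTACCESS))
```

The weak sample produces eleven findings (the editor, dashboard installs, the eight placeholder keys and the unprotected uploads folder); the hardened one produces none. Two caveats a practitioner should know: regenerating the keys logs every user out, which is desirable after a suspected compromise but worth scheduling, and DISALLOW_FILE_MODS also blocks dashboard updates, so a site that sets it needs another update channel (WP-CLI or a managed host) or it falls straight back into issue 1.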
We hope that noting these security flaws helps you understand that any website, big or small, is vulnerable to hacking attempts. Staying on top of these issues is what keeps your site secure.