In this article, you will find the most important information about WordPress security and the answer to a number of frequent questions on the matter.

WordPress Security

January 17, 2016

Why are WordPress websites hacked?
WordPress is the most popular CMS. 59.4% of all websites are running on WordPress. But this popularity also attracts black sheep, so website administrators should take security seriously.

Contents of this article

  1. General aspects of security
  2. Updates, updates, updates: Application security on your website
  3. Hosting and web servers: Interview with Philipp Zeder from Cyon
  4. Security begins with you
  5. Data security / Back-ups – What to do if your website gets hacked?
  6. Links and important, external sources

1. General aspects of security

Before we get into WordPress details, here is a list of some general security aspects.

Restricting access:
Choose the user rights carefully. Too many Admin users increase the security risk.

Containment:
In the case of damage, make sure that other systems are not affected. Isolate individual systems.

Prevention:
There is no absolute security. Make sure that, just in case, you can recover your system. Plan your data security beforehand.

Trustworthy sources:
Obtain your WordPress themes from reliable sources. Don’t trust free copies of premium plugins or themes. This has led to a lot of hacks.

2. Not updating is the main reason for security threats

Can you remember the Panama Papers? The Panama Papers were leaked because the Rev-Slider plugin was not updated.

Data from the first quarter of 2016 show that three outdated plugins were responsible for over 25% of all compromised WordPress websites. It is important that plugins and the WordPress core are updated regularly.

“We have found that over 78% of the malware cases we deal with are attributed to outdated core applications, plugins, modules, or some other server-side software” (Sucuri blog)

The most important measures for you:

  • Choose plugins carefully. Basically, the following rule applies: the fewer plugins, the better. If you do use plugins, consider only trustworthy providers.
  • Update your plugins regularly.
  • Make sure that your WordPress core is regularly updated.
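Knowing which plugin versions are actually installed is the first step of the update routine above. As an added example (not code from the article), here is a Python inventory that reads the header block WordPress itself uses in each plugin's main file ("Plugin Name:", "Version:") and flags plugins below a minimum version; the sample plugins directory and the minimum-version table are constructed for the demonstration.

```python
import os
import re
import tempfile

# WordPress reads plugin metadata from a comment block at the top of the main
# plugin file ("Plugin Name: ...", "Version: ...") and only inspects the first 8 KiB.
HEADER_RE = re.compile(r'^[\s*#]*(Plugin Name|Version)\s*:\s*(\S.*?)\s*$', re.M)

def read_headers(php_file):
    with open(php_file, encoding="utf-8", errors="replace") as fh:
        return dict(HEADER_RE.findall(fh.read(8192)))

def plugin_inventory(plugins_dir):
    """Return {slug: (name, version)} for wp-content/plugins (folder and single-file plugins)."""
    found = {}
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path):
            files = [os.path.join(path, f) for f in sorted(os.listdir(path)) if f.endswith(".php")]
        else:
            files = [path] if entry.endswith(".php") else []
        for php in files:
            hdr = read_headers(php)
            if "Plugin Name" in hdr:  # the first file carrying a name header is the main file
                found[entry[:-4] if entry.endswith(".php") else entry] = (hdr["Plugin Name"], hdr.get("Version", "0"))
                break
    return found

def version_tuple(v):
    # '4.1.4' -> (4, 1, 4); padded so that '1.6' compares equal to '1.6.0'
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v)]
    return tuple(parts + [0] * (3 - len(parts)))

def outdated_plugins(inventory, minimum_versions):
    """Slugs installed below the minimum version you consider acceptable."""
    return sorted(s for s, (_, v) in inventory.items()
                  if s in minimum_versions and version_tuple(v) < version_tuple(minimum_versions[s]))

def make_sample_install():
    """Constructed plugins directory for the demonstration (not a real site)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "example-slider"))
    with open(os.path.join(root, "example-slider", "example-slider.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Example Slider\nVersion: 4.1.4\n*/\n")
    with open(os.path.join(root, "hello.php"), "w") as fh:
        fh.write("<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.6\n */\n")
    return root

# Constructed minimum versions; in practice take these from the vendors' advisories.
MINIMUM_VERSIONS = {"example-slider": "4.2.0", "hello": "1.6"}
```

Point `plugin_inventory()` at a real `wp-content/plugins` directory to list what is installed, then compare against the versions your plugin vendors currently ship.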

3. Hosting and web servers: An important part of your WordPress security

A secure hosting plays an important role in your WordPress security. In the following interview, Philipp Zeder from Cyon gives us valuable information on the subject.

What is there to consider on WordPress security when we want to choose a hosting partner/hosting offer?

Philipp Zeder: “The offer in this market is so big, it’s hard to maintain an overview sometimes. In terms of security, the deployed versions (PHP/MySQL/web server) say a lot about whether a hosting provider is up to date. Personally, I would pay attention to how the company presents itself in general. Is the team presented? Can I reach the provider on various channels? And then there are the personal recommendations from the community or from friends, who often paint a good picture of the provider.”

What are the measures taken by Cyon to minimize the safety risks?

PZ: “For years, we have automatically checked uploads via FTP and e-mail attachments for malware. Since April 2015, we have been able to recognize existing security gaps in customer installations and plug the detected holes automatically. In addition, we protect customer websites with a so-called web application firewall (WAF) [Note: ModSecurity is in use], which blocks malicious page calls and thus also protects customers whose websites have been scammed despite other measures.”

What services does Cyon provide for data security/data backups?

PZ: “We provide our backups, which we create for emergencies, to our clients free of charge upon request. We are also working on a solution for our customers to easily restore these backups via our control panel my.cyon at the click of a mouse.”

Are there additional services you can recommend for increased security (for example Sucuri or other)?

PZ: “We are already using a WAF on the server side. We can recommend vendors such as Sucuri and CloudFlare for additional protection.”

Which is the most common cause of compromised WordPress websites?

PZ: “The two most common causes are outdated WordPress versions and security holes in plugins.”

Do you have protection / technical precaution against brute force attacks?

PZ: “On our servers, we use CSF, which also has a login failure daemon (lfd) installed. In connection with ModSecurity, we can also intercept incorrect WordPress logins or brute-force attacks.”

How do you manage the updates of the server software?

PZ: “We are running a very rigorous update regime and update our server software on a regular basis. We undertake such updates at marginal times to impair the company as little as possible. If the security situation requires it, we also make updates on short notice. Safety is our number one priority here.”

Keyword https: How do you see the use of https for WordPress websites?

PZ: “We were the first European sponsor of the Let’s Encrypt project. Our customers could get free SSL certificates for their websites an hour after Let’s Encrypt officially went live. We find that all traffic should be encrypted, so we can also recommend the use of HTTPS to every WordPress operator. Thanks to HTTPS, not only are all connections encrypted, but at Cyon HTTPS-accessible websites are also automatically delivered via the modern HTTP/2 protocol.”
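Cyon's answer on brute-force attacks describes intercepting repeated failed WordPress logins with lfd and ModSecurity. As an added example (not code from the article or from Cyon), here is the same detection idea in Python, run over constructed Apache access-log lines: a failed wp-login.php POST re-renders the form with HTTP 200, while a successful login redirects with 302, so a burst of 200 responses to wp-login.php POSTs from one address is the pattern to flag.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined log format (documentation
# addresses, not real traffic): one burst, one successful login, two slow tries.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jan/2016:10:00:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2016:10:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2016:10:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2016:10:00:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2016:10:00:05 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.20 - - [17/Jan/2016:10:00:10 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [17/Jan/2016:10:00:11 +0100] "GET /wp-admin/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Jan/2016:10:05:00 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Jan/2016:10:20:00 +0100] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request path, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def failed_logins(log_text):
    """Return {ip: [datetime, ...]} of likely failed wp-login.php POSTs.
    Failure re-renders the form with 200; success redirects with 302."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == "200":
            failures[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    return failures

def brute_force_sources(log_text, threshold=5, window_seconds=300):
    """Sorted IPs with at least `threshold` failures inside any sliding window."""
    window = timedelta(seconds=window_seconds)
    flagged = []
    for ip, times in failed_logins(log_text).items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)
```

The two slow attempts from 192.0.2.9 fall outside the five-minute window and are not flagged with the defaults; lower the threshold or widen the window to see how the sliding window changes the verdict.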

4. Security begins with you

So far, we talked about what others should do. Here are the most important points you should consider:

  • Make sure your computer is not infected. Use security software such as BitDefender.
  • Use longer, alphanumeric passwords. And most importantly: use different passwords for different websites! Use a password manager such as LastPass or 1Password.
  • Do not enter passwords while connected to a public Wi-Fi; your data can easily be read there.
  • Do not use FTP to access your server. Use SFTP or SSH.

5. Data security

What happens if something goes wrong and your website is hacked? Make sure you have access to a backup of your data beforehand. This can be done through:

  • Backups with your hosting partner
  • WordPress theme files in a repository, so that the version before the attack is still available

6. Links and important external resources

Here is a summary of the most important resources related to WordPress security:

Hardening WordPress on WordPress.org
Website hacked? Tips from WordPress.org
How Attackers Gain Access to WordPress Sites
How Attackers Gain Access to WordPress Sites


Do you have comments on the article or WordPress security? We are happy to hear from you.