WordPress is able to pick up several of the most significant web statistics for itself. The content management system operates a quarter of all websites worldwide – an incredible number, based on more than 1.2 billion web pages – and has a market share of more than 50% among all CMSs. Even though Drupal, Joomla, TYPO3 & Co. can be very popular, you will not get around WordPress’s omnipresence. But what about the security of WordPress?
A system with such a spread must be a predestined target for hackers and script kiddies, right? And in fact, more than 35 million brute force attacks are caused on WordPress pages every day, and that is just the statistics collected by Wordfence. Fairly, however, it must be mentioned that the attack loss on WordPress websites is countered by the higher update cycle of the system and its plugins, while the competition offers rare updates.
So, what to do, to make WordPress safer?
Secure WordPress the right way
With the following tips, the security risk of your website can be drastically reduced:
- First of all: Update! Only updates can close vulnerabilities.
- Install security plugins that can mitigate or even completely block some attack vectors. The Sucuri Scanner, the Wordfence Firewall and iThemes Security Pro (paid) have proven themselves.
- Set up two-factor authentication. If an attacker succeeds in accessing the login data of a user, he is prevented from logging in by the unique security code sent to the respective user.
- Rename or delete the user “admin“. He is the first to be used in brute-force attacks.
- Add a captcha to the login form. For bots the access gets more difficult. The plugin Google Captcha (reCAPTCHA) by BestWebSoft or the integrated solution of iThemes Security Pro has proven itself. Also recommended for comment forms to reduce spam.
- Use secure passwords consisting of at least 10 characters with special characters, numbers and letters in uppercase and lowercase.
- Set up a content delivery network, like Cloudflare, to reduce or even prevent DoS attacks that can impact a web page until crash.
- Encrypt the website using an SSL certificate. A nice side effect: the website is not devalued (s. Google’s blog post “Moving towards a more secure web“).
- Do not install plugins that were last updated 6 or more months ago and are therefore no longer maintained on a regular basis.
- Choose a professional Hoster that has experience in handling IT security. With a managed hosting, instead of a root server, manual maintenance and security are not required.
- Create regular backups to recover your website in a worst case scenario.
With just a few but very effective clicks, your web page is not one of the more than 50% of the affected WordPress instances. Even if some tips require a deeper intervention in the system and possibly require expert knowledge, the first 6 points can already be achieved with less than 1 hour of effort.
We recognized the difficulty of running a secure WordPress website at an early stage, offering our customers several maintenance service packages that keep their WordPress setup up-to-date, secure and backuped.
We also gladly take over the maintenance of your website. Whether you are running WordPress, Joomla, Drupal, Contao, Typo3, Processwire, Shopware, Magento or PrestaShop. Please contact us.