Contents
- Is WordPress Safe or Is WordPress Secure?
- WordPress Security Guide: 13+ WordPress Security Issues You Need to Know for Your Directory Website
- 1. Unauthorized Logins
- 2. Outdated Core Software
- 3. Undefined User Roles
- 4. Outdated Themes and Plugins
- 5. Malware
- 6. Structured Query Language (SQL) Injections
- 7. Search Engine Optimization (SEO) Spam
- 8. Cross-Site Scripting
- 9. Distributed Denial of Service (DDoS) Attacks or Denial-of-Service (DoS) Attacks
- 10. Phishing
- 11. Supply Chain Attacks
- 12. Hotlinking
- 13. Lack of SSL Certificates or HTTPS
- Bonus: WordPress Security Guide (Advanced)
- Wrapping up
The Ultimate WordPress Security Guide for Directory Websites – Step by Step (2023)
Despite being the most popular CMS or Content Management System on the planet Earth, WordPress has a striking record of getting hacked. Luckily, there are so many ways to thwart the attempts of hackers, yet only a few people use them.
If you have a WordPress directory site, the pursuit of security is paramount. That’s because, you never want to lose time, money, and energy, do you? Once your website gets affected by hackers it can ruin your business’s reputation and can also snatch the authority away.
Thus, it is worth trying to check the threats and vulnerabilities of your website and take the necessary steps to prevent all unexpected disasters. Sadly, there are innumerable threats your website may face over the course of mere a day.
Luckily, most of the threats and attacks are interrelated and so detecting only a handful of them and blocking them will keep your website safe from almost all the disasters.
In today’s article, we will go over 10 WordPress security concerns of a WordPress directory website and the ways to deal with them. So, let’s get started.
Is WordPress Safe or Is WordPress Secure?
Definitely! WordPress core developers regularly come with necessary WordPress security updates to keep your website as safe as possible. In fact, it ticks all the boxes to keep your website secure. So, no worries!
However, from your end, you must make sure you are following the best practices to keep your WordPress website secure and safe. If you don’t know the best practices, go through the entire post. Please note that your WordPress website is vulnerable if you are not following these best security practices. Plus, make sure you never turn off any WordPress security services from the backend or by using any plugin.
WordPress Security Guide: 13+ WordPress Security Issues You Need to Know for Your Directory Website
We have not just handpicked these WordPress security problems but also explained ways to avoid them. You can use this article as a WordPress security guide for your website
- BruteForce Attacks via Unauthorized Logins
- Outdated WordPress Core
- Undefined User Roles
- Outdated Themes and Plugins
- Malware
- Structured Query Language (SQL) Injections
- Search Engine Optimization (SEO) Spam
- Cross-Site Scripting
- Distributed Denial of Service (DDoS) Attacks
- Phishing
- Supply Chain Attacks
- Hotlinking
- Lack of SSL or HTTPS
- Bonus: Advanced Tricks
Have you ever heard of “Brute Force” attacks? In case you didn’t know, a Brute-force attack is when a hacker tries to login billions of times by potential combinations of username and password with the assistance of a bot.
If they can somehow match with the exact credentials, you are done. Meaning the hackers will gain all the administrative access to all the protected and private data of your website.
Your WordPress directory site is vulnerable due to the comparatively easy-to-find default login page. Anyone, including a hacker, knows the default login page URL that is “append/wp-admin” or “append/wp-login.php”.
Most of the hackers take this opportunity and gain access to the login page to perform a brute force attack.
WordPress security check: How to avoid a Bruteforce attack on a WordPress Directory website?
- Customize the default URL of the login page so that it is harder to find for hackers. Get rid of the default “admin” and use a secret username to dodge the guess of the hackers.
- Deploy reputable WordPress security plugins that limit the login attempts by adding captchas, necessary to root the brute force attack out. These security tools will also conduct important WordPress security scans.
- Use two-factor authentication so that the hacker needs your other device to carry out the login attempts.
- As a WordPress user, never skimp on setting a complex password. That means use at least 12 character password lengths including uppercase, lowercase, special characters, as well as numbers.
Adding a bit of complexity to your password makes it surprisingly powerful to save your day. If you are not convinced yet, take a look at the following table showing an algorithm of how much time it would take to perform a brute-force attack at a rate of around a billion per second where:
LC = Lower Case Characters,
UC = Upper Case Characters,
SC = Special Characters, and
Digits.
As shown, using a password with a combination of character types and/or length will make it nearly impossible for a brute-force attempt to be successful.
See? Using a combination of all sorts of characters having a good length makes it nearly impossible for a hacker to perform a successful brute force attack.
Remember, a brute-force attack can be performed anywhere a login is required using a username and a password. So, never forget to fortify your credentials to nip the brute-force attack and stay carefree.
2. Outdated Core Software
Gone are the days when people had to create a professional website from scratch hiring web developers. It was not only an expensive but also a time-consuming process. The best part of using WordPress is you can build a professional website without having any coding know-how or hiring professional web developers.
For development and maintenance purposes and to address other security concerns, the WordPress team regularly enhances its features and sends updates over the air. Generally, they roll out updates every other 3 months or so. Unfortunately, although it might be cool, WordPress does not update your website on its own.
Now, as the update is not automatic, the onus falls on the user on whether to update. If you do not update your WordPress core as a CMS, you are pushing your website to vulnerabilities.
If you are not updating your core software, you may not be able to update the other themes and plugins either. Which makes your website more susceptible to hackers.
WordPress security guide: What You Should Do
- Since WordPress does not make your site automatically updated, you have to do it on your own. To update your WordPress core, log in to navigate to the WP Admin Dashboard and click on the ‘Updates’ option. Hit the ‘Updates’ option:
Now, you can click on the “Update Now” button to start the process.
Please note that you should take a backup of the database file before upgrading the core software.
- Another way to do it is, once you login to your WP Dashboard, you will usually see the following message:
From here, you can easily upgrade your WordPress core.
Keep in mind that WordPress core developers always try to provide you a safe, seamless, and snappy experience via software updates.
3. Undefined User Roles
In a WordPress site, you will get 6 different user roles. They are:
- Subscriber
- Contributor
- Author
- Editor
- Admin
- Super Admin
Now, if you do not assign these user roles to the right individuals, hackers might gain access to your backend too easily. For example, a user with an editor role has not only the power to write and publish content but also has the control to delete any content.
Then again, a user with an Administrator role can have all the permissions to take any action throughout your website such as changing the password of other admins, modifying the themes, plugins, and even core software.
WordPress security guide: What You Should Do
When you are giving too many permissions to certain users by assigning admin, editor, author, and contributor user roles make sure they are trustworthy and won’t mar your website.
“To err is human”. So, check and double-check your website’s users who are particularly enjoying the admin, editor, author, and contributor user roles. Remember, the wrong person with these user roles might give their credentials to the hackers to steal priceless data.
4. Outdated Themes and Plugins
As WordPress is customizable with hundreds of themes and plugins, chances are very high that you will use a bunch of plugins or themes on your website.
However, like core WordPress updates, the authors of themes and plugins also release updates with security patches. Now, like WordPress core, you must update these plugins and themes too.
If you only update the WordPress core and skip updating the themes and plugins, hackers might use them as entry points to gain access to your site.
WordPress security audit: What You Should Do
Simply go to the WP Admin Dashboard > Plugins then manually update the plugins. Or, you can also use an automatic plugin updater to do so to avoid vulnerabilities or WordPress security issues.
5. Malware
Malware is when a hacker places malware files or implants code in your website’s existing files to steal sensitive data from your website.
As we already mentioned, if you do not update your WordPress core and its themes and plugins, hackers might take this opportunity to attempt an unauthorized login via “backdoor files” and thus eventually wreak havoc on your website.
What You Should Do
- Carefully vet your plugin or themes on WordPress.org before you install them.
- In the world of WordPress, everything can be done just by using plugins. So, simply, use a reputed WordPress security plugin to check if any Malware exists on your site and repair damaged files.
6. Structured Query Language (SQL) Injections
Attackers use this language to inject malicious codes and quickly gain access to the stored data of your website. During such an attack, hackers gain the opportunity to directly view and edit your site’s database.
With SQL injections, hackers can add unauthorized links and contents, make new accounts, leak, edit and delete data.
Most of the time, hackers use the visitors’ endpoint to insert malicious codes. For example, attackers take the opportunity to insert malicious codes using front-end submissions like contact forms or things like this.
What You Should Do
- Restrict inserting any kind of data using special characters to make a string of malicious codes into harmless gibberish. If you are a non-techy user, deploy WordPress security plugins to make it work for you.
- Consider using reCaptcha images to stop bots from inserting malicious codes on the contact forms or any other input fields.
7. Search Engine Optimization (SEO) Spam
Search Engine Optimization Spam is similar to SQL injections but in this case, the hackers target your top-ranking pages. The hackers fill out your pages with spammy keywords, popup ads to sell their items or counterfeit merchandise.
For instance, they will inject keywords like “best mobile phone under 10k dollars”. So, if people search for keywords like “best mobile phone under 10k dollars”, your already ranked page will appear on the SERPs which you will never want.
These attacks are much harder to detect as after getting access to the pages the hackers wait to insert those spammy keywords or ads so as not to make their activities discernible.
Hackers can perform these attacks for the same reason SQL injection happens, that is when you use outdated WordPress core, outdated themes, or plugins.
WordPress security guide: What You Should Do
- Use a quality WordPress security plugin to detect or protect from SEO spam.
- Watch your top-ranked web pages to determine if they are ranking for any spammy keywords, not related to your website.
- Go over to your website’s analytics data to see a sudden change in any webpage’s SERP positions or even in any event like a sudden influx of traffic without any apparent reason.
Regardless of the routes you choose, you must take action early on so that you can avoid any search engine crawler’s strike to your high-performing page to save the hard work you put in.
8. Cross-Site Scripting
Similar to SQL injections, Cross-site Scripting or XSS attacks occur when a hacker tries to implant and run malicious code to the backend files of your website to target your website’s functionalities.
During a Cross-site Scripting attack, the hacker gains access to the backend and shows fake input fields on the frontend like fake contact forms to steal user data or shows disguised links to a low DA(Domain Authority) website or any other faulty websites.
Again, outdated WordPress core, outdated themes, and plugins are the reason Cross-site Scripting attacks happen.
WordPress security guide: What You Should Do
- Update your plugins, themes, and WordPress core in time so that the hackers can’t make their way to the backend.
- Use WAF (web application firewall) plugins to prevent the hackers from exploiting your plugins to access files dictating to your website’s frontend and protect your WordPress site from XSS, SQL injections, and other attacks.
- Be careful when implementing any third-party plugins.
9. Distributed Denial of Service (DDoS) Attacks or Denial-of-Service (DoS) Attacks
When a Denial of Service or DoS happens, your site may become down and you may find it hard to rebuild your reputation. During such an attack, the hackers usually send too much traffic to the server at a time by using multiple machines. Consequently, the server crashes taking down all its hosted websites. It’s a much worse attack than you might think.
That’s because the site administrator along with all the visitors gets blocked from accessing the website.
WordPress security guide: What You Should Do
- Find a reliable WordPress hosting service provider who prevents any DoS attack on your website.
10. Phishing
Phishing is a term that came from actual fishing. In an attempt to phish someone, the hackers write compelling texts with spammy links showing credible email addresses or phone numbers or so. If someone clicks on such malicious links, they might lose all their personal data.
Unfortunately, WordPress does not prevent you and your visitors from such malicious click baits. Once, your users lose their valuable personal information on your website by hitting these spammy links, you will eventually lose their trust.
For your information, we have come up with the following spammy comment which persuades a reader to click:
WordPress security guide: What You Should Do
- Conduct regular updates, monitor site activity, and use secure passwords
- Use reCAPTCHA images to differentiate bot and human submissions.
11. Supply Chain Attacks
WordPress websites are vulnerable to Supply Chain Attacks because they are based on something you can not go away with. These attacks capitalize on the most important features of WordPress – themes and plugins!
Usually, there are two ways this attack can happen. One is when a plugin or theme owner himself or herself injects malware or spammy codes and the other is when a hacker purchases a plugin or theme and injects malware.
In either of the cases, they can get access to the secure files and wreak havoc such as SEO stealing valuable data, spamming, phishing, collecting customer data showing counterfeit forms to the users, and so forth.
Again, these attacks might happen due to the usage of outdated versions of themes and plugins. Thankfully, these types of attacks have a short span of life because they are supervised by the WordPress core developers’ relentless work.
WordPress security guide: What You Should Do
- Install WordPress security plugins that regularly check updates on your website.
- Consider taking a backup of the data of your website.
12. Hotlinking
Hotlinking is when other websites’ owners directly use your hosted image or video links to their site instead of downloading and uploading these. As a result, you will have to pay higher monthly bills to your hosting provider.
Technically, a Hotlinker is not a hacker but he or she is actually using your hosting storage and your copyrighted contents on their website without even giving credit. It’s illegal.
Thankfully, search engines generally take action against such illegal and poor practices.
WordPress security guide: What You Should Do
- Use discernible watermarks on your content like on images or videos.
- Use tried-and-true WordPress photography plugins to easily add watermarks to your content.
13. Lack of SSL Certificates or HTTPS
Be it a WordPress site or any other website, if you have not secured your website with SSL or HTTPS, your site is in danger. For your information, SSL or Secure Sockets Layer is a protocol that encrypts data transferred between the user and your website. This encryption process makes it harder for hackers to sniff around confidential data and steal them.
Many of you may only use HTTP in lieu of HTTPS. But the latter is much safer than the former. Once you enable HTTPS, you will be able to see a padlock sign next to your website address on your browser.
WordPress security guide: What You Should Do
- Get a free SSL from your Domain or Hosting provider. However, if you do not get a free SSL consider buying a paid SSL for your website for the safety of your data and your site’s reputation.
Bonus: WordPress Security Guide (Advanced)
If you do have technical know-how you can try out these tips otherwise we highly recommend you leave it for the professionals:
Disable File Editing
The dynamism of WordPress may also make your WordPress vulnerable. Don’t get me wrong. The built-in code editor for themes and plugins on the admin backend is unquestionably a good feature but it poses a significant WordPress safety threat. So, we suggest you turn this feature off.
Go to the wp-config.php file and copy and paste the following code:
// Disallow file editdefine( ‘DISALLOW_FILE_EDIT’, true ); |
Don’t forget to save the changes.
Alternatively, with the free Succuri plugin, you can do this with just a single click using the Hardening feature.
Disable PHP File Execution in Certain WordPress Directories
You can strengthen your WordPress security by simply disabling the PHP file execution in certain WordPress directories where you do not need them. For instance, you don’t need PHP file execution in /wp-content/uploads/.
To stop this feature, open a text editor like notepad ++ and copy and paste the following code snippet:
<Files *.php>deny from all</Files> |
Next up, save this file as .htaccess and upload it to /wp-content/uploads/ folders on your website using the FTP client.
Alternatively, again, as mentioned above, you can use the Hardening feature in the free Succuri plugin with just a single click to do so.
Change WordPress Database Prefix
WordPress uses the “wp_” as the default prefix for the database. Thus hackers can easily guess what your table name is and so your site becomes vulnerable. However, if do have good coding know-how, you can proceed otherwise, your site can break.
Disable Directory Indexing & Browsing
Directory browsing can make your WordPress site vulnerable because a hacker can easily find out your directory structure, sniff around your files and look into sensitive data. So, we highly recommend you to turn it off.
You can turn it off by simply connecting your website using File Transfer Protocol or FTP or cPanel’s file manager. Then from your site’s root directory, locate the .htaccess file and then add the following line at the end of the .htaccess file:
Options -Indexes
Finally, save and upload the .htaccess file back to your site to take an effect.
Disable XML-RPC in WordPress
From the WordPress 3.5 release XML-RPC feature was enabled by default. It helps your WordPress website to connect with mobile apps and the web. Unfortunately, hackers grab this opportunity to perform BruteForce attacks, though it is a powerful and effective feature.
Usually, if you use a login lockdown plugin, a hacker can only try out a few login attempts. After that, all the suspicious login attempts get caught by the plugin.
However, with the XML-RPC feature enabled, the same hacker can call the system.multicall function to try out thousands of login attempts which is flat-out dangerous for your WordPress website’s security and safety.
Luckily, the web application firewall we mentioned earlier can take care of this issue.
Automatically log out Idle Users in WordPress
Like many other banking and financial applications, you can implement this feature on your WordPress website to increase its safety. Because, a user can wander away from his or her session, which amplifies the risk of getting hijacked.
This poses the risk of changing passwords or making other changes to their account. So, we recommend you implement this feature. You can do this by simply using a WordPress inactive logout plugin.
Add Security Questions to WordPress Login Screen
If you add a security question to log in to your WordPress website, it makes it even harder for hackers to perform unauthorized login. You can effortlessly add security questions using a WordPress security question plugin.
Wrapping up
That’s all! We hope this article will help you keep your WordPresss directory website secure and safe. However, we will be updating this post over time with newer tips and tricks. So, stay connected for future updates.
If you liked our posts, don’t forget to subscribe to our blog so that we can notify you once any post is published. Directorist is now on Facebook, Twitter, and LinkedIn! You can also join the Directorist Community for sharing your thoughts and experiences relating to the directory niche. Come and join us to see what we’re up to.
2 Comments
Leave a Reply
You must be logged in to post a comment.
andrew
August 24, 2022This was a very informative blog and I really enjoyed reading it. But I also have a few points regarding it to discuss with you.
WordPress is the most popular Content Management System (CMS) for websites. The free version makes it easier to get started. Businesses rely on WordPress every day to create their sites.
Here are some factors that you must consider in order to secure your WordPress website:-
1. Protect against SQL injections
2. Get a web application firewall
3. Hardening Database Security
Md. Hamim Khan
September 6, 2022Thanks for your points