As the biggest CMS platform in the world, WordPress has become the largest target for those who are determined to do damage. This doesn’t immediately translate into it being unsecure, although there are those who will go for the kill with that argument. What it means is that while there are risks, as with doing anything really, most of the potential security issues are definitely avoidable on users’ side of things or ultimately show to be unpredictable. Here are 5 biggest myths as far as WordPress security is concerned.
MYTH #1: There are bigger fish in the sea, why attack me?
Small business owners mistakenly believe that their websites are secure simply because there are bigger names in the field to go after and that there is more to be gained by attacking brand names instead of them. However, that logic is faulty because high-profile companies have more resources (money, skilled professionals and equipment) to protect themselves against threats. Therefore, they may be more obvious targets (and better to hide behind), but the chances of them actually going down are slim.
On the other hand, small and midsize businesses (as well as bloggers) tend to be hacked or even attacked more often than brands – as many as 60% of all attacks on online websites are aimed at the little guy! Moreover, because they are unable to defend themselves properly, 60% of the businesses whose websites are hit by a cyberattack are unable to recover and therefore have to close down in a year’s time. Just because there is no sensitive information to steal (like credit card info), that doesn’t mean that smaller websites are not in danger. Remember, most cyberattacks are actually performed by automated bots, which are only after the targeted website’s resources. Once they’ve gained access to website’s admin privileges and back-end, the site is all but defaced or even completely destroyed, since its server is used to send or link spam, distribute malware and redirect to other malicious websites.
MYTH #2: The WordPress platform itself is unsecure.
People generally think that WordPress is an unsecure platform because it has been targeted the most times and has open source code. Well, let me put your mind at ease – that is simply not true. Yes, the websites powered by this particular platform have been in the crosshairs of black hat hackers more times than the ones built upon other platforms such as Joomla or Drupal, but that shouldn’t even be an issue, since WordPress alone powers 4 times more sites than the other two combined!
Moreover, concerns regarding the WordPress source code being open and available for use and modification to everyone and anyone are more than unfounded since the people willing to poke around the code actually know what they are doing. The WordPress community is massive and constantly active, which is a good thing in this case, because it is alert and determined to lend a helping hand whenever a problem arises. Therefore, with any security issue, there is an immediate security patch eliminating the threat to both the source code and the massive ecosystem of themes and plugins.
Actually, the majority of WordPress security risks originate on the user’s side – weak username and/or password, outdated software or plugins, themes and plugins downloaded from unsecured sources, hosting issues, as well as stolen FTP credentials and admin passwords. This means that WordPress platform is secure on its end, but a lot can be done on the user’s end to keep websites secure overall.
MYTH #3: Plugins are my safety net and I don’t even need to update them.
If you think that downloading and installing security plugins is all you need to do to never have to worry about malicious cyberattacks again, you are sorely mistaken. For one, they are not almighty and cannot defend your WordPress powered website on their own. You need to deal with the security of your username/password combination, add other login requirements, use a secure FTP program and have a virus and malware-free computer.
Even if you think that an installed, but inactive plugin is the way to go, you are wrong. Having such a plugin creates a security risk to your website for one simple reason – If you’re not using the plugin, you’re not updating it and if you’re not updating it, you’re missing on the new security measures. Thus, that plugin creates a security hole in your website, the one that hackers like to exploit the most these days. Review the plugins you have and whether you really need them, examine why you’re not using them and update them if you decide they will be useful to you in the future.
MYTH #4: I already have a secure username and password. What more do I need?
Numerous webmasters are of the opinion that setting up a unique username and a strong password is enough to secure their website, which is true, but only partly. Yes, changing the username into something other than “admin” is advisable, and brings you one step ahead of the bad guys. And yes, making your password a unique and long combination of upper and lower-case letters with numbers and special characters makes it that much more difficult to crack.
However, there is more you can do to secure your website. One of the safest options thus far has been two-factor verification, because not only do you need to know the password to login, but you also have to use your cell phone (and that is the one thing people are never without these days). Moreover, changing your username from “admin” is as important as what you are changing it into – avoid using the domain or company name, as well as the names of the people working for you that are listed anywhere on the website.
MYTH #5: If I hide “wp-admin”, I will prevent brute force attacks on my website.
Since brute force attacks are aimed at the login page of a website, webmasters have thought of a way to prevent that from happening by hiding or moving either their site’s “wp-admin” folder or their login page. The logic has some merit, but it is not completely harmless to the website neither.
Firstly, as is the case of many WordPress plugins and website features, the “wp-admin” folder has to be exactly where they “expect” it to be, or they will cease to work properly. For that reason, the recommended course of action would be to only password-protect the “wp-login.php” page.
Secondly, by implementing the Security-Through-Obscurity strategy and simply hiding the access point to your website will eventually prove to be insufficient and more trouble than it’s worth. Any hacker skilled enough to get into your website is also good enough to find where you have hidden the login page, no matter how well you think you’ve done the job.
Lastly, most hackers don’t even go for the login page (your biggest concern), but try to login via XMLRPC – the way other applications login to communicate with your website, thus rendering useless your efforts to protect it that way.
Having all this in mind, you can now go and make your WordPress powered website secure.