Lately, we’ve been noticing an increased number of tickets relating to compromised WordPress installations, and each compromise is reviewed in depth. I’m writing this blog post in response to the recently discovered vulnerabilities in WordPress SEO/Yoast and Duplicator.
Before I continue with this post I should mention that all our servers do have very powerful firewalls in place, including mod_security, and we’ve recently deployed over 60 new mod_security rules on our servers. However, if the WordPress site itself is insecure, then no matter how secure the actual servers are the site will get compromised sooner or later – below we’ll supply some tips that will help you keep your sites secure.
- Keeping your WordPress core, plugins and themes up to date – this is probably the most important tip: the first step in securing your WordPress site is keeping it fully up to date. What we usually recommend is setting aside an hour during your weekend, going through your sites and clicking the update button. If you have a lot of WordPress sites you can set up MainWP, add all your sites and, with a push of a button, update all of them simultaneously.
- Premium plugins & themes – unfortunately, the majority of premium plugins & themes don’t have an automatic update utility, which means that when a new version is released WordPress won’t prompt you to update to it. If you use premium plugins & themes you therefore need to check for updates manually on the developers’ sites. A large majority of the compromises we see occur because of outdated premium plugins, so it is very important that you make sure they are up to date.
- The use of one-time plugins – we often install plugins that we’ll use only once, for example Duplicator to clone a site, or a plugin to help optimize the database. Plugins installed for such a purpose should be removed as soon as we are done using them, as that reduces the attack surface.
- The use of security plugins – this is very important: your first step as soon as you set up a new WordPress installation should be to install a security plugin. We actively recommend WordFence; although it does cause increased resource usage under some circumstances, it is still one of the best security plugins that currently exist. WordFence will also alert you if you are using any outdated plugins (note that it can’t know whether a premium plugin is outdated or not). Following all the actions WordFence suggests is also very important.
- The use of outdated plugins – in the majority of the hacking reports we’ve received recently there was at least one outdated plugin. An outdated plugin is any plugin that has not received an update in over 12 months. These plugins can contain serious vulnerabilities, but since they are not actively maintained there is no one to release fixes for them.
- WordPress users – a lot of us fall into the trap of creating a new WordPress user with a password like ‘password123’ so that we can remember it; this, however, leaves a huge security hole. You should always use a strong 16-character password; you can use online tools to generate difficult passwords. Additionally, whenever you supply the password to any external party to troubleshoot an issue, you should reset it as soon as they are done. It is even better to create a separate account for the third party to use, which you then delete as soon as they have finished.
- One site per cPanel – this only affects our cPanel servers. On cPanel you should always ensure you have only one site per cPanel account: having multiple WordPress sites in a single cPanel account just increases the attack surface for hackers, and if one of the sites is hacked all the other sites will be hacked as well. You can submit a ticket at any time to have us split your sites into separate cPanel accounts free of charge (this cannot be done on our Shared services, as there is only access to one single cPanel account).
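The plugin-related tips above (install pending updates, check premium plugins by hand, remove one-time plugins, drop plugins with no release in 12 months) can be turned into a quick audit. The following is an added example, not code from the original post or from WordPress: it assumes the inventory comes from `wp plugin list --format=json` and the release dates from the WordPress.org plugin info API, but both inputs here are constructed samples embedded inline so it runs offline.

```python
import json
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample of `wp plugin list --format=json` output; "premium-slider-pro"
# stands in for a premium plugin that is not hosted on WordPress.org.
WP_PLUGIN_LIST = json.dumps([
    {"name": "wordpress-seo", "status": "active", "update": "available", "version": "1.0"},
    {"name": "duplicator", "status": "inactive", "update": "none", "version": "1.0"},
    {"name": "some-old-gallery", "status": "active", "update": "none", "version": "0.9"},
    {"name": "premium-slider-pro", "status": "active", "update": "none", "version": "3.1"},
    {"name": "wordfence", "status": "active", "update": "none", "version": "5.0"},
])

# Constructed values for the `last_updated` field that
# https://api.wordpress.org/plugins/info/1.0/<slug>.json returns per plugin.
LAST_UPDATED = {
    "wordpress-seo": "2015-03-12 10:30am GMT",
    "duplicator": "2015-02-20 4:05pm GMT",
    "some-old-gallery": "2013-08-01 9:00am GMT",
    "wordfence": "2015-03-10 1:15pm GMT",
}

# Date the audit is run, fixed so the sample gives reproducible results.
SAMPLE_TODAY = date(2015, 3, 20)

def parse_last_updated(value):
    """The API formats the field as 'YYYY-MM-DD h:mmam GMT'; only the date part matters here."""
    return datetime.strptime(value.split(" ")[0], "%Y-%m-%d").date()

def audit_plugins(plugin_list_json, last_updated, today, max_age_days=365):
    """Return {slug: [findings]} for every plugin that breaks one of the post's rules."""
    findings = defaultdict(list)
    for plugin in json.loads(plugin_list_json):
        slug = plugin["name"]
        if plugin["update"] == "available":          # pending update: install it
            findings[slug].append("update-available")
        if plugin["status"] == "inactive":           # one-time plugin: remove when done
            findings[slug].append("inactive")
        released = last_updated.get(slug)
        if released is None:                         # premium plugin: check vendor site by hand
            findings[slug].append("not-on-wordpress-org")
        elif today - parse_last_updated(released) > timedelta(days=max_age_days):
            findings[slug].append("abandoned")       # no release in over 12 months
    return dict(findings)

if __name__ == "__main__":
    for slug, reasons in audit_plugins(WP_PLUGIN_LIST, LAST_UPDATED, SAMPLE_TODAY).items():
        print(f"{slug}: {', '.join(reasons)}")
```

On a real site, replace the two constants with the live `wp plugin list` output and one API lookup per slug, and pass `date.today()`.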
This concludes our tips for ensuring your sites don’t get hacked!
I hope that these tips prove useful to you. For any questions do feel free to leave a comment below and we’ll answer them as time permits!