WordPress websites account for more than one-third of all websites on the Internet. WordPress is both flexible and powerful and runs some of the most used Internet sites, such as Disney, Facebook, and Sony. It is also heavily used by Small to Medium-sized Businesses (SMBs). Unfortunately, these SMBs can neglect the security of their WordPress sites. Timothy Chiu, VP of Marketing at K2 CyberSecurity, found more than 1.5 million WordPress sites with critical vulnerabilities, often linked to one of the 50,000+ plugins that extend WordPress functionality. CyberHoot has written extensively about insecure plugins, including a blog article on dangerous Chrome browser extensions. WordPress plugins are no different: security gaps continue to be found in them with alarming frequency. This makes it critical to have proper measures in place to defend against these clear and present dangers.
How To Secure Your Site
CyberHoot runs on WordPress and, as a cybersecurity focused company, we take great pains to secure our site from attack. Here are our best practices for protecting WordPress.
Minimize Plugins; Update and Patch everything else
According to a survey from Wordfence, 55.9% of WordPress sites get hacked due to a plugin vulnerability. WordPress administrators should start by removing unused or unnecessary plugins to reduce risk. Then patch and update everything that is left, including WordPress itself, WordPress plugins, the underlying operating system, and even the web server. One of WordPress’s strengths is its notification system, which advises you whenever a new plugin version or patch is available. Follow these notices and patch at least monthly, but more often when something critical is released. Develop a Vulnerability Alert Management Policy (VAMP) that dictates how quickly you must patch based upon the level of threat you face. CyberHoot has a VAMP template available for its customers.
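As an added example (not CyberHoot’s own tooling), the audit below applies the two steps above to a plugin inventory shaped like the JSON that WP-CLI’s `wp plugin list --format=json` prints: inactive plugins are flagged for removal, the rest are checked for pending updates and given a VAMP due date. The sample inventory, the field names and the VAMP deadlines are constructed assumptions.

```python
import json
from datetime import date, timedelta

# Constructed sample inventory. Field names are assumed to match what WP-CLI's
# `wp plugin list --format=json` prints (name, status, update, version,
# update_version); the plugin names and version numbers are made up.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "available", "version": "5.0", "update_version": "5.1"},
    {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2", "update_version": ""},
    {"name": "contact-form", "status": "active", "update": "none", "version": "2.3", "update_version": ""},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "1.0", "update_version": "1.4"},
])

# Illustrative VAMP deadlines in days per threat level (assumed values, not the
# page's): a critical release is patched within a day, routine ones monthly.
VAMP_DEADLINE_DAYS = {"critical": 1, "high": 7, "normal": 30}


def audit_plugins(plugin_list_json, threat_level="normal", today=None):
    """Split the inventory into unused plugins to remove, plugins with a pending
    update plus their VAMP due date (ISO string), and plugins that are current."""
    today = date.fromisoformat(today) if today else date.today()
    due = (today + timedelta(days=VAMP_DEADLINE_DAYS[threat_level])).isoformat()
    report = {"remove": [], "patch": [], "ok": []}
    for plugin in json.loads(plugin_list_json):
        if plugin["status"] == "inactive":
            # Step 1: an unused plugin is attack surface with no benefit, so it
            # is deleted rather than patched, even when an update is pending.
            report["remove"].append(plugin["name"])
        elif plugin["update"] == "available":
            # Step 2: everything that stays gets patched by the VAMP deadline.
            report["patch"].append((plugin["name"], plugin["version"], plugin["update_version"], due))
        else:
            report["ok"].append(plugin["name"])
    return report


def suggested_commands(report):
    """Turn the report into the WP-CLI commands an administrator would run."""
    commands = []
    if report["remove"]:
        commands.append("wp plugin delete " + " ".join(report["remove"]))
    for name, _old, _new, _due in report["patch"]:
        commands.append("wp plugin update " + name)
    return commands
```

On a real site, feed it the output of `wp plugin list --format=json` and review the suggested commands before running them.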
Install a security plugin
Googling “security plugins for WordPress” will turn up many articles listing security plugins that can harden your WordPress site and inspect your installed plugins for missing patches, outdated versions, and even known-insecure plugins. CyberHoot runs a security plugin that shall remain nameless to protect our site. Here are some security plugin articles where you can find something to protect your site with:
- HubSpot: WordPress Plugins to Detect Malicious Code
- 17 Security Plugins to Lockout the Bad Guys
- 9 WordPress Scanners to Find Security Vulnerabilities
Scan and Check Your Site
Businesses should scan their WordPress sites. Scans are efficient, inexpensive, and give information that helps in later assessment stages. Most hackers run scans themselves, so it’s smart to do the same to see what hackers see. It’s important to know that scanning doesn’t provide a complete list of security vulnerabilities; it’s just one piece of the overall strategy. Common vulnerabilities that scanners test for include:
- Cross-Site Scripting (XSS), which allows attackers to inject malicious scripts into web pages viewed by other users;
- Cross-Site Request Forgery (CSRF), where a third-party web page tricks a user’s browser into sending unauthorized commands to a web application;
- Broken authentication, a failure to verify user identity; and
- Broken access control, a failure to enforce user permissions.
If the company doesn’t have the expertise to run these processes in-house, a third-party cybersecurity specialist can usually run these processes instead.
Manage Passwords and Site Access
It’s necessary to use unique 14+ character passwords for all admin accounts. With the average person using more than 90 online accounts (Source: Dashlane), CyberHoot recommends you adopt a password manager. Many password managers that are free for personal use exist today, including LastPass, 1Password, and Dashlane.
Enable Two-Factor Authentication (2FA)
Using long and unique 14+ character passwords is not enough. You must also enable Two-Factor Authentication for content developers and administrators of your WordPress site. Two-Factor Authentication is the combination of two of the following three identification factors:
- Something you know – Most often a password for your account;
- Something you have – Such as a cell phone with a temporary authentication code; and
- Something you are – Such as your fingerprint or facial recognition.
Concluding Thoughts On WordPress Websites
It’s important to manage your cybersecurity, especially on the website for your business. Work with your IT staff to secure your WordPress site and ensure you have strong cybersecurity hygiene throughout your business.