WordPress core is mature and widely audited, but like any other content management system or web application it is a constant target for attackers. In practice most compromised sites are taken over through outdated plugins and themes, weak or reused credentials, or misconfigured hosting rather than through WordPress core itself.
How secure is WordPress?
WordPress powers some of the largest, most highly-trafficked websites on earth, including WordPress.com, which is one of the top 25 most trafficked websites in the world and the #1 network of websites in the United States. Like any software, it can still be exposed to vulnerabilities when site owners and developers do not follow up-to-date best practices, or when the server setup, whether internal or managed by a third party, is not configured with WordPress in mind. A current, correctly configured install with only the plugins it actually needs is safe, secure, and scalable.
WordPress in Government FAQ
How can WordPress be attacked?
- Brute force attacks – Bots (automated attack tools) probe your site for weaknesses. Typically a script sends large numbers of username and password guesses (dictionary words, passwords leaked in other breaches, common defaults) to the login form at /wp-login.php, and often to the XML-RPC endpoint (xmlrpc.php), which also accepts credentials and lets many attempts be bundled into a single request. The attacker does not try "infinite" variations; they try the most likely ones first, which is why unique, long passwords and lockout or rate limiting matter.
- Code injection – Attackers plant malicious code in your database or in files under the web root. This usually happens through a vulnerability in a plugin or theme (SQL injection, unrestricted file upload, a missing permission check) or through stolen or guessed credentials for the admin panel, FTP/SFTP, or the database itself, often the result of poor password management.
- Spam attacks – Comment spam is the most common nuisance: bots post thousands of comments carrying links to spam or malware sites. The main purpose is to plant those links, but the volume also bloats the database and moderation queue and can slow the site down.
How to protect your WordPress website
Up-to-date WordPress version and all plugins
This is number 1 for a reason. The most important step you can take to keep your WP site safe from exploits is to keep the WP version and every installed plugin and theme on the latest version. Security releases fix publicly disclosed vulnerabilities, and as soon as a fix is published attackers scan for sites that have not applied it, so the time between release and update is your exposure window. Leave automatic updates for minor core releases enabled (the default), consider enabling them for plugins, and delete plugins and themes you do not use: an inactive plugin still contains code that can be exploited.
Website backup
Either install a backup plugin that creates a backup of all your WP files and database, or schedule backups at server level (a database dump plus the wp-content directory), so that you can restore your website to a known-good version should it be hacked. Store copies off the web server: an attacker who gains access to the server can delete or tamper with backups kept there. Keep several generations, because a backup taken after a compromise restores the attacker's backdoor along with your content, and test a restore before you need it.
Custom login URL or IP whitelist
Every WordPress site has the same login URL: /wp-admin, which redirects to the actual login form at /wp-login.php. Every attacker knows this, so your login screen is exposed to anyone who wants to attempt a brute force attack. One option is to move the login to a unique path, eg. /mycmslogin, using a plugin or rewrite rule; this cuts out most automated noise but is only obscurity and will not stop a targeted attacker. The stronger approach is to allow access to /wp-login.php (and /wp-admin) only from a predefined list of IP addresses (eg. your home or your office). Whichever you choose, apply the same restriction to xmlrpc.php, which accepts credentials without ever touching the login form.
Change the name of the admin user
Older WordPress installs created a user named admin by default, and many sites still have one. Attackers know this and pair that predictable username with lists of likely passwords when trying to break in. Always use a unique administrator login, or delete the user called admin and reassign its content to a new account (WordPress cannot rename an existing login, so you create a new administrator first). Bear in mind that usernames can often be discovered anyway, through author archive URLs or the REST API, so a unique login reduces exposure but is no substitute for strong, unique passwords and login lockouts.
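The backup, update, admin-rename and login-allowlist steps described above, collected into a set of WP-CLI shell functions. This is an added example, not code from the original page or from the WordPress project. It assumes WP-CLI is installed as `wp`, that the web server is Apache 2.4 with .htaccess overrides enabled for the site, and that the site root, backup directory, new login name, e-mail address and IP ranges in the trailing usage comments are placeholders to be replaced.

```shell
#!/bin/sh
# Added example (not from the original page): WP-CLI maintenance helpers for the
# backup, update, admin-rename and login-allowlist steps.
# Assumptions: WP-CLI is installed as `wp`; the site root is passed as $1; the
# allowlist output is appended to an Apache 2.4 .htaccess with AllowOverride on.
set -eu

# Take a database dump plus a tarball of wp-content before changing anything,
# and print the dump path so the caller can log it or ship it off the server.
wp_backup() {
    root=$1; dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    wp --path="$root" db export "$dest/db-$stamp.sql"
    tar -czf "$dest/files-$stamp.tgz" -C "$root" wp-content
    echo "$dest/db-$stamp.sql"
}

# Update core, plugins and themes, then compare the installed files with the
# wordpress.org checksums so modified (possibly backdoored) files stand out.
wp_update_all() {
    root=$1
    wp --path="$root" core update
    wp --path="$root" core update-db
    wp --path="$root" plugin update --all
    wp --path="$root" theme update --all
    wp --path="$root" core verify-checksums
    wp --path="$root" plugin verify-checksums --all
}

# WordPress cannot rename a login, so create a fresh administrator and delete
# "admin", reassigning its posts to the new account. WP-CLI prints a generated
# password for the new user; change it straight away from the profile page.
# Aborts (set -e) if no user called "admin" exists.
wp_rename_admin() {
    root=$1; newlogin=$2; email=$3
    old_id=$(wp --path="$root" user get admin --field=ID)
    wp --path="$root" user create "$newlogin" "$email" --role=administrator
    new_id=$(wp --path="$root" user get "$newlogin" --field=ID)
    wp --path="$root" user delete "$old_id" --reassign="$new_id" --yes
}

# Emit Apache 2.4 rules restricting the real login endpoint to the given
# IPs/CIDRs. /wp-admin only redirects to wp-login.php, so the rule targets the
# file itself; xmlrpc.php also accepts credentials, so it is denied outright.
login_allowlist() {
    printf '%s\n' \
        '<Files "wp-login.php">' \
        "    Require ip $*" \
        '</Files>' \
        '<Files "xmlrpc.php">' \
        '    Require all denied' \
        '</Files>'
}

# Typical run on a real host (placeholder paths and values):
# dump=$(wp_backup /var/www/site /var/backups/wp)
# wp_update_all /var/www/site
# wp_rename_admin /var/www/site siteowner owner@example.com
# login_allowlist 203.0.113.5 198.51.100.0/24 >> /var/www/site/.htaccess
```

Run the backup first and keep the printed dump path; if `core verify-checksums` reports modified files after the update, treat the site as possibly compromised and compare against that dump rather than simply overwriting the files.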
Anti-spam plugin
Install an anti-spam plugin such as Akismet (bundled with WordPress, but it needs an API key to work) to filter the spam that targets the comment boxes below your blog posts. Pair it with comment moderation, and close comments on old posts if they no longer need them.
Extra line of defence
Adding a second factor to the WordPress login can be vital. A YubiKey, a hardware security key made by Yubico, lets you add a physical step to the login process: only someone holding the key and knowing the credentials can sign in. WordPress has no built-in two-factor support, so this is added through a two-factor plugin; the key then works via FIDO2/WebAuthn or a one-time code, with authenticator apps as a fallback option. Even if attackers or bots obtain your username and password, they cannot get past the login screen without physical possession of the key. The second factor only protects the login form, so disable or restrict xmlrpc.php and any other credential-based endpoint that bypasses it.