WordPress remains the most popular platform for both blogs and e-commerce websites. It’s versatile. It’s supported by almost all web hosts out there. It’s free. It’s also reasonably SEO friendly out of the box and owners get access to just about any type of functionality they might need with the library of plugins. However, nothing is perfect, and WordPress is no exception to that rule.
While it is very secure, WordPress as a platform is not un-hackable. It is the job of website owners everywhere to ensure that they have done their due diligence in order to improve security and reduce the risk of being targeted by hackers. How do you tell if your WordPress site is not secure? Let’s take a closer look at some of the most important signs.
You’re Using a Nulled Theme
Nulled themes are pretty popular – it’s a way to take premium, paid-for themes and remove the price tag without running into the limitations imposed by a free trial. In other words, they’ve been cracked by someone. They’re the WordPress site version of a pirated movie.
Besides the moral and ethical issues posed by using a nulled theme, there is also the fact that they’re inherently insecure because most contain malicious code injected by whoever did the hacking/cracking in the first place. Sure, a nulled theme might be able to save you some cash up front, but it will ultimately cost you peace of mind and security.
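A practical way to act on this section is to check theme files for the obfuscation tricks that injected code usually relies on before activating a theme. The scanner below is an added illustration written for this article, not code from the article or from any WordPress project; the indicator patterns are common heuristics (an `eval()` of a decoded payload, an unusually long base64 blob, an include from a remote URL), and the sample theme files are constructed inline. A hit is a reason to inspect the file, not proof of compromise.

```python
import re

# Heuristic indicators of hidden code in PHP theme files (assumed patterns, not an exhaustive list)
INDICATORS = {
    "eval of decoded payload": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long base64 blob": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "remote include": re.compile(r"(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I),
}


def scan_php(source: str) -> list:
    """Return the sorted names of every indicator that matches this file's source."""
    return sorted(name for name, pattern in INDICATORS.items() if pattern.search(source))


def scan_theme(files: dict) -> dict:
    """Map file name -> indicator names, keeping only files that produced at least one hit."""
    report = {}
    for name in sorted(files):
        hits = scan_php(files[name])
        if hits:
            report[name] = hits
    return report


# Constructed sample theme: one clean file and two files carrying typical injection patterns
SAMPLE_THEME = {
    "functions.php": "<?php\nadd_action('wp_enqueue_scripts', 'theme_styles');\n",
    "footer.php": "<?php echo 'footer'; eval(base64_decode('aGVsbG8=')); ?>",
    "header.php": "<?php $blob = '" + "A" * 250 + "';\n",
}

if __name__ == "__main__":
    for file_name, hits in scan_theme(SAMPLE_THEME).items():
        print(f"{file_name}: {', '.join(hits)}")
```

Run it against a real theme directory by reading each `.php` file into the dictionary; on the constructed sample it flags `footer.php` and `header.php` and leaves `functions.php` alone.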
Your Passwords Stink
No website is more secure than its usernames and passwords. Sadly, too many WordPress website owners give no more than a nod to security best practices like password management. Passwords like “12345”, “password”, and “456789” are too common. They’re also too weak.
An attacker could guess those without the help of any software, and even stronger passwords are at risk in the face of some of today’s better hacking software. If you cannot practice good password management and create robust protection for your website, then it might be time to rethink your role as a WordPress site owner.
Strong passwords contain at least eight characters, a mix of upper- and lowercase letters, and special characters such as &, *, $, and #. Check out our Guide to WordPress Password and Username Security.
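The rules above are easy to turn into a check that runs whenever a password is set. The function below is an added example for this article, not code from the article or from WordPress itself: it applies the article's rules (eight characters, upper- and lowercase letters, a special character), rejects the weak passwords the article names via a small constructed list, and also refuses a password that contains the account's username, since the login section below warns about guessable usernames like "admin".

```python
import re

# Constructed sample of common passwords; a real deployment would use a large breached-password list
COMMON_PASSWORDS = {"12345", "123456", "456789", "password", "qwerty", "admin", "letmein"}


def check_password(password: str, username: str = "") -> list:
    """Return the reasons a password fails the policy; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for candidate in ("12345", "Admin#2024!", "Tr0ub4dor&3"):
        verdict = check_password(candidate, username="admin")
        print(f"{candidate!r}: {'ok' if not verdict else ', '.join(verdict)}")
```

Hook the same check into wherever passwords are created (a registration form, a user-profile update, an API) so the rule is enforced rather than merely recommended.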
You Don’t Have an SSL Certificate
OK, if this is true, you probably have bigger problems than just an overall lack of security. Chances are good that you’re not seeing the web traffic that you should, either, despite your SEO and digital marketing efforts. That’s because Google now insists that all sites have an SSL certificate. If your URL does not start with https, then you do not have a secure website, and Google will penalize you in the SERPs.
It’s also important to realize that any site that handles sensitive information, such as consumer credit card numbers, is required by law to have an SSL certificate. Learn the basics of SSL certificates.
This is what encrypts all that information and keeps it out of the hands of information thieves. Really, the best practice for modern WordPress site owners is just to ensure that you have an SSL certificate for security and peace of mind, even if you don’t deal with sensitive information.
You Have Not Limited Login Attempts
The most likely point of entry to your WordPress site for an attacker is the login page. All they need is a username and a password. And, because so many site owners fail to follow through with the creation of strong passwords, and because so many people use easy-to-guess usernames, such as “admin”, this is a major weak point in your defenses. An attacker only needs to sit on the login page and keep attempting to guess usernames and passwords until they eventually get the right combination.
That’s because WordPress’s out-of-the-box configuration allows as many login attempts as anyone cares to make. The good news is that this is easily fixed by installing a WordPress login-attempt-limiting plugin and then going to Settings → Login Limit Attempts.
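What such a plugin does underneath is simple: count failed logins per client within a time window and refuse further attempts for a while once the count is exceeded. The code below is an added example for this article, not the article's own code or that of any plugin; it keeps the counters in memory (a real site would persist them), keys them by client IP, and replays a constructed sequence of attempts against a constructed valid credential pair to show the lockout engaging and expiring.

```python
import time
from collections import defaultdict


class LoginLimiter:
    """Sliding-window failed-login counter with a temporary lockout per key (e.g. client IP)."""

    def __init__(self, max_attempts=5, window=900, lockout=1200):
        self.max_attempts = max_attempts      # failures allowed inside one window
        self.window = window                  # seconds a failure stays counted
        self.lockout = lockout                # seconds the key stays locked
        self.failures = defaultdict(list)     # key -> timestamps of recent failures
        self.locked_until = {}                # key -> time the lock expires

    def is_locked(self, key, now=None):
        now = time.time() if now is None else now
        return self.locked_until.get(key, 0) > now

    def record_failure(self, key, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.failures[key] if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self.locked_until[key] = now + self.lockout   # lock and reset the counter
            recent = []
        self.failures[key] = recent
        return self.is_locked(key, now)

    def record_success(self, key):
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


# Constructed valid credentials for the simulation only
VALID_CREDENTIALS = ("editor", "correct horse")


def attempt_login(limiter, key, username, password, now):
    """Outcome of one login attempt: 'locked', 'ok' or 'denied'."""
    if limiter.is_locked(key, now):
        return "locked"                       # refused before the password is even checked
    if (username, password) == VALID_CREDENTIALS:
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key, now)
    return "denied"


def replay(attempts, max_attempts=3, window=900, lockout=600):
    """Run a list of (time, client_ip, username, password) tuples through one limiter."""
    limiter = LoginLimiter(max_attempts, window, lockout)
    return [attempt_login(limiter, ip, user, pw, t) for (t, ip, user, pw) in attempts]


# Constructed attempt log: three guesses, then the right password while still locked, then after expiry
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.7", "admin", "password"),
    (5, "203.0.113.7", "admin", "123456"),
    (9, "203.0.113.7", "admin", "qwerty"),
    (15, "203.0.113.7", "editor", "correct horse"),
    (700, "203.0.113.7", "editor", "correct horse"),
]

if __name__ == "__main__":
    print(replay(SAMPLE_ATTEMPTS))
```

Note that the correct password is refused at second 15 because the lock is checked first; this is deliberate, since otherwise an attacker's guesses would still be verified during the lockout. A per-username key alongside the per-IP key guards against the same guesses arriving from many addresses.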
You’re Running an Old Version of WordPress
The developers at Automattic regularly release updates and new versions of the core WordPress code, but that doesn’t mean anything if you don’t actually update your site. Understand from the outset that website updates are designed to improve performance and to address vulnerabilities.
If you do not update your site, or have your site updated by whoever handles your maintenance, then your site is inherently risky. It’s only a matter of time before attackers spot it and exploit your inability to stay on top of updates.
You’re Not Using Two Factor Authentication
No, two-factor authentication on its own does not guarantee protection from attackers, but it is a good place to start, and it’s a critical consideration to add along with the other steps we’ve discussed. Combining two-factor authentication with login attempt limits, regular maintenance, and good password management practices can significantly reduce your overall risk and help prevent you from becoming yet another statistic.
How do you add this protection to your site? It’s as simple as installing the right plugin. There are quite a few different plugins that offer this functionality, including Google Authenticator, Two-Factor, WordPress 2-Step Verification, and Unloq, to name just a few.
When it’s all said and done, WordPress site security is in the hands of site owners. It is your responsibility to protect your site, your database, and your users’ information from attackers.
Thankfully, there are many ways that you can do this, and when you add them all together, the result is a secure website that is at a significantly reduced risk level for any type of attack.