WordPress Security | Blog | Hush Digital

You may have heard some horror stories from WordPress website owners that have been badly burnt by notorious hackers – and I’m sure their stories are pretty horrific! But another thing I’m almost certainly sure of is that they will have blamed the hack on WordPress being an ‘insecure platform’. Well, I’m going to try and bust that myth in this article!

The truth is, it’s not WordPress that is the problem… It’s the website owner. More often than not, hackers get into WordPress websites through totally preventable security flaws, such as poor passwords and out-of-date plugins and themes.

Popularity of WordPress

According to a recent study carried out by DMR, WordPress currently powers a whopping 26% of all websites! That’s approximately 37 million websites worldwide.

In fact, WordPress is so popular that some of the biggest names in the music industry are using it! Pop giants include the likes of Queen Bey and her beloved rapper hubby, Jay-Z, as well as pop-princess Katy Perry, and rock sensations, The Rolling Stones! WordPress is also used by some of America’s most influential news outlets and publications, such as The New York Times, CNN and Forbes.

Why do hackers target certain websites?

Hackers have targeted websites that are built on extremely popular platforms for years. If a serial hacker wants to take over a number of websites, for whatever perplexing reason, they are going to target a platform hosting millions of websites. But it’s not just WordPress; hackers target all other popular CMS platforms too, including Joomla and Drupal. Why? Because hackers know that a lot of website users either neglect, or don’t know how to update their website’s security.

So why WordPress? Well to put it simply, WordPress has the most number of users. By targeting a platform as popular as WordPress, cyber snakes know it won’t be hard to find a vulnerable website!

Here are 9 ways to ensure WordPress security

1. Don’t choose an obvious username

When installing WordPress, the likelihood is you were probably given the default username, ‘Admin’. Even though you’ll have been given the option to change this at the start – if you’re like the majority of WordPress website owners – you’ll have probably just kept ‘admin’ for ease.

Simple usernames such as ‘admin’ or even the name of your business are a hacker’s paradise, because they’re so obvious. And the likelihood is, if you’ve chosen an easy username, you’ve probably chosen an easy password too!

2. Create a secure password

An easy password combined with a simple username is just a recipe for disaster! If, like a lot of people, you’re guilty of having the same password for every online portal, social media profile and eCommerce website you’ve ever visited, chances are you’re a super easy target!

You should choose an alphanumeric password, meaning a combination of letters and numbers. To ensure your password is extra secure, you could add a mixture of upper and lowercase letters, and even symbols such as asterisks, hyphens and percentage signs. Basically, the more complex the password, the more secure it is – just make sure you can remember it!

3. Secure your login path.

The login path of your website is the URL that you type into your browser to gain access to your website’s login page. A typical WordPress login path might look something like this, www.mywebsite.com/wp-admin.php.

This is just a minor stepping stone to securing your site, but making it difficult for a hacker to find where to login to your website is a good start!

You can create custom login URLs using the WordPress Stealth Login plugin.

4. Keep WordPress up-to-date

Although WordPress is already pretty secure as a platform, some of the older versions are open to vulnerabilities and security threats. Security improves with each version of WordPress, and the tech whiz-kids over at WordPress HQ – also known as the hacking gurus – are always looking for new ways to improve security!

Unfortunately, if your website is running on an old version of WordPress you are leaving your website open to hackers, so make sure you update it at every given opportunity.

5. Ensure your plugins and themes are up-to-date

WordPress offers an abundance of installations including plugins and themes to help enhance the performance of your website. With each update comes a neat little package of new features, bug fixes and security fixes.

Many website admins and owners simply don’t bother to update WordPress installations for fear of them breaking or changing the appearance of the site. However, this can pose major security threats in the long-run, as hackers tend to target the security weaknesses in older installations.

6. Choose SFTP over FTP

To put it simply, SFTP is secure and FTP is not. FTP wasn’t designed with security in mind when it first came into play around 30 years ago. However, as technology becomes more advanced, so do the hackers and the need for a more secure way of transferring files becomes apparent!

SFTP is encrypted – or in it other words, it’s completely hacker-proof! Whereas if a sneaky hacker gets hold of your FTP login details – just like if they got hold of your password – you’re pretty much screwed!

7. Install a firewall plugin

WordPress offers a library full of firewall plugins to help prevent attacks from hackers. Firewall plugins help protect your WordPress website by blocking potentially dangerous, harmful or suspicious users. We would recommend Securi or WordFence.

You can find out more information about how firewalls work from Comodo.

8. Don’t give permissions to everyone who’ll be updating your website

There are five different WordPress user roles, all with different levels of access and capabilities. An admin role is the highest level and gives the user full power and control over the website, including writing, publishing and editing all posts, add and remove users, and have control over plugins and themes.

It is important to only grant full permission to users that you know and trust. Don’t grant permissions to the nuisance web developer who sent you a spam email claiming he can fix your SEO for £100, because the chances are:

He can’t fix your SEO – infact he will probably make it ten times worse
He’s an untrustworthy, good-for-nothing hacker!

9. Don’t tell anyone your password!

Okay, so this one might seem as obvious as a slap around the chops, but it has to be said – in this digital age, it can be hard to tell friend from foe! Keep your password locked away at the back of your brain and remember not to store any digital or written versions of your password!

Want some help from the professionals?

At Hush, we pride ourselves on our stringent security measures across all platforms, and we’re pleased to say that compromises are an extremely rare occurrence. Do you need help securing your WordPress security? Feel free to give our development team a call on 01325 361729, or email us via [email protected]!

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Analytics" category .
cookielawinfo-checkbox-functional	1 year	The cookie is set by the GDPR Cookie Consent plugin to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Necessary" category .
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Others".
cookielawinfo-checkbox-performance	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to store the user consent for cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin to store whether or not the user has consented to the use of cookies. It does not store any personal data.
wpcerber_LUmfaIsxeXT	1 day	This cookie allows us to differentiate logged in users and non-logged in visitors as well as search engine bots and spammers. This cookie has the sole purpose of securing your website by detecting and mitigating malicious activity. All these cookies have randomly generated names and contain randomly generated values. No personal or sensitive data is stored in the cookies.
wpcerber_ruZtPEA	1 day	This cookie allows us to differentiate logged in users and non-logged in visitors as well as search engine bots and spammers. This cookie has the sole purpose of securing your website by detecting and mitigating malicious activity. All these cookies have randomly generated names and contain randomly generated values. No personal or sensitive data is stored in the cookies.
wpcerber_X-EAvqZLOyBVw	1 day	This cookie allows us to differentiate logged in users and non-logged in visitors as well as search engine bots and spammers. This cookie has the sole purpose of securing your website by detecting and mitigating malicious activity. All these cookies have randomly generated names and contain randomly generated values. No personal or sensitive data is stored in the cookies.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	1 year	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
li_gc	5 months 27 days	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_uetsid	1 day	Bing Ads sets this cookie to engage with a user that has previously visited the website.
_uetvid	1 year 24 days	Bing Ads sets this cookie to engage with a user that has previously visited the website.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_YY020T2WSR	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_19169359_1	1 minute	Set by Google to distinguish users.
_gat_UA-19169359-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
AnalyticsSyncHistory	1 month	Linkedin set this cookie to store information about the time a sync took place with the lms_analytics cookie.
ln_or	1 day	Used to determine if Oribi analytics can be carried out on a specific domain

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.

9 Ways To Ensure Your WordPress Security