Hackers are always looking for new ways to compromise WordPress sites. The easiest way to get access is by leveraging a known vulnerability in an outdated plugin.
IT managers can nip this in the bud by regularly checking the version of PHP their site is running and updating it when necessary. They should also consider disabling PHP file execution in directories like /wp-content/uploads/ using .htaccess.
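As an added example (not code from the original article), the following POSIX shell script writes the kind of .htaccess rule the paragraph refers to into a wp-content/uploads directory and then checks that the rule is in place. The function names and the directory argument are assumptions; the rule uses Apache 2.4 `Require all denied` syntax and only has effect on Apache with AllowOverride enabled for that path.

```shell
#!/bin/sh
# Added example: block PHP execution inside wp-content/uploads via .htaccess.
# Function names and the directory argument are assumptions for this example.

# Write DIR/.htaccess so Apache refuses to serve (and therefore execute)
# PHP-like files stored anywhere in the uploads tree. Apache 2.4 syntax.
wp_protect_uploads() {
    dir=$1
    [ -d "$dir" ] || return 1
    cat > "$dir/.htaccess" <<'EOF'
# Deny access to script files in the uploads directory; images and
# documents are still served normally.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Return 0 when DIR/.htaccess carries the deny rule, 1 otherwise. Re-run this
# after deployments or plugin updates, since those can overwrite the file.
wp_uploads_protected() {
    f="$1/.htaccess"
    [ -f "$f" ] && grep -q '<FilesMatch' "$f" && grep -q 'Require all denied' "$f"
}

# Usage (constructed directory, so the script runs anywhere):
# demo=$(mktemp -d)/wp-content/uploads; mkdir -p "$demo"
# wp_protect_uploads "$demo" && wp_uploads_protected "$demo" && echo "uploads protected"
```

nginx does not read .htaccess files, so on that server the equivalent is a `location` block for the uploads path that returns 403 for `.php` requests; the check function above would then report the directory as unprotected, which is the right default for a site whose server type you have not confirmed.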
1. Upgrade Your PHP
Keeping your WordPress site up-to-date is one of the most important recurring tasks you can do to increase security. Fortunately, WordPress’s popularity means that vulnerabilities are discovered quickly and patched often. However, if you have an outdated version of PHP installed on your site, you are leaving yourself open to attack.
PHP is the primary programming language for WordPress websites, so it’s vital to keep your site running with the latest version. New versions are released regularly and typically include improvements to both speed and security. For example, the latest version of PHP includes an extension that provides improved data encryption and a more secure method for sending login credentials (usernames and passwords).
Upgrading your PHP isn’t difficult. Most hosting providers offer a one-click process that makes it easy. For instance, Kinsta’s MyKinsta dashboard lets you easily upgrade to the latest version of PHP.
While you’re upgrading your PHP, it’s a good idea to update all of your plugins as well. Ensure they are compatible with your new version of PHP and check for any errors in the plugins’ code.
One of the most common ways hackers gain access to a website is by exploiting vulnerabilities in plugins. In fact, a study by WordFence found that plugin vulnerabilities account for 55% of all known entry points for hackers.
Using a plugin like iThemes Security or WordFence will help to scan your website and identify any vulnerabilities. A more advanced tool, such as SecuPress, will not only scan your site but will also automatically patch the vulnerabilities. You can even get brute force protection, which is critical to protect against some of the most common attacks against WordPress sites.
2. Update Your Plugins
Because WordPress is open-source software, its developers are constantly upgrading the platform and fixing vulnerabilities. This is why it’s important to keep your WordPress plugins up-to-date. Not only does this ensure compatibility with new releases, but it also prevents hackers from exploiting outdated loopholes in your website’s security.
Before updating a plugin, be sure to check the changelog and back up its files. Also, make sure you know which plugins are crucial to your site’s functionality. These plugins are usually those that control the structure of your site, like page builders or galleries. If they’re updated erroneously, they can cause your entire site to malfunction. For this reason, you must update these plugins manually.
In addition, you can use a tool called the Integrity Checker to verify the integrity of your WordPress installation. This tool will display a list of all the files in your WordPress installation with their associated checksums. This will allow you to see which files have been added, deleted, or modified since the time of your initial installation.
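The checksum comparison described above can be reproduced with standard tools. The script below is an added example, not the Integrity Checker tool itself or any other project's code: it records a SHA-256 manifest of a WordPress tree and later reports which files were added, deleted, or modified relative to that baseline. The function names and the manifest format are assumptions; file names containing spaces are not handled.

```shell
#!/bin/sh
# Added example: a baseline-and-compare integrity check for a WordPress tree.
# Function names and the manifest format are assumptions for this example.
export LC_ALL=C   # stable collation for sort, comm and join

# Print "sha256  ./relative/path" for every regular file under DIR, sorted by path.
wp_hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Record the current state of DIR into MANIFEST. Keep MANIFEST outside DIR,
# ideally off the server, so whoever edits the site files cannot edit it too.
wp_make_manifest() {
    wp_hash_tree "$1" > "$2"
}

# Compare DIR against MANIFEST. Prints one line per difference
# (ADDED / DELETED / MODIFIED path) and returns 1; returns 0 when nothing changed.
wp_verify_manifest() {
    dir=$1
    manifest=$2
    current=$(mktemp)
    old_paths=$(mktemp)
    new_paths=$(mktemp)
    wp_hash_tree "$dir" > "$current"
    awk '{print $2}' "$manifest" > "$old_paths"
    awk '{print $2}' "$current"  > "$new_paths"
    report=$(
        comm -13 "$old_paths" "$new_paths" | sed 's/^/ADDED /'
        comm -23 "$old_paths" "$new_paths" | sed 's/^/DELETED /'
        # join on the path column; a differing hash means the file was modified
        join -j 2 "$manifest" "$current" | awk '$2 != $3 {print "MODIFIED", $1}'
    )
    rm -f "$current" "$old_paths" "$new_paths"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage (constructed tree):
# site=$(mktemp -d); printf '<?php\n' > "$site/index.php"
# wp_make_manifest "$site" /tmp/wp-manifest
# printf 'changed' >> "$site/index.php"
# wp_verify_manifest "$site" /tmp/wp-manifest   # prints "MODIFIED ./index.php"
```

Take the baseline right after a clean install or update, and rebuild it after every legitimate change you make yourself; otherwise the report fills with expected differences and a genuinely unexpected file in wp-content/uploads or a plugin directory is easy to overlook.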
Lastly, installing a security-based plugin is another great way to protect your site from cyber attacks. Some security plugins include a number of features to improve your site’s security, such as cross-site scripting protection, file change detection, and permission setting alerts. These features can be extremely useful in securing your site from malicious attacks and keeping it safe for your teammates, customers, and visitors.
3. Install a Security Plugin
Plugins are the largest entry point for hackers, especially if they’re out of date. According to WordFence, outdated plugins are responsible for more than 55% of the known hacks on WordPress sites. To protect your site from these vulnerabilities, we recommend that you install a security plugin to monitor your website for suspicious activity and prevent attacks.
A security plugin is a software application that helps protect your WordPress website against cyberattacks and other threats. These types of applications can be installed on your cPanel and help to monitor incoming traffic, detect malicious activities, and block these activities if they occur.
There are several free and premium plugins available for WordPress that can help you improve the security of your website. Many of these plugins are designed to provide prevention and detection of incoming attacks, while others offer more in-depth protection features such as a firewall, cloud WAF, and sandboxing.
One of the most popular and best-known security plugins for WordPress is Sucuri, which offers a complete suite of security tools that include malware scanning (which you can schedule ahead of time), brute force attack protection, and monitoring tools to alert you of any unusual activity on your website.
This security plugin also includes other useful features, such as the ability to change the default wp_ prefix for your database so that it’s harder for hackers to identify and access your database information. It also has a feature that hides the admin login page and can alert you when there are changes made to your file system. These alerts can be sent to the email address associated with your account or they can be sent to a third party, such as your IT department.
4. Delete Unused Plugins
Plugins are one of the main features that make WordPress popular and versatile, but they can also introduce security risks. For example, if a developer hasn’t updated their plugin in a long time and it has a vulnerability, hackers may use it as an entry point to your site. To prevent this, it’s important to know how to remove unused plugins properly.
Some plugins will leave behind files and data even when you deactivate them. This can slow down your website, increase the size of your backups, and create a security hazard. Using the right tools, it’s easy to clean up these plugins and keep your site safe.
To delete a plugin, you can log into your WordPress dashboard and go to Plugins > Installed Plugins > Deactivate. However, if you want to fully uninstall it, you’ll need to use an FTP client like FileZilla or WinSCP and navigate to your public_html > wp-content > plugins folder. Here you’ll find all of the plugins installed on your site, and they’re saved as unique folders with the name of the plugin inside.
Once you find a plugin folder, right-click on it and select Delete. Repeat this step for any other plugins you’re no longer using. Once you’ve removed all of the leftover folders, you can also clear out any tables that have been created by plugins in your database. For instance, the Social Snap plugin has a table called “wp_socialsnap_stats,” and you can delete it with a simple click in the phpMyAdmin tool. It’s important to clean up these tables because they can be used by hackers to gain access to your website. The best way to protect your website is to always keep your plugins up-to-date and delete any that you don’t use anymore.
5. Change Your Password
The password is one of the most important pieces of security on any WordPress site. It is what keeps hackers from accessing your database and stealing your customers’ personal information. That is why you need to make sure that your password is strong and difficult to guess. Avoid using common phrases, your date of birth, or the name of a family member, and use special characters, letters, and numbers. It would also be wise to keep a backup of your database and website in case something goes wrong when you change your password.
WordPress has a built-in feature that allows you to change your password without having to contact your hosting company or use an outside plugin. You can use this by navigating to the Users > All Users section of your dashboard and clicking on the password reset link next to the user you wish to edit. However, this method only works if you have access to the email address the user registered with on your site.
Another option is to use phpMyAdmin to edit the database directly. This will require you to have a valid login for your cPanel account and to know the database table prefix of your WordPress website, which is usually wp_ but may be different depending on how your hosting provider set it up.
Once you are logged in to your cPanel, go to the databases section and click on phpMyAdmin. Then, select the database for which you want to change the password. Click on the edit icon (may look like a pencil in some versions of phpMyAdmin).
In the wp_users table, find the row (user_id) for the user whose password you want to change. Then, replace the old value in the password column with the new password. Make sure that your password is at least 8 characters long and includes both lowercase and uppercase letters as well as special characters.