This post was most recently updated on March 27th, 2014
I was having so many problems not only with my blog, but more importantly with the membership site I had created for my product.
This had me in a tizzy… everything was done, but my hosting company wasn’t able to connect different sites properly for me, nor were they helping me when I asked for support. Instead, they told me it was my fault. This is an all too common problem with using a shared hosting site.
I was lost for what to do, until… I got in touch with Kumar Gauraw’s Krishna World Wide Hosting. BOOM… Problem solved, and no more monkeying around with plugins or techie stuff I can’t even describe… not me!
Kumar’s hosting company impressed me so much with the quick customer service and meticulously managed care. Everything was taken care of for me, and I was able to finally on with marketing again, instead of tinkering.
I decided to invite Kumar to my blog to explain some important things that I think my readers ought to know.
Here, Kumar will explain 10 WordPress Security Holes You Must Close To Protect Yourself Online. So, take it away, Kumar…
When you are self-hosting your website, it is very exciting but you also assume the responsibility of protecting your home on the internet while you grow your business online.
Internet is a scary place as you know it. Often, we hear reports of brute force attacks or a major site being hacked in one or the other way. And that only tells us that our website security is a risk and we need to take and put our best efforts to protect ourselves against such things.
The Challenges With Self-Hosted Sites
Because of being in the Managed WordPress Hosting business, I get to review many websites (for our existing clients and prospective clients) and here are a few things we find which are not even known to them until I show it to them:
1. Using “admin” As Administrator
Every WordPress installation creates the default “admin” user automatically. Therefore, many new bloggers get used to using this account and keep using it forever.
It doesn’t hurt as long as you are a small site which isn’t getting any traffic or attention.
However, imagine that the whole world knows your administrator user ID if you are operating as the “admin”. So, half the work of hackers is already done with your help. It is that dangerous to keep this user as your administrator.
Solution: If you still have the “admin” user, it’s time to create another administrator user for yourself with a strong password and then downgrade the privilege of the “admin” user if you do not want to drop it.
2. Using Weak Passwords
I have seen live websites of some of the regular bloggers with password as “admin1234” or “testing123”, “password12” etc.
How difficult is it for intruders to try these and get into your admin area if this is you?
It is very important to use tough passwords and passwords that are unique to your website. I prefer to keep my passwords at least 15 characters long and preferably 22 characters as much as possible.
Solution: If you still have easy to guess passwords on your site, you may want to visit this website and generate a strong password for your administrator account and reset your password.
This may be the one thing that can probably be a life saver for you the next moment because you never know who is trying to get into your website right now.
3. WordPress Installation Not Locked Down
This one is a big concern. This is in addition to the above and it is a much broader area. In fact, this encompasses many vulnerabilities within a WordPress installation such as:
People can go to a browser and say http://DomainName.com/wp-content/ and browse through their website’s directory structure.
- People can go to a browser and say http://DomainName.com/wp-includes/ and browse through their directory structure.
- Their .htaccess file itself isn’t protected.
- Their wp-config.php is not protected exposing their database and probably database username and password as well.
- Their install.php, upgrade.php in admin directories are still not deleted or at least, protected.
…and so on. All of these security vulnerabilities can make hacking your website easier for your intruders.
Solution: Your website security should be your primary concern for sure. Imagine going through the pain of fixing your website after a hack or infection and that should motivate you to take your WordPress security as your top priority.
What you need to do is, get professional help in setting this up for you in case you are not sure how to do this.
But, if you do have a good handle on technical aspects of your website maintenance, install a good security plugin like WordFence Security and start to tighten your security today.
4. Not Tracking Unauthorized Login Attempts
You may have heard about Brute Force Attacks and DDoS attacks in recent months a lot. These attacks are aimed at bombarding your website’s wp-login.php with login attempts (mostly using the default user “admin”) to make your web server give up and die.
Now, if you have a way to know that your website is being attacked, you can do something about blocking those IP addresses which are trying these attacks. That is a good place to begin the protection against such attacks.
However, most self-hosted WordPress users don’t even have any way to even know that they are being attacked. They have no idea if somebody is trying to log into your website in an unauthorized way, right now.
Solution: If you haven’t installed it yet, get an awesome WordPress plugin called “Limit Login Attempts” and set it up correctly to ensure you get notified as soon as a set of unsuccessful login attempts are made.
Not only that, the plugin also blocks the infiltrating IP address for a number of hours defined by you. It is a must have plugin for security of your WordPress installation.
5. Not Keeping Themes And Plugins Updated
WordPress updates are released from time to time to fix bugs, introduce new features and also to patch security vulnerabilities.
Whenever WordPress releases new patches, it is very important to implement them. The same is true for plugins and themes updates as well.
I know that many of you feel trepidation when it comes to updating WordPress, afraid that it might break your theme or disrupt a plugin’s functionality. My response to this is simple: if you’re afraid of it, then you need to re-evaluate your theme and plugin strategy. Your theme will certainly get disrupted when a hacker injects half a page of a nasty encrypted code into it.
If a plugin or a theme isn’t updated regularly, then you are putting your website at risk.
Solution: Always keep your WordPress updated. Always keep your plugins updated. Always keep your themes updated. Whether or not a plugin or a theme is active, keeping them active is your need.
However, REMEMBER to take a backup before doing an update so you can be able to restore your website in case an update breaks your website for any reason.
6. Too Many Inactive Plugins And Themes
WordPress Plugins are awesome and we have plugins for pretty much getting anything and everything done by just using a plugin or two.
But, it so happens that a lot of us keep adding plugins into our WordPress installation and then forget to delete them even if we are not using them. I have come across such situations a number of times. It’s sometimes amazing to see that some webmasters had more inactive plugins than active ones.
The problem is, inactive plugins are usually not updated and that means it creates a security risk in case the plugin has one. Therefore, my question is, why should I keep a plugin and let it occupy memory and resources on my server if I am not even using it?
The same applies in the case of themes too. Too many themes (when you can really have only one active at a time), is a waste of space and a security risk.
Solution: If you have a few plugins or themes that you are not using and don’t plan to use, remove them. If you ever need them again, you can always put them back. But, for now, remove them.
7. Disregarding Website Loading Speed
Your website’s loading speed (also known as page speed) has become one of the most important factors of your overall ranking in recent months. Everybody is talking about it because a better ranking on Google means better traffic, and having better traffic means a better business. It’s all interlinked.
Now, I have seen many awesome websites with great content which load very slow. I mean, why should you allow your website to load in 10 seconds when it could load in under 2 seconds?
But guess what? A lot of WordPress sites are too slow, mostly because of ignorance about it from the website owner. It costs in terms of traffic and people don’t even know that they can test this and improve this.
Solution: Test your website’s loading speed using such tools as Pingdom Tools and WebPageTest.org. If those websites show that your website is loading slow, you should be concerned and talk to your web hosting service provider to explore your options to speed up your website.
Sometimes, you may have to do your database optimization, removal of unwanted plugins and themes and optimization of images etc.
For Krishna World Wide clients, we take this responsibility and we ensure that our clients get the optimal performance they can get. We test their sites and provide them our suggestions and solutions as we find applicable to each of our individual client.
8. Failure To Keep Regular Backups Taken
When you are hosted in a shared environment, you know you need to do it it and you should take it very seriously.
But I have seen that many webmasters do not have a process to take automatic and regular backups of their websites.
Sometimes, they don’t know because they assume that their web host must be doing it for them. Some others don’t feel like taking it regularly.
In both cases, if something goes wrong, your website is under high risk. If your web host’s backup copy (if they are taking one) is corrupt for any reason or the server crashes or the hard disk fails, all of your website content can be lost.
I think that is a great risk and no blogger should knowingly take this risk. After all this is your content, this is your legacy and you don’t want to keep it so unprotected.
Solution: Ensure you have a dependable backup strategy in place. You can schedule an automatic backup using cPanel if you feel comfortable.
Or, you can sign up for a tool such as managewp.com or VaultPress.com and schedule an automatic backup to be stored on cloud or any third party location (such as Dropbox) where you feel it’s safe to keep your backup.
9. Not Keeping Your ‘MySQL’ Database Optimized
This is a kind of repetition of point number 7, but it deserves a separate mention because of its importance.
A bloated MySQL database means a bloated WordPress website and that means a significant slowdown in your page loading speed. The larger the size of the table, the more time it will take for WordPress to find the data needed to render your pages. So, you want to make sure your MySQL tables are optimized on a regular basis.
I recommend optimizing your MySQL tables once every 15 days if you are a blogger with a lot of comments (and spam comments) because comments consume a lot of disk space and spam comments are unnecessary anyway.
Solution: You can optimize your MySQL regularly using two/three methods. All of these options are very effective and depending upon your comfort level, you can choose any one:
- Use cPanel method for optimizing your MySQL. Login and use myPhpAdmin to optimize your tables. I prefer this over the next one.
- Install a WordPress plugin called WP Optimize and use it conveniently from your WordPress admin to perform the action.
- Signup for a service like managewp.com and get it done along with backup. This option will cost you money. But it’s worth it.
10. Not Monitoring Malware
This is one thing is considered a premium feature and most bloggers and small business owners ignore this. When you are not monitoring your website for possible malware attacks, obviously you will not be able to protect yourself. It’s that simple.
However, people don’t implement this feature because they think it’s not worth the investment.
But they couldn’t be more wrong. Once a website is infected, the cleaning service costs way more money than paying for protection in addition to the downtime which hurts you anyway every time your site is down.
Solution: Sucuri is one such service I highly recommend for malware monitoring. They do a great job of server-side scanning of your websites every 4 to 6 hours without overloading your server and help you detect any suspicious activities.
That is why we’ve partnered with them for the server-side scanning that we add to all the websites of all our Krishna World Wide Hosting customers. If you are hosted with us, you have nothing to worry about because Sucuri is already monitoring your websites every single day.
If you are not hosted with us, it is a good idea to subscribe to Sucuri and benefit from their world-class service and have a good night’s sleep knowing that you are being protected by professionals.
We Do It All For You At Krishna World Wide Hosting
Imagine you have all of the above problems taken care of for you by your web host. This is what Managed WordPress Hosting is all about. This is what we offer at the Krishna World Wide Hosting.
I’ve already told you about the server-side scanning by Sucuri. But the internet is always evolving and we can’t be 100% sure that we cannot be hacked or our sites cannot be infected by any means, although we strive for it.
Because of this risk, we also provide a malware cleanup guarantee to all of our customers at no charge. And that’s far from the only reason why our Managed WordPress Hosting is a great choice for the security-conscious and bloggers who want optimal performance for their WordPress powered websites.
If You Are In A Shared Hosting Service
If you are on a shared hosting server, that itself is a great risk because your threat is simply multiplied by the number of WordPress websites on the server where you are hosted. If any of the websites get hacked, your chances of being hacked dramatically increases.
And on top of all that, think of the toll it takes on your overall loading speed and scalability.
If you are serious about all the issues I have discussed so far and you still want to go with a shared hosting company, find a web host that takes security seriously. It should be one of your most important criteria.
Even then, you will have to personally take care of all the above 10 risk factors yourself and maintain it. Yes, it may seem like a tedious task. But let me tell you, it’s worth the effort and I highly encourage you to take time to look after these issues.