When it comes to operating your business with WordPress Hosting, security is the most important consideration. WordPress sites are among the most targeted by attackers due to relatively common vulnerabilities that are easily secured with a small amount of effort. In a sample size of 4,322 WordPress websites hosted on Liquid Web’s network, we blocked and logged over 628,722 attacks in a 72 hour period; that’s over 48 blocked attacks per day per website. Some websites are more highly targeted and see four to five times more attacks per day than the average. Our proactive Security Team uses ModSecurity (a request filtering module for Apache) as one method of protecting our customers’ WordPress sites, but we can’t protect your server from every threat. If you’re looking to secure your WordPress site against such a deluge of attacks, here are four tips that will lead you in the right direction.
Update Your Plugins & Themes
Regularly updating all of your existing plugins and themes is the most effective method of securing your website. This is especially important given that outdated plugins and themes are a popular attack vectors for WordPress sites. While updating plugins is ultimately our customers’ responsibility, we do our best to help our customers as much as possible. For example, we have ModSecurity rules in place that prevent some outdated plugins from being exploited, providing our customers a small amount of leeway in their plugin maintenance. However, this service does not replace the need to monitor your plugins and we strongly recommend updating them whenever possible. It is possible to set at least the WordPress Core to automatically update. To learn how, check out our Knowledge Base article on enabling automatic background updates.
Create Strong Passwords
Another popular attack vector for WordPress sites is weak passwords. We have an in-depth Knowledge Base article with tips on how to create strong passwords, including which types of passwords to avoid. Attackers often use brute-force attacks that attempt to guess passwords, an effort that is only made easier by simple, dictionary word passwords. Our customers ultimately have the final authority on what passwords they choose, but in an effort to help secure their servers as much as possible we do utilize ModSecurity on most of our servers to block brute-force attacks.
Maintain Regular Backups
It is impossible to guarantee your server will never be successfully hacked, which is why it is vitally important to take regular backups of your site and data. You can recover from nearly any attack if you have a solid backup solution in place. Our Heroic Support® team can help you configure cPanel backups or our Guardian backup solution on your dedicated or Storm® server. For customers with Storm® servers, Storm® backups can be easily enabled from within your account. Up-to-date, secure, and offsite backups are critical to protect your site data in the event of an unavoidable attack.
Utilize Security Plugins
Once you have taken the proper precautions by updating your site, strengthening your passwords, and backing up your files, it’s time to think about a security plugin. The Liquid Web Security Team recommends a few WordPress plugins that are highly ranked and widely used across the industry. Learn more about our team’s WordPress security plugin recommendations.
The four tips above will go a long way toward protecting your WordPress site from would-be hackers. While themes, plugins, and custom modifications are not covered with our fully managed Heroic Support®, our team will provide Best Effort Support for those and other third-party plugins and issues. As always, our Heroic Support® is here to help, 24/7/365.
Want WordPress without the hassle? Check out WordPress Without Limits, a managed WordPress solution, with one-click staging, one-click backup restoration, automatic updates, automatic backups, and free SSL.