Top 5 WordPress Security Threats and How to Fix Them
WordPress is the most popular content management system (CMS) on the Internet today. There are around 74,652,825 sites running on WordPress and around half of those are hosted on the free WordPress.com site. The rest are hosted on private servers.
There is a reason so many CMS-based sites use WP. WordPress is a smart and intuitive platform that nearly anyone can learn to use. There are numerous plugins and themes available to help website owners customize the look and features of a site. Plus, those who understand coding can easily customize their sites even further.
However, WP is also susceptible to a few security threats. Hackers love to go in through the backdoor of your WP site and attempt to set up residence there. Fortunately, if you are aware of the most common security threats, then you can easily fix them and prevent hackers from taking over your site. Below are the top 5 WordPress security threats and how to fix them.
1. Password Hacking
You’ve probably noticed that most sites requiring a password now require you to create a strong password with capitals, lower case, numbers and special characters. The more complicated you can make the password (but still remember what it is), the less chance hackers have of breaking into your site.
Understand that hackers often use bots that can try dozens of passwords in seconds. If your password is easy to crack, you can be certain they can and will crack it. Tips for creating a strong password include:
- Not using the same password for everything
- Making the password at least 12 characters long
- Making sure all your devices used to sign in are secure (two-factor authentication helps)
2. SQL Injections
Because WordPress stores its content in a database and builds pages with PHP server-side scripts, it can deliver content quickly and provide a WYSIWYG editing environment, but it also leaves your WP site open to URL insertions.
Basically, hackers embed malicious commands within a URL; if the site passes them to the database unchecked, the database executes them and reveals sensitive information, which could even allow the hackers to change the content on your site. A few methods to help prevent SQL injections include:
- Update to the latest version of WordPress. Any versions below the most current may be vulnerable to SQL injections.
- Use a site such as WordPress Security Scan to find vulnerabilities in your site and then fix them. The basic scan is free and will identify common errors, but you can also upgrade to a premium scan to check for lesser-known vulnerabilities.
- Update to the latest version of PHP that your web hosting server allows. The more up-to-date the PHP, the less vulnerable your WordPress site will be to hacking.
- Update plugins. Many vulnerabilities are found in plugins and themes, so make sure you update to the latest version. Also, pay attention to the last time the creator updated the plugin or theme. If they no longer offer updates, switch to a different plugin that does.
3. Database Attacks
Because MySQL is the most common database used, it is also a target for hackers. When you use your server’s one-click or easy install features, the default table prefix is wp_. Using this prefix means that a hacker already knows the name of every table in your database.
If you are just setting up your WP site, it is simply a matter of changing the prefix before you install. If you already have an established WP site, you’ll need to go in and make some changes to use a different prefix. You can change the prefix of your database tables fairly easily, though, by following these steps.
- Back up your database in case there is an issue when making changes. This allows you to easily restore the site if there is an error.
- Go to the root directory of your WordPress installation (via FTP, or the file manager some hosting control panels provide) and open the wp-config.php file. Look for a line that reads: $table_prefix = 'wp_';
- Replace wp_ with wp_78398_ (use random numbers of your choice; letters are fine too). Keep the trailing underscore so the table names below, such as wp_78398_posts, come out as intended. Save and close the file.
- Open your database through phpMyAdmin or similar program. If your server uses cPanel, then look for the phpMyAdmin button.
- Click on the tab that says SQL and run the following queries. You can also rename each table manually, but if you have a lot of tables this is time-consuming. Note that you need to change 78398 to the numbers or letters (or combination) you personally used.
RENAME TABLE `wp_commentmeta` TO `wp_78398_commentmeta`;
RENAME TABLE `wp_comments` TO `wp_78398_comments`;
RENAME TABLE `wp_links` TO `wp_78398_links`;
RENAME TABLE `wp_options` TO `wp_78398_options`;
RENAME TABLE `wp_postmeta` TO `wp_78398_postmeta`;
RENAME TABLE `wp_posts` TO `wp_78398_posts`;
RENAME TABLE `wp_terms` TO `wp_78398_terms`;
RENAME TABLE `wp_termmeta` TO `wp_78398_termmeta`;
RENAME TABLE `wp_term_relationships` TO `wp_78398_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `wp_78398_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `wp_78398_usermeta`;
RENAME TABLE `wp_users` TO `wp_78398_users`;
You now need to fix any options that still carry the old prefix in their name (for example wp_user_roles). Use this query and fix any rows that pop up by changing their names to the new prefix you’ve chosen (the backslash makes LIKE treat the underscore literally instead of as a one-character wildcard):
SELECT * FROM `wp_78398_options` WHERE `option_name` LIKE '%wp\_%';
Finally, search usermeta for wp_ prefixes (for example wp_capabilities and wp_user_level). Use this query:
SELECT * FROM `wp_78398_usermeta` WHERE `meta_key` LIKE '%wp\_%';
Remember that you need to plug in what numbers or letters you chose in place of 78398.
Save the changes and check to make sure everything is working. You should create a second backup of the site with the new prefixes in place, but don’t discard the original in case something breaks. It’s always a good idea to keep a backup anytime you make any type of major change to your site.
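The prefix-change procedure above, generalized into a small script (an added example, not code from the original article): it produces the RENAME statements for any prefix, the UPDATE statements for the option name and user meta keys that WordPress stores with the prefix baked in, and the two audit queries with the underscore escaped (an unescaped _ is a one-character wildcard in MySQL LIKE) and already-renamed rows excluded. The table and key names are assumed from a standard single-site install; plugins may add more, which the audit queries will surface.

```python
import re
import secrets

# Core single-site WordPress tables, as in the RENAME statements above.
WP_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "termmeta", "term_relationships", "term_taxonomy",
    "usermeta", "users",
]
# Rows that embed the table prefix in their name (assumed standard install).
PREFIXED_OPTIONS = ["user_roles"]
PREFIXED_META_KEYS = ["capabilities", "user_level",
                      "user-settings", "user-settings-time"]

def validate_prefix(prefix: str) -> str:
    """WordPress accepts only letters, digits and underscores in $table_prefix."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError(f"invalid table prefix: {prefix!r}")
    return prefix

def random_prefix(length: int = 5) -> str:
    """Build a prefix such as wp_78398_ from random lowercase letters and digits."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "wp_" + "".join(secrets.choice(alphabet) for _ in range(length)) + "_"

def rename_tables(old: str, new: str) -> list[str]:
    """One RENAME TABLE statement per core table (the page's step 5)."""
    validate_prefix(old); validate_prefix(new)
    return [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in WP_TABLES]

def fix_prefixed_rows(old: str, new: str) -> list[str]:
    """Rewrite the option names and meta keys that still carry the old prefix.
    Run after rename_tables(), so the tables already have their new names."""
    validate_prefix(old); validate_prefix(new)
    stmts = [f"UPDATE `{new}options` SET `option_name` = '{new}{o}' "
             f"WHERE `option_name` = '{old}{o}';" for o in PREFIXED_OPTIONS]
    stmts += [f"UPDATE `{new}usermeta` SET `meta_key` = '{new}{k}' "
              f"WHERE `meta_key` = '{old}{k}';" for k in PREFIXED_META_KEYS]
    return stmts

def audit_queries(old: str, new: str) -> list[str]:
    """The page's two SELECTs, hardened: '_' is escaped so LIKE matches it
    literally, and rows that already carry the new prefix are excluded."""
    validate_prefix(old); validate_prefix(new)
    old_pat, new_pat = old.replace("_", "\\_"), new.replace("_", "\\_")
    return [f"SELECT * FROM `{new}{t}` WHERE `{col}` LIKE '{old_pat}%' "
            f"AND `{col}` NOT LIKE '{new_pat}%';"
            for t, col in (("options", "option_name"), ("usermeta", "meta_key"))]
```

Run the statements in the order rename_tables, fix_prefixed_rows, audit_queries; anything the audit still returns is a plugin row to rename by hand.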
4. Brute Force Attacks
A brute force attack is when a hacker goes to the login page of a website and simply tries the username admin with dozens of password combinations. Fortunately, this is a pretty easy security threat to stop.
- Install the plugin Limit Login Attempts Reloaded. A brute force attack can also slow down your website and eat up bandwidth; this plugin stops it by completely locking an IP out of your site after too many failed password attempts in a short amount of time.
- Install a security plugin. Many of today’s security plugins come with a firewall that blocks anyone attempting suspicious activity on your site. One good one is All in One WordPress Security and another is Wordfence. However, there are a number of options, so choose the one that works best for you and is affordable.
- There are some more advanced tactics you can use, such as htaccess password protection, but start with the plugins and if that doesn’t stop the attacks you can get more in-depth with your protection levels. You can also change the default admin name to better protect your site.
- You can also change your username using the tutorial at Hostinger.
5. Hijacking an Open User
If multiple people work on your site, there is a security risk for each one. If the person logs in and then walks away from their computer, it is vulnerable to anyone in the vicinity. This could be a problem in a shared workspace, for example. If that person’s computer gets hijacked, your site could be vulnerable as well.
- Install the Inactive Logout plugin.
- Choose the settings that make sense for your site. You can set the length of time the person is inactive before you log them out and even the message they receive when being logged out.
Keeping Your Site Secure
The number one thing you should do to keep your site secure is to back up your site regularly. Make sure you back up the complete site as well as your database. If the worst happens and a hacker gets in, at least you’ll have a clean copy of your site to reinstall. Seek out a hosting provider that will work with you on making sure your site is as secure as possible from their end, and then do your part to close any windows that would let a hacker into your site.