WordPress is a popular platform that simplifies the work of web developers using various website building tools. For many website owners, Internet security is the number one priority to protect their websites from security breaches. Several myths surround WordPress security. These myths actually do little to protect your website.
1. WordPress is an insecure CMS Platform
While it may be true that WordPress is subject to more attacks than other CMSs, it does not mean WordPress is inherently insecure. WordPress’ biggest vulnerability comes from users not taking steps for their own site protection.
WordPress consists of the WordPress core plus external plugins and themes. The large majority of hacking attacks, up to 80%, are due to the use of out-of-date software (add-ons and themes that have not been updated). A WordPress website can also be accessed through an outdated password or plugin, and this applies to virtually every CMS. Be sure to update your themes and plugins regularly, because if the site gets hacked, it’s not WordPress’ fault, it’s the users’ fault.
2. SSL certificates will keep the website safe
An SSL certificate provides secured communication between a website and its visitors: it protects the data being passed between them, especially for visitors who leave sensitive information like credit card numbers, contact information, etc. What WordPress users may ignore is that it only encrypts traffic, not the files and the website’s data. Regardless of SSL, the website is still vulnerable to hackers without the protection of a WAF (Web Application Firewall).
3. By changing the database table prefix security will be improved
This is even a common recommendation. The idea is to replace the prefix “wp_” with another value and thus prevent attacks on the database (SQL injection). It gives the impression that work is being done to improve security, but actually not much is being achieved.
Hackers use various means to steal the database by finding vulnerabilities in the plugins and themes you use.
This method has not been proven to improve security, and if the change is not done correctly, the website could crash. To protect yourself from such attacks, you should take a three-pronged approach: use a WAF, monitor the site for malware and scam attempts, and update plugins, themes, and the WordPress core.
4. Regular backups can help in all the critical security situations
Backing up your data is very important, but there’s a problem: most companies don’t have good backup security in place. In fact, a staggering number of security problems are due to poor backup management. We see this time and time again in the news and in surveys. Companies need to take better control of their backups. It’s important to do this properly, but it’s not enough.
5. My website isn’t big enough and it is not a profitable target to get attention from hackers
Such a statement makes no sense at all. Especially when you consider that smaller websites and blogs are the perfect target for attacks.
5 a) The smaller the site, the less likely it is to be maintained by competent administrators who would react quickly in the event of a hacker attack.
According to research, most hacking attacks affect the websites of small and medium-sized businesses that don’t have enough resources to defend against such attacks, as opposed to larger, bulkier websites.
The number of visitors to a website is not important to hackers. As soon as they gain control over your site, they can completely wreck it and use your server to transmit malware, send spam, or direct traffic to a malicious website.
5 b) Operators of smaller websites may believe they are protected because they are lost in a crowd of other websites. But blog operators try to stand out from that crowd and attract as much traffic as possible, and if you work to attract attention, you will surely attract the unwanted kind as well.
Modern hacking is done by bots that focus more on quantity than quality, searching through a huge number of websites until they find a vulnerable page. All website owners must take precautions to protect themselves from being hacked, no matter how small the website is.
6. You should hide your wp-admin or wp-login URL and all hacker attacks will stop (brute force attacks can be stopped in this way)
To gain administrative access to your website, most malicious bots launch brute-force attacks against your site’s login page, trying to guess a working username and password. These attacks target commonly used usernames like “admin,” which are paired with tens of thousands of passwords in the hope that one will work. Most WordPress administrators try to prevent this access by hiding their login page or wp-admin folder.
Despite the many plug-ins that are available to hide the login page, they should not be prioritized.
– Many plugins rely on the wp-admin folder, and if the path to that folder is changed, the plugin may no longer work as expected.
– Hiding the login page or access point is not sufficient protection against hackers who know how to find the moved folder. Furthermore, the majority of attacks are not focused on the login page, but on another application that communicates with your website, XML-RPC.
Therefore, this method is not effective and can cause more problems than benefits.
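The point about XML-RPC can be checked against your own access logs. The following added example, which is not part of the original article, counts POST requests per source address to both wp-login.php and xmlrpc.php in combined-format log lines; the sample lines, IP addresses and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Combined/common log format: ip ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} '
)
# The article names both the login page and XML-RPC as brute-force targets.
AUTH_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

def _line(ip, method, path):
    """Build one constructed log line (sample data, not from a real site)."""
    return f'{ip} - - [10/May/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample: one source hammers the login page, another hammers
# XML-RPC, and a third makes a single ordinary login.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", "/wp-login.php")] * 4
    + [_line("198.51.100.23", "POST", "/xmlrpc.php")] * 5
    + [_line("192.0.2.10", "POST", "/wp-login.php"),
       _line("192.0.2.10", "GET", "/wp-admin/"),
       _line("198.51.100.23", "GET", "/")]
)

def count_auth_posts(log_text):
    """Return a Counter keyed by (ip, endpoint) for POSTs to auth endpoints."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        for endpoint in AUTH_ENDPOINTS:
            # endswith() also covers WordPress installed in a subdirectory.
            if path.endswith(endpoint):
                counts[(m["ip"], endpoint)] += 1
    return counts

def flag_sources(log_text, threshold=3):
    """Return sorted (ip, endpoint, count) tuples at or above the threshold."""
    hits = count_auth_posts(log_text)
    return sorted((ip, ep, n) for (ip, ep), n in hits.items() if n >= threshold)

if __name__ == "__main__":
    for ip, endpoint, n in flag_sources(SAMPLE_LOG):
        print(f"{ip} sent {n} POSTs to {endpoint}")
```

A site that has hidden its login page would still show the xmlrpc.php entries in this output, which is why the rename alone does not stop the guessing.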
7. Firewall can prevent DDoS attacks
Firewalls and content delivery networks (CDNs) protect websites by redirecting website traffic to their own servers, then filtering and forwarding it in compliance with firewall rules. This method of protection is meant to hide your original server, as anyone who visits your website is automatically redirected to the protection provider’s servers.
In reality, it is possible to bypass this protection method, discover the original IP address and attack it directly.
Because your data is protected where it resides, endpoint protection is more effective and reliable. The best strategy for preventing hacking and other forms of attack is to protect your data at its original location.
8. WordPress users can easily fix a hacked website manually
That would be wonderful, but usually it’s not.
In order to fix your website, you must first find out that it has been hacked. It can take days to become aware of the situation.
Then you need two things: good knowledge of how to solve the problem, and a good tool or tools to clean the website. Virusdie’s cleaning function is your salvation. Automatically clean up and protect your site.
9. I’ll just install some security plugin(s) and that’ll take care of security for me
You know the song lyrics “You’re just too good to be true…”? Basically, it is the same. This is a serious mistake that leads to many security breaches. If your website gets hacked, it ruins your brand’s reputation and costs you money too. Think twice before you declare your website 100% secure.
10. Passwords are good enough to fix all website security issues
A complex password and username are important. It is definitely recommended to use upper and lower-case letters, numbers, punctuation, and other unique symbols when creating a password, but this will not protect you from all attacks. Of course, if one of your usernames is not “admin,” for example, you are one step ahead, but hackers use other methods: vulnerabilities in out-of-date themes or add-ons, tampering to get confidential information (e.g., identity theft), etc.
Consider two-step authentication, where a code is sent to your mobile phone any time you log in to the site, as another layer of security for your site.
Proper security hardening is very important to perform on all your websites, but it’s equally important to have proper security protection for all your websites, such as Virusdie. WordPress has an active worldwide developer and user community who work together on finding and closing security holes in the base files, but also in the ecosystem of add-ons and themes.
Article by Ivica Delic
founder of FreelancersTools,
exclusively for Virusdie.