WordPress is a very secure CMS, but just like any other content management system, website or web application, it can be targeted by hackers.
How secure is WordPress?
WordPress is very secure and powers some of the largest, most highly-trafficked websites on earth, including WordPress.com, which is one of the top 25 most trafficked websites in the world, and the #1 network of websites in the United States. Like any software, vulnerabilities and security issues can be encountered if developers are not following up-to-date best practices or if the server setup, whether internal or managed by a third-party, isn’t optimized for WordPress use. However, if you’re running a fully optimized WordPress install, your site will be running software that is safe, secure, and scalable.
Source: WordPress in Government FAQ
How can WordPress be attacked?
Brute force attacks – Bots (automated hacking software) probe your site looking for weaknesses. Typically a script requests your site's login screen and tries to gain access to the CMS by submitting one username and password combination after another until one works.
Code injection – Hackers can find ways of injecting malicious code into your site's database. This usually happens after server credentials have been compromised, either through poor password management or an easily guessed combination of login details.
Spam attacks – These are the most common attacks; their general purpose is to slow your site down by overwhelming the database with thousands of spam comments.
How to protect your WordPress website
Up-to-date WordPress version and all plugins
This is number 1 for a reason. The most important step you can take to keep your WP site safe from exploits is to keep the WordPress core and all installed plugins updated to the latest version. Every WordPress update ships with new security patches. A great tool that will help you achieve this is WPremote.com.
Either install a backup plugin that backs up all your WP files and database, or schedule backups at the server level, so that you can restore your website to the latest version should it be hacked.
Custom login URL or IP whitelist
Every WordPress site has the same login URL: your site's address followed by /wp-admin. All hackers know this, so it leaves your login screen exposed to whoever wants to try a brute force attack. Always customise your login URL to something unique, e.g. /mycmslogin. An alternative approach is to allow access to the /wp-admin URL only from a predefined list of IP addresses (e.g. your home or your office).
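The two points above (scripted login attempts, and /wp-admin access that should only come from known addresses) can both be checked from the web server's access log. The following is an added example, not code from this article: it parses Apache/nginx combined-format log lines, flags an IP that fails the WordPress login repeatedly within a short window, and flags /wp-admin requests from outside an assumed office allowlist. The sample log lines and the 192.0.2.0/24 office range are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" log format: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def analyze(log_text, admin_allowlist, threshold=5, window=timedelta(minutes=5)):
    """Flag brute-force candidates and /wp-admin hits from outside the allowlist.
    A failed WP login is a POST to /wp-login.php answered 200 (form re-rendered with
    an error); a successful login is answered with a 302 redirect."""
    allowed = [ip_network(n) for n in admin_allowlist]
    failures = defaultdict(deque)      # ip -> timestamps of recent failed logins
    brute_force, unexpected_admin = set(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path == "/wp-login.php" and status == 200:
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                brute_force.add(ip)
        if path.startswith("/wp-admin") and not any(ip_address(ip) in n for n in allowed):
            unexpected_admin.add(ip)
    return {"brute_force": brute_force, "unexpected_admin": unexpected_admin}

# Constructed sample log (not real traffic): one scripted client hammering the login
# form, one office visit to /wp-admin, and one /wp-admin hit from an unknown address.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.5 - - [10/Oct/2023:13:55:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"'
     for s in range(0, 6)]
    + ['192.0.2.10 - - [10/Oct/2023:14:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5400 "-" "Mozilla/5.0"',
       '198.51.100.7 - - [10/Oct/2023:14:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 5400 "-" "Mozilla/5.0"']
)
OFFICE_ALLOWLIST = ["192.0.2.0/24"]   # assumed office range; replace with your own
```

If the site sits behind a reverse proxy or CDN, the first field will be the proxy's address rather than the client's; log and parse the forwarded client IP instead, or the allowlist check is meaningless.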
Change the name of the admin user
The default WordPress user comes with the name admin. Hackers know this and pair this predictable username with guessed passwords when trying to break into your site. Always set up a unique admin username, or delete the default user called admin.
Install the Akismet plugin, which helps defeat spam attacks that target the comment boxes below your blog posts.
Extra line of defence
Adding an extra line of defence to the WordPress login can be vital. Yubico's YubiKey is a physical USB security key: the login only succeeds for someone who has both valid credentials and the key itself. So even if hackers or bots obtain your username and password, they still can't get past your login screen without physically inserting the key into the machine they are using.