You must have read the news about a WordPress plugin vulnerability that can be exploited for total website takeover.
Read the news here: WordPress isn’t safe
A WordPress plugin was recently found to have “easily exploitable” security issues that can be used to completely take over your WordPress website.
Security researchers recently discovered a serious vulnerability in older versions of the popular WordPress plugin Code Snippets that could allow attackers to completely take over a person’s website remotely. The plugin’s developer has released an update that fixes the bug, but there are still over 200,000 websites at risk.
Code Snippets allows WordPress sites to run small bits of PHP code to add extra features without needing extra plugins, and you can even use pre-written code to make the process easy. It’s a helpful tool for folks who may not have the programming skills to write plugins themselves, but as Threat Post explains in its report of the bug, Code Snippets’ import tool fails to check the source and safety of the code first, meaning users could unwittingly import and run malicious code. This could open their sites up to various attacks—including allowing hackers to execute commands without administrator access.
It’s a scary bug, but it’s fixable. If your WordPress site uses Code Snippets, you should update the plugin right away—especially before adding or running any new code on your site. You can grab the update by logging into your website’s backend and going to the “Updates” section of the WordPress dashboard. You can also download and install the latest version from Code Snippets’ WordPress Plugins page.
Let’s discuss some of the better security precautions and plugins you can use to protect your site.
If something seems too good to be true, it probably is. Building software is a lot of work, and while there are people who code just for the fun of it, supporting a commercial product requires revenue, which means charging for products.
If you see a plugin that normally has a fee, but some site is offering it for free, that’s not an opportunity. That’s a red flag. You’re not putting something over on a “greedy” plugin developer by stealing their code for free. What you’re doing is setting yourself and your site’s visitors up for a world of misery when they get infected by seriously nasty malware.
In almost all cases, there are free alternatives to commercial plugins. So if you don’t want to pay for professional development and support, visit the official WordPress plugin repository and look for what you need.
Given that so much of the web is run by WordPress, it’s a juicy target for hackers, and they’re constantly finding and exploiting vulnerabilities in either the core code or in the code of plugins and themes. Fortunately, the WordPress developer community actively updates its code, closing any holes hackers find, often within hours.
But if you don’t run updates, you won’t get those fixes. There’s no excuse for not keeping your site up to date. WordPress has both automatic and one-click update features that allow you to update all the plugins, all themes, and the core code of your entire site at once.
Of course, it’s a good idea to make a backup first, just in case something bad happens during the update. And that brings me to my next critical bit of advice.
MAKE REGULAR BACKUPS
It’s not hard to make a backup of your WordPress site. There are a bunch of free plugins, and you can even do it just by copying files and backing up your database. There are also many excellent commercial plugins and services that automate the process for you. Let’s talk about a few of them below.
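As an added example (not code from the article or from any of the plugins it discusses), here is the do-it-yourself version of the last two sections: copy the files, dump the database, and only then run the updates. It assumes a standard wp-config.php with define('DB_NAME', ...) style lines, and that mysqldump, tar and WP-CLI (wp) are installed on the server.

```shell
#!/bin/sh
# Added example (not from the article): back up a WordPress site the way the text
# describes (copy the files, dump the database), then apply updates only after the
# backup succeeded. Assumes a standard wp-config.php with define('DB_NAME', ...)
# lines, and that mysqldump, tar and WP-CLI (wp) are installed on the server.
set -eu

# Read a define('KEY', 'value') constant out of wp-config.php (first match wins).
wp_config_value() {
  config="$1"; key="$2"
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]${key}['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config" | head -n 1
}

# Dump the database and archive the site directory into DEST/<timestamp>/.
backup_wordpress() {
  site="$1"; dest="$2"; config="$site/wp-config.php"
  [ -r "$config" ] || { echo "no wp-config.php in $site" >&2; return 1; }
  out="$dest/$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$out" && chmod 700 "$out"     # dumps contain secrets: keep them private
  db=$(wp_config_value "$config" DB_NAME)
  user=$(wp_config_value "$config" DB_USER)
  host=$(wp_config_value "$config" DB_HOST)
  case "$host" in                          # DB_HOST may carry a port, e.g. localhost:3306
    *:*) hostopts="-h ${host%%:*} -P ${host##*:}" ;;
    *)   hostopts="-h $host" ;;
  esac
  # The password goes through the MYSQL_PWD environment variable so it never shows in `ps`.
  MYSQL_PWD=$(wp_config_value "$config" DB_PASSWORD) \
    mysqldump --single-transaction $hostopts -u "$user" "$db" > "$out/db.sql"
  gzip "$out/db.sql"
  tar -czf "$out/files.tar.gz" -C "$(dirname "$site")" "$(basename "$site")"
  ( cd "$out" && sha256sum db.sql.gz files.tar.gz > SHA256SUMS )  # verify before restoring
  echo "$out"
}

# Update core, plugins and themes with WP-CLI, but only if the backup succeeded.
backup_then_update() {
  site="$1"; dest="$2"
  backup_wordpress "$site" "$dest" || return 1
  wp --path="$site" core update
  wp --path="$site" plugin update --all
  wp --path="$site" theme update --all
}

# Usage on the server:  backup_then_update /var/www/html /var/backups/wp
```

Keep the backup directory off the web root and copy it somewhere the site’s own credentials cannot reach, since a compromised site can otherwise delete its own backups.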
CHOOSE A HOSTING PROVIDER WISELY
All hosting providers are not alike. Some are very diligent and perform regular security updates and malware scans. These companies also make sure their underlying software is up to date. Others, not so much. If you’re going to use a hosting provider, check on their underlying software, read reviews, and make sure you’re relying on one that’s doing the maintenance.
It can be compelling to sign up for a service that charges less than a buck a month to host your site, but think about it: how can they make any money? They’ve got to be cutting corners somewhere. You can find inexpensive hosting, but don’t sacrifice your future just because you want to save a few bucks. Do your research.
SECURITY PLUGINS AND SERVICES
We’ve covered some best practices. Now, let’s look at some of the best security plugins and services for WordPress. Most of them are commercial, and most of them are worth it.
Wordfence came out of nowhere a few years ago and took the WordPress world by storm. With over 3 million active installations, almost 3,500 reviews and a five-star average, and almost 200,000 downloads in the last week alone, the base free Wordfence plugin is a powerhouse.
The commercial version is great for managing a bunch of websites. Wordfence not only scans for malware but builds its own firewall to help prevent hacking in the first place. It, like all the other plugins I’m going to discuss, can’t prevent self-inflicted hacks like those from WP-VCD, but it’s a top-notch go-to solution for end-to-end WordPress site coverage.
The Sucuri plugin will do regular malware scanning and the company offers a web application firewall that’s designed to block assaults at the application level, rather than at the packet level your hardware firewall is designed to manage.
As with Wordfence (and most of these products), Sucuri offers both a free plugin with over 600,000 active installations and a paid premium service.
Jetpack is a giant bundle of additional WordPress features and functions put out by Automattic, the commercial company behind WordPress. The idea behind Jetpack was to make it easier for new site operators to have a wide range of helpful features, but it’s a huge plugin that adds a ton of cruft to your interface.
That said, with over five million active installations, it’s definitely popular. It offers brute-force attack protection, spam filtering, downtime monitoring, site backup, a secure login upgrade, malware scanning, and a log of all site changes. And those are just the security features!
There are a lot of upsells with this install, but given that they’re by the company that runs WordPress, you can be sure they are solid offerings. If you’re not sure what to do to protect your site, you could do a lot worse than just installing Jetpack, enabling some of its features, and buying one of the cheaper plans.
TWO FACTOR AND GOOGLE AUTHENTICATOR
WordPress does not offer two-factor authentication out of the box (out of the download?). When you’re connecting to the back-end management interface, all you need is a username or email address and a strong password.
Fortunately, it’s pretty easy to add two-factor auth using either Two Factor or Google Authenticator. Installing and setting up either of these plugins makes quick work of adding another security layer to your site.
The free version of Two Factor has 10,000+ active sites, and there is no premium upgrade. It’s just plain free. Google Authenticator is a very deep tool with a bunch of paid upgrade options, ranging from additional authentication methods up to enterprise-level authentication and user management features.
ManageWP, which is now owned by GoDaddy, is my go-to solution for keeping my 10+ sites up to date. There are premium options (and I pay for some of those features for a few of my sites), but you can get solid update management and backups with ManageWP for free.
You install a ManageWP worker plugin (900,000+ active installs), which talks to the ManageWP service. All the magic is done in the ManageWP.com web interface. I use it as one of my primary backup tools, and it does a daily or monthly backup of my sites to a cloud storage provider. Some of my sites won’t ever change again, so the free monthly backup works perfectly for me.
But the real secret sauce is in update management. Rather than having to log in to the admin interface for each of my sites, I just log in once to ManageWP, hit update, cross my fingers, and wait for all my sites, all my themes, all my plugins, and all my WordPress core files to update automatically.
LIMIT LOGIN ATTEMPTS RELOADED
There used to be a plugin called Limit Login Attempts, but it hasn’t been updated for a while. Limit Login Attempts Reloaded is a fork of that original open-source project that’s been kept current by its developers.
This free plugin (with more than one million active installs) does one thing and does it well (and for free): it blocks excessive brute-force login attempts. If some hacker out there is trying to pound on your site to log in, Limit Login Attempts Reloaded will stop responding after a set number of attempts.
Like the 2FA plugins and ManageWP discussed above, this is a no-brainer install. Even if you’re not willing to spend a penny on security, you can reduce your threat profile measurably with this one install.
BBQ: BLOCK BAD QUERIES
BBQ is another web application firewall, but that’s pretty much all it does. The free version (with 100,000+ active installations) intercepts all URL requests to your site and filters out anything that might be a hacker trying to find a weakness in your site through the URL parameter interface.
BBQ has a ton of depth for what it does and it’s another smart install. There is a pro version that goes even further.
MORE SECURITY SUITES
There are almost a thousand security-related plugins in the WordPress.org repository. We’ve talked about eight of the best above. While we can’t discuss all thousand plugins, we wanted to give an honorable mention to the following popular packages. Each of these has both free and premium offerings.
All In One WP Security & Firewall: Tons of features, a clear user interface, 800,000+ installs, and completely free.
iThemes Security: Another comprehensive security plugin by a company that’s been selling WordPress add-ons for years. The free version has 900,000+ active installs. This is a good buy if you’re using some of iThemes’ other products, particularly BackupBuddy.
SecuPress: Developed by well-known WordPress add-on developers, SecuPress (with only 20,000+ active installations, but don’t hold that against it) has one of the cleanest user interfaces in this category. It’s still relatively new, but worth checking out.
SiteGuard WP Plugin: With 200,000+ active installations, SiteGuard adds a lot of security features but focuses on logins as its core. It’s free only, and a little difficult to get started with, but the default settings will work for most sites.
Anti-Malware Security and Brute-Force Firewall: The free version has 200,000+ active installs and almost all five-star reviews. It offers basic login protection, malware scanning, and scans for some WordPress-unique historic vulnerabilities. It’s a smart take on WordPress defense.
BulletProof Security: This is at the end of our list because while it does its job, it’s a bit hard to use. That said, the premium version is a one-time fee, unlike the subscription programs increasingly favored by WordPress plugin developers.
So there you go. WordPress security is not a fun topic, but as one of the most popular website building environments, it’s a very tempting target. 90% of people run all their sites on WordPress and believe it’s worth it, but you do need to take the time (and spend a few bucks) to keep your visitors safe.