When’s the last time you completed a WordPress security audit for your website? For many, the answer is never. WordPress is the most popular website builder out there – so many assume its security features are top notch and unhackable. This isn’t really the case!
More and more, we are seeing exploitable vulnerabilities in WordPress websites. Performing a WordPress security audit should move to the top of your list.
This is a service we provide for our Virtual CISO clients. Check out our services to determine if we’re the right service for you.
This article will describe the top 5 mistakes we see when performing a WordPress security audit. Let’s get to it!
This isn’t our first article about WordPress security. Check out Prevent a WordPress Hack in 5 Easy Steps to learn more about choosing a secure hosting provider, using strong credentials, finding a WordPress security plugin, and more.
Below are 5 common mistakes we see when performing a WordPress security audit. This isn’t an exhaustive list – when we do these reviews for clients, we are checking ~20 specific settings and sections. But these are 5 things you can check and fix on your own or with the help of your IT firm.
Hopefully you’re already using multi-factor authentication (MFA) for super important things like your email, banking, and social media sites. But you should really make sure it’s set up everywhere, especially your company website!
How to check for MFA: If you are able to log in to your website with just a username and password, you probably don’t have MFA set up.
You should be able to enable MFA with your hosting provider or with a security plugin (our article about WordPress hacks explains how to find a good one). Using MFA adds an extra layer of protection between your site and cyberattacks.
Older versions of PHP contain security vulnerabilities. What is PHP? It’s a widely-used scripting language. To update PHP, you’ll need to log into your hosting provider and follow their directions for updating PHP.
Updating PHP is not always just a click of a button. Your hosting provider may recommend creating a staging environment and testing the updated PHP – no idea what that means? Ask your IT firm or contact your web host for more information about updating PHP.
How to check your PHP version: Log into WordPress, choose Tools > Site Health in the sidebar. Click on ‘Info’ at the top, then expand the Server details. You’ll see your PHP version listed.
Security support (patches to address security issues) for PHP 7.4 is ending on November 28, 2022. We recommend updating to PHP 8.0 in the very near future.
Plug-ins on your website can make so many things easier. They add functionality, design, and sometimes security! But plug-ins are not set-it-and-forget-it. They need to be updated. Fortunately, many plug-ins offer the option to enable automatic updates.
Each plug-in may represent a security threat if it is not updated in a timely manner. Also, plugins from disreputable providers may not be patched regularly, or may cause security issues that cannot be fixed with simple patching. 10-15 plugins typically seems appropriate for a company website. If you’re using more than that, you may want to consider hiring a specialized website developer to give you the functionality you’re looking for.
How to check for plug-ins: Log into WordPress, choose Plugins > Installed plugins. You’ll see which plugins need to be updated and how to activate auto-updates. If you have deactivated plugins that you don’t need, consider deleting them altogether.
What WordPress version are you using? Hopefully the latest version. But guess what – no one else should know or needs to know which version. Why? If a hacker knows what version you are using (even if it’s the latest one), they can specifically try to attack your site with vulnerabilities that exist in that version.
How to check: This article lists several ways to find this information: https://kinsta.com/knowledgebase/check-wordpress-version/ Pay attention to #2, which shows how ANYONE could look up this information about your website.
There are plenty of online tools to help you find the WordPress version of a website. You should take the time to hide the publicly viewable WordPress version. Certain security plugins will make this easy for you, but otherwise you can follow the manual method here: https://www.getastra.com/blog/cms/wordpress-security/how-to-hide-wordpress-version-number/
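A self-check for this mistake, added here as an example and not part of the original article or any plugin: it scans the HTML of your own site’s front page for the two places WordPress discloses its version by default (the generator meta tag and the ?ver= query string on core and theme assets). The sample HTML, the example.com URLs and the version numbers are constructed; the “most frequent ?ver= value” rule is an assumption stated in the code.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample of a default WordPress <head>: the version shows in the
# generator tag and as ?ver= on core and theme assets (jQuery carries its own).
LEAKY_HTML = """<head>
<meta name="generator" content="WordPress 6.0.3" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=6.0.3" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/twentytwenty/style.css?ver=6.0.3" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0"></script>
</head>"""

# Same constructed head after hardening: generator removed, ?ver= stripped.
HARDENED_HTML = """<head>
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/twentytwenty/style.css" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js"></script>
</head>"""

GENERATOR_RE = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress\s+([\d.]+)', re.I)
ASSET_VER_RE = re.compile(
    r'(?:href|src)=["\'][^"\']*/wp-(?:includes|content)/[^"\']*?\?ver=([\d.]+)', re.I)


def audit_version_disclosure(html: str) -> dict:
    """Report every place the page source discloses a version string."""
    m = GENERATOR_RE.search(html)
    return {
        "generator": m.group(1) if m else None,
        "asset_versions": Counter(ASSET_VER_RE.findall(html)),
    }


def likely_wp_version(html: str) -> Optional[str]:
    """Best guess of the disclosed core version, or None if nothing is exposed.

    Assumed heuristic: the generator tag is authoritative; otherwise, because
    WordPress stamps its own scripts and styles with the core version, the most
    frequent ?ver= value across wp-includes/wp-content assets is the core one.
    """
    report = audit_version_disclosure(html)
    if report["generator"]:
        return report["generator"]
    if report["asset_versions"]:
        return report["asset_versions"].most_common(1)[0][0]
    return None
```

Run it against the saved page source of your own site; if likely_wp_version returns anything but None, the version is still public even after removing the generator tag.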
It’s pretty easy to find the login page for most WordPress sites. Why? They use a default admin page: yourwebsite.com/wp-admin
Why is this information worth hiding? It means ANYONE can reach the login screen and spend time guessing login credentials. And guess what: it’s easier than you might think.
Hackers use a method called a brute force attack, which uses trial and error to guess login credentials. Combine that with poor password habits (like using password or 123456 as a password…), and it’s no wonder that this is a successful hacking method.
How to check: look at the URL when you log into your WordPress site. If you see yourwebsite.com/wp-admin, you know you need to make some changes. Here’s how: https://geekflare.com/change-wordpress-admin-url/
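Changing the URL reduces the noise, but a brute force attempt against the login page should also be visible in your web server logs. The following detection is an added example, not part of the original article: it runs over constructed Apache-style access log lines and flags any client that sends a burst of failed POSTs to wp-login.php. The threshold, window and the rule that a failed login answers with HTTP 200 (form re-shown) while a successful one redirects with 302 are assumptions noted in the code.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-format log lines: 203.0.113.7 hammers wp-login.php with
# five failures in a minute; 198.51.100.4 mistypes once, then succeeds (302).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2022:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2022:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2022:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2022:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2022:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2022:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2022:13:56:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def find_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Return {ip: total_failures} for clients with >= threshold failed logins
    inside any window_seconds span. Assumed: a failed wp-login.php POST is
    answered 200 (form re-rendered with an error), a successful one 302."""
    failures = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if not m["path"].startswith("/wp-login.php"):
            continue
        failures[m["ip"]].append(parse_time(m["ts"]))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```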
As you can see, there’s a lot that goes into a WordPress security audit. This article is really just scratching the surface of the settings and choices you need to make when running a WordPress-built website.
Adelia Risk offers a comprehensive Virtual CISO service that includes a WordPress security audit, cloud audits, monitoring, assessments, reports, training and more. If you need expert cybersecurity help on a contractual basis, contact us!