We recently interviewed four WPMU DEV members, who provide professional WordPress security services, about keeping WordPress secure. Here’s what they said…
Earlier this month we published a series of tutorials on WordPress security, ran a discussion on our members’ forum about WordPress security issues, and put out a request to interview WordPress security experts about…well, you guessed it…WordPress security!
We then collated and published the responses from our experts along with many great tips raised by members in our discussion forum.
Here are the topics we covered:
- Meet Our WordPress Security Experts
- What Our Experts Had To Say About WordPress Security
- What kind of WordPress sites do you normally work with?
- What are the most common security issues you run across on client WordPress sites?
- What’s the worst security issue you have had to solve for clients?
- Can you share a little about the process you use to secure WordPress sites, and how you approach security breaches on client sites?
- Which WordPress security plugin(s) do you use or recommend and why?
- What would you suggest WordPress users should never overlook when it comes to securing their website?
- Do you have a security tip or favorite resource you’d like to share with other WordPress web developers?
- Anything else you’d like to add related to WordPress security?
- Additional WordPress Security Tips from Members
- Have your sites been attacked online? What happened and how did you fix it?
- What security tool(s) could you not live without?
- When was the last time you did a thorough check of your WordPress security?
So without further ado, let’s meet our WordPress security experts and see what they had to say about keeping WordPress sites safe and secure.
Meet Our WordPress Security Experts
Richard van Denderen is the founder of WPHelpdesk.nl.
Richard has been creating websites since the age of 14 and began using WordPress in 2008.
He is very active in the Dutch WordPress community as an organizer and volunteer of Meetups and WordCamps, and moderator on the Dutch WordPress.org support forum.
As Richard states, “At WPHelpdesk we help to troubleshoot and solve problems, although we prefer to prevent them. A common problem we solve is websites that give errors or strange redirects because of malicious code. Over the years we have helped hundreds of website owners with the cleanup of hacked websites.”
Jesse Waitz provides hosting and website development services at FlagstaffConnection.com and works from Flagstaff AZ, USA.
A local WordPress developer and an expert with Codeable.io, Jesse has been hosting and developing websites since 1999.
His expertise has come from long, hard-won, and sometimes painful experiences. As he states, “after 20+ years of hosting sites, you figure out what works and what doesn’t. I have made every mistake in the book, but have learned from those mistakes, and evolved to be better, and more aware of what works, and what doesn’t.”
Cliff Rohde is the owner and CEO of GoatCloud Communications LLC, which he formed in 2013.
Cliff is passionate about the intersection of communications and technology and assists many different types of businesses and nonprofits to thrive online.
Cliff built his first website in 1995, and his first WordPress website around 2007. He is a former attorney and left the practice of law to focus exclusively on GoatCloud.
Logan Lenz, is Chief of Awesomeness at Awesome Website Guys. Logan is a website innovator and digital marketer with over twenty years of industry experience.
As a digital business agency owner, Logan utilizes a myriad of technologies, tools, and resources to ensure that their clients’ digital needs are met and more.
As Logan says, “I have been using WordPress for decades, as this open-source platform provides complete customization, which is necessary to truly personalize each client’s website. As an open-source platform, my agency can use our go-to plugins to build client sites that are fast, secure, optimized, and relevant.”
What Our Experts Had To Say About WordPress Security
1. What kind of WordPress sites do you normally work with?
Richard: I would describe our clients’ websites as small-medium and also eCommerce. Most of the clients we work with have one or more people who work as content managers or do the communications as a whole. We take over the technical parts of their website.
Jesse: I split my time mostly between development, maintenance, and hosting of WordPress-based sites. I work mostly on small to medium-sized client sites. I have about a dozen successful eCommerce sites and about a dozen multisite setups. I host over 200+ sites across 7 servers, provide ongoing maintenance and security for about 150 WordPress sites, and I have a separate mail server where I host 180+ email accounts for more than 60+ companies.
Cliff: Sites that GoatCloud maintains are primarily for small businesses and solo practitioners. That said, we also maintain a number of sites for sizable non-profits and mid-size businesses.
Logan: Awesome Website Guys specializes in working with other small businesses, which include a wide range of different industry websites. This includes e-commerce, multisite, nonprofit, restaurant, community, hotel, event, construction, automotive, health and wellness, fitness, real estate, other agencies, and much more.
2. What are the most common security issues you run across on client WordPress sites?
Richard: The most common security issue is overdue maintenance. Plugins that no longer receive updates from the developer, where sometimes the latest version was released 9+ years ago. Related to this are often premium plugins and themes, without a valid license, causing to not report available updates. The end-user is then convinced that they are up to date as WordPress is not displaying those available updates.
Another common security issue that I come across way too often is multiple sites within the same (budget) web hosting package, where they are not well isolated from each other, resulting in cross-site contamination.
Jesse: Brute force attacks on the WordPress login are the most prevalent issue for me right now. But, Defender takes care of that for me. I would say that the next most common vector is through weak or out-of-date plugins and themes. I address this by updating all of my sites’ core, themes, and plugins on a weekly basis. Keeping everything up-to-date is the best defense against this issue.
Years ago I used to have my sites on a single server that provided email and hosting services, and this really caused a lot of issues, either site activity would affect email delivery, or email viruses could be a trojan horse for attackers, but in the last few years I have separated email from sites on different servers, and I could not be happier, the crossover issues are gone, and it is way more secure.
Cliff: Many times when I inherit a site I discover just how lax either the site owner or the site developer was when setting up accounts. Software is often out of date and either passwords are not sufficient or usernames are easy to guess, or both. It’s often the case, too, that inherited sites have no software on the site or at the host aimed at protecting the site.
Logan: For clients’ WordPress sites, the most common security issues are DoS attacks. For those new to the term, DoS attacks are when several requests are sent to a client’s website at the same time, which overloads the server and crashes the site. Hackers can use data queries on client’s sites, which can add, remove, or even steal their site content. Another common security issue is hackers breaking into client’s sites, where they then add new users, random content (usually code or dummy content), and modify admin site settings.
3. What’s the worst security issue you have had to solve for clients?
Richard: The worst security issue I’ve seen was a hosting account with eight websites. Only 1 website was used and had all kinds of issues, they already tried something themselves with backups but that didn’t help. Before they came to us for help there was also another ‘WordPress developer’ who was supposed to solve the problem. He sold them a complete new website which was “hacked” again within a day or so.
When I started working on this issue it became clear that the cause was in a few of the other 7 websites, within the hosting package, which were no longer used and maintained but still online. All just for the domain names. Those old sites had some really old versions of Mambo, Drupal, and WordPress, from 12 years ago. After the primary website had received its own hosting package, it was just a matter of some cleanup and the hack was solved in no-time. The customer had decided to delete the other 7 websites later on, as those weren’t worth the money to fix.
Jesse: As an expert at Codeable I help clients with hack cleanups all the time. These are NOT people hosted on my servers, but in desperate need. I had a client that was breached through an outdated poorly-written plugin. The attacker was able to create a user on the site, promote the user to admin through a SQL injection, and then as an admin they injected spammy content on every single page of the site. This was not visible content, it was hidden on the page (ie. white font on a white background), and it was intended to help their SEO for their illicit products.
This content got their site blacklisted on Google search, browsers would not load the page without the big red warning page coming up, and the Google search results said “warning, this page is hacked.”
The attacker also used his access to inject code into every plugin and theme on the site, so that if you tried to delete the admin user and clean up the content, he had trojan horses all over the site, to let him back in and repeat his attack.
This job required removing the user, replacing every plugin and wp core file on the site, scanning, with my eyes, every file in the theme to make sure all of the injected content was removed, and then analyzing the database page by page to make sure all of the spammy content was removed. I then installed a combination of plugins that I rely on to lock this site down and prevent this from happening again. Finally, I had to submit a request to Google through their search console to remove the blacklisting, and to assure them that the site was no longer hacked.
It has been over a year since that all happened, and there has not been another occurrence.
Cliff: The worst was a site being hacked, prior to my engagement with the business. I was hired to eliminate the hack and maintain the site going forward. The hack was, thankfully, just the imposition of extraneous data on the website, with links to third party bad-actor sites and the like. Complicating matters was that it was a multisite installation. It took a good number of hours to work through the WordPress tables to clean everything up!
Logan: We’ve had a few really intelligent phishing scams to have to thwart. I remember one day a client called panicked having just realized they gave bank credentials to who they thought was their CFO at the time. Lo and behold, it was a hacker that we later found out had infiated all sorts of the clients’ systems before finding ways to get information that could lead to money for them. The issue ended up being taken care of before it got out of hand, but it was somewhat of a wake-up call as it pertains to the importance of high security in business.
4. Can you share a little about the process you use to secure WordPress sites, and how you approach security breaches on client sites?
Richard: One of the first points in my process is to check if the website has a hosting package of its own or that there are multiple & older sites.
Then, file permissions and limiting public access and execution of .php files in folders where this is not required. Further, checking users and their roles, pending updates/outdated themes and plugins. Also, auditing all plugins and themes that are present but not actively used.
All in all, I currently have an extensive checklist that I use and continuously update with new points whenever I come across a good addition.
When there is a breach it depends a bit on what kind of breach it is. In general, one of the first things I do is add deny from all in the .htaccess and then go through the log files to determine the how and what of the breach.
The vast majority of breaches in client sites I maintain happen because of fired and laid-off employees that try to cause havoc. In those cases, it is to revoke access, change passwords, and audit the changes they have made in recent months.
I notice that a lot of the (smaller) companies are really easy with giving their employees login credentials to all kinds of systems and tools but didn’t think about how to revoke the access and the consequences involved.
Jesse: This is not an easy question to answer. I use a combination of server and site-based solutions.
On the server, I have several bash scripts that run automatically on the server every night to lock things down. One script runs rkhunter, LMD scan, and clamscan every night to search for and remove injected content or files. I also have a script that checks every public-facing file and folder and makes sure that they are using the correct permissions (644 for files and 755 for directories). If the script finds anything, it changes them on the fly. I also have a script that backs up all of my sites and databases to an off-site Digital Ocean space every day.
On the sites, I use Defender to lock down all of the normal attack points, and I use a program called NinjaFirewall to create a Web Application Firewall for my site. This is a plugin, but it actually creates a firewall that is loaded before a single line of PHP is read or a single MySQL queries is run. This is the most important site-based solution that you can implement. I chose NinjaFirewall because it is Free, Wordfence’s WAF is expensive, and NinjaFirewall’s WAF just as good as Wordfence’s WAF, in fact, I think it is better, because it only does the WAF, and it does it really well.
Regarding breaches, every problem has a different solution, but I generally try to figure out how they got in, and then work back from there.
Cliff: First, update all software: WordPress core, plugins, themes, and hosting environment (e.g., PHP). I use usernames that are not easy to guess. I use secure passwords (long and not guessable; a Password manager comes in handy). I install basic security software on the website – Wordfence and anti-spam most often. I will often protect login by requiring a recaptcha and, in some instances, require two-factor for login. For many sites, I will also put them through the Cloudflare network. Cloudflare itself offers security enhancements and I also create firewall rules at Cloudflare aimed at keeping bad actors off the site.
Logan: To keep our clients’ WordPress sites secure, we combine security best practices and reliable security plugins to help us continually monitor and defend against cyber attacks and threats. Like other website agencies, cybersecurity is a top priority for our clients and ourselves. To offer additional security protection, we recently introduced a new security partnership with Protected By Dragon, a digital security consultancy to help protect what matters most to clients.
As for security breaches, we receive regular reports and notifications when there is a red flag on our clients’ sites. Our servers not only detect bad actors and irregular activity but also restricts site access when necessary. Thus, we can immediately identify the security breach, assess the damage, and notify clients when a vulnerability is detected.
5. Which WordPress security plugin(s) do you use or recommend and why?
Richard: To be honest, I haven’t used Defender for a while except for the sites that are also hosted at WPMU DEV. In 2016, when Defender was still fairly new I used it but it sometimes caused problems with the CPU at some providers. I probably should do some tests with it again, as 5 internet-years is a very very long time ago, so that experience is not even relevant anymore.
Looking at Defender now in terms of the recommendations and checks it offers, Defender seems fine, logs and scans are also nice features to have. I also think GOTMLS is a nice plugin that often gives solid results during a scan.
Jesse: See #4 above.
Cliff: I use Wordfence primarily, including its Wordfence Central interface, which allows the management of multiple sites from a single login. I’m not familiar with Defender.
Logan: In the past, we have primarily used WPMU Defender as our go-to security plugin on WordPress. This plugin is effective, easy to use, and allows users to set up weekly reports for clients. These reports can include everything from SEO to security updates. While we have enjoyed using Defender, we are transitioning to a new security solution known as InfiniteWP. This move will make it easier to manage our clients’ sites in a central location, as well as send out automated weekly security reports.
[Editor’s Note: WPMU DEV’s The Hub lets you manage the security of “infinite” WP sites using Defender ;)]
6. What would you suggest WordPress users should never overlook when it comes to securing their website?
Richard: Remove inactive users, especially with an administrator role. Use strong passwords and, whenever possible, let everyone use their own login details. Do not share an account with multiple people. Use 2FA when available and possible.
Jesse: Updates, updates, updates! And strong passwords. And if your clients are savvy enough to handle it, 2fa is probably the best defense against brute force attacks on the WP login you can implement.
Cliff: Everything I mentioned in the answer to Question 4!
Logan: As WordPress users, you should never ignore digital security measures to protect your site. If you do, you can compromise your site by making it more susceptible to cyber attacks and threats. Depending on the type of WordPress site you own, this can open the door for hackers to easily break into your site, steal your site content, and change admin settings to keep you out of your site. This will lead to losing all that time, energy, and money you invested in your site, which can be devastating for businesses. There are plenty of free WordPress security plugins that make it easy to prevent cyber attacks, so it’s recommended that users shouldn’t ignore using a security plugin for their site. It’s as easy as a few clicks and bam, their site is more secure than before.
7. Do you have a security tip or favorite resource you’d like to share with other WordPress web developers?
Richard: I guess a lot of the professionals are already familiar with WPScan.com (formerly wpvulndb). I highly recommend their mailing list. Most of it is now behind a paywall but in my opinion, it is still worth it. It is useful for looking up plugins and the email alerts for new vulnerabilities is very valuable.
Also, I can’t go without mentioning the blogs of Sucuri, WordFence, and NinTechNet, who always seem to be on top of new vulnerabilities with great detail!
Jesse: First, and I know that you probably don’t want to hear this, but I use MainWP for all of my site maintenance. Second, good hosting is probably the best investment you can make. If you can’t afford someone like me to take care of your sites for you, don’t use cheap hosting. Find a service that will secure and update your site on a weekly basis for you (this is NOT GoDaddy or Bluehost). You WILL get what you pay for… Third, do not host your site and your email on the same server! Finally, do not ever, EVER, use a host that uses cPanel. It is slow, out-of-date, and it opens up so many things on a server that hardly ever get used and/or should not be used (like email on a website server). I think I am done with my soapbox rant!
Cliff: Bad actors love to hit WordPress login and try to just brute force their way in. Wordfence does a good job of blocking too many bad attempts. But I also set a firewall rule at Cloudflare for many clients to block foreign IPs that try to access login, period. Obviously, that does not work if the site owner needs people to be able to log in outside the United States, which is increasingly common. But many small U.S.-based businesses have no need or interest in website visits from foreign IPs, let alone to the login URL.
Logan: It’s better to be overly safe than sorry when it comes to website security. Cybersecurity is becoming more advanced every day and hackers are finding loopholes to harm your clients’ sites. Stay informed by constantly researching best security practices, utilizing the best security plugins for your clients, and regularly monitoring clients’ sites. Most security plugins give you an option to set up automated weekly reports, in which clients receive key information about their site. If there is a security vulnerability, this is an ideal opportunity to address and fix the vulnerability. Thus, your clients’ site is more secure and less susceptible to becoming a hacker’s next target.
8. Anything else you’d like to add related to WordPress security?
Richard: A security plugin is a tool, not a solution.
Jesse: I think I covered it all above.
Cliff: Keep spreading the word about security!
Logan: As mentioned before, WordPress security will continue evolving and improving. This is good news because cyber criminals are also evolving. If you use your due diligence and stay aware of current cyber attacks and threats, this can help you implement plugins and technologies necessary to keep your clients’ sites safe and secure.
Additional WordPress Security Tips from Members
In addition to the many excellent points provided by our interviewed experts, we also ran a forum discussion on WordPress security, where we asked our members the following :
- Have you ever run or managed a site that’s been the victim of an online attack? If so, tell us what went down and how it was fixed!
- What security tool/s could you not live without?
- When was the last time you did a thorough check of your WordPress security? Do you think it’s something you need to dedicate more time to?
Here are some of their answers:
1. Have your sites been attacked online? What happened and how did you fix it?
What I see way too often is a neglected website. No updates for years or premium themes/plugins without licenses that are the culprit. Also had once a malware cleanup where somebody mailed me the WordPress password that actually was in the top 10 of most used unsecured passwords. – Richard
Fortunately not. Thanks to Defender, strong passwords, and 2FA. – PS
Yes, someone gained access to the hosting account and deleted the site and all the backups. The intruder guessed the client’s password (which was their company name and the number 1). Booted new user, changed password, enabled 2FA and restored the site from an offline backup. – Chris
The last client I was able to fix with Defender Pro and get it all cleaned up and resubmitted to Google and clients were SOOOO thankful! Made me look like the superhero! Thanks to you all! – Victoria
I remember one specifically where the customer called me because their website (that I didn’t create) had been hacked. It was hard as I didn’t create the website I didn’t know what dependencies were between plugins and so. It took me a few download/scan/clean/re-upload to fill all the security breaches and I finally asked all the employees to change their mail password and all their passwords to add a security layer. – Guigro
I’ve taken over two sites that had been hacked. The problem for both was outdated core and plugins. Luckily both had come to me with requests to take the hacked site down and create a new one, so it was a matter of doing a fresh install with a coming soon page during the build. – Keith
Yes, a number of years ago had a site that fell victim to script injections, Was on shared hosting with some outdated plugins, clean involved a shit ton of manually scrubbing files. That was when I learned there was even a need for security beyond passwords. More recently brute force login attempts, which Defender locked out for me, but I did then change the admin login URL, & things have been quiet since then. – Danny
Yes, my website has been hacked more than once. I have WebARX and it was still hacked. I used Anti-Malware Security and Brute-Force Firewall by ELI to clean it. Installed and ran the program and it cleaned all of the malware. – Shala
After 15 years in WordPress and 20 in Web development, I have dealt with many hacked sites. Everything from DDoS and Brute force to a pissed off ex-wife that logged in and replace all her husband’s blog post images with less than flattering photos of him. In most cases, I find restoring a backup fastest and easiest. If one does not exist, then we have to do it the hard way and root out the malicious content and remove it or sometimes totally rebuild the site. – wolf Bishop
I have worked on cleaning several compromised WP websites. Almost every time the reason was missing plugins or WP updates. – Catalin I.
People are constantly trying to login into my accounts, for WordPress, Defender Pro helps. I also get a lot of spam for that I use a plugin called Stop Spammers. A lot of bots and hackers target plugin file paths to reveal site info. – Jonathan
2. What security tool(s) could you not live without?
No plugin can give you 100% security. Most of the time in one way or the other the user/site owner was at fault or made a mistake. You could harden your WP site a lot without any tools or plugins. Something you shouldn’t go without is an antivirus program on your PC. It doesn’t matter how good your site security is, if you have a keylogger on your pc you’re pretty much done for. – Richard
Anti-Malware Security and Brute-Force Firewall by ELI. Now, all WPMUDev plugins. – Diaz
Backup, for sure. – Alvaro
Defender. I need it on every single WordPress installation. I also need AntiSpam-Bee on every site with a comment section. – PS
Defender Pro, can’t believe it took me this long to find you!!!!! – Victoria
Backup tools, migration tools, scanners & firewalls. – djohns
Defender. I used to have a Sitelock account but eventually realized they are a waste of money. Then I used a few different WP plugins, but have since replaced most of them with Defender. – kahnfusion
I take security seriously. I did not have any sites hacked. I’ve been using Wordfence and Defender mainly. Also keeping watch on the vulnerabilities WPSCAN database. Frequent updates, backups. – Chip
For a few years, Defender Pro. The learning curve is quite easy to approach but I’m surprised I’m still learning every month. About recommendations, how to set them up properly, how to avoid spams, and things like that. – Guigro
Defender and WPMUDev hosting. It’s just so easy to use, and all the options for security headers + vulnerability scanning + WAF show that the devs were thinking of the right things. – Phil
With Defender, I block IPs after 3 login failures within 60 minutes, not the generous 5 failures in 5 minutes as is the Defender default. And I block for anywhere from an hour to a week. I also use the login mask, banned usernames, and other features in Defender. – Tony
Defender and WPMU DEV WAF. – Keith
Hosting that is active in their customers’ security, Regular backups, Firewalls, & 2FA – Danny
WAF is a big one. Stop them before it starts. I also use Defender which helps pull a whole bunch of common security measures into one place. – Lee
Anti-Malware Security and Brute-Force Firewall by ELI (gotmls), it’s a great plugin and the best part is that it’s reasonably priced, unlike others that are very expensive and not as effective. It’s just used for cleaning malware, not for detecting it, so another plugin is needed for that, unfortunately. – Shala
Defender, WPScan, SQLMap. – wolf Bishop
I’d say Malwarebytes for a security tool perspective & now Defender Pro for websites. However, also keen on Windows Security. – Shiv Patel
3. When was the last time you did a thorough check of your WordPress security?
I keep a close watch on all the sites I maintain and keep track of all the plugin and theme vulnerabilities. A thorough check is done at least yearly when no suspicious behavior is seen. So far *knock on wood* had 1 WP site that I’m responsible for that got hacked because of a zero-day vulnerability. Also, once my webhosting provider was a victim of a ransomware hack. Luckily, I had my own off-site backups, because at the same time his backup server got corrupted. I was back online in a few hours with a different host. His other customers were offline for 3 days. – Richard
I check almost every day or at least once a week – Diaz
At least weekly. – Chris
Once I set up Defender, I usually check sites weekly. Thanks to Defender, I don’t need to spend as much time on it like I used to! – Victoria
The last time I spent time on security was when I set up Defender on another site a couple of weeks ago. Once I’ve got everything set up, I don’t really focus on security. As long as I keep regular offline backups, I’m not too worried about getting hacked anymore. – kahnfusion
I try to take half a day every two months to make a good check of the 20-ish websites I’m managing. Seems fair enough to me, as I read Defender Pro summaries once in a while and made a good setup of my notifications to be sure to receive a mail if something REAL happens. – Guigro
I don’t do specific deep dives, since I just build in Defender into my processes. – Phil
I go through the Defender reports and actively ban IPs for any somewhat suspicious activity. Generally, I trust Defender and WPMU DEV to keep things secure for me. – Keith
I ensure to run a complete scan/review monthly for all my clients. Seems like the right amount for me. – Lee
We run scans on every site daily. We also do a deeper semi-annual Security Review which includes pentesting the client’s site. – wolf Bishop
I aim to have a step by step inspection check when installing all the available plugins in each site I host. But WP Security is a crucial aspect of all sites. – Shiv Patel
My working protocol includes weekly routine security checks and monthly deep security checks for the websites/servers I manage/run. – Catalin I.
Thank you to everyone who participated in our interviews and discussions.