WordPress Security expert Paul Irvine reveals the simple steps you can take to stop 99% of all hacking attempts dead in their tracks. Even non-techies can implement these simple strategies, and if you don’t do it you’re unnecessarily risking YOUR website and business.
- Paul’s Recommended Hosting Company: Liquid Web
- Plugin to Obscure Login Page: WPS Hide Login
- Pauls Download Exclusively for Project Ignite Listeners: paul-irvine.com/eispecial
Transcription Episode 66: WordPress Security Tips For Non-Techie Entrepreneurs With Paul Irvine
Welcome to the Project Ignite Podcast, a podcast designed to skip the hype, skip all that BS and just give your real actionable tips and strategies to help grow your business and income on the internet. This is your host, Derek Gehl, and today we’re going to be diving deep into WordPress security tips.
Before you start yawning, I want to emphasize the importance of this discussion on WordPress security tips because I’m going to go out on a limb here and say a large majority of the WordPress websites that I see or work with are not taking the necessary steps to protect themselves.
They have vulnerabilities that they’re unaware of that could be easily exploited, that would cause massive grief if they aren’t corrected. I’m talking about downtime, lost business, lost intellectual property, compromised customer data and worst of all a damaged reputation. It’s really so unnecessary because so much of this is easy to avoid with some simple WordPress security tips.
I guess another way to put this is what we’re going to be talking about today is a lot like insurance. You need to have it, you don’t like paying for it and you hope you’ll never have to use it, but man are you glad you have it when you need it.
Website and WordPress security is the same but like I said, the good news is most of the things you need to do to really lock down and protect your WordPress website are cheap and easy.
To help us explore this topic and give us some real powerful and practical WordPress security tips to help you secure your website, our guest today is a self-proclaimed technology geek with a corporate IT background of over 15 years working with big businesses. He now runs his own business specializing in making business technology more accessible to everyone, including securing your WordPress website.
Without further ado I would like to welcome Paul Irvine to the show.
Paul, thanks for being here today.
Hi Derek, lovely to be with you.
Fantastic. Now, before we get started on WordPress security tips, just take a second and expand on my introduction. More specifically, after spending 15 years working corporate IT, how did you get into this … The website and specifically the WordPress security tips side of things?
I used to run a lot of the security side of things in my corporate days.
When I first came in to the internet marketing world, I noticed that it was all about make money online, and magic buttons and all the rest of it. The crucial thing was that if your site is down for any reason or if it’s hacked nobody was really paying attention to those specifics.
I took the direction of increasing the awareness of the importance of having even basic security in place on your business website.
Awesome. Like I said, I don’t think enough people pay attention to this.
Let’s start here, WordPress, it’s a powerful platform, it’s become sort of the de facto platform for small businesses. I run all my websites on WordPress, I love it, but there’s no denying hackers seem to be really targeting WordPress websites, and when I look at my weblogs, I can see the attacks happening on just about a daily basis at one level or another.
The question is why? Why are they going after WordPress? What are your thoughts on that?
The thing with WordPress, it’s a fantastic platform for building websites, the downside to it is the way WordPress is structured, because there are so many updates regularly between the WordPress core, themes and the plugins. The updates take place because either there’s a new feature added or there’s been a vulnerability found in the code that makes up that part of WordPress.
When these exploits are found by the security experts, they are then obviously picked up on by the hacker community who then run their automated scripts attacking the websites to find the vulnerabilities and then exploit them to take control.
I think you just said something interesting there, and I think it will tie in to my next question is, how are hackers picking their targets?
You said something there which was automated scripts, and I know a question I get a lot of the time is from small businesses. It’s some guy or girl that’s just set up their blog, and they’re just going along their happy way and they’re like, “Why are they picking on me?” and so people will be, “How do they pick their targets?”
They don’t specifically pick a target based on how big your business is, it’s irrelevant. If you’re running WordPress then you’re going to become a target.
The scripts I’m referring to are … They’re basically programs that they run on their computer and then they’ll send it to the internet.
The scripts go out onto the internet, they’ll find the sites that are run in WordPress through a number of identifiers that WordPress sites have that normal sites don’t. Then they start going through the different exploits or the different vulnerabilities that these sites could have and then if these flags are found they then take their attack to the next level and then attempt to actually take over or plant a malware or do whatever the bot is designed to do.
It’s automated and it’s really scary stuff.
Yeah. As I was saying, when I look into my weblog, and you can see how often it gets hit with people trying to maliciously hack in or just brute force guess passwords and stuff. That makes your WordPress security tips so important.
It’s amazing and most people don’t realize it’s happening because they’re not looking at their weblogs at maybe the same level I do.
I guess the only reassuring message there is you’re not actually being targeted. Some guy behind his computer, if I understand you correctly, he’s not sitting there saying, “Hey, I’m going to go over to Paul’s website and I’m going to find a way into it manually.”
That’s right. Yeah.
Yeah. I’m sure Google, Amazon, NASA, those guys they deal with that level but … Yeah, so we’re dealing with automated scripts.
I guess one of the things a lot of people don’t understand as well is, what are the consequences of being hacked? What are hackers doing? What are they trying to achieve? Why are they even trying to get into our websites? What are the consequences that make these WordPress security tips so crucial?
Okay. There’s a number of reasons hackers go after websites, there’s an exhaustive list but I’ll give you the main ones.
One of the reasons is to plant malware onto the server. What happens is the malware program is planted, and then if a visitor comes to the website, and they don’t have adequate protection on their computer, that malware is then downloaded to their machine, and that could range from anything from questionable redirects to other websites that could be a keylogger.
If they’re putting confidential information into their browser such as username or password to their bank, PayPal, or that kind of thing, that information could be logged on their machine and then every so often, that log is then sent to the source of the hacks. That could then in turn turn into their bank accounts or their PayPal being hacked as an example.
Another reason they could install it on email servers. I know this sounds highly unlikely but what they can actually do is they take over the server that your website is hosted on and they put their own email server.
It could be anything between sending spam email to bypass any blocks that they’ve had before, so that in turn can then lead to your IP address being banned because you’re a source of spam. It doesn’t matter if your site’s been hacked, if the source of the spam is your server, is your IP, you are liable for that, and then there’s legal consequences attached to that as well.
There’s also severely nasty, nasty stuff that can be done.
Yeah. I mean over my last 20 years online, I’ve had a few of those horror stories. One of the ones that intrigued me the most was, one day I went to one of my sites that I hadn’t looked at in a while, and I had not run some updates and it got hacked. I got there and all they’d done was replace my homepage with their … Effectively their hacker tag I guess you could say.
That was it and I was baffled. I guess it was just … Some people hack for the sake of hacking.
To the point of the email, I’ve had that happen on servers that my company manages because somebody was running plugins that were not up to date, or a theme, I’m not sure what to was, but these people got in and next thing you know our IPs are getting blacklisted by Gmail, Yahoo, Hotmail. Simple WordPress security tips really can’t be ignored.
Our mails not getting through and we have to clean the mess up, nobody is there to help you and you can’t just call up at Google and say, “Hey, I was hacked.” Right?
Sure. That’s it exactly.
A real pain in the butt. Okay, the threat is real, it’s an automated threat, so let’s dig into WordPress security tips specifically. What are the bigger vulnerabilities and what are some simple things that everybody should be doing today to be locking down their WordPress websites?
Okay. Primarily, as far as WordPress security tips the best thing that anyone can do, that’s listening, is to … You want to be hosting your website … If it’s a business website, you want to be hosting on a business class web hosting company.
I won’t name specific names but if you are an established business online and you’re making 4 figures and above, and you’re still on a $2, $3 a month web host package, you want to shift off that as a primary objective.
This is because you’re sharing your IP address, your server, with hundreds … potentially multiple hundreds of other people. From that point of view, even if you secure your website like Fort Knox, if another account gets hacked on that server, and the host hasn’t got the software up to date, which I’ve come across at a scary rate recently, then they can actually get into your stuff as well.
The business class hosting has everything locked down, so everything is kept up to date so that can’t actually happen. That’s the first thing definitely.
Just to dig into that a little bit, let’s define business class hosting, because if I go to HostGator, I can sign up for their $4 a month beginner package which is shared hosting, but then they also have something that they call their business plan, which is maybe $20 a month.
Yes. That’s right. I wouldn’t recommend … There’s a big company called EIG and they have a portfolio of I think it’s maybe 40 or 50 different web hosting companies.
The thing with EIG … I’ll be careful with what I’m saying here. The thing with EIG is, take HostGator for example, 4, 5 years ago, they were a wonderful web host, the servers run sweet, the software was kept up to date and everything was nice and manageable, nice and easy and reliable.
Fast forward a couple of years, probably to about 2013, EIG bought HostGator and they shifted all their servers onto less prepared equipment, let’s just say that. The server speeds was reduced, the levels of security above WordPress, you know were not even on the WordPress level yet, so all that is up in the air and it brought about a whole host of issues before you even got to your WordPress website.
On the flip side of that, you have another company that I love to bits, it’s called Liquid Web.
That’s where I’m hosted.
There you go. There you go. Liquid Web, they’ve built their reputation up. They’ve been online since I think it’s ’94, ’95. They’ve been around a long, long time. The way they have their stuff set up is, everything is solid, everything is secure.
When there’s a software update it’s applied, so the actual server that you’re hosting on is locked down, it’s kept up to date and all the good stuff that you would expect. It’s certainly something that’s a mean driver if you’re running a proper business. Proper WordPress security updates are crucial for a good hosting company.
For a VPS, which is a level up from the standard shared package, you’re looking at $55 a month. For a business making 4 figures and above, that’s an absolute investment that you have to make.
Yeah. That’s the server side of things.
When it comes to WordPress security tips for WordPress itself, there’s 3 core areas.
There’s WordPress core, which is your actual WordPress installation, there’s the themes and then there’s the plugins.
The WordPress core is updated every so often. A couple of hours ago version 4.5 was released. That’s the latest version of WordPress, it’s up to date. WordPress security updates should be run as soon as they become available.
Unfortunately some of your listeners are possibly even on version 3 just now, which is over a year out of date. I know it sounds scary, it really does, but it’s getting into the mentality that if there’s WordPress security updates available, you’ve got to install onto your site; if it’s WordPress core, a theme update, or a plugin. This is one of the key WordPress security tips.
As I said, one of the main reasons that these updates come out is because there’s an exploit, there’s a problem found in the code by the people that check these things. They update the code to ensure WordPress website security and then they release the update to patch that exploit, to stop hackers getting in and that’s why they release the updates. That’s the 3 key areas of WordPress security tips.
I guess the moral of the story right out of the gate is make sure you’re running updates. If there’s an update, run it as quickly as possible.
Yes. If there’s an orange number next to updates inside WordPress, for goodness sake, please go inside and update it. Whatever it is, update it.
Absolutely. I think there’s … To dig a little deeper here into WordPress security tips, is when it comes to themes and plugins, it goes a little bit even beyond just updates because it depends where you’re getting them from. I’ve had plugins and themes that have been abandoned by the developer and they’re just not being updated any longer.
Okay. First, I was going to give you an example. I had a well-known internet marketer contact me about a month ago. He had five websites that were all hacked. We’re talking a prolific marketer here.
He hired me to go and fix the sites, and I went and one of the sites was running … The WordPress version was about a year and half out of date. There were … This is a good key point that you mentioned here.
There were about 3 or 4 plugins that had been released by members of the IM community; the magic button. If it’s an opt-in system or if it’s a LESS build or a LESS kind of thing and as you said, that was … There was one on there that was 4 years out of date, and it actually turned out that it was that plugin, that was the source of that site being hacked which then led to the other sites being hacked.
Yes, that’s right; where you locate, where you source, where you buy your plugins and your themes is of the utmost importance to your WordPress website security. You have to make sure it comes from a reliable and an established source. That’s one of the really important WordPress security tips.
For everybody that’s listening, I know it’s really easy to click on plugins, add new, search for a plugin and just grab something that looks like it’s going to do it out of the plugin directory.
I don’t know what your WordPress security tips general rule is, but if I see a plugin hasn’t been updated in the last few months, unless it’s absolutely something so dead simple of a function, I don’t typically trust it.
I want to see plugins that are evolving, developing and haven’t been abandoned for the last year.
Yeah. That’s the safest option.
Even the WordPress repository, where the WordPress plugins can be downloaded, as you’ve said, you can see when the plugin was last updated. WordPress also added a feature a short while ago where it will tell you, underneath at the bottom, when the plugin was last updated, but also which version of WordPress it’s compatible with.
The ones that are being updated will be … As I said 4.5 has just been released, so the WordPress plugins are being constantly updated, constantly reengineered and all the rest of that. They will have that they are compatible up to 4.5.
The number of downloads is quite good of an indicator as well. It’s similar to … If you think of it, when you go on to eBay to buy something on there, you check out a number of things; you check out the ratings that are there, the number of units that’s been sold by the vendor, how long the vendor has been established for.
You’re given all that information when you’re inside the repository on WordPress, so use your due diligence and just don’t go for something that’s not been updated for a long time, and just use a bit of common sense when you’re picking the plugins.
That brings me to an interesting question about WordPress security tips. I don’t actually know if you have an answer to this, because I know I don’t, and that is, it’s easy to go into the plugin directory and say, “Yeah, this is good. This is bad,” based on updates.
What about when you head into CodeCanyon or ThemeForest, or all these different sites where there’s multiple developers contributing and they’re commercial in nature, so you’d assume that they’re well built.
Is there any way to tell if you’re dealing with a high quality plugin or a theme? I’m not a coder but I have people that I work with that are, we’ll look behind on a plugin and it’s just spaghetti. How does the average person know if they’re getting quality or not? Do you have any WordPress security tips in this area?
That’s actually a fantastic WordPress security tips question. I love ThemeForest, I love CodeCanyon as well, but again, I suppose if something new has been released in CodeCanyon for example, it’s a WordPress plugin, it does what you want it to do, but it’s not established, it’s not been there a long time.
CodeCanyon will do a certain amount of, not background checks but they’ll check if the coder … They’ll have a look at the coder as well, but they don’t go into the infinite degree. If it’s a new plugin or a new theme, then I personally, I’d stay clear unless it’s well established.
I’m a safe guy when it comes to that kind of thing, even if it does the perfect thing I want a plugin to do or a theme to look, I will tend to let it stew for a while, let it boil away, or let it grow, give it a few weeks or months, or whatever it takes.
I then start seeing the reviews, other websites will review those plugins and they’ll have their coder guys strap it to death to find out exactly what’s happening behind the scenes and all that kind of thing. If something is new to the marketplace, I tend to advise to steer clear to start with.
Got it. Okay. Now let’s shift to one of the other WordPress security tips issues, what I believe to be one of the most vulnerable points of almost every WordPress website and that is good old /wp-admin.
Yeah. Let’s talk about that because that’s … There’re so many mistakes that I see being made there. What are your thoughts? Any WordPress security tips here?
/wp-admin is one of the first things that I advise people to change. There’s kind of a bit of a split discussion going on in the security community. One side says, “Leave /wp-admin in place. It’s there for a reason. Don’t use security by obscurity.” In other words hiding something that’s there.
I’m on the other side of the fence. I’m more a case of, if you can reduce the number of macros, the number of things that show that your site is running on WordPress, then I’m all for it, absolutely.
One of the WordPress security tips is that there’s a very simple plugin, WPS Hide Login, that you can get from the WordPress repository; that allows you to install the plugin and then you just type a new name for the login page to ensure you’re obscuring that. As soon as you’ve done that, you change the login to something that only you know, and keep it that way obviously. Change it to something only you know and that then becomes the login page.
The other thing is you can team that with another plugin that allows you to … If anyone hits wp-admin, then you can instantly block off their IP address because A, you know you’ve shifted it to the new address, and B, if anyone is hitting wp-admin that shouldn’t be, you can block them off there and then. This is another one of the simple WordPress security tips.
For everybody that’s listening, just to understand why this is so important is because … Correct me if I’m off base here. I think it’s because most of the software, these automated bots that are out there looking for vulnerabilities, they’re programmed to look for wp-admin.
That’s correct. That’s one of the things, one of the first flags, or one of the first indicators that the bot programs look for, that’s right.
Yeah, so if you move it, it’s gone. The other challenge that I see all the time is the good old default username that comes with WordPress.
Admin, and everybody … That’s the easy … I need to assume that most bots that are doing brute force passwords or guessing are just looking for wp-admin and running passwords against the admin username. What are the WordPress security tips there?
That’s right. Yep. They’ll go for the admin username and as you said they brute force it.
Brute force is they load up a file that’s full of words from the dictionary and the program literally batters the login page with the username admin and then all these password combinations.
Because too many people are using things like Friday, chocolate, football, all these simple passwords, even the name of their spouse or a child, is guaranteed that that site will be hacked into. If it’s a simple combination like that, it’s pretty much a guarantee, as soon as a bot has locked onto your site, they’re going to get in.
Yeah. Change admin, use a strong password, you’re good. Simple WordPress security tips. Now, let’s shift to one more. Let’s talk about actual security plugins. Personally, I use Wordfence on my websites.
It does some marvelous things, what are your thoughts on plugins like Wordfence?
Wordfence is my number one.
It’s my favorite because the amount of stuff you get, even with the free option, is fantastic. It gives you a firewall that will deflect certain attacks from your website. It will even send you an email if your site is under attack or people are trying to get in with their hacks as well.
Overall, I think there’s over a million, probably closer to 2 million, installations of Wordfence on WordPress installations. Well established and very, very powerful plugin.
Yeah, and for everybody listening, if you’re not running Wordfence on your WordPress websites, you can get a free version of it. It does incredible stuff, monitors it, and it’s free. One of the more important WordPress security tips you’ll get here.
I think I use the paid version and I forget what I get it at that, but nonetheless, it’s an absolute no brainer. It’s like having a virus scan on your windows computer, you just should have it.
It basically … Yes, that’s it. Every WordPress installation should have a Wordfence plugin installed with it as well.
Here’s a question that I don’t really know the answer to, and I’m hoping that you can enlighten me.
There’s so much talk now about CloudFlare, and they act as a bit of CDN (content distribution network) and stuff like that. I have CloudFlare set up on my website, although I’m not really 100% sure what it does, but somebody told me it was cool.
What is the benefit of services like those from a security standpoint, or is there much?
Okay. A CDN like CloudFlare is a content delivery network.
The primary thing, the main thing that CloudFlare does is, say you’re down in Australia and you want to visit a website that’s based in America. Then obviously due to the distance between yourself and where that website is hosted, it’s going to add a lot of seconds to the load time.
The prime thing that CloudFlare does is it has servers around the world and they take a copy of that website, so the Australian visitor will then, instead of having to wait for the American site to load, they can access that in an Australian CloudFlare server.
It’s like a local access. I don’t actually think there’s servers in Australia, I think it’s Japan, but it’s certainly closer on a geographical level.
In their advertising and marketing they mention something about DDoS protection.
That’s right. Distributed denial of service attacks.
This is another thing that hackers can do. What a DDoS is, is at any given time, and this isn’t … It is automated but it’s not the same as what we were talking about earlier on. At any time, say the CIA website, say the hacker group wanted to bring it down, they can launch what’s called a DDoS attack.
Once they’ve planted their malware via infected websites to people’s computers … It’s quite similar to the whole Skynet scenario that was shown in Terminator 3: Rise of the Machines. Skynet wasn’t based inside the mountain, it was actually on the internet. It was on PCs and servers all over the place.
If you think of a massive scale of computers, all running this one program to attempt to take down the CIA site by just trying to open the website. Because of the amount of people, because the amount of programs accessing the site at the same time, the server can’t deal with it and it falls over.
That’s what the DDoS is. It just takes a site out completely because it floods the website, it just cannot deal with the amount of requests and it takes it out of the game completely.
What CloudFlare does is it has a really clever system that it can detect when these things are happening. If a website has a certain level of visitors over a certain period of time, CloudFlare tracks that and maps it.
If that suddenly spikes … Say you’re getting 100 visitors every hours, let’s just keep that simple, 100 visitors every hour. If that suddenly spikes up to 10,000, then CloudFlare systems detect that and then they put into place the DDoS protection to keep the website from falling over.
It basically bends, it discards all the IP addresses that are trying to access a site purely to bring it down, and allows the site to continue as it should.
Got it. I guess for the average listener here, a DDoS attack is not really a huge concern. I suspect that that’s more … We’ve seen them take down big, big, big players with those DDoS attacks but that’s interesting. I was wondering where the benefit was with CloudFlare.
Now, the last WordPress security tips question that I have is, WordPress, now starting to capture payment, capture sales data. What level of complexity does this add? Should people be hosting their order forms on their pages or should they be using softwares or service models using other people’s systems for that?
It really depends on the website itself and the website owner’s needs.
If you are using what’s called https, in other words allowing people to access the pages securely, everything is encrypted, everything is scrambled, mixed up between the visitor’s computer and the server, and it’s been implemented by someone who specializes in that, that’s fine.
There’s other options obviously; you can send them to a PayPal checkout, there’s different shopping carts that can be used as well.
As long as there’s a layer of security in there that protects both yourself and the visitor, the buyer, then that’s fine.
What you don’t want to be happening is people purchasing stuff off your website without using any security. If you’re sending them to a plain http page to make a purchase, then that’s a big no, no because the data is readable.
If the site has been hacked, and again, if there’s a keylogger in place, then credit card details can be stolen and all other sorts of problems can take place.
Absolutely. We’ve covered a lot of WordPress security tips stuff here and I was looking at your website before the call and I know you’ve got some really good resources there. Before we wrap things up here, where can people learn more from you about how to do this? What if they don’t want to do it themselves, where can they go?
Sure. What I’ve actually done for everyone listening is I’ve set up a special page for only Project Ignite listeners. paul-irvine.com/eispecial
What I’ve put on that page is a nice easy to read, easy to follow checklist to cover website security for your WordPress website. It’s a free download for them, it’s got most of the things that they’ll need to get started with, and in all honesty, even if they implement one step in that checklist, then it’s going to make their website a heck of a lot securer than it is just now.
Awesome. That’s fantastic. Paul, first thank you for sharing so much and giving our listeners so many great WordPress security tips. If they just implement what you told them today, they’re going to be in a great spot.
Again, thanks for putting together that download on WordPress security tips, that’s fantastic. Thanks so much Paul.
No problem at all Derek. It’s been fantastic to chat with you.
Awesome. Now, everyone that was a WordPress security expert, Paul Irvine. As always, any of the links mentioned in the interview will be included in the show note along with the link to the free checklist that Paul so kindly put together for everyone.
I’d recommend going to check that out, and then heading back to your website and making sure you implement what you just learned because if there’s one essential ingredient to using what we’ve taught you about here today, that is action.
Once again everybody, thank you so much for being here and if you haven’t done so already please head on over to iTunes or SoundCloud, click subscribe and leave us a rating or a review if you like what you heard.
Now it’s time to take action, apply what you’ve learned and stay tuned for more info-packed episodes of The Project Ignite Podcast, a podcast designed to simplify online business so you can reap the rewards.
This is your host Derek Gehl, signing off.