News, news analysis, and commentary on the latest trends in cybersecurity technology.

7 Ways SMBs Can Secure Their WordPress Sites

This Tech Tip outlines seven easy fixes that small and midsize businesses can use to prevent the seven most common WordPress vulnerabilities.

Suhaib Zaheer, Senior VP & General Manager, Cloudways

September 28, 2023

5 Min Read
Illustration of WordPress logo on wooden background with faint HTML wordcloud
Source: bilalulker via Alamy Stock Photo

Enterprises large and small rely on WordPress: At least 43% of websites on the entire Internet use WordPress to power their sites, e-commerce applications, and communities. Running WordPress has its risks, however. In 2022 alone, just two plug-ins led to 6 million users experiencing critical vulnerabilities that put at risk user data, financial information, login credentials, and more.

Securing WordPress can be expensive and complicated for small and midsize businesses (SMBs) with little to no dedicated security staff. Fortunately, seven of the most common issues plaguing WordPress sites can be countered by seven easy fixes.

1. Update WordPress Core

One of the leading issues for WordPress vulnerabilities is an out-of-date core — the foundational files that WordPress sites need to operate. WordPress releases core updates every three months, and missing one or two release cycles can easily leave a site vulnerable. Usage statistics from WordPress show that about 40% of sites are running on outdated versions.

Site administrators need to regularly check their site's WordPress dashboard for the latest updates and schedule maintenance windows when the site will be unavailable in order to apply the updates.

2. Update Themes and Plug-ins, Too

Thanks to a plethora of themes and plug-ins, users can easily customize and experiment with new functionalities. These same themes and plug-ins must also be updated regularly to work with the latest version of Core. The WordPress plug-in dashboard can display the newest versions of each installed plug-in that corresponds with the latest core version.

3. Run Regular Malware Scans

Attackers routinely exploit vulnerabilities in widely used plug-ins to compromise websites. Check plug-ins for flaws prior to installation (and always install the latest version). Regularly conducting security scans can help detect potential malware infections. In case of infection, WordPress offers several cybersecurity detection and removal plug-ins that can assist you in quickly rooting out threats. The primary goal is to confirm that your site core, theme, and plug-in are up to date and void of suspicious file injections or malware. Scanners are overarchingly set up to run at scheduled intervals, and all of them offer on-demand scan capabilities, which users can initiate from an administrative interface.

Note that there is no cybersecurity detection and removal plug-in from the core team. Independent researchers — such as Patchstack, WPScan, and Wordfence — can report vulnerabilities to the plug-in author and core team, and the core team may remove the plug-in from wordpress.org.

4. Sidestep Credit Card Skimming

Credit card skimming, where attackers insert malicious JavaScript code into an e-commerce application to harvest sensitive credit card information, is one of the primary methods with which hackers attack WordPress sites. Along with keeping the site and plug-ins up to date, site owners should install monitoring tools, firewalls, intrusion detection systems, and certificates to hold off cybertheft.

Business owners can protect themselves against this by using integrations like Stripe or PayPal, essentially verified payment merchants whose systems automatically protect clients from skimming. Conducting a PCI compliance audit alongside an auditor is critical, as they will share reports with recommended actions to get in compliance.

5. Block Unauthorized Logins

Brute-force attacks, where attackers repeatedly run through every possible password combination to gain access to the site, are another common method of attack. Make it difficult for attackers to launch brute-force attacks by using strong login credentials and making it hard to find the site's back-end login page. Configure your WordPress site to have a different wp-admin login URL, not the default path. Adding bot protection provides login protection against potential threats.

Additionally, incorporating CAPTCHAs into your site can quickly stonewall repeated login attempts. The most popular technology and plug-ins used include GoogleReCAPTCHA v3 (Invisible reCaptcha for WordPress) and Hcapchta (hCaptcha for WordPress). A user-friendly alternative is Cloudflare Turnstile or Simple Cloudflare Turnstile.

Attackers can take advantage of a site's outdated plug-ins and themes, undefined user roles, spam-like content, and weak security controls to insert spam keywords and pop-up ads. One sign of SEO spam is a malicious plug-in or theme. Clean up all suspicious-looking plug-ins and themes, install spam security plug-ins, and monitor your site frequently.

7. Plug Up File-Inclusion Vulnerability

WordPress installations rely on numerous sensitive files (for example, wp-config.php, install.php, and readme.html). If the proper precautions are not taken, these sensitive files can quickly be rendered vulnerable, allowing hackers to execute their code on your site by including dangerous code alongside these files.

To prevent these vulnerabilities, insert the following code into your .htaccess file:

Options All -Indexes
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
<Files farhan.php>
Order allow,deny
Deny from all
</Files>
<Files license.txt>
Order allow,deny
Deny from all
</Files>
<Files install.php>
Order allow,deny
Deny from all
</Files>
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
<Files error _log>
Order allow,deny
Deny from all
</Files>
<Files fantastico_fileslist.txt>
Order allow,deny
Deny from all
</Files>
<Files fantversion.php>
Order allow,deny
Deny from all
</Files>

This code can prevent access to sensitive user directories and keep critical WordPress files from being modified, as well as protect your files from unauthorized access.

Keeping Security Tight

Tight security is key to making the most out of WordPress. While WordPress can be a tempting target for many hackers, users can take easy steps to reduce cyber-risk and stave off attacks.

Repelling malicious actors can be as simple as ensuring that your WordPress is completely up to date and taking advantage of the wealth of security plug-in offerings available. Careful research of themes and plug-ins you are looking to use, as well as your host provider of choice, can go a long way toward preventing the pitfalls that have crippled millions of sites.

About the Author

Suhaib Zaheer

Senior VP & General Manager, Cloudways

Suhaib Zaheer is the Senior Vice President & General Manager of Cloudways, a cloud hosting provider that offer businesses, agencies, freelancers, and more a fully managed hosting management platform. Suhaib joined Cloudways in 2021 as its COO and helped Cloudways dedicate its services to small and midsize businesses (SMBs).

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights