9 WordPress Security Myths (and Why Securing WordPress Matters)

With over 72 million sites now being powered by WordPress (that’s almost 20 percent of the web!), the issue of WordPress security tends to crop up a lot. And while it’s important to secure your site to avoid becoming a mindless botnet zombie, it’s also important to know what’s true and what’s not. In this post we’re going to cover the most common myths in regards to securing WordPress, what’s true about them, and what’s just plain fiction.

Top 9 most common WordPress security myths:

  1. No one is interested in hacking my small WordPress site.
  2. Securing my website is easy, all I have to do is keep the plugins and WordPress up to date.
  3. My WordPress powered site is totally secure.
  4. WordPress is inherently insecure.
  5. It’s my host’s responsibility to protect me, my website, and my visitors. I don’t have to worry.
  6. Everyone is using WordPress, it must be secure. I don’t need to do anything more than just install it.
  7. I already have a guy that takes care of my WordPress site
  8. I’ve already got X security plugin installed. I don’t need to do anything more for security.
  9. My password is just fine.

Myth #1: No one is interested in hacking my small WordPress site

Actually, a large percentage of attacks and hacking attempts are completely automated. They are most often conducted by automated programs sniffing around looking for vulnerabilities in a site. The issue here is, these programs that don’t care how big your site is, if you make money from it, or how many visitors you get.

In reality, hackers are usually trying to break into your site for the resources it has to offer, or in order to turn a profit from your site. Even if you don’t have any personal or client information stored on your site, an attacker can use your website to boost another site’s SEO, infect your visitor’s computers with malware (to steal their financial information), or redirect all your traffic to a site of their own choosing.

Myth #2: Securing my website is easy, all I have to do is keep the plugins and WordPress up to date.

While it’s true that keeping plugins and the WordPress core up to dare are super important, securing WordPress isn’t quite that simple.

To protect yourself, your brand, your visitors, and your clients from attackers and malicious, automated bots, you’ll need to do the following at the very least:

  • Check your passwords for strength
  • Limit login attempts
  • Regularly check your file structure
  • Perform regular backups
  • Weed out insecure plugins
  • Harden your WordPress install to prevent common attack vectors
  • Block bad bots

In addition to much more. Securing WordPress is certainly doable, but it’s important to realize that keeping your plugins and the WordPress core updated only covers a small portion of what’s necessary protect your site.

Myth #3: My WordPress powered site is totally secure.

Regretfully, there’s not a site on the web today that’s 100 percent secure. As long as your site is accessible from the web, it will always have weaknesses and security vulnerabilities.

It’s for this reason that you need backups and a solid disaster recovery plan. There are few worse feelings that when your site has been hacked and you don’t have a decent backup available. Both fortune and site repair favor the prepared.

Myth #4: WordPress is inherently insecure.

Nope! The WordPress core is super secure, and the developers are incredibly responsive when it comes to making security updates. That being said, it also needs to be hardened in order to protect you from the rigors of the wild wild internet. Beware.

Myth #5: It’s my host’s responsibility to protect me, my website, and my visitors. I don’t have to worry.

Your host’s responsibility is to host your site and protect it at the server level. This doesn’t include software issues, and WordPress is 100 percent software. Unless you’re using a host like WPEngine, it’s very much your responsibility to make sure your site, visitors, clients, and customers are secure.

Myth #6: Everyone is using WordPress, it must be secure. I don’t need to do anything more than just install it.

While the WordPress core is extremely secure, it actually does need some TLC and security hardening to keep people from turning your site into a crazy mindless botnet zombie. And also to keep your sensitive information and valuable resources out of the hands of malicious attackers.

Myth #7: I already have a guy that takes care of my WordPress site

Unless that guy is the Hulk Hogan slash Chuck Norris slash super-WordPress-ninja-hero-of-awesomeness of securing WordPress, you should probably at least ask him how secure your website is, and how much he’s done to secure it. Any guy taking care of your site that’s worth his salt will at least be taking regular backups. If he’s not, then you should get a new guy to take care of your WordPress site.

Myth #8: I’ve already got X security plugin installed. I don’t need to do anything more for security.

Great job! You’re on the road to securing WordPress!

There’s still a long way to go, however, so don’t stop now. Are you limiting logins, blocking bad bots, detecting intrusions, backing up your files, and closing down brute force attack vectors? If not, you’ll need to do so, among other things.

Myth #9: My WordPress Password is just fine.

Unless you’re using a 30-character, random password (with numbers and special characters) that you could never possibly memorize, and is entirely unique to your WordPress site,  you probably need to change your password. Try LastPass, KeepPass, Roboform, or 1Password to help you generate and remember that new 30-character password you’re going to use.

Be sure to change your FTP and control panel passwords as well. It’s no good only having one strong password. Your site is only as strong as its weakest link.

Why Securing WordPress Matters

We don’t call it the “Word Wide Web” for nothing. Whether we like it or not, your site is a part of a huge network of interrelated sites, which are a part of an even bigger network of interrelated people. If your site is compromised, it doesn’t only hurt you. Your WordPress install (and the server on which it’s hosted) can be used against those sites and the people connected to them to cause far greater damage than you could ever imagine. DDoS attacks, malware, even traffic redirection can cause thousands, even millions of dollars in damage. And if your site is hosted on a shared server, your site is a risk to every other site on that server, should it be compromised.

In 2012, more than 170,000 sites built with WordPress were hacked or compromised, and with the growing popularity of WordPress, the number promises to be much higher this year. So don’t believe the myths, and don’t wait until your site has been hacked to secure your site, take action to protect yourself and your fellow netizens today.

[button link=”http://pancakecreative.com/feature/wordpress-security-audit/” size=”large” color=”#00A9C7″]Hire Me to Secure Your Site[/button]