7 Popular WordPress Security Myths
Because of its incredible popularity as a platform, WordPress enjoys a sizable, generous community of users that spend their time sharing information, resources, tips and insights with other WordPress users online. Understandably, online security is at the forefront of concerns for many site owners, and a lot of the online conversation about WordPress centers around the best ways to keep your site safe from hackers and security breaches. Despite the best of intentions from most users, there are a few myths surrounding WordPress security that persist and spread like wildfire, even if the recommendations they make don’t do anything to keep your site safe.
1. Moving or Hiding ‘wp-admin’ Will Stop Brute Force Attacks
Brute force attacks occur when malicious bots hammer your login pages over and over attempting to guess your username and password in order to get admin access to your website’s back-end. From there, they can lock you out, compromise your data and deface or even take down your website. Most commonly, these bots try common usernames like “admin” alongside tens of thousands of passwords, hoping that one of them will work and allow them access to your site.
Because these bots target the login pages of your site, the logical next step for many users is to look for a way to hide their site’s wp-admin folder, or at least their login page. There are many plugins in the WordPress repository that help you accomplish exactly that, and we here at Wordfence get regular requests from our users to incorporate that feature into the plugin, too. And while it may be something we look into adding to the plugin in the future, we haven’t yet made it a priority for a couple of very good reasons.
First, many plugins and website features depend on the wp-admin folder being exactly where they expect it to be, and anything that changes the path of that folder can break those plugins or features. This is why, when users ask us about this approach, we recommend only changing or password-protecting the wp-login.php page itself.
Secondly, and perhaps most importantly, this approach is a way of implementing what’s called “security through obscurity” – an attempt to increase the security of your data by hiding an access point. Depending on something in your site being hidden or secret is generally not considered a best-practice approach to online security, and the truth is that any hacker who has the tools to try to break into your site is also likely to find where your login page is hiding with little effort, no matter where you put it. It’s just not a very effective way of adding a layer of security to your website, and may be more trouble than it’s worth.
Lastly, as we reported on this blog in January, the majority of attacks don’t target the login page that you use to protect your site. Instead, they attempt to log in via XML-RPC (the xmlrpc.php endpoint), the interface that other applications use to authenticate and communicate with your site.
2. Changing the WordPress Table Prefix Will Improve Security
A couple of years ago, we started seeing a rise in popularity for the idea that changing the prefix of your WordPress database tables would help prevent SQL injection attacks on your site, in which the attacker uses a vulnerability in one of your WordPress plugins or themes to gain access to your database. (You can read more about how a SQL injection attack works over on our Learning Center article about them.) The idea was that if you changed the database table prefix from the predictable and default “wp_” to something else, it would somehow prevent these types of attacks.
We’ve covered this topic at length fairly recently, but the bottom line is that there’s no reason to believe that changing the database table prefixes will do anything to improve the security of your site, and doing so may actually put your entire site at risk if it isn’t executed perfectly the first time. We consider it a form of “security theater” – actions that make you feel like you’re doing a lot to improve the security of your site while actually accomplishing little or nothing to that end. The best protection against SQL injection attacks is a three-pronged approach of using a powerful Web Application Firewall, monitoring your site continually against malware and keeping your website’s plugins, themes and core files up-to-date and patched – all of which Wordfence and Gravityscan help you accomplish.
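The reason the prefix cannot matter is worth seeing in code. The following added example (written for this article, not code from Wordfence or from any WordPress plugin) builds the same small posts table under two different prefixes and runs one vulnerable query and one parameterized query against each. The plugin’s own code already names the table in the query, so the injected value never needs to know the prefix; only the parameterized form stops the injection. The rows, prefixes and the sqlite3 stand-in for MySQL are constructed assumptions; in WordPress itself the equivalent hardened form is a query built with `$wpdb->prepare()`.

```python
import sqlite3

# Constructed sample: identical schema and rows under a default and a "random" prefix.
PREFIXES = ["wp_", "x7qz_"]


def build_db(prefix):
    """Create an in-memory database with a {prefix}posts table and three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {prefix}posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)"
    )
    conn.executemany(
        f"INSERT INTO {prefix}posts (post_title, post_status) VALUES (?, ?)",
        [("Hello world", "publish"), ("Draft notes", "draft"), ("Private memo", "private")],
    )
    return conn


def published_titles_unsafe(conn, prefix, title):
    """The vulnerable form: user input is spliced straight into the SQL text.

    The table name comes from the plugin's own code, so the prefix is already in
    the query before any attacker-controlled value is interpolated.
    """
    sql = (
        f"SELECT post_title FROM {prefix}posts "
        f"WHERE post_status = 'publish' AND post_title = '{title}'"
    )
    return [row[0] for row in conn.execute(sql)]


def published_titles_safe(conn, prefix, title):
    """The hardened form: the value travels as a bound parameter, never as SQL."""
    sql = f"SELECT post_title FROM {prefix}posts WHERE post_status = 'publish' AND post_title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


def demo(title):
    """Run both queries under both prefixes; returns {prefix: (unsafe_rows, safe_rows)}."""
    results = {}
    for prefix in PREFIXES:
        conn = build_db(prefix)
        results[prefix] = (
            sorted(published_titles_unsafe(conn, prefix, title)),
            sorted(published_titles_safe(conn, prefix, title)),
        )
    return results


if __name__ == "__main__":
    # The classic tautology input turns the WHERE clause into "... OR '1'='1'".
    for prefix, (unsafe, safe) in demo("' OR '1'='1").items():
        print(f"{prefix}: unsafe query returned {unsafe}, safe query returned {safe}")
```

Under both prefixes the unsafe query leaks the draft and private rows as well as the published one, while the parameterized query returns nothing, because no title literally equals the injected string. Renaming the table changed nothing; binding the parameter changed everything.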
3. All That’s Needed to Lock Down a Site Is a Secure Username and Password
Certainly, using a strong password and unique admin username on your WordPress website is an important part of securing your site. After all, one of the basic tactics of hacker bots is to try a few thousand passwords with the default WordPress username “admin.” Simply by having your admin username be something other than “admin,” you’re already getting one step ahead of malicious entities that may try to break into your site, and if your password is a long, unique, hard-to-guess combination of capital and lowercase letters, numbers and special characters, that’s even better.
But the truth is that even if you have a secure username and password for your website, hackers may still be able to break into and take down your website using other means, such as security vulnerabilities in outdated plugins, data breaches or phishing.
Sites that aren’t protected by two-factor authentication, which sends a code to your cell phone every time you log in as an admin, are especially at risk of exposure. Secure usernames and passwords are a valuable line of defense against hackers, but they can’t be the only strategy you use to secure your site. Implementing two-factor authentication on your website adds a crucial second layer of security to your login credentials that makes it that much harder for the bad guys to break in.
4. My Site Isn’t Important Enough to Be Interesting to Attackers
Many website owners mistakenly believe that their sites will enjoy a relative degree of safety from hackers because they also believe that hackers only target high-profile companies, and their businesses or websites are too small or unimportant to be a target.
Unfortunately, that’s just not true. According to a 2014 study, 60% of all online attacks targeted small and midsize businesses. An even more sobering statistic: because these smaller online entities simply don’t have the resources or safety nets necessary to immediately rebound from these attacks, another study found that 60% of small businesses that suffer a cyberattack close down within the year. If anything, because your organization is small, your website may have fewer security resources in play and be more vulnerable than larger, more robust websites.
Your website doesn’t need to have a high profile or millions of visitors to be useful to a hacker. Once they’ve gained access to your site’s admin capabilities and back-end, they can wreak all kinds of havoc, including defacing or outright destroying your site, using your server to send spam to other people, distributing malware to your visitors, posting link spam or redirecting your visitors to a malicious website.
The reality is that no website is too small to be hacked, and all website owners should take every precaution they can to protect their data from malicious hackers and cyberattacks.
5. My Site Is Safe Because It Has an SSL Certificate
An SSL (or Secure Sockets Layer) certificate adds a layer of security to the communication that takes place between your website and your visitors. Having an SSL certificate on your website is an important step toward ensuring that communication between your site and your visitors, especially visitors that submit sensitive personal data such as a credit card number or their contact information, is encrypted in transit and cannot be read in plain text by anyone who intercepts it.
Sites with an SSL certificate have URLs that start with “https://” instead of “http://” to indicate that the connection is properly encrypted. Many customers know to look for the padlock symbol in their browsers that indicates a site has SSL protection, and in January of 2017, Google’s Chrome browser started visibly marking any site that collected personal information without HTTPS as “Not Secure.”
Unfortunately, the security that an SSL certificate offers your website is purely transactional: it protects the information being passed between your site and your visitors, but – crucially – not the data housed on the site itself. Without a Web Application Firewall, up-to-date plugins and software, and other endpoint security measures, your website will remain completely open to hackers even if it has an SSL certificate – and that could still put the customer data stored on your site at risk.
6. My Site Uses a CDN or Cloud-based Firewall, Which Is the Same as the Wordfence Firewall
Content delivery networks (CDNs) and cloud firewall providers such as GoDaddy/Sucuri and Cloudflare can offer your site protection by rerouting traffic to their servers, filtering the traffic based on their firewall rules, and then only forwarding the traffic that passes those rules over to your website. The expectation is that this route will hide your website’s actual server origin because anyone visiting your domain name gets automatically forwarded to the cloud firewall provider’s servers instead of yours.
The reality is that it’s extremely easy for virtually anyone to bypass cloud firewalls by discovering your website’s originating IP address and attacking it directly. Keeping your site’s originating IP address a secret is extremely difficult, if not altogether impossible. This is a well-documented problem with cloud firewall solutions, and we’ve written about it in detail before if you’d like to see exactly how it works. The bottom line is that endpoint security is a much more robust and reliable approach to website security, and Wordfence supports protecting your data where it originates as the best front-line defense against potential attacks.
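What the bypass looks like from the origin server’s side, and the admission check an origin can run to notice it, is shown in the added example below (written for this article; not Wordfence code and not any provider’s published configuration). The origin accepts a connection only if the TCP peer is one of the cloud firewall provider’s proxy addresses, and it trusts the proxy-supplied X-Forwarded-For header only in that case, since anyone who reaches the origin address directly can set that header to anything. The provider ranges here are constructed stand-ins from the RFC 5737 documentation prefixes, and the sample connections are likewise constructed.

```python
import ipaddress

# Constructed stand-in for a cloud firewall/CDN provider's published proxy ranges
# (RFC 5737 documentation prefixes, not any real provider's addresses).
PROVIDER_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]


def from_provider(peer_ip):
    """True if the TCP peer that connected to the origin is one of the provider's proxies."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in PROVIDER_RANGES)


def admit(peer_ip, headers):
    """Origin-side admission decision.

    Returns (accept, client_ip). A request is accepted only if it arrived through
    the provider's proxies; the visitor's real address is then taken from the
    proxy-supplied header. When the request came directly, the header is ignored
    because a direct peer can forge it, and the request is refused outright.
    """
    if not from_provider(peer_ip):
        return False, peer_ip
    forwarded = headers.get("X-Forwarded-For", "")
    client_ip = forwarded.split(",")[0].strip() or peer_ip
    return True, client_ip


# Constructed sample of connections as seen at the origin: (peer_ip, headers).
SAMPLE_CONNECTIONS = [
    ("203.0.113.10", {"X-Forwarded-For": "192.0.2.44"}),   # visitor arriving via the proxy
    ("198.51.100.5", {"X-Forwarded-For": "192.0.2.45"}),   # visitor arriving via the proxy
    ("192.0.2.99", {"X-Forwarded-For": "203.0.113.10"}),   # direct hit with a forged header
    ("192.0.2.99", {}),                                    # direct hit, no header at all
]


def direct_hits(connections):
    """Peers that reached the origin without passing through the provider: the bypass the post describes."""
    return sorted({peer for peer, headers in connections if not admit(peer, headers)[0]})


if __name__ == "__main__":
    for peer, headers in SAMPLE_CONNECTIONS:
        accepted, client = admit(peer, headers)
        print(f"peer {peer}: {'accepted' if accepted else 'refused'} (client {client})")
    print("direct hits on the origin:", direct_hits(SAMPLE_CONNECTIONS))
```

Two things follow from running it. Every direct connection shows up as a refused peer, which is the detection signal that the cloud firewall is being walked around; and without such a check the forged-header request would have been logged as if it came from the provider’s own address. The check reduces the exposure but does not remove it, which is why the post argues for protection at the endpoint itself.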
7. WordPress Itself Is an Insecure Platform
WordPress is the most popular content management software right now, powering more than one in every four websites on the Internet, and being used nearly 4 times as often as Drupal and Joomla combined. Due to its popularity, WordPress has endured a few high-profile security scares in the past few years. A WordPress exploit or vulnerability means that a much larger base of websites is put at risk, and as a result, many people have come away from these scares with the belief that it’s an inherently insecure platform – but this is simply not true.
While WordPress may be subject to more attacks than less popular CMSs, this doesn’t mean that WordPress is inherently less secure. On the contrary, because it powers millions of websites, WordPress has a passionately active international community of users and developers that collectively work 24/7/365 to find and patch any possible security vulnerabilities both in the core software files and its huge ecosystem of plugins and themes. Because of this enormous global community – which no other CMS even comes close to matching – almost as soon as a potential threat or vulnerability is identified, there’s a fix or a patch made available.
The overwhelming majority of security compromises and hacking incidents – nearly 80% – are the result of outdated software and/or password exploits – that is, they’re due to either a weak username/password combo, or due to a vulnerability that the site admins failed to patch or fix in time, not an inherent flaw in the software itself. Put simply, the easiest and most common points of entry into a website for a hacker will always be via a username/password access exploit or an outdated plugin, and this will hold equally true for any CMS, not just WordPress. You need to keep the software that powers your website as updated as humanly possible. This is why one of the core features of Wordfence is its alerts, which let you know the moment an update for your site becomes available, so that you can easily stay on top of keeping your site patched and current.
Maintaining and optimizing the security of your website can seem like a very daunting and complicated undertaking. Site owners may struggle to parse an endless stream of information and advice that sometimes may even conflict. Determining what will really work and what is simply “security theater” can be extremely challenging, but armed with a good endpoint firewall, a secure username and password with two-factor authentication, and the most up-to-date site software, you can get a lot of peace of mind knowing that you’re making it as hard as possible for anyone to get through your website’s well-maintained defenses.