The best WordPress website security you can buy is a good backup. It won’t prevent your site from being hacked, but it will make recovery much faster and will help you avoid the worst case scenario—destruction of all of your data.
If you don’t have a good backup service, I suggest you stop reading this article right now and go find one. Then come back and read about all the ways to enhance your WordPress website security so that you never need to use your backup service.
SQL Injection: The Main WordPress Website Security Threat
The number one way hackers take over your website is using what is called a SQL injection attack. Simply put, this is when hackers find a flaw in your WordPress website security and use that flaw to directly inject Structured Query Language (SQL, pronounced sequel) into your WordPress database.
Almost everything about your site is stored in a SQL database. That includes your posts, your settings, your static pages, your comments, and more. The only things not commonly stored in the database are images and downloadable files—it’s much quicker for your web server to transfer these files directly without going through WordPress. (However, the names and locations of these images and files are stored in your database.)
If hackers can directly inject SQL code into your database, they can do anything they want to your WordPress site. It’s even more powerful than hacking your administrator account because they can use SQL to automate their takeover of your site.
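To make the mechanism concrete, here is an added example (not code from the original article) that stands an in-memory SQLite table in for WordPress’s wp_posts table and queries it two ways: once by splicing caller-supplied text into the SQL string, and once with a bound parameter, which is what WordPress’s own $wpdb->prepare() does in PHP. The table rows, the hypothetical helper names and the triage heuristic are constructed for this demo.

```python
import sqlite3

# Constructed stand-in for the real wp_posts table; only the columns we need.
SCHEMA = """
CREATE TABLE wp_posts (
    ID INTEGER PRIMARY KEY,
    post_title TEXT,
    post_status TEXT
);
INSERT INTO wp_posts VALUES (1, 'Hello world!', 'publish');
INSERT INTO wp_posts VALUES (2, 'Draft: Q3 roadmap', 'draft');
INSERT INTO wp_posts VALUES (3, 'Private notes', 'private');
"""


def open_db() -> sqlite3.Connection:
    """Create the demo database in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def titles_unsafe(conn: sqlite3.Connection, status: str) -> list:
    """Vulnerable pattern: caller-controlled text is spliced into the SQL.
    A quote inside `status` ends the string literal, so the rest of the
    input becomes part of the query instead of part of the value."""
    sql = "SELECT post_title FROM wp_posts WHERE post_status = '" + status + "'"
    return [row[0] for row in conn.execute(sql)]


def titles_safe(conn: sqlite3.Connection, status: str) -> list:
    """Hardened pattern: a bound parameter.  The driver passes the value
    separately from the statement, so quotes in it can never change the
    query's structure ($wpdb->prepare() gives the same guarantee in PHP)."""
    sql = "SELECT post_title FROM wp_posts WHERE post_status = ?"
    return [row[0] for row in conn.execute(sql, (status,))]


def looks_like_injection(value: str) -> bool:
    """Cheap heuristic for triaging request logs: a quote combined with a
    SQL keyword or comment marker.  Useful for spotting probes after the
    fact; it is not a substitute for parameterised queries."""
    lowered = value.lower()
    return "'" in lowered and any(
        token in lowered for token in (" or ", " union ", "--", ";")
    )
```

With a legitimate status such as "publish" both functions return the same single title; with quote-breaking input the unsafe query returns every row while the safe one returns none, which is exactly the difference between a flaw and a fixed flaw in a plugin.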
Many for-profit hackers who use SQL injection to compromise your WordPress website security will replace many of your links with spam links. Others will create a hidden directory on your site for use in phishing attacks. Non-profit hackers, often called script kiddies, will probably just “tag” your site as hacked by replacing the front page with an obscene image.
Years ago I forgot to keep my WordPress website maintenance up to date and got hacked! One day I went to my site and found the homepage hijacked and tagged. Of course I was hosting with Hostgator and they helped me get the site back under control. I learned a valuable lesson and this never happened to me again.
WordPress Website Security Against SQL Injection
The WordPress development team knows their software runs almost half of all active sites on the Internet, so they work very hard to make sure there are no security flaws which allow hackers to inject rogue SQL. However, every once in a while they do find a flaw (or they get WordPress website security reports from people like you that hackers have found a flaw) and they quickly work to fix it. When they have a fix, they release it as a free upgrade to WordPress.
If you don’t install this patch upgrade to WordPress immediately, you’re inviting hackers into your website. That’s because WordPress is completely free and open, so the hackers can download the patch upgrade and see how it fixes the flaw—with that information, they can quickly create an attack that works against unpatched websites.
The best WordPress website hosting companies automatically upgrade their hosted sites so you should always have the latest version of WordPress. But if you occasionally get warnings about outdated software, do your WordPress website security a favor and get a better hosting company which provides free automatic updates.
Even Google sends you a message when your WordPress website is not secure. See the screenshot below.
The High Price Of Cheap Hosting
Website hosting companies keep prices down by hosting dozens or hundreds (or, sometimes, even thousands) of websites on each of their web servers. That’s great for them—they make money—and great for you—it keeps prices down. But it can have one disastrous effect: hacking one site hacks all the websites on the same server.
Imagine you’re very conscientious about your WordPress website security. You do everything right. But then imagine somebody on the same server as you does everything wrong. Or, even worse, imagine a hacker buys a website on the same server as you using a stolen credit card.
With direct access to the machine your website runs on, a hacker can often penetrate security in a few minutes or hours.
At least that used to be the case. High-quality website hosting companies have beefed up their WordPress website security using virtual machines and other tricks which create partitions between websites. These partitions slow down the servers a little bit, costing the company more money, but they greatly increase WordPress website security for customers like you.
Some companies advertise this service, but so few customers understand how it works that many companies don’t bother telling anyone about it. If you want to find out whether your hosting company offers good security, I suggest you search Google for “____ WordPress website security”. (Replace ____ with the name of the hosting company you use or plan to use.)
If you see a lot of complaints, either avoid the company or give them a call to see what they’ve done to fix the problem.
WordPress Website Security In The Cloud
Before you start moving parts of your website into the cloud using services such as Amazon S3, FeedBurner, or Disqus, consider whether these companies will keep your data safe and give it back to you if you change services.
A basic file hosting service such as Amazon S3 should be safe—especially if you set up a DNS alias.
For FeedBurner, consider that your WordPress blog feed is probably the second most important part of your site after your domain name. Hundreds or thousands of people are subscribed to your feed and if your feed goes down or if FeedBurner (Google) decides to start charging a huge rate for your feed, you could need to start your subscriber list all over again.
Again, you can mitigate much of the risk by using a DNS alias for your feed URL address. That way you can always move away from FeedBurner with a little technical know-how and (at most) 48 hours of downtime for the DNS change to propagate.
But customer interface systems such as Disqus may tell you in their terms of service that they own all the comments submitted through them. That means they could one day hold your comments hostage unless you pay them a large fee.
If your site depends on comments, this can be a huge problem. Even if your site doesn’t depend on comments, losing all of your comments all at once because you can’t or won’t pay the fee is basically the same as when a hacker overcomes your WordPress website security and deletes all of your comments using a SQL injection attack.
The only solution here is to read terms of service before you start using a service and consider what you’ll do if that service disappears so you don’t lose any WordPress website security.
The other main solution for your WordPress security is to check out WPpipeline: this amazing tool backs up WordPress sites, clones them, updates them, installs blogs and much, much more.