WordPress is used by many people all over the world because anyone can easily create a website.
Did you know that, while convenient and versatile, it is also vulnerable to hacking?
WordPress has a simple structure that anyone can use, making it easy for malicious hackers to target.
If a website is hacked, files may be tampered with or visitors to your site may be automatically redirected to another site.
Hearing stories like this, many people may wonder, “Isn’t it dangerous to use WordPress?”
However, you can prevent damage before it happens by taking security measures in advance and performing regular maintenance.
Here, we will introduce WordPress security measures that even beginners who are not familiar with the Web can easily carry out.
Why WordPress Security Measures Are Needed
There are two main reasons why WordPress security measures are necessary.
- Easy to be targeted by malicious hackers
- Frequent damage caused by malware embedding
Let’s take a closer look one by one.
Easy to be targeted by malicious hackers
The first reason you need security measures is that WordPress sites are being targeted by hackers around the world.
WordPress has the largest number of users in the world, and its share of the CMS market in 2020 exceeds 60%.
The file structure of WordPress is basically the same for all sites, so a malicious hacker who finds even one flaw can use it against a large number of sites.
In other words, because it is the most popular CMS in the world and every site has the same file structure, it is the most efficient and easiest target to abuse.
What’s more, WordPress is open source, so anyone can read and understand the code, which is another reason why it is easy to target.
You can tell whether a website is made with WordPress from your browser’s developer tools.
For Chrome, press F12 on your keyboard to open the developer tools.
If a folder named “wp-〇〇” appears in the Sources tab of the developer tools, it means that the site was created with WordPress.
Frequent damage caused by malware embedding
Another reason why security measures are needed is that WordPress sites are prone to having malware embedded in them.
Malware is simply a malicious program. Specifically, it can cause the following kinds of damage.
- When someone opens the WordPress site, they are automatically redirected to a fraudulent site (phishing site)
- A large number of images and sentences are inserted until the folder's capacity is filled up
- Text and links are tampered with and information is rewritten
- A backdoor is created through which anyone can break into the site
In some cases, these are causing damage to others without your knowledge.
However, not every WordPress site has malware embedded in it.
If the version of WordPress itself is old or if the plugin has a vulnerability (a structure that is easy for hackers to tamper with from the outside), it can be said that it is vulnerable to attack.
In the past, vulnerabilities were found in plugins such as “Yuzo Related Posts” and “File Manager”, causing a lot of damage.
It’s important to check daily to see if your site has been attacked by malware.
Let’s diagnose the security of your site
You can easily diagnose your site for malware attacks or security vulnerabilities using external services.
Here are two security diagnostic services that even those who are not familiar with WordPress can use easily and for free.
In both cases, you can get the diagnosis result simply by pasting in the URL of your site.
This time, I will cover “WPdoctor”, which explains things in Japanese in an easy-to-understand manner.
First, on the WordPress Doctor Security Scanner page of WPdoctor, enter the URL of your site.
After waiting for about 1 to 5 minutes, the diagnosis result report will appear.
You can enhance the security of WordPress by addressing the items pointed out in the report.
If it is difficult to deal with it on your own, you can directly contact WPdoctor for consultation or request for security measures.
If you haven’t checked your security measures yet, start by running a diagnosis with WPdoctor.
How to enhance WordPress security
In order to prevent your WordPress site from being damaged, it is important to take security measures in advance.
By configuring things properly up front, you can avoid having to deal with damage later.
You can also keep your security up-to-date on a regular basis.
The following five security measures are introduced here.
- Get regular backups
- Update software, plugins and themes
- Restrict access with server-side settings
- Strengthen login screen authentication
- Remove unnecessary plugins
If your site is damaged by malware, your search ranking may drop and recovery may be expensive.
In the worst case, personal information may be leaked, which may lead to a big problem.
We will explain detailed countermeasures one by one, so be sure to check them.
Get regular backups
First of all, it is important to back up WordPress regularly.
By making a backup, you can easily restore the previous state even if you are attacked.
However, it is difficult to back up every day, and many people may not know when they backed up or inadvertently forget to back it up.
Therefore, I would like to introduce a plug-in that backs up automatically.
Among the many plugins, “UpdraftPlus” is recommended for beginners.
We recommend it for the following three reasons.
- Easy to set up automatic backup
- You can restore the backup with one click
- Flexible change of backup settings
The backup work itself can be done in about 3 minutes even for beginners by following the procedure below.
- Step 1: Download and activate the plugin “UpdraftPlus”
- Step 2: Click “UpdraftPlus Backups” from the settings
- Step 3: Click “Backup Now” in UpdraftPlus Backups
If you make a backup here, you can easily restore your files even if they are tampered with.
If you created a site with WordPress, be sure to configure backups.
Update software, plugins and themes
WordPress itself is being updated every day to enhance security.
You need to apply WordPress updates yourself.
Also, don’t forget to update the following at the same time as WordPress.
- PHP version
- WordPress theme
When an update occurs, a notification will be displayed on the WordPress administration screen as shown below.
Be sure to keep anything that needs to be updated up to date.
Restrict access with server-side settings
To further enhance security, we recommend that you take measures not only in WordPress but also on the server side.
Check the settings of the following items, which are provided on basically every server.
- Unique SSL settings
- IP access restrictions
- Directory access restrictions
- WordPress security
By setting these, you can block malicious access from both inside and outside the country.
Once these settings are done, there is no need to modify them later.
If you haven’t done it yet, set them up now.
Strengthen login screen authentication (image authentication, two-step verification, URL change, etc.)
The most vulnerable part of WordPress is the login screen.
This is because, by default, every WordPress site uses the same URL structure for the login screen.
You can reach the login screen of a WordPress site by adding “/wp-admin” or “/wp-login.php” to its address, as in http(s)://○○○.com/wp-admin/.
In other words, a malicious hacker can easily reach the WordPress login screen and try to break in by entering passwords in a brute-force attack.
In the unlikely event that the ID and password match and allow intrusion, damage such as falsification of files and extraction of information will occur.
We recommend that you take the following security measures to prevent such damage.
- Image authentication
- Two-step verification
- Change login screen URL
These can be easily set by installing the following plugin.
With just “SiteGuard WP Plugin”, you can change the login screen URL of WordPress and perform two-step verification of login.
SiteGuard WP Plugin is one of the plugins that beginners should definitely install because it is easy to set up.
Remove unnecessary plugins
The plugin itself is also one of the vulnerable elements of WordPress.
Because plugins are easy for anyone to handle, highly extensible and convenient, I think that many people have installed many of them in their WordPress.
If a vulnerability is found in a program included in a plug-in, a hacker can break in through it and embed a malicious program.
Installing plugins carelessly increases the risk of being hacked.
In addition, the design of the site may be corrupted, or the site may not work properly, due to interference between multiple plugins.
As much as possible, remove plugins that you use infrequently or do not really need.
Security measures that can be done with ConoHa WING
Among the many rental servers, ConoHa WING is characterized by its simple security measures and easy handling even for beginners.
In ConoHa WING, all security settings can be set from the “Site Management > Site Security” item.
For basic operations, simply select the item for which you want to take security measures, select “ON / OFF” with a single click, or paste the IP address.