35% of websites around the world are made with WordPress.
Thanks to its easy-to-use management screen and the high degree of freedom offered by its many plugins and themes, it is used by many people in Japan, such as bloggers and publishers.
Precisely because it is so widely used, however, WordPress is an easy target for malicious hackers, and its security can be a source of worry.
In this article, I will therefore explain the WordPress security measures you should take.
- 1 Need for WordPress security measures
- 2 WordPress security measures
- 3 WordPress security diagnostics
- 4 How to enhance WordPress
- 5 Recommended plugins
Need for WordPress security measures
From here, I will explain why WordPress needs security measures.
First of all, it is easy to assume that “WordPress is weak in security”, but in reality there is no particular problem with the security of WordPress itself.
The reason this misunderstanding arises is that WordPress is used by so many people around the world that it is an easy target for malicious hackers. That is also why WordPress is updated so frequently.
In addition, since even beginners can install it easily, problems such as not setting a strong password, or logging in with credentials that a third party can easily guess, can lead to accounts being hijacked.
As a result, it is not uncommon for important information to be stolen or website data to be tampered with after a WordPress account is hijacked.
So when using WordPress, you need to think carefully about security measures.
WordPress security measures
Now that we know WordPress needs security measures, let’s look at them concretely. I will also introduce why WordPress is targeted and what kinds of hacking methods exist.
Why WordPress is targeted
This is partly because it is used by so many people around the world, but the login URL and management screen URL are usually fixed and easy to identify, and the fact that it is open source software is also a major factor. For a hacker, a URL that is easy to identify makes WordPress an easy target.
What is open source? Software whose source code (the text written in a programming language) is published free of charge so that anyone can freely improve and redistribute it.
The advantage of being open source is that many individuals and companies can actively cooperate in developing the software. On the other hand, since a lot of information about the system is public, it is also exposed to malicious people, and there is a risk that vulnerabilities can be exploited more easily. That is the downside.
Attacks / threats to WordPress
What exactly does a hacker attacking WordPress do?
I will introduce some of the hacking methods in use and the countermeasures available.
A hacking technique that inserts malicious code into older versions of WordPress.
Sites that neglect to upgrade are often the victims of this attack. Update as soon as a new version is released.
[Brute force attack]
A hacking method in which the attacker breaks into a site illegitimately by using a tool that repeatedly and automatically attempts to log in, exploiting a weak password.
Be careful if you have set a simple password such as “aaabbb” or “123456”. We recommend keeping your password reasonably complex: simply mixing letters, numbers and symbols significantly reduces the chance of damage.
[Cross-site scripting (XSS)]
This is a hacking method that exploits a vulnerability in a website (the target site), namely an XSS vulnerability.
Specifically, in the case of WordPress, a malicious program is often mixed into a plugin. Be very careful when adding plugins of unknown origin to your site.
WordPress security diagnostics
Here is how to run a security diagnosis on your WordPress site.
The following service lets you perform a security diagnosis most easily.
It is provided by the security company Sucuri, and you can run a diagnosis just by entering a URL.
The site’s risk rating is displayed on a 5-level scale from Minimal to Critical, and malware and blacklist status are also displayed as a list.
Anyone can run a diagnosis immediately, so we recommend trying it first.
This service is a WordPress security diagnosis operated by a Japanese company.
Its database seems to be updated regularly, so it is reassuring to use.
A diagnosis can be run from the site here too, but this company also provides a plugin that performs security diagnosis, and using the plugin allows a more detailed diagnosis.
How to enhance WordPress
Here are some ways to harden WordPress.
Countermeasures for each hacking method were mentioned briefly under “Attacks / threats to WordPress”; here I will explain how to strengthen WordPress security in more detail.
Strengthening of user name and password on the management screen
First of all, the basic point is “strengthening the user name and password of the management screen”.
Depending on the theme, the user name may be displayed publicly on the blog, so you might think it does not need to be complicated; but if the password becomes known together with the user name, an attacker can log in at that point. Passwords must therefore be treated strictly.
It goes without saying that passwords that brute-force programs break easily, such as “aaabbb” and “123456”, are useless, but an even more common problem is password reuse. This is very dangerous because if one password leaks, every service that uses the same password is likely to be compromised.
Also avoid putting easily guessed numbers such as your year of birth or birthday in the password. Create it from a string that is hard for a third party to imagine.
In addition to making the password complex by mixing letters, numbers and symbols, we recommend changing it regularly, about once a month. If you keep up these two habits, you can significantly reduce the risk of being hacked.
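The advice above can be turned into a checker that a site owner runs before setting a new administrator password. The following Python code is an added example, not from the article: it rejects the article’s weak examples (“aaabbb”, “123456”), passwords that do not mix character classes, runs of repeated characters, keyboard-style sequences and four-digit years. The denylist and the 12-character minimum are assumptions of this example; a real deployment would check against a large breached-password list.

```python
import re

# Constructed denylist: the weak examples quoted in the article plus a few classics.
# Assumption of this example; a real check would consult a large breached-password list.
COMMON_PASSWORDS = {"aaabbb", "123456", "password", "qwerty", "admin", "wordpress"}

def has_sequence(pw, length=4):
    """True if `pw` contains `length` consecutive characters that step by exactly +1
    or -1 in code-point order, which catches 1234, 4321, abcd, ZYXW and so on."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - length + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + length - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False

def password_issues(pw, min_len=12):
    """Return the reasons `pw` fails the article's advice; an empty list means it passes."""
    issues = []
    if len(pw) < min_len:
        issues.append(f"shorter than {min_len} characters")
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("is a well-known weak password")
    classes = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
               "digit": r"\d", "symbol": r"[^A-Za-z0-9]"}
    missing = [name for name, pat in classes.items() if not re.search(pat, pw)]
    if len(missing) > 1:   # require at least three of the four classes
        issues.append("mixes too few character classes (missing: " + ", ".join(missing) + ")")
    if re.search(r"(.)\1\1", pw):
        issues.append("repeats one character three or more times in a row")
    if re.search(r"(?:19|20)\d{2}", pw):   # 1900-2099 is almost always a birth year or date
        issues.append("contains a four-digit year")
    if has_sequence(pw):
        issues.append("contains a keyboard-style sequence such as 1234 or abcd")
    return issues
```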
Update the program
It is also dangerous to keep running an old version of WordPress.
When the latest version comes out, update as soon as possible.
Note that older versions are more susceptible to hacking, and in the unlikely event of an incident the version you run will greatly affect what support you can receive.
Remove unnecessary plugins
We also recommend removing plugins you no longer use.
If you have been running a website for a long time, you probably have one or two plugins that you tried once in the past but are not using at all.
If a plugin that is left unmanaged is updated automatically, unexpected programs may be included, and if they are malicious this can lead to hacking damage.
Removing plugins also frees up space on your website, so it is worth removing unnecessary ones.
Whether paid or free, if the plugin provider does not release updates to address vulnerabilities, the plugin can become a security hole. It is a good idea to remove plugins you do not need.
Enhanced security with plugins
In the “WordPress security diagnostics” section, we introduced plugins that can perform a security diagnosis, but there are also plugins that strengthen security itself.
Plugins are a security enhancement that can be introduced simply by activating them, but some plugins disguise malicious programs as security enhancements, so check a plugin’s reputation before using it.
In the next “Recommended plugins” section, we will introduce plugins that can enhance security.
WordPress has a wealth of plugins, and some of them are made for security measures.
For example, a plugin called “SiteGuard WP Plugin” lets you configure several security settings. Because all of its setting items are in Japanese, it is also easy to use.
The WordPress login screen is usually at “https://domain/wp-admin”, so anyone can reach it just by adding “wp-admin” after the site URL.
With this plugin, however, you can freely customize the URL of the login screen, which helps prevent unauthorized login attempts by hackers and the like.
It also has a function to enable image authentication, which helps prevent unauthorized access by robots and unnatural mass login attempts.
The plugin introduced here is just one example; there are many other security plugins, so it is worth checking them out.
SiteGuard WP Plugin