Top 10 WordPress Security Myths for 2019

black background with black hooded & shadowed person holding crystal ball
CMS and WordPress / Security

TLDR;

WordPress enjoys a growing community of worldwide users and being the number 1 Content Management Platform powering the web places a large target on its back for attacks. Understandably, you’ll find a lot of WordPress security advice floating around from people that genuinely want to help. This has led to many myths that don’t actually add and additional security to your WP website. It’s quite possible that some of these security “tips” may leave your site more vulnerable, or create issues and conflicts.

In this post, we’ll be busting some of the most popular WordPress security myths. Take the time to read them all and leave your thoughts in the comments.

Myth 1: WordPress Is The Problem

We hear this statement all the time. This may be the most damaging WordPress security myth in circulation. WordPress is the most popular content management system in the world and it didn’t get that way by being insecure and not taking security seriously.

WordPress comprises of three key codebases. WordPress Core, Plugins and lastly themes. The Core is developed and maintained by a group of highly-proficient PHP and WordPress developers. This Core WordPress team is responsible for addressing any security-related issues. According to CodeinWP, the Core team releases a significant update every 152 days on average. These updates include precautionary measures to help protect against malicious attacks.

By comparison, your WordPress site is more likely to be compromised through an insecure plugin or theme. Statistics show that 54% of security-related flaws and vulnerabilities are found in plugins, while 14.3% are accounted for in themes. Choosing well known and proven plugins and themes will help guard against this.

Myth 2: Regular Updates Will Keep Your Site Completely Safe

Don’t get us wrong, applying security updates on a constant basis is necessary to the security of your WordPress site. Yet, it doesn’t guarantee complete protection.

The truth is that WordPress contains over 37,000 plugins in the repository. More than 17,300 of these plugins have not been updated since 2015! Many plugins are abandoned by their developers, while remaining available for install in your WordPress site.

Beyond increasing your WordPress security vulnerabilities, installing unmaintained plugins could contain deprecated features, slowing your site load time or worse, breaking your site.

Always remove outdated and unused plugins from the plugins folder regularly.

Myth 3: Backups Will Fix Your Site

This is one of the most commonly used solutions to fix a site that has been compromised. This solution is flawed in it’s thinking.

While having a “full” backup of your site allows you to quickly restore your site to a clean state, and minimizing the outward damage your visitors see. What it doesn’t accomplish is solving the “how” your site was compromised.

Backups cannot be a replacement for a complete and through site cleanup following a successful hack. You will loose the data and transactions that happened after your last backup. It is better to be proactive in applying patches to actual code flaws before an attack is successful.

Myth 4: “Hide Backend” Will Stop Brute Force Attacks

“You should hide your wp-admin or /wp-login.php URL”. This statement comes from the thinking that hackers can’t hack what they can’t find. If you’re not using standard WordPress URL’s, aren’t you protected from brute force attacks?

Simply put, security through obscurity is not a bullet-proof security strategy. While hiding your backend wp-admin URL can help mitigate basic attacks on your login, the reality is that any hacker who has the tools to try to break into your site will most likely and easily find where your login page is hiding. It’s just not a very effective layer of security and may be more trouble than it’s worth.

Customizing the login URL and wp-admin folder is known to cause conflicts. There are many plugins, themes and third party apps that hard code the wp-login.php and wp-admin folder into their code base. When a hardcoded piece of software is looking for yoursite.com/wp-login.php, it finds an error instead.

Currently, the majority of attacks don’t take place on the login page you spent time protecting. Instead, they attempt to log in via XMLRPC or the REST API, which is how other applications log in to communicate with your site.

Myth 5: Changing the WordPress Table Prefix Improves Security

A popular recommendation is that changing the prefix of the WP database tables would help prevent the occurrence of SQL injection attacks on your website. If only it were as simple as changing the prefix from the default “wp_” to some other value.

The bottom line is that there is no reason or proof that changing the database table prefixes will do anything to improve the security of your site, and doing so may actually put your entire site at risk if it isn’t executed perfectly the first time. Actions like this are considered “security theatre” – they make your feel like your doing a lot to improve security, while accomplishing very little.

If you really want to protect against SQL injection attacks, you need a three-pronged approach. This includes using a powerful Web Application Firewall, monitoring your site continually against malware and keeping your website’s core, plugins and themes patched and up to date.

Myth 6: Hide Your Theme Name and WordPress Version Number

The idea behind hiding your theme name and WP version is that if a malicious visitor has this information they will have the blueprint to break into your site.

The issue with this myth is that there isn’t an actual guy behind a keyboard looking for these holes to attack in WordPress sites. Maybe we can blame Hollywood’s hacker portrayals for this. What is actually happening is, there are mindless bots that scour the internet looking for known vulnerabilities in the actual code running on your website, so hiding your theme name and WP version does not protect you.

Instead keep your WordPress software up to date and ensure you have the latest security patches installed in your plugins, themes and server software.

Myth 7: Rename Your “wp-content” Directory

It’s understandable why people want to be proactive in securing this folder. The wp-content folder contains your themes, plugins and media uploads. That’s a ton of good stuff all in one place.

Unfortunately, like the other myths, changing the wp-content name won’t add any extra security. Seriously, it won’t. A quick view source and we can easily find the name of your changed wp-content folder.

What changing the name of the wp-content folder will most likely do is cause conflicts for plugins and themes that have hardcoded the /wp-content/ folder path.

Take the time to stay up to date on vulnerabilities that may be present in the plugins and themes your are using. Updating or removing these files is your best protection.

Myth 8: My Site Has an SSL Certificate

Do you know why this is our eighth myth? The security that an SSL certificate provides your website is purely transactional: it protects and encrypts the information being passed between your site and your visitors, example, the personal and credit card information when completing a purchase on your site. It does not protect the files and data housed on the site itself. Without a Web Application Firewall, up-to-date plugins and software and other endpoint security measures, your website remains completely open to hackers and malicious attacks that once they succeed, could put your customer data stored on your site at risk.

Myth 9: My Site Uses a CDN or Cloud-based Firewall

Content delivery networks (CDNs) and cloud firewall providers like Cloudflare and GoDaddy/Sucuri can offer your site protection by rerouting traffic to their servers, filtering the traffic based on their firewall rules and if the traffic passes those rules, forwarding it to your site. The expectation is that this routing will hide your website’s actual server origin.

The reality is, keeping your site’s originating IP address a secret is extremely difficult, if not altogether impossible. This has been a well-documented problem with cloud firewall solutions, the bottom line is that endpoint security is a much more robust and reliable approach to website security. Protecting your data where it originates is the best front-line defense against potential attacks.

Myth 10: My Site Isn’t Big Enough to Get Attention From Hackers

This is one of our favorite myths. We equate this myth to the same as, “Our store isn’t large enough to be broken into.” Because of this myth, a lot of sites are left vulnerable. No matter what size your site is, or the amount of traffic, we can’t stress enough that you need to be proactive in securing your website.

According to a 2014 study, 60% of all online website attacks were small and midsize businesses. The reality: another study found that 60% of small businesses that suffer a malicious attack close down within the year. They just don’t have the resources or plans to quickly bounce back from the attack.

Your insecure site is a hackers utopia to destroy your brand and business as you try to build it, redirect your visitors to malicious sites, send out spam from your mail-server, spread viruses, mine Bitcoin, and show ads. Your site may be small, but the money adds up for these users as they take advantage of hundreds of sites at a time.

Fix this by taking active measures to protect your website. Keep your WordPress Core, themes, plugins updated. Install a trusted WordPress security plugin. use quality WordPress hosting and activate WordPress two-factor authentication.

Conclusion

After reading these myths your may be feeling that maintaining and optimizing the security of your website is a daunting and complicated task. With all of the information available, determining what will really work and what is simply “security theatre” can be extremely difficult, that is where My Brother Darryl comes in. While no website can be deemed 100% hacker safe, we follow the right security practices to reduce the vulnerability of your site, providing you a lot of peace of mind knowing that we’re making it as hard as possible for anyone to get through your website’s well-maintained defenses.