Did you know that 43.1% of websites on the Internet run on WordPress, according to W3Techs? Most WordPress websites run on Linux servers, which makes them prime targets for hackers—these servers experience approximately 90,000 attacks each minute!
As the owner or admin of a WordPress website, security should always be your top priority. You must monitor vulnerabilities within WordPress and third-party plugins for potential vulnerabilities and exploits that could result in website defacement, malware infections, data breaches, downtime, and other damaging repercussions.
Luckily, there are proven strategies for securing your WordPress website, which we'll discuss here.
Why Is WordPress Security Critically Important?
Maintaining the security of a WordPress site is paramount, whether for personal or professional use. 
Unfortunately, many beginners overlook security when setting up new WordPress sites, which can prove costly in terms of reputation damage and lost business revenue.
WordPress security risks are on the rise mainly because it's so popular, making it a prime target for cybercriminals. Many sites rely on a lot of third-party plugins for added features, but if these plugins aren't updated regularly or properly vetted, they can introduce vulnerabilities. Many WordPress sites are running outdated plugins that haven't been patched in years. Even when patches are available, not everyone updates right away. The enormous variety of themes and plugins, all created by different developers, adds to the difficulty in maintaining robust security across the entire WordPress ecosystem.
Worse yet is the persistent ransomware threat to WordPress sites. Hackers can gain entry to vulnerable WordPress sites and lock up all files before demanding payment to unlock them. Worse yet, sometimes these attackers can’t even unlock these files themselves, leaving you with financial damage and a broken site!
Below, we will examine some common WordPress vulnerabilities and security threats that admins face.
What Are Common WordPress Vulnerabilities?
To protect your WordPress site from persistent and emerging attacks, you must first understand some common vulnerabilities that hackers exploit. The following are the most prevalent and problematic WordPress vulnerabilities that may lurk within a typical WordPress installation.
Outdated Software
The most common vulnerability you'll find in WordPress websites is outdated software. This may include the use of an outdated WordPress version, as well as the use of outdated plugins inside the CMS. You need to update a WordPress installation and its plugins to ensure your site is secure from software flaws that newer versions don't have. Worse still, many of those flaws become common knowledge to hackers once developers issue a software update, placing outdated sites at even greater risk. Despite the risk, over 21% of known WordPress websites still use older, unsupported versions of the CMS.
Vulnerable Plugins & Themes
Vulnerable WordPress plugins can be a real headache and danger for users because they open the door to various security problems. Imagine these plugins like unlocked windows in your house—hackers can easily slip through to wreak havoc. They might install other dodgy plugins without you knowing or even mess with your website’s code to do harmful things like steal data. It's essential to monitor your plugins and ensure they're updated to the latest, safest versions. Otherwise, you're leaving your site vulnerable to an array of attacks.
A recent critical vulnerability in the Hunk Companion plugin (tracked as CVE-2024-11972) demonstrates the risk of vulnerable WordPress plugins. This flaw, found by WPScan, is being actively exploited to install vulnerable plugins, creating significant security risks. This flaw, which affects all versions of Hunk Companion before 1.9.0 and has a CVSS score of 9.8, enables attackers to exploit Remote Code Execution (RCE), SQL Injection, Cross-Site Scripting (XSS), and other malicious activities by installing or reactivating compromised or outdated plugins. Despite the availability of the fix, only 11.6% of users have upgraded, leaving approximately 8,800 sites still at risk.
Another critical vulnerability was recently found in the popular WordPress security plugin Really Simple Securit, which has put over four million websites at risk. This bug allows attackers to log in as any user, including admins, without needing a password, thereby gaining full access to the site's permissions. The ease of exploitation and potential for severe consequences, such as malware injection, unauthorized content changes, and attacks on visitors, have earned this vulnerability a CVSS score of 9.8 out of 10.
Just recently, some big security holes were found in the Woffice WordPress theme, used on thousands of websites. These issues could let bad actors take control of your site by registering with admin privileges or logging in as any user - including you!
Weak Passwords
Weak passwords are also a persistent vulnerability for WordPress websites. Hackers exploit weak passwords by targeting administrator accounts that can grant them complete control of a WordPress site. From there, nothing stops them from wreaking havoc and making whatever changes they wish.
Shared Hosting
Although shared hosting is popular for WordPress website owners, it has significant security vulnerabilities. If an attacker manages to execute a privilege escalation attack on the underlying server, they gain unfettered access to every WordPress website it hosts, too.
Lack of Server Hardening
Another common vulnerability present in WordPress websites is a lack of server hardening. The default installation of the WordPress CMS leaves various features turned on for the convenience of the site's owner. However, some of those features, such as the built-in file editor, the hotlinking function, PHP execution, and directory browsing, can be powerful weapons in the hands of an attacker. Using those functions, an attacker could execute malicious code, conduct a cross-site scripting attack, or enable a denial-of-service attack.
Incorrect File Permissions
Misconfigured file permissions are another common vulnerability found in WordPress websites. Generally speaking, the underlying wp-content and wp-admin folders that house most of a WordPress site's files should have restricted file permissions, including a restriction on who can write to them. However, plenty of novice admins change those default permissions while trying to troubleshoot configuration issues and fail to change them back, creating a major vulnerability.
Essential WordPress Security Tips & Best Practices for Linux Users
To combat the vulnerabilities discussed above, owners and operators of WordPress Websites must follow established WordPress security best practices to the letter. Here's what they are and some other tips on keeping WordPress sites secure.
Keep Software & Plugins Updated
The most important way to keep a WordPress website secure is to update the CMS to the latest version and enable auto-updates for the future. Plus, it's equally important to keep all installed plugins up to date, too. This means checking with plugin developers regularly or installing software that can check for new plugin versions and make the necessary updates for you. Keeping WordPress plugins up-to-date will protect against bugs like the previously mentioned CVE-2024-11972 and the recently identified critical flaw in the Really Simple Security WordPress plugin. Admins must monitor security advisories vigilantly and apply the latest WordPress software and plugin patches as soon as they are released.
Be Wary of the Software Packages You Install
WordPress users should be vigilant about the software packages they install, preferably sticking to direct downloads from verified sources. A recent sophisticated yearlong supply-chain attack reported by security firms Checkmarx and Datadog demonstrates the importance of this WordPress security best practice.
The attack involves malicious actors distributing Trojanized versions of open-source software, specifically through the NPM repository and GitHub, to infect devices. One such package, @0xengine/xmlrpc, masquerades as a legitimate JavaScript implementation but contains a backdoor that activates malicious code, resulting in attackers stealing credentials and other sensitive information, including SSH private keys and AWS access keys. A second package, yawpp, indirectly installs this malware by requiring @0xengine/xmlrpc as a dependency. This malware campaign has resulted in approximately 390,000 stolen WordPress credentials and has persisted due to its subtlety and strategic updates.
Install & Configure a Firewall
Installing a firewall is another excellent way to keep a WordPress website secure. WordPress-specific firewall software can monitor incoming and outgoing data for signs of malicious activity. Plus, many can halt DDoS attacks in progress and block vulnerability scans that alert hackers to exploitable site vulnerabilities.
We recommend focusing on WordPress plugins to keep the process of adding a firewall as simple as possible. Using add-ons will be the most straightforward option.
WordPress Firewall Rules to adhere to when configuring your firewall can be found here.
Scan for Malware & Security Threats
It's also good to perform periodic scans of your WordPress website to detect any malware or security threats that may have slipped by your site's defenses. Various tools can scan WordPress sites for such things, and many of the best ones are totally free, too.
WPScan is an invaluable tool for Linux administrators looking to protect their WordPress sites from malware and other persistent threats. By scanning for malware and security risks, WPScan allows admins to identify issues such as outdated plugins, vulnerable themes, and weak passwords that need fixing. Installation is quick and painless, and its vulnerability database updates regularly to protect against new threats, making life simpler for administrators who want to maintain secure, healthy websites.
Secure WordPress Usernames & Passwords
Defining and enforcing a secure password policy is another best practice for securing a WordPress website. At a minimum, the policy should insist on passwords of at least 20 characters, which include letters, numbers, symbols, and a mix of capital and lowercase letters. Installing a two-factor security plugin that adds a time-limited one-time password to every login into the WordPress front-end or back-end is also advisable.
Set Up Off-Site Backups
Maintaining complete and current offsite backups of a WordPress website is a critical bulwark against malware intrusions and ransomware attacks. Having multiple backup versions of a WordPress website spanning a reasonable amount of time is important. This allows you to restore a version of your WordPress website before malware or ransomware infiltration. Plus, having the backup copies offsite eliminates any chance that a successful server-side attack will compromise them, too.
Limit Login Attempts
Limiting login attempts is another best practice for guarding a WordPress website against brute-force password attacks. To do it, you can configure your website to lock a user account after a reasonable number of login attempts. You can also set it to ban connections from the IP address associated with the failed login attempts. While these measures alone won't stop a hacker in their tracks, they will significantly slow their efforts to harm your site.
Use HTTPS for Encrypting Data
Switching your WordPress site over to HTTPS is vital for security and trust. HTTPS protects information by encrypting data sent between visitors, making it hard for hackers to intercept and read personal details like passwords or sensitive financial data. In addition, it ensures users communicate directly with your authentic website, protecting against man-in-the-middle attacks. Plus, search engines prefer sites using HTTPS, as they won't appear as "Not Secure" in browsers - improving both search rankings and trust among visitors.
To enable HTTPS on your site, purchase and install an SSL certificate from your hosting provider. Afterward, modify WordPress settings so your URL includes https:// rather than http://. Additionally, force all traffic through HTTPS while simultaneously addressing mixed content issues with plugins like Really Simple SSL for enhanced peace of mind for both visitors and you alike.
Secure File Permissions & Ownership
As previously mentioned, it's important to set the proper file permissions and ownership for the files associated with a WordPress website. Most WordPress folders should be 755, and most individual files should be 644. Of course, there are always exceptions to those generalities, so it's important to follow all relevant WordPress and plugin documentation and to check trustworthy guides on the subject.
Use an Uptime Monitor
Uptime monitors can be a useful security tool because they can alert you to a problem with your WordPress site as soon as it happens. When there's any possibility of a malicious intrusion, every second counts. An uptime monitor could warn to block an attack in progress or at least blunt its damage.
Add ReCAPTCHA in WordPress Login
In addition to the aforementioned two-factor authentication, it's also advisable to add ReCAPTCHA functionality to your WordPress site's login pages and user forms. Various plugins make this easy, and installing one can safeguard your site against botnets, spam, and attacks from sketchy shared IP addresses.
Conduct Security Audits & Penetration Testing
Since no WordPress security scheme will ever be perfect, conducting regular security audits is an excellent way to ensure your site complies with the previously covered security best practices. It is also good to perform penetration testing to ensure your security measures work as intended.
Implement Robust Monitoring & Logging Practices
Finally, every WordPress website should include robust monitoring and logging. The logs generated by the WordPress installation and any plugins can be treasure troves of useful data. For example, your site logs may reveal intrusion attempts by hackers and even clue you into specific vulnerabilities they may be looking to exploit. Various plugins will aggregate your logs into a single interface and even send you alerts based on predefined preferences.
Our Final Thoughts on Improving WordPress Security on Linux Webservers
At the end of the day, WordPress, running on one Linux variant or another, is and will continue to be the backbone of the Internet. However, it's incumbent upon every WordPress website owner to do their part to keep their sites safe from exploitation. With knowledge of the most common vulnerabilities and the best practices to mitigate them, securing your WordPress site is easier than you think! With a bit of effort and vigilance, running a secure WordPress website is well within reach of even a beginner web admin.
Have additional questions? Reach out to us @lnxsec - we’re here to help!
