Website security: Spot 8 hidden risks
Your website is your best sales and marketing asset — and a huge target. As technology advances, so do the tactics employed by hackers and bots. Relying solely on basic security measures like strong passwords and SSL certificates isn’t sufficient anymore. There are countless vulnerabilities behind the scenes that require thoughtful architecture, proactive investigation, and swift intervention when issues are discovered.
The degree to which your website is secured can vary greatly depending on who’s building, hosting, and maintaining it. Core security risks often start during the initial build, and without frequent technical reviews and security scans, the number of vulnerabilities can quickly multiply.
Some web agencies, not all, conduct regular security scans to identify and solve potential website vulnerabilities. In this age of ever-evolving security trends, vulnerabilities, and best practices, it’s never been more important for B2B marketing teams to understand how your website was built and how it’s being secured.
No, you don’t need to study coding languages or learn how to find malicious scripts. But you should have a basic understanding of website security best practices and common vulnerabilities so that you can ask your developers or web agency the right questions and gain peace of mind that your most valuable digital asset is secure.
In this article, we’ll review the basics of WordPress security and eight security vulnerabilities to watch out for on your website.
WordPress websites aren’t secure. Fact or fiction?
You’ve probably heard the common misconception that WordPress websites aren’t secure. Here’s the thing: WordPress is backed by more than 50 industry-leading WordPress security experts who are constantly improving the security of the platform. But as with any technology, there are certain limitations.
As an open-source platform, WordPress has to strike the balance between strict controls and a flexible developer experience. WordPress provides an excellent foundation for a secure website, but developers must actively participate in fortifying the layers of defense. The security of your WordPress website comes down to how it’s built and integrated with WordPress. For example, an experienced agency will only use tried and tested plugins. They will look at the number of downloads, frequency of updates, and more. An inexperienced agency may overly rely on plugins for basic functionality or use unsupported plugins that open the door to security issues down the road.
Whether they are building or maintaining your website, experienced developers focus on proactively identifying vulnerabilities that WordPress can’t address on its own. One of the most efficient ways to do this is with security scans.
What is a website security scan?
Website security scans are automated tests that look for known vulnerabilities in your WordPress instance and website. Unlike penetration tests, which find vulnerabilities and launch authorized attacks, security scans find issues and report back. Think of website security scans like someone walking up to a front door, checking if it’s unlocked, then turning around and reporting it. Penetration tests are like someone walking up to the front door, checking if it’s unlocked, and then walking right on in.
Our developers are regularly conducting website security scans of our client websites.
In our experience, we’ve noticed trends in overlooked vulnerabilities. Left unaddressed, these common security risks can leave your website and sensitive information vulnerable to attack.
8 website security risks to watch for
Missing website security headers
Security headers are like instructions (sent by the server to the browser) about how to handle and implement security policies. WordPress doesn’t automatically include all security headers so they have to be manually set up on the server side (typically by a developer). There are different types of security headers, but ultimately, they define how a web browser should handle certain aspects of security, such as content loading or communication with third-party sources (e.g. APIs, iFrames, images, and videos). Properly implemented website security headers will help protect your site against common security threats such as XSS attacks, data injection exploits, clickjacking, etc.
User enumeration is the process of attempting to discover valid usernames, accounts, or logins. In the web world, attackers try to find any information they can about the users that are a part of the WordPress install. Finding this user information is quite simple if the Rest API is still enabled (WordPress default).
The Rest API allows anyone to search for and find a specific URL that lists the nicknames, posts, profile images, and emails related to a person. This data dump makes it easier for hackers or bots to cobble together login information and try to force their way into your site.
To protect against this attempt at website lock-picking, the Rest API should be disabled for anyone not logged into your WordPress instance. This abstracts as much information as possible and helps prevent attackers from gaining access to user information if they aren’t already logged into WordPress.
Direct file access
By default, most non-managed servers permit users to browse the folder structure of your website. This can be dangerous as it makes it easy for hackers or bots to gain access to sensitive files like:
- wp-config — contains your database credentials
- .htaccess — contains the configuration of server settings
- wp-login — the login page, a common target for brute-force attacks
- /wp-admin & /wp-includes — contains core WordPress files
Some hosting providers (e.g. Cloudways) automatically disable direct file access, but it’s not a given for all providers. Regardless of where your website is hosted, it’s important to know if your website has blocked direct access or not.
There is one exception where file access is typically deemed okay: robots.txt. This is the file that tells all search engine bots which parts of your site should be crawled. If you block direct access to robots.txt, you limit the search engine’s ability to find and index your site. This item is frequently flagged by security scans to bring to your attention, but we don’t recommend you block access.
Default WordPress login path
The default login path for a WordPress install is yourwebsite.com/wp-login. With this standard URL, anybody can access the login page and try to brute force their way in. For an added layer of security, you can change the login page URL. Alternatively, you can set up a secret URL that sets a cookie and redirects the user back to the WordPress login. The cookie from the secret URL is required to authenticate the user and log in to the WordPress instance.
There are countless plugins (WordPress or other) you could add to your website to add or enhance functionality. Unfortunately, each plugin increases the attack surface of your website. If plugins are reputable and regularly updated, they may not weaken your defenses. But many plugins, especially older ones, don’t have regular bug fixes or code base updates. These can create larger security holes that are tricky to fix, especially over the long term.
Security scans will flag plugins of concern. Once identified, you may choose to hardcode the plugin’s functionality directly into your site or replace the plugin with a more secure and reliable option. We always recommend limiting the number of plugins from the start — not just for security reasons, but to keep your website performant (lots of plugins can bloat your website).
Any input on your website poses a security risk, and post comments are no exception. Instead of posting useful, relevant comments, malicious users can comment with a script that tells your website to perform a specific action that you don’t want it to do (e.g. make an unauthorized purchase or manipulate or leak data).
There are WP filters designed to catch script comments, but it’s always possible for them to slip through the cracks, especially when new coding languages are being developed all the time. Since most B2B software companies aren’t likely to get much engagement through post comments anyway, we recommend disabling the comments. It’s better for optics, and better for security.
Vulnerable third-party forms and tracking scripts
Third-party forms and tracking elements often process user input and collect sensitive data, which makes them a target. While third-party services like Gravity Forms and Google Tag Manager have their own validation measures, it’s still important to take certain proactive security measures. Here are a few best practices to keep your forms and scripts secure:
- Use HTTPS to ensure secure data transmission
- Validate user inputs and sanitize outputs to prevent malicious data injection
- Implement a Content Security Policy to restrict unauthorized script execution and ensure safe browsing experiences
- Verify that all script sources are trustworthy
- Minimize third-party script usage
- Implement a firewall to protect against unauthorized access
Build better. Fix less.
The common security issues outlined above barely scratch the surface. Websites are becoming more sophisticated and complex every day, and the number of potential vulnerabilities is growing. Regular security scans, completed by cybersecurity experts, are an important part of your website security process and can help you identify risks before damage is caused.
Beyond completing regular security scans, our advice is to build, not fix. A website riddled with security issues can be improved, but it’s far better to implement security best practices from the start. Your website is your most powerful and efficient sales and marketing asset. Don’t leave it at risk.