WordPress Security in The Age of Gutenberg
WordPress dropped a massive update back in December with WordPress 5, codenamed Gutenberg. Gutenberg brought a radically different text editor for the masses. But did it necessarily improve the overall WordPress Security?
Every day around 70000 websites gets hacked, reports internetlivestats.
Although the new editor faced some criticism when it was released, slowly people are getting used to the new editing experience. WordPress 5 Gutenberg was release on December 6, 2018, named for jazz musician Bebo.
This major release added more than 20 new features including the all new shiny block editor, table of contents block, new blockquote block, table block, cover image block, cover text and more.
However, every new feature means new opportunities for vulnerabilities, security loopholes and more. WordPress 5.0 had five significant security vulnerabilities including sensitive data exposure, PHP object injection, Privilege escalation /XSS, and unauthorized file deletion.
Hence, WordPress 5.0.1 was released immediately within a week and was labeled as an “immediate Update” from the security specialist guys over at WordFence.
Sucuri’s 2017 Hacked Website Report finds out more than 39.3% WordPress websites were running out-of-date WordPress software at the time of the hacking.
The WPScan Vulnerability Database discovered that more than 70% of attacks happen due to out-of-date software. The most vulnerable versions of WordPress are WordPress version 3.x
WordPress 5.0.2 was released as a maintenance release in the following week as people were having issues with the new block systems. There were bug fixes and new feature improvements in WordPress 5.0.2 release.
Security Issues with WordPress
WordPress is always adding new features to improve the user experience. New features mean there will be risks of new vulnerabilities. WordPress 5 added many new features as we discussed before, but did it do anything really groundbreaking in terms of security?
The answer is- NO!
Because it's human nature, we do not worry about managing potential security risks until it's too late. How about one day you find that all the stuff in your house is gone because you didn't lock your front door? Or how about leaving your car unlocked for just a few minutes and finding out it's gone forever.
Once someone robs your house, steals your car, or hacks into your WordPress website, you would find yourself stupid not do something beforehand.
The problem is, humans react to all these scenarios when it’s too late. By the time you should have done something, you will find out that you are trying to minimize your damage. Hence, pre-planning, prevention, being proactive, taking appropriate security measure beforehand – ensure that your chance of data breach gets reduced significantly.
However, this article isn’t about your car or your house; it’s about securing your WordPress website in the age of Gutenberg. If you follow this article to the end, you will have a well-organized security checklist to minimize the security risk of your site.
Security Begins when You Are Ready to ACT
If you are too lazy about doing something to secure your WordPress website, you will not be able to minimize the security risks.
You have to be proactive because it’s not every day you notice your website is hacked, right? But when this happens and if you are unprepared at that time, then only God might save you!
It's crucial to secure your website before havoc wrecks upon. It's entirely possible that any private or sensitive information gets breached. You remember the infamous iCloud hack right?
A security breach could potentially be destructive to your customers and you. Once you lose your customer's trust, you cannot regain their trust soon. Hence, we will be offering some of the best and industry proved WordPress security tips to secure your website.
WordPress Security Checklist 
We already mentioned some of the best WordPress security tips in our article WordPress Security Guide. Chances are, you already came across to the article. How can you improve your WordPress Security in the age of Gutenberg? We will list some of the best security measures that you should take to secure your WordPress website in the age of Gutenberg.
Before jumping to the checklist, check out the following infographic on top 5 WordPress security issues.
Double Check Your Username and Password
You have heard it before, but we are emphasizing it anyway. More than 80% of security vulnerabilities are related to weak and obvious passwords.
This is the single WordPress security tips that you will find it across the web in every security related article.
It’s okay to use a memorable password. However, you should always choose a strong password that combines special characters, lower case, upper case combination.
You should NEVER use a password like “123456”. 123456 is the most common password, declared by Fortune. You can check the list of the most common passwords here, and you should avoid them at any cost.
You can use services like KeypassX, Bitwarden (an open source password manager), LastPass, 1Password to generate strong passwords.
It is wise not to use the default WordPress username “admin” too.
Double Check Your Database User Permission
This WordPress security tips will help you to secure your WordPress website from the backend. If you alter the permission of your database user, then even if your site gets hacked, a hacker will not be able to delete (or in this case drop) your data (in this case the database table).
While creating your database user, you should not allow your database user to drop database tables. (Read more on database user security)
On a side note, you should know that WPERP utilizes all WordPress security standard.
Prevent Bruteforce Attacks Using A Captcha Plugin
Bruteforce attacks are one of the most common forms of attack. Brute force attack tries all possible combinations of password unless it matches to one. Hackers use scripts to automate the whole process.
You can install the plugin No CAPTCHA reCAPTCHA from WordPress Repository.
This plugin integrates Google's spam blocking service reCAPTCHA to your WordPress website.
This plugin will lower the extra CPU usage you might have due to continuous brute-force attacks.
Make Use of the Best WordPress Security Plugins
There are many WordPress security plugins out there including the most famous ones such as Sucuri, WordFence, Ninjafirewall and more. Each one has its own functionalities.
Wordfence is the most popular one among these security plugins. Various websites have also featured Wordfence as the most useful security plugin in their best WordPress plugins list. Wordfence has more than 2 million active installs along with a rating of 4.8 stars of average rating. For a plugin, the stats are certainly impressive.
Wordfence includes all the essential security features including login security, IP blacklist, security scanning, and firewall for your WordPress site.
[Companion reading: Best WordPress Security Plugins Overview]
Perform a WordPress Security Check
Professional security checking websites often require payments to perform a comprehensive security check. Security scans are helpful for finding security vulnerabilities. Here's a list of websites where you can schedule a free security scan.
- Hackertarget WordPress Security Scan
- ScanWP’s WordPress Security Scan
- WPScans WordPress Security Scan
- WP Neuron
- WP Loop
- WP Recon WordPress Security Scan
- Sucuri’s Site Check
Use SSL With Cloudflare
There's no reason not to use Cloudflare. Cloudflare provides free CDN and SSL. You can take advantage of both if you use Cloudflare. Cloudflare also provides security features including DDoS protection, IP blacklisting, load balancing and more.
We recommend using a security and site acceleration service like Cloudflare or Incapsula.
Wrap Up on WordPress Security
Security is one of the most important aspects of a website. You should always take your website's security seriously. WordPress is evolving daily, so you have to keep yourself updated against the latest security vulnerabilities, malware, and threats. We listed some of the best WordPress security tips here, but no system can be 100% secured.
If you have some more WordPress security tips to share, feel free to let us know via comments. However, if emergencies occur and you find your website is already hacked, showing symptoms like redirection, popups – you can try replacing your WordPress core files.