WordPress is the most popular content management system that is both open-source and free. More than 39.5% of the web is powered by WordPress. WordPress is the top choice of bloggers and big publications. A huge community is behind the success of WordPress.
WordPress is powerful and flexible, the ease of using it makes it highly popular. And due to this popularity, WordPress is also a major target of hackers.
This is not because WordPress is not a good framework. In reality, it is one of the most tested and stable systems. But due to the vast community of contributors and so many plugins/themes out there, it’s very difficult to maintain security.
There are many reasons which add to WordPress site vulnerability.
I’m listing down some of them:
- Maximum WordPress owners don’t update WordPress regularly.
- Installation of nulled themes and plugins from third-party.
- Themes and plugins purchased from a third-party aren’t updated although it’s damn easy to update them.
- Using the default username ‘admin’ that is created during the WordPress installation.
- Use weak Login credentials that can be easily cracked by hackers after using a few combinations.
- Website URLs include HTTP despite HTTPS for secure data transfer.
- Use poor network connection for user interactions.
- The hosting company doesn’t provide customer support and reliable security solutions.
- User roles aren’t well-defined.
- Store owners don’t keep track of website activities.
- Not taking accurate security measures and using plugins for the same.
- Attackers use malicious software to harm websites.
So, does that indicate WordPress shouldn’t be used for creating blogging websites?
Know Reasons to Choose WordPress!
No. WordPress can be used by anyone for the time being they want! Hackers can read and write your data because your site isn’t updated with the latest functionalities of WordPress and you haven’t taken any security steps that eventually helped them to make your site full of vulnerabilities.
Therefore, in this article, you’ll get to know some of the best practices through which site security can be maintained. But before heading towards the section WordPress security solutions best practices, let’s first explore why WordPress security solutions are important.
Navigate To The Section You Wanna Explore!
Why Is WordPress Security Important?
Here are some stats that will let you know why WordPress security is important!
- 98% of attacks happen because of plugins.
- 81% of WordPress vulnerabilities happen because of weak or stolen passwords.
- 51% of WordPress websites undergo denial of service attacks.
- In 2021, Sucuri had removed harmful malware from 94% of WordPress Websites.
- 41% of vulnerabilities are caused by your hosting platform.
- 40% of websites are affected by cross-site scripting.
- 52% of attacks are experienced due to outdated WordPress versions.
- 59% of sites suffer from vulnerabilities because of malicious code, malware, and botnets.
WordPress contributors and the community are adding new features every day. Contributors are patching all security issues and ensuring new security parameters, so it’s important that you keep your WordPress upto date to keep it secure.
Types Of WordPress Attacks And Tips To Avoid Them
-
WordPress Core Vulnerability
WordPress helps your business in reducing cost, provides substantial innovation opportunities, and is open source. But with the source code being available it becomes easy for potential cyber criminals to identify the core vulnerabilities and exploit them. And hence one of the easiest ways of exposing your WordPress site to attacks is to continue making use of updated WordPress versions and also running older versions of WordPress’s scripting language PHP.
To the rescue, there are developers who identify such vulnerabilities and create ways to fix them in order to maintain the security of your WordPress website. Moreover, to save your WordPress site make sure you have installed the updates at all times. To do this simply Log in to your WordPress website admin account and then click Dashboard→Updates.
-
Brute Force Attacks
In a brute force attack, the cyber criminal tries a combination of passwords until he cracks the correct one. This type of attack is very common. It is very effective on weak passwords and usernames. In case you are receiving random log in requests, this is a clear indicator of a brute force attack. Therefore, you should take care of the WordPress password strength system. You can try following these tips:
- Make use of a good mixture of numeric and alphabet characters.
- Try to use long and strong passwords.
- Avoid words suiting your company or website.
- For more intense security add two factor authentication.
-
Plugin And Theme Vulnerability
Plugins and themes are the best way to add extra functionality to your WordPress website. But Plugins also prove to be very vulnerable to attacks. Since they are fully reliable on developers to be kept updated to avoid exploits. So In order to avoid attacks on your website make sure your plugins are compatible with the latest updates. The plugins which haven’t been updated in a long time are the ones most likely to be hacked and therefore should not be used.
-
Cross-site Vulnerability
Another very common attack is the cross-site or an XSS attack. In an XSS attack the cyber criminal uploads malicious JavaScript code. This is aimed at either redirecting to another site or collecting data without the user knowing about it. More common types of XSS attacks are phishing-style methods like newsletter subscriptions or forum posts.
In order to avoid this type of attack, it’s important to ensure proper data validation practices across your WordPress website. Moreover validation is a significant skill which is required for utmost security. This means all the data on your website caters to your expectations.
-
DDoS Attack
DDos attacks are the most popular type of attack. Big organizations like Netflix, Sony, Amazon, etc. have been a prey to it. A distributed denial of service (DDoS) attack takes place at the time when a web server is loaded with a plethora of requests that the server goes down and crashes. DDoS attacks are common amongst both small and big organizations and are very dangerous.
To avoid the DDoS attack you should disable exploited API’s during an attack in order to decrease the number of requests. You should also disable third party applications to interact with your WordPress website. Also, you should make use of plugins that automatically block IPs that perform suspicious activities.
Tips For Maintaining WordPress Security Solutions
Here are some of the tips which you can follow to secure your website from major issues.
1. Select A Secure Hosting Provider
In 2021, 41% of WordPress websites were hacked through a security vulnerability on their selected hosting platform (source- wpwhitesecurity.com). Thus, selecting a secure and managed hosting provider is so important for any store representative.
When you’re purchasing your WordPress hosting plan consider factors like uptime, speed, customer support, and security. If you don’t want to pay for these things or regret in the future, then don’t try to avoid these factors.
Free and cheaper hosting platforms can put your site security at risk and an easy target for hackers. Therefore, don’t purchase a hosting platform all because it’s free. Also, avoid using shared hosting as it can increase the risk of cross-contamination.
In shared hosting, the same server is being used by thousands of other online stores. Here, if someone else’s website is hacked intentionally, then your site is also affected as you’re using the same server. In this case, you become the victim and that too without doing anything!
You can maintain a safe distance from cross-contamination and other WordPress vulnerabilities that are caused by hosting platforms. If you choose a hosting platform whose priority is to protect your site from vulnerabilities and is always there to help in situations of need.
If you’re searching for a hosting provider on whom you can trust and rely, then I would recommend the hosting services of WP Engine.
WP Engine is the hosting platform that offers great support, functionalities, and has a highly secure network. If you choose WP Engine you don’t need to worry about your website security. Its basic plan starts from $25. Compare the pricing plan and choose the one that best fits your business. You can also consider platforms like InMotion, Bluehost, and HostGator. WordPress hosting services that they offer are highly affordable and secure.
2. Update Your WordPress Website
The sites that aren’t updated with the latest functionalities of WordPress and PHP are easy to target. WordPress’s core development team frequently brings new releases to maintain the security of websites.
Unfortunately, many sites use the old version of WordPress. Even though the update process that WordPress offers is undoubtedly comfortable and smooth.
All the minor updates are installed automatically. Store owners are only required to install the major updates by themselves. When installing the latest version, make sure that you have taken a backup of your site to save yourself from undesirable situations.
Many WordPress updates aren’t compatible with your existing plugins and themes. Therefore, you’re first required to check the compatibility of your plugins and themes with the latest version of WordPress. In case, your WordPress plugins and themes aren’t compatible, you can update them before installing the latest version of WordPress.
If you installed the latest version without reviewing its compatibility with your plugins and themes, then it can harm your site and you’ll be required to restore your previous version manually (in case you haven’t taken any backup). Thus, preparing site backup and checking compatibility is so important during a WordPress update.
You can also create a staging environment to check whether your site supports the new WordPress version or you need to take more steps to make it compatible with your store.
3. Update/Delete Your Plugins & Themes
Currently, there are 55,000+ plugins in the WordPress repository. To (58,000+) enhance your website performance and functionalities, you might leverage several WooCommerce plugins and themes. These plugins and themes do add additional features and personalize your customers’ entire journey.
But do you know – more than 52% of WordPress attacks occur because store owners don’t use secure plugins and themes! (Source- KeyCDN). Thus, WordPress security maintenance also depends on the plugins and themes you install for your business. If you want to shield your site from these attacks, then update or delete the plugins and themes that aren’t in use for a quite long time.
Use the following steps to update your plugins and themes.
Steps To Update WordPress Plugins
- Go to your WordPress Admin panel.
- Click on the update button from the sidebar.
- Click on the plugin you want to update at the current moment.
- Now click on the Update Plugins button present at the top.
Steps To Update WordPress Theme
- Go to your WordPress Dashboard.
- Go to Appearance > themes from the left sidebar.
- Select the theme you want to update.
- Now click on the Update Now button.
Do You Want to Install WordPress Themes?
By using these four easy steps, you can secure your WordPress website from hackers. Now it’s time to check the plugins and themes that you hardly use for your business.
It might be possible that you have installed multiple extensions and themes that are just listed on your backend, and you hardly use any of these for your website activities. If this is the case, then it’s better to delete those extensions and themes for the time, you don’t want them for your business. You can easily install all these plugins and themes, whenever you feel their need in your business activities. But for the time you don’t want them, it’s better to delete them from your system.
Before heading towards other WordPress security solutions tips, I would recommend staying away from nulled plugins, as they have security flaws, and your website can easily get affected by malware.
Purchase plugins and themes from the websites or developers on whom you can trust for your WordPress issues. Always check the reviews, ratings, reputation, and the last update date of the plugin or theme you’re planning to purchase. Use this WordPress security solutions trick to keep hackers away from your website!
4. Use Strong Username & Password
The username that WordPress creates by default during the installation is admin, which is not a secure name for any website. If you want to avoid the vulnerabilities that might occur because of your login credentials, then do install a WordPress plugin that can help you change your username effortlessly. Here, the plugin you can consider for changing your username is Username Changer.
Not only the username, but your password should also be strong enough that no one can guess your login details even after creating several different combinations. Don’t use a single password for multiple websites, it can be dangerous. Use password-protecting tools like LastPass to generate secure and strong passwords.
Using this tool, you can easily generate a strong and unique password that can’t be predicted by hackers. Make sure that your users are also using strong and unique passwords. For more security, update your passwords as often as possible. You can also set a date range, after which your users have to create new login credentials. By compelling users to change their passwords, you can reduce the risk involved with your site security.
5. Use Two-Factor Authentication
2FA creates a second protection layer on your login pages. In case, if an attacker has succeeded in cracking your login details they wouldn’t be able to enter in your WordPress admin panel. If you enable 2FA for your users, then they have to enter a secret key or code generated on handheld devices. It generates a one-time password that needs to be entered within a specified time. This code also changes every time anyone attempts to enter your website. Thus, it keeps your site safe. Use Google Authenticator to enable the functionalities of 2FA.
After enabling Google Authenticator, users will be required to enter the secret key to enter your website. In case, they haven’t entered the right secret key they wouldn’t be able to enter your WordPress admin panel even if their username and password are correct!
6. Create Restriction On WordPress Log-in Attempts
Restrict the number of times a user can attempt to access your website. It can prevent the possibility of guessing your login credentials and makes your login page more secure and safe. You can check who is trying to enter in your admin panel and block their IPs if you find their login activity suspicious. In this way, you can protect your site on time, and hackers won’t get the chance to play in your admin panel.
7. Use An HTTPS Site
Having an HTTPS site ensures that your data is encrypted between your server and all browsers. If unauthorized users attempt to access the shared data, they would end up getting nothing. Moreover, Google prefers to rank those sites that have HTTPS in their URL. If you don’t have an SSL Certificate, then Google will show “it’s not secure” warning for your website URL. Thus, you must include HTTPS in your URL, as it makes it easy to gain customers’ trust and attention towards your site. Always remember visitors want fast and secure solutions, so you simply can’t ignore to include this extra ‘s’ in your URL.
There was a time when purchasing an SSL certificate required around $80. Purchasing an SSL Certificate was expensive, and thus, many store owners couldn’t take up the benefit of having an HTTPS site. After understanding the importance of an SSL Certificate for store owners, many hosting companies have started providing it for free. You can have your free SSL Certificate from Bluehost, Hostgator, Kinsta, InMotion, and WPEngine.
8. Schedule Regular WordPress Backups
In case you lose data, some bugs occur, or attackers attempt to affect your website security, then you can use your backups to restore your previous version. Backups create an exact copy of your existing WordPress site so that you can restore the bug-free version and protect your brand image.
Depending on your business, you can decide whether you need to take weekly or hourly backups.
If you frequently create and publish content on your site, then it’s advisable to take hourly backups. Especially if you’re running an eCommerce store, then you can take backups more frequently. But if your site rarely produces content or performs any change, then you can take backups on a weekly basis. It depends on your business model.
There are several advanced WordPress backup plugins. Go through the list to select the backup plugin that can help you revive your site whenever required.
These plugins can help you maintain your online presence among your customers, visitors, and leads. In case, any error occurs, you can revive your previous version using your backup plugin within seconds so that your customers’ experience on your website won’t get affected, and you don’t miss out on any potential sale.
9. Restrict WordPress Admin Access
In WordPress, there are six predefined user roles. Each role can perform a specific set of tasks called their capabilities. These user roles are defined as Super Admin, Administrator, Editor, Author, Contributor, and Subscriber.
If user roles aren’t defined accurately, then it can harm your website. As some users might perform activities that are not supposed to be performed by them.
Therefore, define user roles to restrict admin access and protect your WordPress website from hackers. You can decide whether you want to use the predefined user roles or create a new user role. Also, don’t forget to change your login credential and delete user roles when an employee leaves your workplace. It is another method through which you can protect your WordPress website.
10. Secure Your wp-config.php File
wp-config.php is the most important file that you have on your WordPress website. If you don’t secure your wp-config.php, hackers can easily access your WordPress database and cause damage to your information. Thus, for WordPress database security include the following code in your .htaccess file.
You should also disable your WordPress directory files for security purposes. By disabling your WordPress directory files, no one can access your sensitive information and provide security threats.
- Generate new secret keys by using the link (https://api.wordpress.org/secret-key/1.1/salt/)
- Copy the generated secret keys
- Replace in wp-config.php file
If you don’t feel comfortable while updating your .php or.html files, you can contact a developer or your hosting provider to perform the changes and secure your files.
11. Terminate Inactive Sessions
In WordPress, multiple user roles can be specified. In such situations, it becomes necessary to delete or terminate the sessions that are inactive from a quite long interval.
Suppose, while editing the post on WordPress another task arrives at your writer’s table or your designer is performing some changes on your landing page, and suddenly he is called to attend an urgent meeting. In such circumstances, the probability that your website can get hacked automatically increases.
Thus, terminating inactive sessions becomes important for your website security. Another WordPress security solutions hack that you can consider for your online store.
12. Leverage Secure Network Connection
Make sure that the file transfer protocol your web server is utilizing is safe and protected. Many hosting providers nowadays provide SFTP services that are more secure than the standard FTP.
All the interactions that are established under SFTP are well-encrypted and secure. If hackers try to access the data being transmitted from your server to any web browser they would get nothing in their hands. They have to shut down their system with full disappointment. So, always use a secure network connection to protect your and your customers’ data.
13. Check All Your WordPress Activities
You can secure your WordPress website by checking all the activities that are running on your site. And if you detect any suspicious activity happening on your website, you can take appropriate action as early as possible. In this way, you can reduce the risk involved in your WordPress security. You can use the plugin Activity Log to monitor and track user’s activity on your website. And if you find any suspicious activity on your site, you can easily block IPs to protect your data. You can also export and download the CSV file of your Activity Log data.
14. Protect Your Site From DDoS Attacks
In DDoS attacks, hackers use multiple systems to hack your website. The DDoS attack doesn’t provide harm to your website, but this attack can slow down your website performance for hours or even days. To protect your website from DDoS attacks, do leverage a WordPress security plugin like Sucuri. If you find some abnormal activities, you can contact the team of Sucuri and let them handle all your website issues. You can also contact us to get your site back on track.
15. Leverage WordPress Security Plugins
In the eCommerce market, there are several security plugins that you can consider to secure your WordPress site. Avoid using nulled plugins for your eCommerce store. It can increase site security risks. Purchase a plugin only after analyzing its performance, reputation, functionalities, support services, and reviews.
Explore The Best (Free+Premium) Plugins That Can Boost Your Online Sales?
Below I’m going to list out some of the best WordPress security solutions plugins that you can consider for your business. So, let’s start exploring all the advanced WordPress security solutions tools!
Recommended: WordPress Security Solutions Plugins
Here is the list of top WordPress plugins that you can consider for your business model.
1. Sucuri
It is the best website security solution available in the market till now. Using Sucuri, you can fix all your current issues and also prevent your site from future attacks as Sucuri provides full site monitoring. It monitors and scans your site on a regular basis to keep it protected and safe. It can protect your site from all WordPress vulnerabilities and DDoS attacks. Sucuri can also help you improve your site speed and performance. In short, investing in Sucuri is beneficial for websites that have security concerns and want to protect their site from all vulnerabilities.
2. Google Authenticator
Google Authenticator ensures that not a single unauthorized user enters your personal zone. It provides 2FA and MFA functionality that prevents brute force attacks. In case, the same user performs several attempts to log in to your site, it can block its IP – as it can monitor user login activities to maintain site security. It offers multiple authentication methods like QR Code, Push Notification, Soft Token, and many. You can select any of the methods to secure your login page.
3. Jetpack Security
Jetpack provides secure and fast security solutions to WordPress users. It provides real-time backups that can be restored in one click. If you select Jetpack, you’ll get the following functionalities –
- Brute force attack prevention
- Site scanning
- Spam prevention
- WordPress security monitoring
- One-click restore option
- Regular backups
You can also consider these WordPress security solutions to prevent suspicious activities and keep hackers miles away from your site.
4. LastPass
Hackers love to play with your login page. They try several combinations to crack your login details. And it’s damn easy for hackers to crack passwords like 12345, abcdef, password, admin, administrator, root, or store name. Lastpass helps website owners to generate strong and reliable passwords every time they need to sign-up. Whether it’s personal or professional, you can use this tool to generate a strong password. Using LastPass, you don’t need to remember any password. Whenever you want your login credentials, you can easily find it in your LastPass account. It also provides sharing options and multi-factor authentication.
5. Duplichecker
It is a backup plugin through which you can take backups and restore your WordPress versions. It also allows website owners to migrate and prepare a clone of their site.
6. WP Limit Login Attempts
Using this plugin, you can protect your login page from a brute force attack. [In brute force attack (hit and try method) hackers try to access your site using your login page. They create several combinations to crack your username and password until they succeed in their objective.] WP Limit Login Attempts plugin restricts the number of times a user can try to login to your page. It can also block IP addresses and detect bots using captcha verification.
7. Hide Login Page, Hide wp-admin – Stop Attack On Login Page
Hackers use bots to break your username and password. Even if you’re using strong login credentials, there is always a probability that your credentials can be hacked. You can prevent login page hacks if you take security steps like- using strong passwords, limiting login attempts, use two-factor authentication, and hide your login page. Using this plugin, you can easily create a custom URL for your login page to protect it from intruders. This plugin does not modify your database files. After changing your login page address, you’ll receive an email including the recovery link, in case you forget your new URL.
8. Wordfence Security – Firewall & Malware Scan
It is a secure solution for your WordPress site. It scans your entire site and keeps it away from malware. The Wordfence plugin also prevents brute force attacks by limiting login attempts. Using this plugin, you can reduce the risk involved with all known and unknown WordPress vulnerabilities like backdoors, SEO spams, and malicious redirects. You can protect your WordPress database such that no one can attempt to mess with your and your customers’ information. 2FA, IP blocking, and captcha for bot detection are also available. You can use this plugin for any number of sites. If you choose their premium plan, you can also perform country blocking for more authentication.
WordPress security can be maintained if you take security measures and use plugins for the same. Now, if you want to create your blogging or eCommerce site through WordPress, then you first need to know the difference between wordpress.org and hosted wordpress.com! If you know the difference, you can easily decide which WordPress version you need to use for your business!
Ready To Use WordPress Security Checklist
Here is the WordPress security checklist and guidelines you can use while creating your online store.
1. WordPress Security Solutions Hosting
- Select A Secure Hosting Provider
- Check Customer Support
- Review Security Services
- Check Rating & Reviews
- Avoid Using Shared Hosting
- Consider Factors Like Uptime, Security Speed, Customer Support While Selecting A Hosting Provider
2. WordPress Security Solutions Login Page
- Use Strong & Unique Passwords
- Enable 2FA Functionality
- Don’t Use The Same Password For Multiple Sites
- Change The Default Username ‘Admin’
- Use WordPress Security Solutions Plugins Like LastPass And Username Changer
- Restrict Login Attempts
- Change Your Login Credentials On A Regular Basis
- Always Delete Your Previous Username And Password
3. WordPress Control Panel
- Define User Roles
- Terminate Inactive Sessions (auto-logout when there is no activity from the user end)
- Protect Your wp-config.php file
- Leverage Secure Network Connections
- Download The Zip File Of Your Backup
- Schedule WordPress And PHP Updates
- Include HTTPS In Your Website URL
- Prepare Hourly/Weekly WordPress Backups
- Use Email Address Instead Of Username
- Scan And Monitor All WordPress Activities
- Delete User Accounts That No Longer Belongs To Your Organization
- Create New User Roles To Restrict Access
- Check Google Blacklisting Sites
4. WordPress Themes & Plugins
- Install All The Major Updates Regarding Themes And Plugins
- Always Check Compatibility And Take A Backup Before You Update Any Theme Or Plugin
- Create A Staging Environment To Check New Updates
- Never Purchase Nulled Themes Or Plugins
- Always Check Review, Rating, Brand Reputation, And Last Updated Date Before Purchasing Any Theme Or Plugin From A Third Party.
- Delete Plugins And Themes That Are No Longer Required In Your Business.
- Don’t Purchase Too Many Extensions As It Can Slow Down Your Website Performance And It Becomes Easy For Hackers To Spread Malware.
- Purchase Themes And Plugins From Reputable Sites.
5. WordPress Security Solutions Services
- Purchase Advanced WordPress Security Plugins.
- Check Thoroughly Before Selecting Any Plugin Or Service Provider.
- Don’t Use Too Many Security Extensions
6. WordPress Security Solutions Features Required From Your Provider
- Brute Force Attack Prevention
- Two-Factor Authentication
- Regular Backups And One-Click Restore
- Scan And Monitor Site
- Detect Suspicious Activities And Block IP Addresses
- Creates A Staging Environment
- Automatic Daily Backups
- Backup Retention Plan
- 24/7 Customer Support
- Hack And Malware Removal
- SSL Certificate
- White-Labeled Cache Plugin
- Email Notifications
- WordPress Security Auditing
Using this checklist, you can protect your site against WordPress security issues. You can also use our handy WordPress launch checklist to complete your store development activities. Now, let’s go through some of the most common questions about WordPress security.
FAQs About WordPress Security Solutions
1. Is WordPress Secure?
WordPress is a secure solution only if store owners take accurate security measures like updating WordPress versions on a regular basis, purchasing themes or plugins from trusted websites, using security plugins, and taking other important security steps.
2. How To Protect A WordPress Site From Malware?
WordPress security practices that can protect websites from vulnerabilities are-
- Schedule regular backups
- Install WordPress major updates
- Use 2FA
- Check WordPress activities
- Define user roles
- Limit failed login attempts
- Use advanced security plugins
- Update themes and plugins
- Delete unused themes and plugins
- Use SSL Certificate
- Prevent DDoS Attack
- Secure your Database files
- Leverage secure and protected network
- Use strong login details
- Select a secure hosting provider
3. How Your WordPress Website Can Be Hacked And What Can Happen To It?
Your WordPress website can be infected if you don’t pay attention to its security. Hackers use different software to spread malicious malware on your website. They attempt to enter your site using your login page, through your hosting provider, or plugins you use for your business.
Hackers can read and write your files. They can damage your brand image and threaten you in the worst situations. Situations can occur in which even professionals can’t provide help. It can take weeks to restore your website.
4. Why Do You Need A WordPress Security Plan?
Hackers can affect your website reputation among your users. They can steal your and your customers’ sensitive information. If desired, they can even threaten you and your customers. The damage could be so bad that you need to re-establish your online store. Thus, website owners need to purchase a security plan to keep their website secure and protected.
We provide WordPress security services to all online stores. If you want help or secure your WordPress website, you can contact our developers. The moment we receive your query, a developer will be assigned to handle your WordPress problems. Click to know what our customers say about us on Trustpilot!
Final Words WordPress Security: How To Secure And Protect Your Website?
WordPress is powerful and flexible. If you want to use WordPress, then you can’t avoid implementing WordPress security steps. Practice the security tips listed in this post to keep your website safe and secure. Each tip and trick will add a layer to keep intruders away from your site. If you’ve questions in your mind regarding WordPress vulnerabilities, then use our contact us page to send your queries.
View Comments (1)
Excellent post and a shame that more website owners don't realise the growing risk of hacks from poor WordPress security. Also interesting that you mention 44% of attacks are from outdated versions when as of today 49% of all self hosted Wordpress sites are at least 2 core versions behind.