If you’re running a successful LearnDash LMS then you’ll have a system with lots of learners. This makes your system an appealing target for hackers who may want to steal data, serve up spam, or try to exploit your customers.
The world of cybercrime is and always will be a threat, but thankfully there are a few straightforward ways you can help to protect yourself and your customers. Here are a few Do’s and Don’ts to help you keep your LearnDash platform secure:
DO – Use strong passwords
If you set up a WordPress site that had an administrator account with the username ‘admin’ and the password ‘password’, I’d be willing to bet it would be hacked within a week.
The reason for this is that there are millions of automated “bots” on the internet, constantly searching for sites they can break into by guessing weak passwords. They systematically find websites and can try several username and password combinations per second until they either break in, or give up. This is called Brute Force hacking.
It’s therefore essential to make sure that you are using a password that isn’t guessable. As I’m sure you’ve seen before, a good mixture of uppercase, lowercase, numbers and symbols makes your password harder to guess.
DON’T – Share your password with anyone
Never share your WordPress password with anyone, no matter how reputable they may seem. If you have an administrator level account and your password gets out into the open your LearnDash site could be taken over in seconds.
DON’T – Use the same password for every site
Passwords get leaked onto the internet all the time. Check out https://haveibeenpwned.com/ to see if yours has.
If you use the same password for several websites/systems and one of them gets breached, then there’s a chance that your username and password combination could be tried on others, including your own LMS. For this reason, it’s important to have different passwords for different websites.
Not good at remembering passwords? Storing them in your web browser is one option, but you could also reset it each time you log in to be extra safe.
DO – Keep your WordPress and plugins up to date
From time to time, WordPress and any 3rd party plugins that you use on your LearnDash LMS will have vulnerabilities in them. These range in severity, but typically they will either open your system up to being spammed, or in the most extreme cases be completely taken over.
And what’s worse, those bots that I mentioned above that scan the internet for weak passwords also scan websites for vulnerable plugins that they can exploit.
Thankfully, most plugin authors are responsible and reliable and will promptly release patches for any vulnerabilities that are found. WordPress also makes it easy to apply these updates via its dashboard – so be sure to check and keep those plugins up to date. If possible enable automatic updates so that they are applied as quickly as possible after release.
DON’T – Install too many plugins
Some site owners have a habit of installing a huge number of plugins to add various bits of functionality. The problem with this is that it increases your ‘attack surface’. More plugins means more potential vulnerabilities and therefore ways into your system.
You should also check how reputable and well supported any plugin is before installing it.
DON’T – Use nulled plugins
A ‘nulled’ plugin is typically a premium plugin that you have downloaded from an unofficial source and can’t verify its integrity. Kind of like the pirate movies of the plugin world.
These ‘nulled’ plugins are often altered to include malicious code, so when you install them you are opening yourself up for a heap of trouble. They can also prevent any plugin updates from being applied, meaning that you won’t get any critical security updates. Best to avoid them at all costs.
DO – Install a WordPress security plugin
Despite what some people say, WordPress is natively a very secure platform. It wouldn’t power over 40% of the internet’s websites if it didn’t. However there are a number of great security plugins available that can help harden WordPress systems even further. Two that we use regularly are WordFence and Defender.
Both “play well” with LearnDash and have a range of tools to help protect your LMS. One example is that they can monitor access to your LMS and block bots (mentioned above) for too many incorrect guesses of passwords, or for trying to probe for vulnerabilities.
Another useful feature is that they can scan your LMS codebase and let you know if anything looks suspicious or has been altered.
It’s certainly worth installing one of these for the peace of mind it brings.
DO – Enable 2 factor authentication for admins
When you log into your bank you often enter your password, then have to enter a code after it. This is called two factor authentication, and it gives an extra layer of protection on top of your password, which we know can be weak.
This can also be enabled on WordPress using a number of plugins like the security plugins mentioned above.
It’s really easy to set up and once enabled, each time you log into your LMS you’ll need to check your smartphone for a code. This way if your password does get out into the open, a hacker still won’t be able to get access to your system because they wouldn’t be able to guess the secret code that follows it.
DON’T – Give administrator access to anyone who doesn’t need it
Always use a concept called “Principle of least privilege” when operating a LearnDash LMS or any system for that matter. To skip the jargon, this means that any user on the system should only have the minimum amount of privileges that they need to carry out their duties.
If you have an employee that doesn’t need to install plugins, or edit system settings then perhaps an “Editor” role might suffice.
The fewer admin level roles you have on your system, the less chance there is of one of these accounts getting exploited and causing unauthorised access.
DON’T – Use cheap website hosting
The WordPress site that contains your LearnDash LMS will need to be hosted somewhere. There are literally thousands of web hosting providers out there, and some are more reputable than others. Typically you want to avoid the cheap ones.
The cheaper ones often take security less seriously. They’ll also usually host a large number of other sites on the same “box” as yours. You won’t know who these other sites are, but there’s a chance that if they get hacked, or carry out malicious activity of their own, then your LMS could be inadvertently affected. So be careful with your choice of web host!
DO – Keep up to date with WordPress and LearnDash security news
When you operate a LearnDash site, it makes sense to keep your finger on the pulse of any security updates.
To date I’m only aware of 2 vulnerabilities in LearnDash that made it into the open and in both cases I recall they promptly patched the issue and emailed their licence holders (including us) to inform us. They’ll also update their changelog here https://www.learndash.com/changelog/ and potentially post an update on their blog.
Similarly WordPress will post updates to their news site here https://wordpress.org/news/
There are also a number of great security sites that will announce vulnerabilities in popular plugins:
- WPScan Blog – https://blog.wpscan.com/
- WordFence Blog – https://www.wordfence.com/blog/
- Sucuri Blog – https://blog.sucuri.net/
DO – Scan your system regularly
If your LMS gets hacked and spam/malware is added to it (a.k.a being “spamvertised”) then you might not know straight away.
The following sites will scan your LMS for anything that looks suspicious, so it’s worth checking them every now and again:
- Virus Total – https://www.virustotal.com/gui/home/url
- Sucuri Sitescan – https://sitecheck.sucuri.net/
- Unmask Parasites – https://unmask.sucuri.net/
DO – Keep an eye out for anything suspicious
It might not be obvious straight away if your system has been hacked. Your system could be subtly being used for spam/botnet activity or a hacker may have inserted a “backdoor” into your system for them to come back and use later.
Here are a few things to look out for:
- Any suspicious redirects that you or your LMS visitors see
- Any installed plugins or themes that you don’t remember adding
- Any users in your system that you don’t recognise – particularly admin ones
DON’T – Click on suspicious links
As an administrator of a LearnDash LMS, you are also a potential weak link in gaining access to your system.
Be very careful clicking on suspicious links, particularly from emails. Always question whether they are coming from a trusted source and air on the side of caution.
Clicking on a dangerous link can lead to you being infected with malware, which could inadvertently lead to you leaking access to your website.
Suspicious links can also lead to what’s known as “Phishing”, where the intention is to trick you into entering details, such as your username and password by pretending to be something else. A common example is where you see emails that pretend to be from companies like PayPal asking you to log in and verify something, but in reality you’ll be taken to a site that looks like PayPal and end up passing your details to someone with malicious intent.
Always be vigilant and if something doesn’t look right it probably isn’t!
DON’T – Assume you won’t get hacked
You might think that only big businesses get hacked, but this couldn’t be further from the truth. It is reported that over 90,000 websites get hacked every single day (source: HostingFacts)!
You’ll never be able to make your LMS impenetrable (noone can), but you can make it less of an appealing target by using some of the tips in this blog. Just don’t get complacent when it comes to security.
DO – Take regular backups
The truth is, websites and systems do get hacked. If you do, it’s actually quite difficult to clean a hacked site and know with 100% certainty that there are no vulnerabilities or backdoors left over. Often it’s easier to revert back to a backup of your LMS prior to when it was hacked.
For this reason, you should constantly back up your LearnDash LMS. How regularly depends on how active your LMS is and how much user progress gets made each day, but typically you’d want to be backing up daily as a minimum. Thankfully most web hosting providers will have the option to back up your whole system automatically.
The purpose of this article isn’t to scare you, but to make you aware of the threats out there and give you some simple ways to stay one step ahead. If you find it useful, or have any tips of your own, we’d love to hear from you in the comments.