WordPress Security: Preventing Website Hacks
As you may already be aware, WordPress has received a lot of attention because of past security concerns. And if you’re building a new website, or wondering about the WordPress security of your own website, I sincerely wouldn’t allow scare tactics to sway your opinion of WordPress. It’s the #1 platform in the world with over 30% of the internet’s websites running on it. It’s the preferred choice for developers and easily the most user friendly with unlimited resources for troubleshooting, plugins, support and security. With so many users, it’s mathematically going to have more security attacks, but fortunately there are just as many (if not more) security preventatives and blocks available.
WordPress resources are abundant because it is run by a volunteer group of consultants interested in expanding the software. It’s a community where experts are invited to create a theme, write a plugin, answer tech support issues, and generally contribute. The professional developers that created WordPress are quick to jump on any attack against their platform & offer the fix to their users. That’s part of why we love it, use it and recommend it. Other website platforms will leave you to fend for yourself if you get hacked.
Any website is going to have security risks no matter what platform or coding is used, but you must consider the resources available to prevent these attacks and counter them. When it comes to the benefits, WordPress is unparalleled. Click here to read more about the many benefits WordPress can bring to your company’s website.
You may be thinking, “I sell cupcakes in Beatty, Nevada, why would anyone care to hack into my website?” But it’s actually every day websites like these that are targeted.
Here are some common reasons your WordPress website might be targeted:
Spam. Unfortunately, this is usually to push pharmaceuticals or porn. Spammers search for vulnerabilities and openings on your website, such as outdated plugins. Once in, they can queue anywhere between 10-60,000 email messages on your server, ready to send at any time. It’s also typical for spammers to use your domain name as the “from” address, which can cause your legitimate email to be delivered to a spam folder. Your website can be blacklisted, and you run the risk of your host taking down your website.
Another common reason your WordPress site might be targeted is for advertising or SEO links. Hackers splice 2-200 links into already published WordPress posts & pages. Typically they search for posts that haven’t been updated in a long time (because people rarely check those). The purpose is to get the links they spliced in to show up in search engine results. Pharmaceuticals are the most common, but women’s products like shoes or apparel that lead to affiliate sales or viruses are also typical. Most people who discover they have been hacked this way have been hacked for months already. Google flags such a site in its search results as a suspected hack. Outdated WordPress installs and WordPress themes are the usual targets. So if you still have the default themes installed even though you’re not using them, your website is vulnerable if those themes are not updated. This includes the Twenty Twenty-One, Twenty Twenty & Twenty Nineteen WordPress themes, which are automatically installed when you install WordPress. XML-RPC is the connection method exploited in these attacks, so it’s best to disable it. To do so, add the following line of code to your theme’s functions.php file:
Another common hacking technique is the Distributed Denial of Service (DDoS) attack (aka using zombie websites). This technique is used to knock another site offline by overloading the target website’s bandwidth. By sending forged web requests in a way that makes them appear to come from the target site, the hacker can bog down that website with more traffic than it can take. This kind of attack also exploits the XML-RPC connection method, so you can see how important it is to disable that in WordPress.
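The functions.php snippet referred to above, written here as an added example (not the article’s own code): it disables XML-RPC’s authenticated methods and, because that filter alone leaves the pingback methods active, also removes the pingback methods that the reflection-style DDoS described in the previous paragraph abuses. The mu-plugin path in the comment is a suggestion; Jetpack and the WordPress mobile apps rely on XML-RPC, so check for those before deploying.

```php
<?php
/**
 * Added example (not the original article's code): harden WordPress XML-RPC.
 * Paste into the active theme's functions.php or, better, a must-use plugin
 * (e.g. wp-content/mu-plugins/disable-xmlrpc.php) so it survives theme switches.
 */

// 1. Disable XML-RPC methods that require authentication. This blocks the
//    remote posting/editing path used to splice links into old posts with
//    stolen or brute-forced credentials.
//    Caveat: this filter does NOT disable pingback.ping, so steps 2-4 still matter.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the pingback methods, which are what the reflection DDoS abuses.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header ...
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ... and blank the pingback URL themes print in <head> via bloginfo('pingback_url').
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return 'pingback_url' === $show ? '' : $output;
}, 10, 2 );

// 4. Close pings on all posts so WordPress neither sends nor accepts pingbacks.
add_filter( 'pings_open', '__return_false' );

// Verify on your own site after deploying: system.listMethods stays available
// even with xmlrpc_enabled false, so the returned list must no longer contain
// pingback.ping:
//   curl -s -X POST https://YOUR-SITE.example/xmlrpc.php \
//     -d '<methodCall><methodName>system.listMethods</methodName></methodCall>'
```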
Here are 8 preventative WordPress security steps you can take to protect your website against hacks:
- Keep WordPress and all your plugins up to date.
- Ensure all your user accounts have strong passwords and update those passwords every few months. Do not use the same password for your website that you also use for public sites such as Facebook and Twitter.
- Do not use default usernames like admin or create a user with the same username as your domain name. Do not make every user an administrator; give each user only as much access as they need.
- Only install plugins that have been developed by reputable companies and that have been updated recently.
- Install reputable WordPress security plugins and keep them active and updated.
- Change the default WordPress admin URL using a plugin such as WPS Hide Login.
- Check with your web host to be sure that server-wide malware scans and nightly off-site backups are included in your hosting package. If they’re not, we recommend BackupBuddy.
- Install an SSL certificate to provide https security support for specific pages or your entire website to encrypt all transfer of data. This is especially important for eCommerce websites and any site that uses contact forms.
There are two plugins that we install across our network to maintain a high level of WordPress security:
- WordFence – WordFence regularly scans websites for modified files, which can be a warning sign of a hacked website. This plugin prevents brute force attacks, where a machine might try thousands of user login combinations in a few minutes to break into your site. It also makes you aware of plugin, theme, and WordPress security updates.
- Anti-Malware and Brute-Force Security by ELI – This Anti-Malware scanner searches for malware, viruses, and other security threats and vulnerabilities on your server and it helps to fix them.
What should I do if my website was hacked?
If your website does get hacked, contact your web host immediately and let them know. This will lessen the chance your host will take down your website. If you’re using a quality host, they should help you either clean up the files or help you restore a backup of your website. Once a backup version of your website has been restored, your first priority should be to update WordPress, all plugins, themes and user account credentials.
But the responsibility of security doesn’t solely rest on your host’s shoulders. Your web developer should be assessing your site to ensure proper security measures are in place. Contact us to perform a WordPress security audit on your website. As an agency using WordPress, we make sure our clients are well protected (our own website is built into WordPress). Your agency should be alerting you to recent threats, a list of plugins that are vulnerable, as well as how you can update your WordPress site to ensure you are protected. If you’re not confident in making these updates, we will be glad to help.