Because of the popularity of WordPress, it has become one of the prime targets of hackers. This isn’t because of any particular weakness in WordPress itself, but rather because the sheer number of sites running WordPress make it an irresistible temptation for those who make money from exploiting honest site owners.
We’re going to look at a few of the reasons why hackers would want to gain access to your WordPress site and offer a few simple rules that will help you fight the hackers that would target your site and turn it against you.
Why Do Hackers Hack?
The first thing to understand is that the attack almost certainly has nothing to do with your business or what it does. Instead, hackers want access to your site’s visitors or resources for several reasons:
-
To redirect visitors to malware infested sites, thereby infecting their machines.
-
To inject malicious code into your site that targets visitors.
-
To use your hosting and site as part of a Distributed Denial of Service attack.
-
To steal your user’s login credentials or other private data.
That said, on occasion hackers may be directly targeting your site or business as part of an island-hopping attack or in an effort to deface the site and damage your business’s reputation.
In almost all of these cases, it’s in the attacker’s best interest to remain hidden, so it’s more than likely that if you were hacked, you wouldn’t know about it until your users complain or Google delists the site from its index and slaps a big malware warning in front of everyone who tries to visit it.
To be secure, WordPress site owners need to implement a two stage approach to security. First, make the site as secure as possible, and second, monitor it so that a breach doesn’t go unnoticed.
Securing A WordPress Site
Login Credentials
The first and most important thing a WordPress site owner should do is ensure that their users are implementing proper password protocols. Hackers have become very skilled at carrying out brute-force dictionary attacks against sites that will try to login with very many passwords from a list of frequently used passwords. Safe passwords are at least 12 characters long and should be randomly constituted from letters, numbers, and other characters. Passwords composed entirely of dictionary words should not be considered safe. The recent spate of WordPress exploitations that turned many large sites into nodes in a botnet was only possible because of poor password practices on the part of site users.
By default WordPress creates a user called “admin” that has full administrative privileges. Hackers know this, so when they are carrying out a dictionary attack they focus on that user account. If that account is coupled with a weak password, it is trivial for hackers to gain access. WordPress users should create an alternative administration account with a hard-to-guess name and a secure password and delete the “admin account”.
As a further measure to increase security, it is advisable to implement two-factor authentication.
Secure Your WordPress Files
In a shared hosting environment, when one WordPress site gets hacked, other sites are vulnerable unless they have adequate access permissions on their files. WordPress provides a comprehensive guide to securing the files that make up a WordPress site in the WordPress Codex.
Update
All software contains vulnerabilities, it’s just a case of how soon they are discovered and who discovers them. That’s true of WordPress and of all the applications that make WordPress possible, like the Apache web server, MySQL, and PHP. If you’re using shared hosting, your hosting provider will probably take care of maintaining the server stack, but it’s the responsibility of webmasters to make sure that WordPress is kept to the most recent release. You may be able to do without the extra features of new releases, but the patches that fix vulnerabilities are a crucial part of keeping WordPress secure. Most hacked WordPress sites are exploited because they don’t have the most recent security fixes installed.
Be Careful With Extensions And Themes
Free extensions and themes are perfect trojan horses for encouraging site owners to install malware into their own sites. While most extensions and themes are malware free, it’s inadvisable to hit Google to find free themes.
Get your extensions from the WordPress plugin repo or from reputable developers.
Monitoring For Intrusions
Once you’ve bolted the front door, you’ll need to make sure that hackers don’t sneak in through the back. Remember, if your site is hacked it’s very unlikely that you’ll notice; it’s in the hackers best interests to be stealthy.
The WordFence security plugin is an excellent plugin and service for monitoring the state of your site and even provides some help with repairing it (although once the hackers are in, your best bet might be a scorched earth approach or the hiring of a WordPress expert to fix things).
WordFence scans sites for malware, implements a complete firewall, and blocks brute force attacks. The free version is fairly feature complete, but for total peace of mind, the relatively inexpensive paid version adds remote scanning of user facing pages and premium support.
Keeping your WordPress site secure is essential for maintaining a good reputation with your visitors and, for the most part, involves following a few straightforward security procedures. The cost of doing nothing can be a ruined reputation and a damaged business.