How To Protect Your WordPress Website From Being Hacked

May 3, 2016

WordPress is a great CMS option, to be sure; however, using the most popular website publishing platform also exposes you to a lot of vulnerabilities. The more people use it, the bigger a target it becomes for hackers. Since about 25% of sites now run WordPress, it’s become a real issue in recent months. So if you’re not going with a “Never Get Hacked” type of Managed WordPress Hosting solution, here is how you can do it yourself:

So Why Are Websites Targets for Hackers Anyhow?

For most people, the hacking of websites is a terrible thing that causes a lot of stress and inconvenience, but that doesn’t mean people won’t do it. There are a few reasons why people hack websites, including:

  • Links back to their website (often spam sites)
  • Links to another website (paid-for links)
  • Hijacking your website to send out attacks
  • Injecting content onto your website
  • Gaining access to paid-for items
  • Harvesting all registered users’ email addresses
  • And sadly, for some folks it’s just considered fun

Steps To Secure Your WordPress Site

On average, 30,000 hacked sites are identified every day (Link). That’s a shocking number, but how do you make sure you won’t be included in that stat? For our clients we offer an amazing WordPress Toolkit, built right into the Plesk Control Panel, that will do all these things for you. For others, here are some very tangible things you can do to lower your risk:

Protect Your Login Page

One of the most common methods for hackers to gain access to your site is through brute force username & password guesses. There are a few options that can be used or combined to reduce the risk of having your password stolen.

Block Access to wp-login.php

By far the best way to protect your WordPress site from brute force attacks is to block unauthorized users from even reaching the login page at all. Doing this requires editing your .htaccess file if you’re using Apache, or your server config file if you’re using Nginx (most modern web hosts allow this; if yours doesn’t, it may be worth considering a change). There are two common ways to do this, described in How To Block Access to wp-login.php in our Knowledge Base.
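As an added illustration (our own example here, not the text of the Knowledge Base article), this is what the Apache version can look like when the two approaches are combined: trusted IP addresses get straight to the form, everyone else must first pass an HTTP Basic auth prompt. It assumes Apache 2.4 with .htaccess overrides enabled; 203.0.113.10 and /path/to/.htpasswd are placeholders for your own static IP and a password file stored outside the web root.

```apache
# Added example for the WordPress document root .htaccess (Apache 2.4).
# 203.0.113.10 is a placeholder for your own fixed IP address.
# /path/to/.htpasswd is a placeholder; keep the file outside the web root
# and create it with:  htpasswd -c /path/to/.htpasswd yourname

<Files "wp-login.php">
    # Second login prompt served by Apache before WordPress ever sees
    # the request, so automated guessing never reaches wp-login.php.
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /path/to/.htpasswd

    # RequireAny: either condition grants access.
    #   - requests from the trusted IP skip the extra prompt
    #   - everyone else must supply valid Basic auth credentials
    <RequireAny>
        Require ip 203.0.113.10
        Require valid-user
    </RequireAny>
</Files>
```

If you only want the IP rule, drop the three Auth* lines and the `Require valid-user` line; just remember that anyone outside the listed address, including you on a hotel Wi-Fi, will then be locked out of the login page entirely.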

Install These Great Security Plugins For WordPress

Wordfence – This plugin is kinda like your own little WordPress firewall in a box. It includes a number of login security options, such as enforcing strong passwords and locking users out based on failed logins or the username they attempt to use. For example, since you should never have “admin” as a username, you can add it to a list of usernames that result in immediately blocking the IP address. This is frequently one of the first things hacking bots try in a brute force attempt, and quickly shutting them out based on that simple rule is a great way to thwart 90% of the threat.

Login Lockdown – This is a plugin that can be added to WordPress to block access to the site after a given number of failed login attempts. (If you are a Dynamic shared hosting customer, we run a number of security features on all our servers that do this for you automatically.)

For the love of god, make your passwords more SECURE!

So what’s wrong with your password? Over 90% of all passwords in use today are hackable within 6 hours! (Link). Typically when people make passwords, we either make something that’s really easy to type, a common pattern, or something that reminds us of the word “password” or of the account we’ve created the password for. Or, even worse, we think about things that make us happy, like our dog, and base our password on that. Please consider using something like LastPass.com (we think it’s great), and if not, here are some common sense steps to further secure your passwords.

  • Remove employee access to an application when an employee leaves.
  • DO NOT write passwords down on paper.
  • Don’t keep passwords in an unsecured spreadsheet or file folder.
  • Use a pronounceable password, combining vowels and consonants to make something that flows off your tongue like “vadasabi”.
  • Don’t use “monkey”, “justin” or “love”, because they are among the most common words in the hacked password lists floating around the internet.

When it comes to WordPress Plugins, Less is more:

We know it’s really tempting to download as many plugins as you can find to do everything under the sun. Unfortunately, that mentality can quickly lead to trouble. Take for example the huge fiasco that happened because of “Rev Slider”. This plugin was bundled with a slew of very popular themes but had a security vulnerability that ended up causing over 100,000 sites to be hacked! (Link). So here’s what you should do to limit your exposure through plugins:

  • Eliminate unused plugins and themes. There is no reason to open up your site to problems when you’re not even using them.
  • Don’t use a plugin when you can do it yourself.
  • Update your plugins EVERY WEEK. Monthly is not enough; DAILY is best. The more stale your plugins, the more vulnerable you are to exploits targeting older versions. (And if you are not up for that, consider Managed Services for Security Patching for your CMS.)

Some Other Steps You Can Take To Improve WordPress Security

  • Set up Google Alerts for your domain name and spammy keywords related to gambling and medicine
  • Research the potential vulnerabilities of plugins BEFORE you install them
  • Use Cloudflare as a CDN and consider using SSL
  • Have a backup plan and store that backup somewhere else. (If you are a Dynamic customer, your site is backed up every night.)