WordPress security is a hot topic, as WordPress is the most popular content management system (CMS). Over 25 percent of the world’s websites are built on WordPress, making it a prime target for hackers. We’ve seen an uptick in WordPress hackings and infections in the last few years. You need to know how to keep your WordPress site secure, or you risk being hacked and infected.
A Hacked WordPress Site
While it may only take a couple of hours to clean up an infected website, it’s a nuisance that is best to be avoided.
At its worst, a hacking is much more than an inconvenience: it can lose you customers. And in all transparency, it even happened to us; our site was hacked. We were one of two finalists bidding to design a website (a project we really wanted), and when the potential client Googled us, the search results indicated our site was infected!
If Google Search Console, also known as Google Webmaster Tools, finds your site to be infected, a warning will appear next to your site name on the search engine results page (SERP). And even after you clean up your site, it can take several days after you submit your cleanup for search engines to mark your site as clean. If your site shows up in a prospective client’s search results flagged as infected, your prospect will often look elsewhere.
And even worse, if you collect sensitive customer data and transfer or store it insecurely on your site, you could be liable for the leaked information!
How WordPress Leaked the Panama Papers
Did you know that the Panama Papers leak was due to a popular WordPress plugin that hadn’t been updated? Hackers found a vulnerability in the plugin and wormed their way into another file that insecurely stored email addresses and passwords, which they then used to hack into another server to land on their pot of gold: tax evasion records of the world’s richest people. This HUGE leak was due to two WordPress vulnerabilities:
- an outdated plugin
- an insecurely written third-party plugin
Types of WordPress Hackings
We’ve cleaned up WordPress sites that have been infected with:
- overwritten navigations that bring users to another site
- brute force logins that create new content such as spammy pages and posts
- malware that can’t be seen but is collecting data
- spam ads added to core theme files
And we’re sure there are other types of infections out there yet to be discovered.
WordPress sites are vulnerable on multiple levels.
Hackers can hack your site through a multitude of entry points:
- FTP logins: This is the back end of your website where files are uploaded. If someone logs in to your site, they can change all kinds of files.
- Brute force logins: Hackers guess their way into your WordPress login (especially for an Administrator account) and then create content on your site.
- WordPress core files: This is the engine and core of your website. If a hacker can find an entry point, they can make all kinds of modifications to your site.
- Theme files: This is the skin that overlays the engine. It makes your site look the way it does. An outdated theme can have entry points that allow hackers to modify your theme, headers and footers.
- Plugin files: These are little applications, usually written by third-party developers, that give your site specific functionality. Some developers are less experienced than others, and so not all plugins are secure. They could have entry points that allow hackers in.
With all these entry points, it’s difficult to know exactly how a site became infected. So it’s important to keep these vulnerabilities as secure as possible.
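The brute force logins described above leave a footprint in your web server access log: every guess is a POST to wp-login.php, and a failed guess makes WordPress re-render the form with HTTP 200 instead of redirecting (302). The script below is an added example, not code from the original post; it flags any IP that sends more than a threshold of failed login POSTs inside a sliding time window. The log lines and IP addresses are constructed sample data, and the threshold and window are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/Nginx "combined" log format: ip - user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one IP hammers wp-login.php six times in 20 seconds,
# another IP fails twice half an hour apart, plus a GET and an unparseable line.
SAMPLE_LOG = """203.0.113.7 - - [10/Mar/2024:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:13 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:17 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:21 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:14:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:14:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:14:35:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2745 "-" "Mozilla/5.0"
this line is not a valid access log entry
"""

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Map IP -> total failed login POSTs for IPs that exceed `threshold`
    failures within any `window_seconds` span (assumed defaults, tune per site)."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # Only failed logins count: WordPress answers a bad guess with 200, a good one with 302.
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == 200:
            failures[ip].append(ts)
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG.splitlines()))
```

Feed it your real access log instead of SAMPLE_LOG (for example `find_bruteforce(open("/var/log/apache2/access.log"))`), and treat a burst of failures followed by a 302 from the same IP as the strongest sign that a guess succeeded.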
10 Tips on How to Keep Your WordPress Site Secure
While there is no way to guard your WordPress site 100% and prevent all hackings (anyone who says they can do that is lying), there are safeguards that help keep your WordPress site secure:
- Change your FTP and website control panel passwords regularly, and consider using a password generator (for all passwords) that creates long passwords using a combination of lowercase letters, capital letters, numbers and special symbols.
- Don’t use “admin” as your user name. Using a different name makes it more difficult for brute force attacks to guess a login to your website.
- Keep your WordPress core files, theme files and plugins updated. As hackers discover more vulnerabilities, WordPress and good theme and plugin developers will release updates to fix these vulnerabilities.
- Perform frequent backups of your site so it will be easier to roll back to a date prior to a hack. The more new content you create, the more often you should back up.
- Delete unused plugins and theme files, and consider replacing ones that haven’t been updated recently. If they’re not being updated, it usually means the developer is no longer supporting them and they could contain a slew of vulnerabilities.
- If you collect sensitive information from your users, use SSL certificates to protect that information while it travels from their device to your server.
- Consider installing a security plugin such as Wordfence and regularly scan your site for malware.
- Sign up for Google Search Console and regularly check for site navigation changes and infection notifications.
- Don’t ever email your passwords along with your usernames. If you must share passwords electronically, consider using a privately shared and secured text document, such as one in Dropbox or Google Docs. If you must email them, consider emailing passwords and usernames separately.
- If you work over a public Wi-Fi connection, like at a cafe, consider getting a VPN (Virtual Private Network) to protect your information.