WordPress is one of the most popular platforms around for websites. It might be the most popular platform used for websites. For those of us building websites, this makes WordPress a great opportunity. We have access to a number of plug-ins, themes, and customizations that allow us to do almost anything web related with WordPress. Unfortunately, this also means that WordPress is a great target for hackers, digital grifters, and others trying to access our sites, steal our data, and hijack our digital homes. Thankfully, with some easy practices, we can keep our risk low and our security high. These WordPress security practices are generally easy and effective.
Understanding WordPress Security – Tactics Used by WordPress Hackers
It might help to understand how many WordPress security hacks occur. Most WordPress site hackers aren’t evil hackers from a foreign nation. In fact, many WordPress hacks start without a human being directly involved.
WordPress hackers know the weak points of most sites and they write scripts that essentially go around the internet trying different sites until they are able to get into one. They try common weaknesses until they can log into a site and then they start their mischief. If they can’t get in, they keep going until they find a site to get into.
Of course, these scripts, which are basically programs, aren’t the only way that bad guys will hack your WordPress site, but they are a common one. Here are some other methods commonly used when a WordPress site gets hacked:
- Plug-In Vulnerabilities – Plugins and themes are being updated all the time for new features and added benefits. Unfortunately, all this change also sometimes leads to accidental security flaws. Hackers test for these and exploit them. This was recently an issue with a popular builder.
- Bad Passwords – This is probably one of the biggest risks. We all do this: using the same password for multiple sites and choosing easy to remember passwords. Unfortunately, this also makes it easy for hackers to use software to guess our passwords, especially when many passwords have already been stolen from other sites and sold on the dark web. For example, in one breach alone, over 2.2 billion passwords were stolen.
- Easy to Remember Logins – Even developers are bad about this. Site owners and developers will use usernames that are common or easy to guess like “admin” or “administrator”, “developer” or the URL of the site.
These aren’t the only means, but they are common ones. Hackers know this and their scripts wander around the internet trying random usernames and passwords until they get in. Then they wreak havoc, sometimes without your knowledge.
Why Hackers Hack Your WordPress Site
Now that we’ve talked about ways they can get into your site, the next question is why they do it. The answer is that it varies but it’s usually one of a few reasons. Some are obvious but others are a little more difficult to figure out until someone calls you and says “hey, Google thinks your site was hacked” and your search engine results tank. Let’s take a look at some common reasons so you can know why this happens and how to recognize it.
- Bragging Rights – This is one of the easiest to figure out. One day you go to look at your site and there’s a splash page up that looks like something out of a Netflix documentary telling you that you’ve been hacked by so and so. So and so is usually some eerie sounding hacker pseudonym using symbols instead of letters. There ya go, you’ve been hacked, easy to find. Not always easy to fix. They want to sit back in their mom’s basement and brag that they hacked some poor person’s site.
- Malice – Sadly some people are just mean. They like to run fast and break things. This is often when you try to visit your site and you may get a 500 error (which is a server error) or just a blank page because they’ve deleted files, corrupted your database, or otherwise just broken your website. This stinks.
- To Build a Marketing Machine – This is common. The good news is that it usually doesn’t break your site but it can cause some weird and embarrassing things to happen. Hackers want good SEO too. They need backlinks just like the rest of us. The difference is that they don’t mind stealing them. They have your site and may put invisible links on your site to pornography, drugs, child trafficking sites, BitCoin, or other questionable material. Sometimes they’re not hidden. One hacked site we fixed was a furniture store with random ads for drugs and pornography on it. That was embarrassing for them.
- Steal Computing Power – Compared to other computers, many website hosts aren’t all that powerful (they don’t need to be) but when you’re getting free computing power, they don’t need to be. In this case, they will hack a WordPress site to use the site for BitCoin mining, do more hacking, etc.
Just like with the ways they hack, these aren’t the only reasons. Hackers break into sites for any number of reasons. These are common ones. They give you an idea of what you might see.
Practices to Keep Your WordPress Site Secure
When it comes to hacking and your WordPress site, the best thing you can do is not get hacked. Fixing a hacked WordPress site can be done but it’s often expensive and you can’t always recover everything. So, best to avoid it.
The goal in protecting your WordPress site from hacking is to be a harder target than the next site. We have not had any WordPress sites get hacked using these measures. The good news is that most of them are free!
Good Password Discipline
First and foremost, follow good practice with passwords. That is probably one of the best things you can do to protect any online account. Of course in a day and age where you have 104 different passwords (sometimes more than one for the same account) that can be easier said than done. The good news is that there is an easy solution.
Before the solution, let’s look at best practices:
- Use a unique password for each site
- Make the password difficult to guess with special characters (for example exclamation points, question marks, tildes, etc.). Mix up capital and lowercase characters.
- Longer and more complex is better.
Sounds great right? “Make a password so complex even I can’t remember it.” You’ll have the safest site around. Even you can’t get into it! No, that’s not the right strategy.
We recommend using a password keeper like LastPass. LastPass will help you create, store and track your passwords and then share them on all your devices. They have apps and browser extensions for all the major devices and browsers. It will fill in user names and passwords automatically. The free account has a lot of functionality to help protect you. For the price (free) it’s a security lifesaver.
Limit Administrator Accounts
Your biggest risks are accounts that allow someone to make major changes to your site. These are the ones you really need to secure, or, better, not have. These include WordPress administrator accounts, C-Panel and hosting accounts, and File Transfer Protocol (FTP) accounts. With these, users can make changes to your site and its files.
The first step is to eliminate any accounts you don’t need. If you had to create that administrator account for a developer in 2010, delete it now. Same with new developer accounts: delete them when the developer has finished their work.
If you use outside writers or Virtual Assistants (VAs) don’t give them more access than they need. You can post content with an author or editor account. It’s not just about trust for those working for you. It’s about protecting their accounts from being hacked.
You need one administrator account but ask yourself if you need more than one.
Avoid Common Administrator Usernames
For the administrator accounts you do have, don’t use common or easy to guess usernames. Avoid “admin”, “administrator”, or any variant on your URL. Avoid using emails that are published on your site. Hackers scan for these and try them.
Simply don’t use these. In fact, if you are using Wordfence, in the brute force settings, don’t allow someone trying these to log in at all. Done.
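One way to check your own administrator accounts against the advice above, as an added example that is not part of the original article. It assumes a CSV export of users with the columns user_login, user_email and roles (the shape WP-CLI's `wp user list --format=csv` can produce); the site address, accounts and email addresses are constructed.

```python
import csv
import io
import re

# Names the article calls out as easy to guess.
COMMON_NAMES = {"admin", "administrator", "developer"}


def url_variants(site_url):
    """Usernames derived from the site address, e.g. 'examplefurniture'."""
    host = re.sub(r"^https?://", "", site_url.lower()).split("/")[0]
    if host.startswith("www."):
        host = host[4:]
    return {host, host.split(".")[0], host.replace(".", "")}


def audit_admins(users_csv, site_url, published_emails=()):
    """Return (findings, admin_count) for CSV columns user_login,user_email,roles."""
    guessable = COMMON_NAMES | url_variants(site_url)
    published = {e.lower() for e in published_emails}
    findings, admins = [], 0
    for row in csv.DictReader(io.StringIO(users_csv)):
        if "administrator" not in row["roles"].split(","):
            continue                      # authors and editors are out of scope
        admins += 1
        login, email = row["user_login"].lower(), row["user_email"].lower()
        if login in guessable:
            findings.append((row["user_login"], "guessable username"))
        if login in published or email in published:
            findings.append((row["user_login"], "login or email is published on the site"))
    if admins > 1:
        findings.append(("*", f"{admins} administrator accounts: confirm each is still needed"))
    return findings, admins


# Constructed sample data; the domain and accounts are made up.
SAMPLE_USERS = """user_login,user_email,roles
admin,owner@examplefurniture.test,administrator
examplefurniture,dev2010@agency.test,administrator
k7-marta,marta@examplefurniture.test,administrator
guest-writer,writer@freelance.test,author
"""

if __name__ == "__main__":
    found, count = audit_admins(SAMPLE_USERS, "https://www.examplefurniture.test/",
                                published_emails=["owner@examplefurniture.test"])
    for login, problem in found:
        print(f"{login}: {problem}")
```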
Software to Protect Your WordPress Site
There are a number of good WordPress security plug-ins available. We recommend Wordfence. While its paid version has a lot of great options, we find that the free option does the job for most sites, and…it’s free.
Even if you decide to go with something other than Wordfence, use something. These are plug-ins worth having. Having your WordPress site hacked is a nightmare. Even if you don’t lose any data, which can happen, you will likely have to pay a developer to fix it and it may be down for a while. If Google figures it out, it can hurt your SEO. It’s better just to avoid it.
A few quick things to make sure are set up on your WordPress security plugin:
- File and Database Scanning – Most of them will scan your database and files for common signs of hacking. Set this up, let it run automatically, and check the periodic reports.
- Brute Force Protection – Turn on options that lock out users after too many login attempts and password reset attempts. These are common signs of attack.
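The lockout behaviour described above, combined with the earlier advice to refuse guessable administrator usernames outright, sketched as an added example. This is not Wordfence's code or the article's; the thresholds, the username list and the login events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; a security plugin exposes its own settings for these.
MAX_FAILURES = 5                      # failed logins allowed per window
WINDOW = timedelta(minutes=10)        # how far back failures are counted
LOCKOUT = timedelta(hours=1)          # how long an address stays blocked
BLOCKED_USERNAMES = {"admin", "administrator", "developer"}  # assumed unused on this site


class LoginGuard:
    """Tracks failed logins per client address and decides when to lock out."""

    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lockout ends

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, now) > now

    def record(self, ip, username, success, now):
        """Return 'locked', 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.is_locked(ip, now):
            return "locked"
        if username.lower() in BLOCKED_USERNAMES:
            # No real account uses these names, so a single try is enough to block.
            self.locked_until[ip] = now + LOCKOUT
            return "blocked"
        if success:
            self.failures.pop(ip, None)
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW:
            recent.popleft()                 # drop failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT
            return "locked"
        return "failed"


def replay(events):
    """Run constructed (ip, username, success, seconds_offset) events through a guard."""
    guard, start = LoginGuard(), datetime(2024, 1, 1, 3, 0, 0)
    return [guard.record(ip, user, ok, start + timedelta(seconds=s))
            for ip, user, ok, s in events]


# Constructed sample: a guessing script, an editor who mistypes once, a probe for "Admin".
SAMPLE = [("203.0.113.7", "siteowner", False, i * 5) for i in range(6)] + [
    ("198.51.100.4", "jane-editor", False, 0),
    ("198.51.100.4", "jane-editor", True, 20),
    ("192.0.2.9", "Admin", False, 30),
    ("192.0.2.9", "jane-editor", True, 40),
]
```

Calling replay(SAMPLE) shows the script locked out on its fifth failure, the editor unaffected by one typo, and the "Admin" probe blocked on the first try.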
A Good Backup Strategy
While not truly security for your WordPress site, having a good backup strategy will protect you both if you are ever hacked and if you ever have some sort of plugin or theme issue. We recommend Updraft Plus.
A good backup strategy means that you can save copies of your site. If you do it regularly and with enough time in between copies, you can recover where your site was before the hacking without having to pay a developer. Of course, you’ll lose any data in the meantime. For most blogs and other content sites, this isn’t a big deal. However, for a reasonably busy store, you could lose a week or two worth of sales, so you might want to make more frequent backups and keep more of them.
Updraft Plus has a very capable free version that will schedule backups and keep the copies on your server. You can download copies if you need them. If you’re on a tight budget, this is a great option. However, if you can swing a few dollars, it’s worth paying for the paid version.
The paid version of Updraft Plus has some great options. The biggest ones we care about here include:
Store Backups Offsite
If you ever get hacked and have backups on your server, crafty hackers could corrupt or delete your backups. Once they get in, your files are their playground. Backup files are usually just zip files. Once the bad guys are in, corrupting your files is as easy as deleting, adding files or modifying files.
We have also seen cases where the hosting company is either not making copies they committed to or they are keeping the backups on the server. If the server crashes, your backup files will disappear along with your main files.
No one cares about your site more than you do. It’s easy enough. Control your own destiny. Make regular backups.
The paid version of Updraft Plus will let you store your backups off of your server in places like Amazon Web Services, Dropbox, OneDrive and Google Drive.
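To catch the deleting, adding or modifying of backup files described above, you can record a checksum of every backup archive when it is made, keep that record offsite, and compare before you restore. The following is an added example, not part of Updraft Plus or the original article; the file names and the temporary folder are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(backup_dir):
    """Map each backup archive name to its SHA-256; store the result offsite."""
    return {p.name: sha256_file(p) for p in sorted(Path(backup_dir).glob("*.zip"))}


def verify_backups(backup_dir, manifest):
    """Compare the archives on disk with a manifest recorded when they were made."""
    current = build_manifest(backup_dir)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(n for n in manifest.keys() & current.keys()
                           if manifest[n] != current[n]),
    }


def demo():
    """Constructed scenario: three archives, then one deleted, one altered, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name in ("site-week1.zip", "site-week2.zip", "site-week3.zip"):
            (d / name).write_bytes(b"PK constructed archive " + name.encode())
        manifest = json.loads(json.dumps(build_manifest(d)))  # as if reloaded from offsite
        (d / "site-week1.zip").unlink()
        with open(d / "site-week2.zip", "ab") as fh:
            fh.write(b"injected bytes")
        (d / "site-week9.zip").write_bytes(b"PK planted archive")
        return verify_backups(d, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any archive listed as missing, unexpected or modified should not be trusted for a restore until you know why it changed.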
Scheduled Backups
The free version of Updraft Plus will let you make regular backups but with the paid version, you can schedule when you want the backup taken. For example, you could schedule it in the middle of the night so there is less load on your server and it’s less likely to slow your site down. Not required but a nice touch.
There are a lot of other features but these are the big ones for us here. We recommend taking complete backups of your WordPress site files and database every week or two and keeping two to three copies offsite.
For sites that change a lot such as an e-commerce store, you might consider more frequent backups, or stick with that strategy but take differential backups in between. A differential backup saves just the changes so it’s faster and you can still go back to the main backup if you need it.
The big message here is to keep backups going back further in case it takes you a while to figure out any issues. These hackers can be crafty and you may not realize right away that you’ve been hacked. You don’t want to restore your backup only to realize that you’ve just copied hacked files back onto your site because the hacked files were backed up.
Keep Your Site Up to Date
WordPress themes and plug-ins are regularly updated. Even the core WordPress is updated a few times per year. The updates are often done to add features or address bugs. Sometimes, the theme and plugin authors are trying to address security holes that hackers can use to get into your site.
In general, it’s a good practice to keep WordPress updated along with its themes and plug-ins. Unfortunately, sometimes the updates cause their own problems. So while security dictates keeping them updated, ensuring your site is working is important too. There are a lot of strategies and philosophies for updating your site. Here is one we have found effective.
Once a month, do the following:
- Back up your site
- Update your plug-ins, themes and core files
- Test your site thoroughly
- If there are any issues, restore from the backup
- Consider making a copy of your site and testing updates to figure out where the issue is
Most of the time, on most sites, updates will go fine. Periodically there is a change that causes an issue and you need to figure out what you can do about it. The more complex the site the more likely it is to be a problem.
Holding off on updates can have its own problems too, besides security issues. If you wait too long, you are more likely to have issues when you finally update and they will be harder to fix.
Pick a Good Host
Hosting is where the files and database for your site live. A good host is important for WordPress security, speed, and peace of mind. Unfortunately, there are a bunch of hosts out there and more are focused on marketing than on performance.
A good host will keep their servers up to date, will regularly scan for viruses and will even periodically warn you about real or potential issues with your site.
We generally recommend Siteground. They’re not the only great host out there but they have good prices, good performance, and good support. We would stay away from Bluetooth, Hostgator, and GoDaddy (for hosting, no issue with keeping your domain registered there). They do not generally have good performance or support. If you’re a bit more technical, another great host is WP Engine.
A good host is worth the investment, which doesn’t have to be much.
Fixing a Hacked WordPress Site
Unfortunately, there isn’t much of a tutorial to give on fixing a hacked site. It will usually take a developer or specific service. Each hacking is a bit different but the developer will likely need access to your files and maybe your database. To help make this a bit easier, we have assembled some things for you to check out and to tell a developer. We have also assembled a brief interview guide for talking to a potential developer.
Things to Know Before Contacting a Developer
Why Do You Think You Have Been Hacked?
Does it show up in your Google Search results? Are you seeing odd links or ads that you didn’t create? Do you have a giant splash page with a creepy looking avatar? These will all help pinpoint the problem and confirm that you were actually hacked and something else isn’t going on.
Can you access your login and your admin dashboard?
It’s often easier to find and fix the issue if you can log into your site. For this reason, hackers often block this option.
Can you access your C-Panel/hosting?
The developer will likely need to access your hosting or C-Panel. You may as well make sure you know how to access it.
Do you have any recent backups from before you were hacked?
If you have a recent backup from before you were hacked, especially if nothing has changed on your site since the backup, it might be cheaper just to restore the backup. If nothing else, you want to take inventory of what you have in case
Interviewing a Developer
When you are interviewing a developer it’s a good idea to get some information from them first. Fixing a hacked WordPress site isn’t always easy and you don’t want someone learning to do it on your site.
Here are some questions to ask:
- Have you ever done this before?
- How did you fix the last hacked WordPress site that you fixed?
- How long does it normally take you to fix a hacked site?
- Can you get my site back to exactly where it was before the hacking?
- How long will it take?
There isn’t necessarily a right answer to any of these questions. You want to judge the quality of their communication and their experience. You might also ask for some referrals.
Asking whether they can return your site to exactly how it was before the hacking is a bit of a trick question but you want to see how they respond. The truth is, it’s difficult to answer without seeing your site. Quite likely the answer is yes but it’s hard to know until they can see how big a problem you have. If they answer yes right away, be careful. They may not be able to answer that question.
An Added Bonus Suggestion for WordPress Security
One last suggestion before we close out. It’s not truly a WordPress security suggestion but it’s a good security suggestion in general.
As you get more accounts, services, sites, etc you will collect a lot of passwords. Don’t set them all the same. If it’s not your WordPress site (with these recommendations you can probably avoid that) it will probably be a site whose security you can’t control like a bank, credit reporting company, vendor, etc. It’s easiest to assume your information will be stolen at some point and that includes passwords.
It’s a nightmare keeping track of all those, especially when we all have multiple devices. The best solution we have found for that is LastPass which lets you store passwords, logins, account numbers, etc and it encrypts them and gives you access on most of your devices. The best news is that they have a very capable free account so you don’t necessarily have to pay for anything (though the paid account has some cool features). This lets you share passwords securely across all your devices and browsers without using your dog’s name and kids’ birthdays on all your passwords.
Security is important for every business and website. Your WordPress site is no different. The good news is that by using our recommendations you can significantly reduce the chances of someone hacking your WordPress site and keep your site secure. They’re easy, largely free, and take very little setup. Then you can go back to working on your site.