Having your WordPress site hacked is one of the biggest nightmares for any website owner.
From one moment to the next, your site is shut down. Traffic plummets and all the energy, effort, time, and money you put into your site is on the brink of being lost entirely.
Finding and fixing the problem is hard work, however, not as hard as winning back your audience’s trust or getting your site off spam blacklists.
While getting hacked is never pleasant, it is much more common than you would think.
The ascent of WordPress has painted a large bullseye on the back of the CMS and turned it into a favorite target for hackers.
In 2012 alone, more than 170,000 WordPress websites were hacked — a number that is likely much higher by now.
To spare you this unpleasant experience, in this article we will look at the reasons hackers target WordPress websites, the most common ways they gain access and what measures you can take to protect yourself.
This is compulsory reading for any WordPress website owner, so take notice!
Why Would Anyone Want To Hack Your WordPress Site?
Especially owners of smaller websites often think themselves an unlikely target for hackers.
After all, why would anyone care about your tiny blog? What could hackers possibly have to gain from compromising it?
However, when it comes to being hacked, traffic size, or popularity are not the deciding factors.
Hacking Attempts Are A Matter Of Opportunity
The first thing you need to understand is that it’s not about your site in particular or you personally. Most sites get hacked merely because it’s possible.
Only in rare cases do hackers have a specific reason to go for a particular site. However, that’s mostly true for large corporations like Sony.
For mere mortals like us, most of the time hackers go for our sites because we give them an opening, unknowingly as it may be.
Therefore, it’s not about logic or whether it makes sense to hack your site. No matter how small or insignificant your traffic, you are always a viable target.
Most Hacking Attacks Are Automated
One of the main reasons hackers don’t differentiate between the sites of different sizes is that attacks are almost always done automatically.
If you think someone typed your site address into a browser bar and had a good snoop around til they found something, you’d be dead wrong. This type of approach would be completely uneconomic from a hacker’s point of view.
Instead, just like search engines, hackers use bots to crawl the net. However, instead of indexing content, their bots sniff out known vulnerabilities. Automating the process allows hackers to attack many sites at once and thus increase their odds of success dramatically. Economies of scale at its best.
Thus, if your site gets hacked, it’s probably because it popped up on the radar of an automated script, not because someone consciously decided to target you.
What’s In It for Them?
Still, the question remains: Why would anyone put in that effort? What do they get out of it?
Naturally, if you are running a web shop that processes a lot of financial information like credit card numbers, that would be a sensible target for hackers.
However, if your site does not contain any government secrets or other people’s banking info, why would they be interested in your site?
Well, even in those cases, hacking your site could benefit individuals with bad intentions in different ways:
- Drive-by-downloads — Hackers can use your site to infect your visitors’ computers with malware like back doors, key trackers, ransomware, viruses, or other malicious software in order to capture information they can use for their own gain.
- Redirections — Sometimes hackers will redirect visitors from your site to other websites that generate affiliate income for them.
- System resources — Another possibility is that they take over your server and use the hardware for sending out spam emails, performing denial of service or brute force attacks and more. Of course, this will easily get your server — and your site — put on a blacklist or jack up your hosting cost if it is based on usage.
As you can see, your site is interesting to hackers no matter of its size or popularity. Therefore, every website owner is a potential victim.
How Do WordPress Websites Get Hacked?
Now that we know why people try to hack WordPress websites, let’s look at the most common ways they succeed in doing so.
According to an infographic by WP Template, these are the most common points of entry into WordPress websites:
- 41% get hacked through vulnerabilities in their hosting platform
- 29% by means of an insecure theme
- 22% via a vulnerable plugin
- 8% because of weak passwords
As you can see, the first point of entry is most often the hosting provider.
That doesn’t necessarily mean your site has been targeted directly. It is also possible that another site in a shared hosting environment got hacked and took the others down in the process.
What’s alarming is that more than half of all successful hacks come through WordPress themes and plugins. This part, therefore, deserves special attention and we will talk about it in further detail below.
The rest of the sites suffer from insufficient password protection, making them vulnerable to brute force attacks.
While eight percent doesn’t seem like a lot, be aware that we are talking about hundreds of thousands of websites here. Even if only a small percentage of them has weak login information, that number still comes down to thousands of vulnerable sites.
Alright, now that we know what makes WordPress vulnerable, what can we do about it?
How To Keep Your Site Safe
WordPress security is all about proactivity. You know what they say, an ounce of prevention is worth a pound of cure, especially on the web.
Based on the information above, here are some of the most effective ways to keep your WordPress website from being hacked.
Choose A High-Quality Hosting Provider
One thing that should be clear from the statistics is that the quality of your hosting provider has a large impact on the security of your site.
Therefore, choosing a reputable provider that puts a premium on security should be on the top of your list of measures to keep your site from being hacked.
Besides supporting the latest versions of PHP and MySQL, that means they should at least perform regular scans for malware and daily backups.
(The latter really saved my bacon once, I can only stress this point!)
For us as WordPress users, it’s also a good idea to go with a hosting provider that is specialized in running sites based on the platform and offers a WordPress-optimized environment as well as knowledgeable staff.
You can find a test of leading WordPress hosting companies here.
Also, if you can, stay away from pure shared hosting solutions to avoid “bad neighbor” problems such as the one mentioned above.
Perform Regular Backups
Even though the steps mentioned on this list will seriously harden your site’s security, there is no 100 percent guarantee it won’t get hacked anyway.
That’s not because WordPress is by default insecure (far from it) but because anything connected to the Internet is always somewhat at risk, no matter how small the level of threat might be.
Therefore, while it’s good to hope for the best, it’s also important to prepare for the worst and for website owners, that means backing up on a regular basis.
If you already have a quality host, they should take care of this part for you and also keep your site’s copy in a safe location.
For everyone else and those who want to be extra sure, implementing a reliable backup solution is a must and you have many to pick from:
- WordPress Backup to Dropbox
- BackupBuddy (paid)
- VaultPress (paid)
- CodeGuard (paid)
- BlogVault (paid)
Pick one and set it up now. I’ll wait. No seriously, go do it now.
Fortify Your Login
Besides the hosting environment, weak passwords and login information are also responsible for a good number of hacks.
This is especially true for brute force attacks in which hackers run a script that inputs random passwords and usernames until one fits.
As stupid as this sounds, it works! Look at last year’s worst passwords and you will understand why.
As a first line of defense, adhere to the following best practices for WordPress login information:
- Frequently change your passwords (seriously, put a reminder in your calendar now)
- Avoid using the admin username (which used to be the default in older WordPress versions and is therefore often targeted first)
- Create a strong password (either via an external service or the password strength meter included in WordPress)
- Oblige other users to do the same with Force Strong Passwords
- Store passwords in a secure place like LastPass
Apart from that, you can further up your login security with the following methods:
- Limit login attempts — Plugins like Login LockDown and Login Security Solution enable you to constrain the number of login attempts from a single IP address within a certain amount of time. Perfect for keeping brute force attacks at bay.
- Employ two-step authentication — Adds a second layer of security that can only be passed by means of your cell phone, social network account or else. Options include Duo Two-Factor Authentication, OpenID, and Clef.
- Hide your login page — Moving wp-admin and wp-login to non-standard addresses makes it harder for hackers to attack them. You can do so via Rename wp-login.php, HideLogin+ or Lockdown WP Admin.
WordPress login protected? Then let’s move on to other things.
Add SALTs To wp-config.php
WordPress security keys were introduced in WordPress 2.6.
They are random lines of characters that are used to encrypt information stored in user cookies, making them harder to crack and use against your site.
The keys go into your wp-config.php file where it says this:[crayon-599d1f2926a79643547496/]
Replace them with code from the WordPress SALT generator, it will end up looking something like that:[crayon-599d1f2926a86498681233/]
(Of course, don’t use these, generate your own!)
Set A Unique Table Prefix
You will know the WordPress table prefix from the 5-minute install.
By default, it is set to wp_, which is common knowledge also in hacker circles. For that reason, leaving it as is will make your site more vulnerable to SQL injections.
To further increase your security, it’s a good idea to change it to something random and impossible to guess like k5ns7ue03ia933_.
When you set up a new site, you can do this from the get-go. However, even with an existing site, it isn’t all that hard to change.
The easiest way to do so is using iThemes Security. The plugin can perform all necessary operations at the touch of button.
An alternative, yet more time consuming, way is to do it manually. In case you are unable to change the table prefix via plugin, use this guide to make the necessary changes.
Keep WordPress Up To Date
Updates do not only bring new WordPress features and code improvements but also address security issues of older versions.
That’s especially true for security updates whose only purpose is to fix this kind of thing.
According to WP WhiteSecurity, more than 70% of the top WordPress websites on the web showed some sort of vulnerability that was due to running an outdated version of WordPress.
For that and other reasons, it’s important that you keep up with the WordPress update cycle. It’s also why since WordPress 3.7, maintenance and security updates are being applied automatically.
It’s possible to enable automatic application for major releases as well, all it takes is to add the following line of code to wp-config.php:[crayon-599d1f2926a8d664283368/]
However, with major updates, the chance is higher that they will break your site. For that reason, you might want to stay with the standard setting but make a commitment to apply updates as soon as they come out.
Hide the WordPress Version Number
Talking about staying up to date: By default, WordPress adds a meta tag to your site’s head section that shows off which version of the CMS you are running.
Especially if your site is not up to date (though you should know better by now), this will help hackers uncover known vulnerabilities.
Below is a useful piece of code that stops WordPress from doing so:[crayon-599d1f2926a91902251764/]
Just add it to your functions.php file and you are done with it.
Maintain WordPress Themes and Plugins
As we have seen above, more than half of successful hacking attempts happen through vulnerable WordPress plugins and themes.
While that sounds dramatic, it’s no reason to doubt the WordPress ecosystem as a whole.
Even the best, most well-maintained plugins out there can have a security problem. Mistakes happen and are in most cases fixed before they become a huge problem.
Yet, to minimize the risk to your site, here are a few guidelines how to deal with plugins and themes:
- Eliminate what you can — To reduce the possibility of a vulnerability, get rid of every plugin and theme on your site that is not absolutely necessary. Oftentimes, you will be surprised at how many are just lingering around without actually fulfilling any function. It can also seriously speed up your site.
- Update regularly — Just like WordPress core, the components that make the cut should be kept up to date. That also means if a plugin hasn’t been updated by its author for longer than a year, you are probably better off looking for an alternative that is being actively maintained.
- Check before installing — Avoid installing plugins and themes from untrustworthy sources, especially free ones. When you do add components to your site, run them through Theme Check, Plugin Check, and the database for plugin vulnerabilities first.
There are also ways to update themes and plugins automatically, however, just like with core updates, I recommend performing them manually in order to avoid breaking your site without you knowing it.
Other Tactics To Keep Your WordPress Site From Being Hacked
Lastly, here are a number of smaller steps you can take to increase your website’s security level.
1. Set Correct File Permissions
If the file permissions on your server aren’t set up right, third parties might have an easier time corrupting them. The permissions should be set as follows:
- 755 or 750 for all directories
- 644 or 640 for files
- 600 for wp-config.php
2. Disable The Plugin and Theme Editor
The internal WordPress editor enables users to make changes to files right from the backend.
While this can come in handy, it also means that if someone gets access to your site, they can use this feature to take it down in no time.
For that reason, it might be a good idea to turn the editor off and exclusively work on files via FTP.
This, again, is a matter of adding code to wp-config.php:[crayon-599d1f2926a97509224447/]
3. Turn Off PHP Reporting
If a plugin or theme causes an error, the message that gets displayed can contain information about your directories and file system that hackers might use to compromise your system.
So, while you are at it, add the following to your crafty wp-config.php file to disable them:[crayon-599d1f2926a9b842052003/]
Think Your Site Has Been Compromised?
While there can be obvious signs that your site has been hacked, oftentimes you won’t notice at all.
If you have a suspicion that your website may be compromised or just want to make sure everything is in order, here are a few tools to check your site for malicious code and other issues:
- General — Unmask Parasites and Web Inspector can alarm you to various security issues.
- Viruses — Use the AntiVirus or WP Antivirus Site Protection plugin or VirusTotal web service.
- Spam — MX Toolbox can tell you whether your site has been included in more than a hundred email blacklists.
- Malware — The free Sucuri Website Malware Scanner checks for malicious code and other security problems.
If you find that your site has indeed been compromised, this detailed guide will help your recover it.
In Short: Be Proactive
Having your WordPress website hacked or compromised is a horror that few site owners want to experience or won’t soon forget if they already have.
Recovering from a full-blown successful hack takes a lot of energy, nerves and often money.
However, security issues are part of the reality of running a website and precaution is better than dealing with the aftermath.
Thankfully, WordPress itself is generally very safe. Most of the time the point of entry for hackers are the hosting environment, vulnerable plugins and themes as well as weak login information.
Following the advice the list above will help you address the most common issues and make your site a lot less vulnerable.
Many of the measures mentioned here are also part of all-in-one security solutions that you might want to check out:
If you do get hacked, it’s best to stay calm and work towards a solution than freaking out and doing something rash.
With a backup plan in place, you are well prepared to get back to normal and bounce back quickly.
Have you had an experience with a compromised site? How did you solve it? Let us know in the comments section below!
The post How WordPress Sites Get Hacked (And What to Do About It) appeared first on Torque.