As I write this post, the Wordfence website (see Firewall Plugins below) reports that their WordPress plugin has blocked almost 3.9 MILLION attacks on WordPress sites in the last 30 days. And Wordfence is only one of many plugins that do the same thing.
WordPress runs more than a third of all websites on the Internet and a good few behind closed doors. As such it is right in the cross-hairs of the hacking fraternity. I should say at this point, that WordPress isn’t the only target; whatever the platform, someone out there will try to break it.
When someone takes control of your site, they can use it for all manner of malicious purposes; this can be anything from changing your homepage to brag about how clever they are, to running hidden scripts which use your server as a spam email relay, or as part of a worldwide denial of service attack. And if you’re running an eCommerce site, the hacker may well gain access to all of your customer and order details, which could mean an investigation by the ICO and a huge fine.
You may be lucky and the results of a hack are easily fixable, but often these things can take days to sort out and secure properly. This can be expensive and embarrassing and could lose you the trust of your clients.
So what can be done?
Because WordPress is modular, there are lots of potential security holes to keep an eye on. And the more plugins you add, the more potential holes there are. The latest versions of the WordPress core will update automatically, but your themes and plugins need updating manually and can very quickly become outdated and insecure.
You should be checking and updating on a very regular basis, or opt for managed WordPress hosting, where this should be done for you. There are certain situations where updating a theme or plugin can ‘break’ the site, so it’s always best to take a backup first.
When selecting themes and plugins, check that they have been around for a while, have a good number of users, a good support structure and come from a reputable source. Never download from a dodgy-looking site; you can almost 100% guarantee that someone will have injected some malicious code. You get what you pay for in the WordPress world, and it really is worth paying for a theme or plugin if needs be: the freebies are often unsupported and aren’t kept up-to-date for very long.
If you’re not on a Managed Hosting account, or you don’t pay your host extra for backups, you’ll need to take your own and keep them somewhere safe, away from the website server. There are a number of plugins available to do this; they are often tricky to set up and may or may not work with your host’s server. Ask us if you get stuck, we’re always happy to help.
Choose the right host. A good hosting company puts extra security measures in place; continuous monitoring, tools to prevent against large scale attacks, regular server software and hardware updates and disaster recovery plans should anything major occur.
It takes relatively few people to access a website at the same time to slow loading times down. If someone deliberately tries to overload a site to stop people accessing it, this is called a Denial of Service attack.
Cloudflare, which has a totally free tier, can negate this, acting as a middleman and stepping in to stop a direct attack on your server. But this is only a tiny part of their service. If your WordPress site needs an SSL certificate, you can enable a free certificate within your account there and use a simple plugin to move your site over to https:// traffic … your visitors will feel safer and, more importantly, your search ranking won’t take a hit; Google are hinting that non https:// sites may be ranked lower in future – See here for our article on applying an SSL certificate to your WordPress site. Cloudflare will even cache your pages to speed up your site if you like. And there are loads more free/paid services available, visit their site and take a look.
If you need help setting this all up, give us a shout.
The most basic hack attempts use dictionaries alongside stolen user names and passwords, trying every possible combination until one works. If you use admin and password123 to log in, you’ll be hacked within hours of your site going live; we’ve even seen hacking attempts on sites that we’ve only just started setting up. As soon as a domain name points to a live site, it is open to attack.
So, NEVER use something like admin as a username; choose something difficult to guess, it needn’t be complicated. Passwords should be at least 12 characters long, made up of a combination of upper and lowercase letters, numbers and special characters.
If you’re going to be publishing blog posts, make sure you go into your user settings and change your nickname to something other than your WordPress username, because your nickname is published alongside posts.
Finally, always log out of your session when you’re finished and encourage other users to do so too – you can do this automatically with a plugin, there are lots to choose from.
There are a number of very good security plugins available, each has a varying set of features. Some will work out-of-the-box with your server setup, some will need the default settings tweaked and some just won’t play nicely at all.
We recommend Wordfence or Sucuri, both have free versions. Wordfence is our favourite but we will opt for an alternative if needs be. The free version is packed with excellent features; it has a strong firewall, a security scanner and a connection to a database of known hacker addresses that will be automatically blocked by default. It will automatically block log-in attempts by unknown user names, block anyone that fails to log in more than a set number of times, keep an eye on core files being changed and so on. You can even set up two-factor authentication for an added layer of security.
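To show what the “block anyone that fails to log in more than a set number of times” rule is actually looking for, here is an added example (not code from the post, Wordfence or Sucuri) that scans web-server access log lines for repeated failed WordPress logins from one address. It assumes the usual combined log format and the default WordPress behaviour that a failed login re-renders wp-login.php with HTTP 200 while a successful one redirects with 302; the log lines and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (combined log format). 203.0.113.7 hammers the login form;
# 198.51.100.20 is a real user who mistypes once and then logs in (302 redirect).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:09:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:09:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:09:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.25"
198.51.100.20 - - [10/Mar/2021:09:20:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2021:09:20:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
LOGIN_PATH = "/wp-login.php"  # change this if you have moved the login URL


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a line we cannot parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?")[0], int(status)


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: failed_attempts} for addresses with >= threshold failed logins
    inside any sliding window of the given length (assumed defaults, not Wordfence's)."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        # Assumption: POST to wp-login.php answered with 200 = form shown again = failure.
        if method != "POST" or path != LOGIN_PATH or status != 200:
            continue
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 5 minutes, candidate for blocking")
```

The same counting is what a lockout plugin does in real time; running it over yesterday’s logs is a quick way to see how much of this traffic your site already attracts.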
Both Wordfence and Sucuri can be quite tricky to set up. If you prefer a simpler approach (with less security), try the security settings that come as part of the Jetpack plugin, which also has some other excellent features and is developed by the same people that develop WordPress.
The login page is a first port of call for lazy hackers. As mentioned above, they’ll use the ‘brute force’ user/password combination method to try and log in. If you change the login URL, you make their job harder. You can do this in a number of ways; the easiest is to use the WPS Hide Login plugin. Just remember to make a note of the new URL!
All of the above can be achieved fairly simply. There are a few more things that can be locked-down by editing WordPress core files, we’ll deal with them in a later post, but by addressing everything I’ve covered so far you will have taken big steps to secure your site.
If you need help with anything mentioned, or would like to talk to us about Managed Hosting which would pass all these things over to us, please complete the form on the Contact Us page.