As I write this post, the Wordfence website (see Firewall Plugins below) reports that their WordPress plugin has blocked almost 3.9 MILLION attacks on WordPress sites in the last 30 days. And Wordfence is only one of many plugins that do the same thing.
WordPress runs more than a third of all websites on the Internet and a good few behind closed doors. As such it is right in the cross-hairs of the hacking fraternity. I should say at this point, that WordPress isn’t the only target; whatever the platform, someone out there will try to break it.
When someone takes control of your site, they can use it for all manner of malicious purposes; this can be anything from changing your homepage to brag about how clever they are, to running hidden scripts which use your server as a spam email relay, to host phishing pages, or as one node in a distributed denial of service (DDoS) attack against someone else. And if you're running an eCommerce site, the hacker may well gain access to all of your customer and order details, which could mean an investigation by the ICO and a huge fine.
You may be lucky and the results of a hack are easily fixable, but often these things can take days to sort out and secure properly. This can be expensive and embarrassing and could lose you the trust of your clients.
So what can be done?
Because WordPress is modular, there are lots of potential security holes to keep an eye on, and the more plugins you add, the more potential holes there are. By default the WordPress core installs minor and security releases automatically, but unless you have turned on auto-updates for them, your themes and plugins need updating manually and can very quickly become outdated and insecure.
You should be checking and updating on a very regular basis, or opt for managed WordPress hosting, where this should be done for you. There are certain situations where updating a theme or plugin can 'break' the site, so always take a backup first (and, if you have one, try the update on a staging copy before touching the live site).
When selecting themes and plugins, check that they have been around for a while, have a good number of users, a good support structure and come from a reputable source. Never download from a dodgy looking site: 'nulled' (pirated) copies of premium themes and plugins are a well-known way of distributing backdoors, and the code you install runs with full access to your site and database. You get what you pay for in the WordPress world; it really is worth paying for a theme or plugin if needs be, as the freebies are often unsupported and aren't kept up-to-date for very long.
If you're not on a Managed Hosting account, or you don't pay your host extra for backups, you'll need to take your own and keep them somewhere safe, away from the website server (a backup that lives next to the site is lost in the same breach or disk failure). There are a number of plugins available to do this; they are often tricky to set up and may or may not work with your host's server. Ask us if you get stuck, we're always happy to help.
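The update-and-backup routine described above, as an added example that is not part of the original post: a small POSIX shell script built on WP-CLI (the `wp` command-line tool for WordPress). It takes a database dump and an archive of wp-content before anything is updated, lists what is out of date, applies the updates and then checks the core files against the official checksums. The paths in `SITE_DIR` and `BACKUP_DIR` are assumptions for the example; set them to your own site and to a directory outside the web root.

```shell
#!/bin/sh
# Added example (not from the post): back up first, then update, with WP-CLI.
# Assumes: "wp" is installed, the site lives in $SITE_DIR and $BACKUP_DIR is
# OUTSIDE the web root. Both paths are placeholders, not values from the post.
set -eu

SITE_DIR="${SITE_DIR:-/var/www/example.com}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"

# backup_name SITE_DIR STAMP -> "<site folder>-<stamp>", used for both files.
backup_name() {
    printf '%s-%s\n' "$(basename "$1")" "$2"
}

# Dump the database and archive wp-content (themes, plugins, uploads) before
# touching anything, so a broken update can be rolled back.
backup_site() {
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    name=$(backup_name "$SITE_DIR" "$stamp")
    mkdir -p "$BACKUP_DIR"
    wp --path="$SITE_DIR" db export "$BACKUP_DIR/$name.sql"
    tar -czf "$BACKUP_DIR/$name-wp-content.tgz" -C "$SITE_DIR" wp-content
    echo "$BACKUP_DIR/$name"
}

# Report what is out of date without changing anything.
list_outdated() {
    wp --path="$SITE_DIR" core check-update
    wp --path="$SITE_DIR" plugin list --update=available
    wp --path="$SITE_DIR" theme list --update=available
}

# Apply all updates, run any pending database migration, then confirm the
# core files match the checksums published for that WordPress version.
update_site() {
    wp --path="$SITE_DIR" core update
    wp --path="$SITE_DIR" core update-db
    wp --path="$SITE_DIR" plugin update --all
    wp --path="$SITE_DIR" theme update --all
    wp --path="$SITE_DIR" core verify-checksums
}

# The whole procedure only runs when invoked as "./wp-safe-update.sh run";
# sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    backup_site
    list_outdated
    update_site
fi
```

Copy the two backup files off the server afterwards (rsync or rclone to another machine or a storage bucket) so they survive if the server itself is compromised. `wp core verify-checksums` is also a quick way to spot core files that someone has tampered with, which is worth running on its own from time to time.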
Choose the right host. A good hosting company puts extra security measures in place: continuous monitoring, tools to absorb or mitigate large scale attacks, regular server software and hardware updates, and disaster recovery plans should anything major occur.
It takes relatively few people accessing a website at the same time to slow loading times down. If someone deliberately tries to overload a site to stop people accessing it, this is called a Denial of Service (DoS) attack; when the traffic comes from thousands of hijacked machines at once it is a Distributed Denial of Service (DDoS) attack.
Cloudflare, which has a totally free tier, can mitigate this, acting as a middleman that absorbs the flood and only passes legitimate traffic on to your server (as long as your server's real IP address isn't exposed elsewhere, for example in a DNS record that bypasses Cloudflare). But this is only a tiny part of their service. If your WordPress site needs an SSL/TLS certificate, you can enable a free certificate within your account there and use a simple plugin to move your site over to https:// traffic. One caveat: Cloudflare's 'Flexible' SSL mode only encrypts the leg between the visitor and Cloudflare and talks plain HTTP to your server, so pick 'Full (strict)' with a valid certificate on the server itself and the whole path is encrypted. Your visitors' traffic is then protected in transit and, more importantly, your search ranking won't take a hit: Google has used HTTPS as a ranking signal since 2014, and Chrome marks plain http:// pages as 'Not secure'. See here for our article on applying an SSL certificate to your WordPress site. Cloudflare will even cache your pages to speed up your site if you like. And there are loads more free/paid services available; visit their site and take a look.
If you need help setting this all up, give us a shout.
The most basic hack attempts are automated password guessing: bots run through dictionaries of common passwords, and lists of user names and passwords stolen from other sites' breaches, trying one combination after another against your login page until one works. If you use admin and password123 to log in, you'll be hacked within hours of your site going live; we've even seen hacking attempts on sites that we've only just started setting up. As soon as a domain name points to a live site, it is open to attack.
So, NEVER use something like admin as a username; choose something difficult to guess, it needn't be complicated. Bear in mind, though, that WordPress user names are not really secret (by default /?author=1 redirects to /author/your-username/ and the REST API lists the authors of published posts), so the password does the real work. Passwords should be at least 12 characters long, made up of a combination of upper and lowercase letters, numbers and symbols, and unique to this site; a password manager makes that painless.
If you're going to be publishing blog posts, go into your user profile, set a nickname and choose it as your 'Display name publicly as', so your WordPress username isn't printed alongside every post. This only changes the byline; the author archive URL still uses the user slug, which defaults to your login name unless you change it (for example with wp user update --user_nicename), which is another reason to rely on the password rather than on hiding the username.
Finally, always log out of your session when you're finished and encourage other users to do so too. You can do this automatically with an idle-logout plugin; there are lots to choose from.
There are a number of very good security plugins available, each has a varying set of features. Some will work out-of-the-box with your server setup, some will need the default settings tweaked and some just won’t play nicely at all.
We recommend Wordfence or Sucuri, both have free versions. Wordfence is our favourite but we will opt for an alternative if needs be. The free version is packed with excellent features: it has a strong firewall, a security scanner and a feed of IP addresses seen attacking other sites that are blocked by default. It will block log-in attempts that use non-existent user names, lock out anyone that fails to log in more than a set number of times, watch for changes to core files and so on. You can even set up two-factor authentication for an added layer of security, which is the single best protection against password guessing.
Both Wordfence and Sucuri can be quite tricky to set up. If you prefer a simpler approach (with less security), try the security settings that come as part of the Jetpack plugin, which also has some other excellent features and is developed by Automattic, the company behind WordPress.com and a major contributor to WordPress itself.
The login page is a first port of call for lazy hackers. As mentioned above, they'll use the 'brute force' user/password combination method to try and log in. If you change the login URL, you make their job harder. You can do this in a number of ways; the easiest is to use the WPS Hide Login plugin. Just remember to make a note of the new URL! Two caveats: this is obscurity rather than a lock, so a strong password and a lockout plugin are still needed, and xmlrpc.php (WordPress's older remote-publishing interface) still accepts username/password logins even when wp-login.php is hidden. If nothing you use needs it (Jetpack and the WordPress mobile apps do), disable it or block it at the firewall.
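To see what the brute-force traffic from the two previous sections looks like on the server, here is an added example that is not part of the original post: a POSIX shell function that reads a web server access log (Apache/Nginx 'combined' format) and reports every client address that has made more than a given number of failed login POSTs to wp-login.php or xmlrpc.php. It keys on the HTTP status because a failed wp-login.php POST re-renders the form with a 200, while a successful one answers with a 302 redirect, so an address that racked up failures and then got a 302 is flagged as a likely compromised account. The log lines are constructed for the example, using documentation IP ranges.

```shell
#!/bin/sh
# Added example (not from the post): find password-guessing clients in an
# access log. Reads "combined" format lines on stdin.
set -eu

# Constructed sample log: 203.0.113.7 hammers wp-login.php and finally gets
# in (302), 198.51.100.9 guesses via xmlrpc.php, 192.0.2.4 is a normal editor.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.4 - - [10/Oct/2023:13:57:00 +0000] "GET /about/ HTTP/1.1" 200 8122 "-" "Mozilla/5.0"
192.0.2.4 - - [10/Oct/2023:13:57:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# find_bruteforce_ips THRESHOLD < access.log
# Prints "IP FAILURES then-succeeded|no-success" for each IP with more than
# THRESHOLD failed login POSTs, most failures first.
# Field layout of a combined-format line: $1 client IP, $6 the quoted method
# ("POST), $7 the request path, $9 the HTTP status.
find_bruteforce_ips() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ {
            if ($9 == "200") fails[$1]++          # form re-shown / XML-RPC fault = failed attempt
            else if ($9 == "302") success[$1] = 1 # redirect = wp-login.php accepted the password
        }
        END {
            for (ip in fails)
                if (fails[ip] > limit)
                    print ip, fails[ip], (ip in success ? "then-succeeded" : "no-success")
        }
    ' | sort -k2,2nr
}

# Run over the constructed sample when invoked as "./find-bruteforce.sh run".
if [ "${1:-}" = "run" ]; then
    printf '%s\n' "$SAMPLE_LOG" | find_bruteforce_ips 3
fi
```

Against the sample with a threshold of 3 this prints `203.0.113.7 5 then-succeeded` and `198.51.100.9 4 no-success`; the first line is the one to act on (reset that account's password and check for new admin users or changed files). On a real server run it as `find_bruteforce_ips 20 < /var/log/apache2/access.log`. If the site sits behind Cloudflare, `$1` will be Cloudflare's address unless the web server is configured to log the visitor IP from the CF-Connecting-IP header (mod_remoteip on Apache, the real_ip module on Nginx), so sort that out first or every attacker looks the same.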
All of the above can be achieved fairly simply. There are a few more things that can be locked down by editing WordPress configuration files such as wp-config.php and .htaccess (never the core files themselves, which are overwritten on every update); we'll deal with them in a later post, but by addressing everything I've covered so far you will have taken big steps to secure your site.
If you need help with anything mentioned, or would like to talk to us about Managed Hosting which would pass all these things over to us, please complete the form on the Contact Us page.