Is your WordPress website safe from hacks and attacks? “Brute Force” attacks on WordPress websites have made recent headlines. Make sure your website is secure.
The most recent release of WordPress has been downloaded over 17 million times. It’s one of the most widely used, if not THE most widely used, content management systems for websites. Add to that the fact that many of the sites are fairly dormant, running on outdated versions of the application and managed by not-so-tech-savvy users. So it’s not surprising that the application is frequently targeted by hackers and other malicious souls.
Why people hack and attack other people’s websites
Because they can 🙂 You hear about really high-profile sites being attacked to gain access to customers’ details, but what would these evil-doers want from messing with your website? Some hackers just want to see what they can do, or thrive on the notoriety. Sometimes they do it for a real ‘benefit’: adding code into your site that has links to other sites (“link injecting”), or adding phishing software to harvest login or credit card details. They may want to use your site to run some of their activities from.
How these attacks affect you and your website
An attack may bring your site down, which may cost you business as well as whatever it costs to get back online again. In most cases these attacks are just a huge annoyance. The effects may not be visible on your site, but you still need to figure out how to clean up the mess. There may be a financial cost to you to hire someone to clean up any problems. If your site was used to host a link farm or other malicious content, it may affect your search engine rankings, or you may get de-listed completely. If Google detects malware, it may flag your site in the search listings, warning people, and you will probably lose visitors that way.
How to Protect Your WordPress Website from being Hacked or Attacked
If you are uncomfortable doing most of the tasks listed below, I recommend that you hire an experienced web developer to manage your site to ensure that your WordPress installation, themes and plugins are up to date and secure. Most of these recommendations are doable for a website owner with a minimum of technical ability, a little bit of training and a routine in place.
Use a reliable web hosting company. Sometimes the most popular and well-known web hosting companies (Go Daddy, HostGator, etc.) are the ones most likely to be attacked themselves, so many developers avoid using them. Very small companies may not have the knowledge or facilities to protect their servers from attack. Ask other website owners who they use and whether they have had any problems with their hosting. Check the support forums on the hosting companies’ websites to see if there have been any issues in the past. Ask your friends on Twitter, Facebook and LinkedIn if they can tell you who they recommend or who they would avoid.
Keep your software up to date. Make sure that you update WordPress, your themes and your plugins when updates become available. Very often these updates are released because a vulnerability has been found and the update is the fix for it. In most cases, these updates only take the click of a button. Occasionally you may have a problem after an update, so make sure you have backups of your database and any other files that you cannot easily download again (themes, plugins, images, etc.). A good backup plugin can help by automating this. I’ve used a number of backup plugins and have not been 100% happy with any of them. Click here to read a review of popular backup plugins for WordPress.
Only use reliable themes and plugins. There are a lot of free themes and plugins out there that are perfectly safe and are updated when required to stay that way, but there are a number that have been created by inexperienced developers and haven’t been maintained to keep up with new versions of WordPress or for maximum security. Only use themes and plugins from the official WordPress Repository.
Delete any themes and plugins that you are not using. If you keep your admin area tidy, it will make it easier for you to keep what you are using updated, and it also reduces what you need to check when you do have a problem. As noted above, outdated or insecure themes and plugins can be a gateway for attacks.
Ensure your admin account is secure. In the past the WordPress installation created a user with username ‘admin’ by default, making it unbelievably easy for attacks on that account. Now you can enter any username you like when installing the application, so DON’T make it ‘admin’ or anything like that.
Use strong passwords. Many of these attacks are by bots that keep trying to login using combinations of usernames and passwords (“brute force attacks”). They run extremely quickly through combinations, so the more complex your password is, the less likely it will be worked out. A combination of lowercase and uppercase letters, numbers and special characters is highly advised. Do not include actual words.
Delete or downgrade any inactive users. If your ex-webmaster or staff member still has an account, remove the account or at least reduce the Role to ‘subscriber’. You may not be concerned about that person logging in and doing something, but any extra account like that could also be an opening for a hacker. When assigning roles to users, only assign the highest level role the person actually requires to limit the number of admin users, as a hacked admin account will cause the most damage to your site. Click here to read more about WordPress Roles & Capabilities.
A couple more techie tips:
Password protect the WordPress login page. Everyone knows that the admin area for WordPress is “/wp-admin/” and that “/wp-login.php” is the login page, which makes both obvious targets for attacks. If you ‘password protect’ both (either via your hosting control panel or through your .htaccess) you add a second layer of security in front of the WordPress password itself. Click here for a tutorial on adding password protection to your WordPress login. Some people also password protect other directories that hold scripts and other items that are often attacked.
Ensure that the ‘permissions’ for your directories and files are no looser than they need to be. Some of the files/directories of your WordPress application need to be ‘writeable’ by the web server and most do not, so make sure that you have the permissions as tight as possible. Click here to read more about WordPress and permissions. Some suggest moving your wp-config.php file out of the web root, as it contains important information about your installation and database.
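As an added example covering the two techie tips above (this script is not from the post or the linked tutorials), a POSIX shell script that tightens directory and file permissions under the WordPress root and appends an HTTP Basic auth block for wp-login.php to .htaccess. It assumes an Apache host with AllowOverride enabled and the htpasswd tool installed; WP_ROOT, AUTH_FILE and the realm name are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Placeholders: WP_ROOT is the
# WordPress install directory, AUTH_FILE the htpasswd file (keep it OUTSIDE
# the web root so it is never served).
WP_ROOT="${WP_ROOT:-/var/www/html}"
AUTH_FILE="${AUTH_FILE:-/etc/apache2/wp-login.htpasswd}"

# Policy: directories 755, files 644, wp-config.php 600. The 600 assumes the
# file owner is the user PHP runs as; on hosts where PHP runs as a separate
# group member, use 640 instead so the site keeps working.
harden_permissions() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# Audit helper: number of entries looser than the policy above (0 = compliant).
count_loose_entries() {
  root="$1"
  d=$(find "$root" -type d ! -perm 755 | wc -l)
  f=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l)
  c=$(find "$root" -type f -name wp-config.php ! -perm 600 | wc -l)
  echo $((d + f + c))
}

# Second login layer: Apache Basic auth in front of wp-login.php. Appends to
# .htaccess (so the WordPress rewrite rules stay intact) and is idempotent.
# Create the credential file once with: htpasswd -c "$AUTH_FILE" someuser
write_login_auth() {
  root="$1"; auth="$2"
  grep -q '<Files wp-login.php>' "$root/.htaccess" 2>/dev/null && return 0
  cat >> "$root/.htaccess" <<EOF
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted login"
    AuthUserFile $auth
    Require valid-user
</Files>
EOF
  chmod 644 "$root/.htaccess"
}

# Only touch the live site when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
  harden_permissions "$WP_ROOT"
  write_login_auth "$WP_ROOT" "$AUTH_FILE"
  echo "loose entries remaining: $(count_loose_entries "$WP_ROOT")"
fi
```

Run it with `--apply` after creating the htpasswd file; until then it only defines the functions, so you can source it and call `count_loose_entries` to audit without changing anything.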
Secure your database. Make sure that the username, password and settings for your database are secure, and that the database user has no more privileges than WordPress needs.
Secure your FTP application. If you use an FTP application to upload files to your site (you’d probably only do this if you were a web developer uploading installation files, etc.), add password protection to opening the application. Some attacks target the devices themselves, going after applications that store login details for various services. If attackers harvest your FTP logins, they can then access your site files.
For that matter, ensure that all of your devices (laptops, desktops, servers, mobiles, etc.), your network, WiFi, etc. are all properly secured.
Monitor your site via Google Webmaster Tools. This service now reports if it detects any malware on your site. It doesn’t stop it, but the sooner you find out you’ve been hacked the better. You will also get email notifications, if you haven’t switched them off, if your WordPress installation is very outdated. (Though you should know this from the alerts on your WordPress dashboard anyway!)
Click here for more advice from WordPress on securing your installation.
WordPress Plugins to Protect Your Site from Hacks and Attacks
I have not used any of these plugins, so cannot vouch for how well they work or how easy they are to install. These are those I have looked at and plan to try out.
- Limit Login Attempts helps protect you from ‘brute force attacks’, where an application just tries over and over to log into your site.
- Bulletproof Security
- Wordfence Security
- MVIS Security Center looks like a great monitoring tool that sends alerts.
- Better WP Security
- Login Security Solution logs IP address, automatically logs out suspicious logins, sends alerts.
Also see these helpful compilations of WordPress Security Plugins:
- Hongkiat’s Hardening WordPress Security: 25 Essential Plugins + Tips
- Problogger’s 10-essential-wordpress-security-plugins-for-2013
Click here for advice from WordPress on what to do if you’ve been hacked.
Have you used any of these methods to secure your WordPress website?
Do you have any other suggestions or recommendations for WordPress security?