Security of your website is always important. Would you leave your car unlocked at night when you go to sleep? If you keep it in a garage, you still need to lock the garage to prevent the car from being stolen.
If you are not concerned about your WordPress site getting hacked, just ask Britain’s National Health Service.
When WannaCry paralyzed their computer systems, it was revealed that the attack succeeded because several people had ignored the warnings to update their software. The ransomware was thus able to exploit a Windows vulnerability called EternalBlue, found in legacy versions of the OS (namely Windows XP and Windows Vista).
You might say that your WordPress website is not very large and hence it cannot be the target of hackers. However, having a high level of security for your website gives you a shield of confidence that you are safe from the big bad world of the internet.
Why do WordPress sites get hacked?
There are three primary reasons why hackers target WordPress websites:
- They have an axe to grind against you i.e. you have been interacting with them online and they don’t like you. An irate customer or a disgruntled employee, or simply a friend turned foe – you can never predict human behavior. They may hold a grudge against you and see hacking your website as the only way to take revenge.
- They want to target your visitors. An eCommerce shop can be targeted to steal its customers' credit card details. Hackers can infect your website to make your visitors download malicious software. They can also insert 301 redirects to send your traffic to their own affiliate site. Another target is your server's resources: they turn your website into a vehicle for carrying out Denial of Service (DoS) attacks or simply for sending out spam emails.
- They do it just because they can. They don’t have a motive, rather they use automated software to carry out such attacks. If your website has vulnerabilities and their automated hacking tool finds you, they hack your website.
Common WordPress Vulnerabilities
Most of the attacks exploit a known vulnerability in the software. Therefore, it is important to understand some common WordPress vulnerabilities.
- WordPress doesn’t put any limit on the number of wrong password attempts. So, a simple automated brute force attack can crack your password and gain control of your whole WordPress website.
- WordPress doesn’t automatically install new updates to its core software (WordPress itself), themes, and plugins. Not updating these on time could deprive your website of important security patches released through the upgrades.
- WordPress does not have a very strong approval policy for its theme and plugin store. Unlike the Apple App Store, WordPress has no strict guidelines on what kind of themes and plugins can be distributed through its platform. This opens the door to developers who write unstable, insecure and poorly maintained code. Once such plugins or themes find their way onto your website, it does not take long for hackers to exploit them to inject malicious code into your website, and through your site into your visitors' computers.
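WordPress core has no built-in limit on failed logins, so the check has to be added by you or a plugin. The following is an added example written for this article, not code from WordPress or from any plugin mentioned here; it is a must-use plugin (dropped into wp-content/mu-plugins/) that counts failed logins per username and client IP in a transient and refuses further attempts once an assumed limit of 5 failures in 15 minutes is reached. The EXAMPLE_ prefixed names and the policy values are assumptions; the hooks (wp_login_failed, wp_login, authenticate), transient functions and MINUTE_IN_SECONDS are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 *
 * Added example, not part of the original article or of WordPress itself.
 * Counts failed logins per username + client IP in a transient and blocks
 * authentication for that pair once the limit is reached.
 */

// Assumed policy: 5 failures within 15 minutes lock the username/IP pair out.
define( 'EXAMPLE_LOGIN_MAX_ATTEMPTS', 5 );
define( 'EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );

/** Transient key for this username/IP pair. */
function example_login_key( $username ) {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	// Hash so the key stays short and contains no user-supplied characters.
	return 'example_login_' . md5( strtolower( $username ) . '|' . $ip );
}

/** Record a failed login; WordPress fires this on every wrong password or unknown user. */
function example_record_failed_login( $username ) {
	$key      = example_login_key( $username );
	$attempts = (int) get_transient( $key );
	// Every failure restarts the window; the lockout lasts until the transient expires.
	set_transient( $key, $attempts + 1, EXAMPLE_LOGIN_WINDOW );
}
add_action( 'wp_login_failed', 'example_record_failed_login' );

/** Clear the counter after a successful login. */
function example_clear_failed_logins( $user_login ) {
	delete_transient( example_login_key( $user_login ) );
}
add_action( 'wp_login', 'example_clear_failed_logins' );

/**
 * Refuse authentication while locked out. Priority 30 runs after core's own
 * username/password checks (priority 20), so a locked-out pair cannot log in
 * even with the correct password until the window expires.
 */
function example_block_locked_out_login( $user, $username, $password ) {
	if ( empty( $username ) ) {
		return $user;
	}
	$attempts = (int) get_transient( example_login_key( $username ) );
	if ( $attempts >= EXAMPLE_LOGIN_MAX_ATTEMPTS ) {
		return new WP_Error(
			'too_many_attempts',
			__( 'Too many failed login attempts. Please try again later.' )
		);
	}
	return $user;
}
add_filter( 'authenticate', 'example_block_locked_out_login', 30, 3 );
```

Two things to check before relying on this: if the site sits behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so every visitor shares one counter and the key needs the real client address from the proxy's header instead; and because keying on username alone would let an attacker lock out the real admin on purpose, the counter is keyed on the username and IP together, which blocks a single source without denying the legitimate user from elsewhere.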
Even if your website has no apparent vulnerability on the WordPress installation, hackers could target your site via an “infected neighbor” i.e. a website residing on your shared hosting server.
Types of WordPress Attacks & Their Solutions
Sure enough, getting your WordPress website hacked unleashes all sorts of crazy in people. But a hacked website also gives you a reason to detect and fix your WordPress website vulnerabilities so that it doesn’t happen a second time. You can choose to wallow in pity or you can take steps to improve your website’s security level.
With that in mind, we will now see what WordPress vulnerabilities are primarily targeted by hackers and how to fix them.
1. Vulnerabilities in WordPress Core, Themes, and Plugins
It is very easy for attackers to check the version of your WordPress installation, themes, and plugins and get a list of their known vulnerabilities. These 3 elements are the most vulnerable software components of your website.
A rule of thumb for keeping these protected is to never ignore the update warnings. It doesn't take more than 30 seconds to install most updates. If you have multiple admins on your site, it's easy to schedule a check for updates every other day.
Below are some solutions to the automatic update problem:
For auto-updates to WordPress core, add this line directly to your wp-config.php file:
This line enables the WP_AUTO_UPDATE_CORE constant, which controls whether automatic core updates are turned on or off.
You can also use the tips given in the WordPress Codex to configure automatic updates for all themes and plugins.
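As an added example (not code from the article or from WordPress's documentation), here is what the two pieces look like together: the wp-config.php constant referred to above, and the Codex-style filters for themes and plugins. The constant goes in wp-config.php; the filters go in a must-use plugin under wp-content/mu-plugins/, because add_filter() is not yet loaded when wp-config.php is read. The allow-list policy and the plugin slugs are assumptions; WP_AUTO_UPDATE_CORE, auto_update_plugin and auto_update_theme are real WordPress names.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 *
 * Added example, not part of the original article. The wp-config.php line is
 * shown as a comment because it belongs in that file, not here.
 */

// In wp-config.php:
//   true    = install all core updates (major and minor) automatically
//   'minor' = security and minor releases only (WordPress's default behaviour)
//   false   = never update core automatically
// define( 'WP_AUTO_UPDATE_CORE', true );

/**
 * Assumed policy: only an allow-list of plugins updates automatically, so a
 * plugin whose updates you review by hand is left alone. The slugs are
 * placeholders; use the directory names of the plugins you actually run.
 */
function example_auto_update_plugins( $update, $item ) {
	$allowed = array( 'example-plugin-one', 'example-plugin-two' );
	if ( isset( $item->slug ) && in_array( $item->slug, $allowed, true ) ) {
		return true;
	}
	return $update; // keep WordPress's default decision for everything else
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugins', 10, 2 );

// Themes: opt every installed theme in. To do the same for all plugins,
// replace the function above with:  add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

Automatic updates run from WP-Cron, so a site that only gets traffic rarely, or one whose cron is disabled, will still lag; after enabling them, confirm on the Dashboard > Updates screen that the versions actually advanced.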
2. Weak Passwords
Again, simple brute force attacks can quickly reveal passwords on all your users’ accounts, including all admin accounts.
The solution to this is to set a maximum password age for all your users so that they update their passwords once every month or once every quarter. The Expire Passwords Plugin makes it very easy to do that.
Of course, when users choose to update their passwords, it’s up to them to select secure passwords.
The Force Strong Passwords Plugin integrates seamlessly with the login functionality of your site, and whenever any user (except one with the "Contributor" or "Subscriber" role) enters a weak password, the plugin won't allow it to be saved.
The User Meta Pro Plugin will allow you to use customized regular expressions to force strong password security on the update password page.
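To show what these plugins do under the hood, here is an added example (not the code of either plugin, and not from the original article) that rejects weak passwords on the profile, add-user and password-reset screens. The policy (at least 12 characters with lower case, upper case, a digit and a symbol) and the exemption of Subscribers and Contributors are assumptions modelled on the description above; the hooks user_profile_update_errors and validate_password_reset, and the pass1 form field they inspect, are WordPress's own.

```php
<?php
/**
 * Plugin Name: Strong password policy (added example)
 *
 * Added example, not part of the original article. Install as a must-use
 * plugin (wp-content/mu-plugins/). It only inspects the submitted password
 * and never stores it; WordPress hashes and saves it as usual.
 */

/** Assumed policy: 12+ characters, mixed case, a digit and a symbol. */
function example_password_is_strong( $password ) {
	return strlen( $password ) >= 12
		&& preg_match( '/[a-z]/', $password )
		&& preg_match( '/[A-Z]/', $password )
		&& preg_match( '/[0-9]/', $password )
		&& preg_match( '/[^a-zA-Z0-9]/', $password );
}

/** Subscribers and Contributors are exempt; everyone else (and new users) is checked. */
function example_password_policy_applies( $user ) {
	$exempt = array( 'subscriber', 'contributor' );
	if ( $user instanceof WP_User && ! empty( $user->roles ) ) {
		return count( array_intersect( $user->roles, $exempt ) ) === 0;
	}
	return true;
}

/** Shared check: add an error to $errors when the new password is weak. */
function example_check_submitted_password( $errors, $user ) {
	if ( empty( $_POST['pass1'] ) ) {
		return; // the form did not change the password
	}
	if ( $user && ! example_password_policy_applies( $user ) ) {
		return;
	}
	if ( ! example_password_is_strong( (string) $_POST['pass1'] ) ) {
		$errors->add(
			'weak_password',
			__( 'Please choose a stronger password: at least 12 characters with upper and lower case letters, a number and a symbol.' )
		);
	}
}

/** Profile and add-new-user screens: $user here is a stdClass with an ID for existing users. */
function example_enforce_profile_password( $errors, $update, $user ) {
	$wp_user = ( $update && ! empty( $user->ID ) ) ? get_userdata( $user->ID ) : null;
	example_check_submitted_password( $errors, $wp_user );
}
add_action( 'user_profile_update_errors', 'example_enforce_profile_password', 10, 3 );

/** Password reset screen: $user is already a WP_User. */
function example_enforce_reset_password( $errors, $user ) {
	example_check_submitted_password( $errors, $user );
}
add_action( 'validate_password_reset', 'example_enforce_reset_password', 10, 2 );
```

Composition rules like these are a floor, not a guarantee: a 12-character password built from a dictionary word plus "1!" passes the regexes, which is why the article also recommends expiry and two-factor authentication rather than rules alone.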
Many plugins are available for 2-factor authentication. With this method, all users must enter a fresh code after their password; the code can be delivered to them via email or on their phone. This massively increases the security level of your website.
Users will obviously trust a website with “https” to perform online monetary transactions. So consider adding SSL to your website.
3. Malicious plugin and theme versions
Many times you may be tempted to install a publicly available version of a paid plugin (a.k.a “cracked” version, usually found in torrents). Stop doing that – the person giving you the cracked version may have tampered with it by adding some malicious code.
Some other ways to check trustworthiness of your plugin are:
- The star rating should be at least 4.0.
- The number of reviewers should be more than 50.
- The total number of installs should not be less than 1000.
- Reviews should project a primarily positive sentiment.
4. Cheap or Shared Hosting
While creating a website for the first time, most new bloggers will choose shared hosting because it’s a cheap, viable option. It also comes with a risk of “the bad neighbor” effect. If a hacker attacks a website sharing your server resources, it could take down your website with it.
Additionally, web hosting providers are also responsible for adding security features. Keep in mind that they may charge extra to enable such features.
When you see super cheap web hosting deals, chances are they're not adding any such security and your website will remain exposed to attacks. The general rule while purchasing a web hosting service is "If it's too good to be true, it probably is!" There are various sources where you can look at the top web hosts in 2018, compare them, and then settle on the one that satisfies your needs.
As we just saw, securing your website is as simple as making sure your users update their passwords regularly and that they use strong passwords. You can also consider enabling automatic updates for all themes, plugins, and WordPress itself. If you have a slightly higher budget, consider moving your site from a shared hosting service to a virtual private server (VPS).