How to protect your WordPress site from hacking

Some simple tips to protect your site

Anyone who knows the Preface Studios team knows we love WordPress. And we’re not alone. Around 63.6% of websites across the world are built using WordPress, with 50,000 new WordPress sites launched daily. It’s used by companies of all sizes – from SMEs in Surrey, to massive global enterprises – because it’s easy to use, open source, flexible and mobile friendly. Yet we often talk to people who say they’re hesitant about WordPress because it’s ‘not secure’ or is ‘vulnerable to hacking’. These stories tend to make the news because WordPress is the most widely used CMS, and therefore attracts the attention of hackers wanting to steal data, take down sites or insert malicious code. However, the fact is, all Content Management Systems can get hacked and all websites are vulnerable – whether you’re Garmin or Carnival Cruises. There is no 100% fail-safe solution to protect your site, but here we look at what hacking is and how you can protect your website against it.


What is hacking?

Hacking refers to malicious attacks carried out over the internet and other networks. Hackers are experts at gaining access to password-protected systems, extracting valuable data, or compromising a website.

Companies of any size are susceptible, and the attacks are often automated rather than specifically targeted. Any type of website is at risk, and if you’re running a popular CMS, such as WordPress, Joomla or Umbraco, your site can be identified as a candidate for a targeted attack. There are more than 100,000 known viruses, and CMS sites continue to be injected with malware. Google blacklists over 10,000 websites every day for malware and around 50,000 for phishing every week.

Hackers get clever with these sites and figure out back-door ways to attack them through recent updates. Every time WordPress releases an update, it closes the door to hackers. But if you don’t update WordPress regularly, hackers can make changes to your HTML and gain access to your website database, which can then compromise your site.

WordPress is a fantastic, free, open source CMS. But, as with any CMS, you still need to take care of it and keep it secure.

Why does it happen and how will you know if it’s happened?

A site may get hacked for a number of reasons, including to make money, to access your system resources, for ‘hacktivism’ or out of plain old boredom!

Hackers may add deep links, make your pages go white, put adverts on the site, slow down a server, mess up your SEO, insert links and images, or add redirects that take visitors elsewhere. If you notice any of these things, then it’s likely your site has been hacked.

What’s the risk to your business?

Most people don’t know what it takes to host a website or the basic security that it needs. Ultimately, hacking will end up costing you money. Any downtime at all on your website can mean you lose business, particularly if your site is an e-commerce site. It can also erode brand equity, especially on social media. Keeping your website protected and up-to-date will take care, time and investment, but in the long run, it could save your company.

Our team works closely with clients to educate them about the essential steps needed to protect a website. It’s rare that any of our clients walk out of the house without shutting their door, or give their mobile to a stranger, or leave a pile of cash at a bar. They already have great solutions for protecting their home, phone and money. So it’s an important part of our service to work with clients and develop great solutions to protect their websites!

Top tips for preventing a WordPress hack

Speaking to The Times, Ilya Sachkov, the chief executive officer of the cybercrime investigator Group-IB, said: ‘Companies should arm themselves with solutions that would shield them against relevant attacks, making the conduct of any malicious activities against them extremely resource-intensive, expensive and economically disadvantageous.’

Good website management won’t eliminate the risks and your site will never be 100% secure, but with careful maintenance and by following best practice, you can reduce the possibility of your website being hacked while keeping it usable.

  1. Update, update, update! – Keep your CMS, themes and plugins (especially the free ones) current. If you don’t, the probability of hacks increases. This blog gives a great overview about why you should have the latest version of WordPress. There are benefits of using a WordPress expert to do this, rather than trying to do it yourself. This is mainly because they will continually be making sure your site is updated, enhancing security, improving site performance, eliminating bugs, ensuring compatibility with plugins, boosting stability and also enabling you to benefit from new features.
  2. Invest in a website maintenance support plan – To make sure our clients keep their WordPress website in tip-top shape, we recommend that anyone with a CMS website invests in a support and maintenance plan. To protect from hacking and other malicious activity, we run security checks through our software. Depending on requirements, we’re able to switch this to monthly, weekly or daily monitoring. If a problem occurs, we fix it. We get alerts if a plugin is out of date and run back-ups locally on our test server to see if anything breaks.
  3. Keep strong passwords – Never use a default username like ‘admin’ to log in, and have strong passwords for your website and blog. Some security plugins even force people to have strong passwords. You can also limit password retries to between three and five attempts. Don’t give anyone access to your WordPress admin account unless you have to. If a hacker gets into your database due to a weak password, they can cause havoc. In this case, you’ll definitely need an expert to fix your website!
  4. Use security plugins or scanners – There are several that you can use to ‘harden wordpress and protect your content’. Some plugins obscure the WordPress version number from the source code. You can also use scanners to identify vulnerabilities. Our Digital experts will be able to suggest the right one for you. It’s important to remember that ‘out of the box’ WordPress is not secure.
  5. Frequent back-ups – It’s probably enough to say we understand the risks of hacking and we back up our clients’ websites to a remote server on a daily basis!
  6. Choose a reliable host – It’s important to host your website with a company that has strong firewalls to prevent malicious attacks from known hackers. Without a good firewall, hackers can scan your website, as well as any confidential information it holds, such as passwords, emails or sensitive documents.
  7. Database injections – If a hacker gets into your database they can create all types of chaos. If user input is not validated, attackers can replace that user input and send commands directly to the database. To protect yourself, you can change your database prefix to improve security or use a security plugin to protect your WordPress files.
  8. Recognise that security is a continuous process – Your website needs to be constantly monitored and its security checked continuously. Hackers will always be looking for multiple ways to infiltrate your website – from all angles – so you have to keep on your toes!
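
Tip 7 in code, as an added example that is not part of the original article or any plugin it mentions: the same lookup written without input validation and then with validation plus a prepared query. It assumes the file is loaded by WordPress (so the global `$wpdb` exists); the function names and the `order_ref` parameter are hypothetical.

```php
<?php
/**
 * Added example: a constructed plugin snippet, not code from the article.
 * Assumes WordPress has loaded this file, so the global $wpdb is available.
 * The function names and the "order_ref" parameter are hypothetical.
 */

// Unsafe: visitor input is pasted straight into the SQL string, so whatever
// the visitor types becomes part of the command sent to the database.
function example_find_orders_unsafe() {
    global $wpdb;
    $ref = $_GET['order_ref'];
    return $wpdb->get_results(
        "SELECT post_id FROM {$wpdb->postmeta}
         WHERE meta_key = 'order_ref' AND meta_value = '$ref'"
    );
}

// Safer: validate the input first, then let $wpdb->prepare() bind it as data.
function example_find_orders_safe() {
    global $wpdb;

    $ref = isset( $_GET['order_ref'] )
        ? sanitize_text_field( wp_unslash( $_GET['order_ref'] ) )
        : '';

    // Validation: accept only the expected format (letters, digits, dashes).
    if ( ! preg_match( '/^[A-Za-z0-9-]{1,32}$/', $ref ) ) {
        return array();
    }

    // %s is a placeholder; prepare() escapes and quotes each value, so the
    // database never reads it as part of the SQL command itself.
    $sql = $wpdb->prepare(
        "SELECT post_id FROM {$wpdb->postmeta}
         WHERE meta_key = %s AND meta_value = %s",
        'order_ref',
        $ref
    );

    return $wpdb->get_results( $sql );
}
```

When reviewing a theme or plugin, any query built like the first function is worth flagging to its developer, whatever database prefix the site uses.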

When was the last time you updated your WordPress CMS? How much do you know about your website back-ups and how quickly could you access them if you were hacked?

If you’re shrugging your shoulders, and would like to know more about our Website Support and Maintenance Plan, please fill in the form below and we will send you details:

Get WordPress website maintenance today
