Lock It Up and Nail It Down – Don’t Put Off WordPress Security Any Longer!

WordPress Logo on Padlock: Don't Put Off WordPress Security Any Longer

Updated 10/4/2019

This blog post will look at the following aspects of WordPress security and provide additional resources to help you secure your WordPress site.

1. Overview of Brute Force Attacks
2. How Your Site Gets Hacked
3. How to Backup Your Website
4. Securing Your WordPress Website
5. Your WordPress .htaccess File
6. Installing SSL
7. Final Thoughts

1. Overview of Brute Force Attacks

If you use the Wordfence Security plugin, you probably receive email alerts from Wordfence whenever a large distributed brute force attack hits WordPress sites. A brute force attack is an attempt to get into your site by guessing passwords: an attacker, usually a botnet of compromised machines, submits thousands of username and password combinations to your login form (wp-login.php) or to the XML-RPC endpoint (xmlrpc.php) until one works.

On December 16, 2016 Wordfence reported a huge increase in brute force attacks that began on November 24 and nearly doubled day over day. What's more, the number of unique IP addresses involved in these attacks kept climbing.

Consider that these statistics were for sites running the popular Wordfence plugin. How many more sites were affected that aren’t included in these totals?

These brute force attacks occur on a regular basis. If you aren’t vigilant about your WordPress website security, it’s not a question of if but when your site will get hacked.
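To make this concrete, here is an added example (not from the original post and not Wordfence's code) that finds the kind of traffic those alerts describe in your own web server log. It counts POST requests to wp-login.php and xmlrpc.php per client address in Apache combined-format access-log lines and turns the worst offenders into an Apache 2.4 deny block for wp-login.php. The log lines are constructed for the example, the threshold of five attempts is arbitrary, and the addresses come from the documentation ranges.

```shell
#!/bin/sh
# Constructed sample access-log lines (Apache "combined" format); not real traffic.
# 198.51.100.10 hammers wp-login.php, 192.0.2.99 mixes wp-login.php and
# xmlrpc.php (the XML-RPC endpoint is also used for password guessing),
# 203.0.113.7 is a normal visitor with one successful login (302).
SAMPLE_LOG='198.51.100.10 - - [24/Nov/2016:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1522 "-" "Mozilla/5.0"
198.51.100.10 - - [24/Nov/2016:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1522 "-" "Mozilla/5.0"
198.51.100.10 - - [24/Nov/2016:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1522 "-" "Mozilla/5.0"
198.51.100.10 - - [24/Nov/2016:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1522 "-" "Mozilla/5.0"
198.51.100.10 - - [24/Nov/2016:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1522 "-" "Mozilla/5.0"
198.51.100.10 - - [24/Nov/2016:10:01:06 +0000] "POST /wp-login.php?action=login HTTP/1.1" 200 1522 "-" "Mozilla/5.0"
192.0.2.99 - - [24/Nov/2016:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.99 - - [24/Nov/2016:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.99 - - [24/Nov/2016:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.99 - - [24/Nov/2016:10:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.99 - - [24/Nov/2016:10:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1522 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2016:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2016:10:03:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1522 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2016:10:03:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read access-log lines on stdin and print "count ip" for every client that
# POSTed to wp-login.php or xmlrpc.php at least THRESHOLD ($1) times, busiest
# first. Query strings are stripped so /wp-login.php?action=login counts too.
brute_force_ips() {
    awk -v t="$1" '
        $6 == "\"POST" {
            path = $7; sub(/\?.*/, "", path)
            if (path == "/wp-login.php" || path == "/xmlrpc.php") n[$1]++
        }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# Turn "count ip" lines from brute_force_ips into an Apache 2.4 block for
# .htaccess that keeps serving wp-login.php to everyone except those clients.
deny_block() {
    printf '<Files wp-login.php>\n  <RequireAll>\n    Require all granted\n'
    while read -r _count ip; do
        printf '    Require not ip %s\n' "$ip"
    done
    printf '  </RequireAll>\n</Files>\n'
}

# Demo on the constructed log: flag anything with five or more attempts.
printf '%s\n' "$SAMPLE_LOG" | brute_force_ips 5 | deny_block
```

Run it against a real log with `brute_force_ips 20 < /var/log/apache2/access.log` (path and threshold are placeholders). The 302 from 203.0.113.7 is what a successful login looks like, so a single POST followed by a redirect is not an attack; a long run of 200 responses to the same form is. Blocking by address is a stopgap: distributed attacks rotate addresses, which is why a strong, unique password matters more than any deny list.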

Big Brands Getting Hacked

Even if you are vigilant about your website security, the hackers still get in. Did you know that the U.S. Department of Justice, Snapchat, and even the IRS have fallen prey to breaches and hacking?

Data breaches are on the rise with some of the biggest brands falling victim in 2018 including T-Mobile, Quora, Google, and Orbitz. And what about the numerous breaches at Facebook? You can find out more about the 21 scariest data breaches of 2018.

So please don’t think that just because you’re a “little guy” the hackers aren’t interested. It doesn’t matter who you are, what your business does, or how big your firm is.

You are still a target.

Like death and taxes, cyber attacks are inevitable.

The rest of this post will look at how websites get hacked and will provide resources to help you with your own website security. Knowledge is power and a few precautions can help you lock down your WordPress website so you can rest easier.

2. How Your Site Gets Hacked

There are many ways your site can get hacked, but some of the most common include:

  1. Outdated themes and plugins
  2. Outdated WordPress core
  3. Compromised .htaccess files
  4. Forgotten WordPress installations (test copies, old subdirectories) that never get updated but still run on your server
  5. A username of admin and/or a weak password
  6. Malware on your local computer or on another PC that accesses your site (i.e.: subcontractors or virtual assistants)
  7. The administrator's username exposed through the author archives
  8. Directory browsing left enabled, which lists the files in a folder and hands an attacker leftovers such as wp-config.php.bak, database dumps or a stray php.ini that the web server will serve as plain text

You may check your site every day and it may look fine to you. But a common hack redirects only visitors who arrive from a search engine (keyed on the Referer or User-Agent header) to another website, so the owner who types the address in directly sees a normal site and never notices.

During one round of brute force attacks I discovered, along with other website owners, that the attackers had harvested author usernames from sites' author archives. WordPress makes this easy: a request for /?author=1 redirects to /author/username/, and on WordPress 4.7 and later the REST API endpoint /wp-json/wp/v2/users lists every user who has published a post. If the account that writes your posts is also your administrator account, half of the credential is public. For this reason, do not compose blog posts with your administrative account.

Instead, create a separate user with the editor or author role and log in with that account for day-to-day work. More important than hiding the username, though, is the password: a known username only helps an attacker whose guesses can succeed, so make sure the password is strong and not reused anywhere else.

The Implications of a Hacked Website

  1. Wrecked SEO (Did you know that even someone else’s hacked website can wreck your SEO?)
  2. Lost sales
  3. Lost customer trust
  4. Visitors exposed to malware
  5. Your unintentional endorsement of  products or services if the hack redirects your visitor to another site
  6. Hours of time needed to assess damage and repair your site
  7. A backdoor the hacker installs in your theme, plugin or the uploads directory for future access.

And the list goes on. All that being said, you need to be vigilant about WordPress security.

The only way to be truly safe from getting hacked is to delete your site altogether. Seriously. Any content management system (WordPress, Drupal, Joomla) is a target, and despite your best efforts at locking down your site, attackers sometimes still get in.

Statistics generally cite that more than 27% of the top 10 million websites are using WordPress. So you can see why it’s a frequent target for hackers no matter how big or small a company is.

So how does your site get hacked?

Sending Passwords via Email

If you hire a web design firm to help with your WordPress site, they will need access to it. Many clients send their own username and password in an email without a second thought. Sending both halves of a credential in a single email is risky: the message can be read in transit or later from either mailbox, and a compromised mailbox then hands over your site. Better still, rather than sharing your own login, create a separate administrator account for the firm and delete it when the work is done.

Non-technical Ways to Share Your Password

Some non-technical ways that clients have shared sensitive username and password information with me include fax (seriously, we still have one!), text messages, separate emails for username and password, phone calls, and Skype messaging. Separating the username from the password, using two different channels, is the safer approach. For example, you could email a username and send the corresponding password via Skype chat or text message.

Skype messaging and separate emails are not 100% secure, but they are still better solutions than sending all access credentials in one email.

Finally, if you have a Gmail account, Google Drive lets you share a document with one specific person rather than pasting the secret into an email, and you can revoke the share once the work is done.

Technical Ways to Share Your Password

Services such as Privnote let you send a note that self-destructs once the recipient has read it. You are trusting that service with the secret, so send the link and the username through different channels.

Password Managers such as LastPass allow you to share access credentials with other users.

You can learn additional ways to safely share passwords but by way of disclaimer, LastPass is the only one on the list that I have used and can confidently recommend.

3. Backup Your Website

First things first.

Even if your web hosting company runs daily backups, it is critical that you back up your WordPress website yourself and store the backup somewhere other than the web server.

I speak from experience when I say that dealing with a hacked website is one of the most stressful things you can experience. Even if your hosting company stores daily backups on the server, make your own backup and keep a copy locally or on remote storage, not on the server an attacker has already reached.

This matters because many times your hosting company will not have a clean backup to restore: by the time a hack is noticed, every daily backup in the rotation may already contain the injected files. Who knows what scripts and files they may have planted?

Even if you hire a malware removal service or are using a paid subscription, there are times when the hacked site is destroyed beyond repair and malware can’t be cleaned.  Sometimes all files need to be totally deleted off of the server and a fresh installation of WordPress followed by a restore of your website is the only way to get your site back up and running.
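As an added example (not from the original post and not UpdraftPlus code), the following POSIX shell script does the two things the advice above depends on: it packs the site directory into a timestamped archive together with a SHA-256 manifest of every file, and it can later compare the live site against that manifest and list files that were added, changed or removed since the backup was taken, which is exactly how a dropped backdoor in a theme, plugin or the uploads directory shows up. Point the destination at storage that is not on the web server. The paths in the usage comment are placeholders, paths containing whitespace are not handled, and the database dump is left to mysqldump or your backup plugin.

```shell
#!/bin/sh
# Pick a SHA-256 tool: coreutils sha256sum on Linux, shasum on macOS/BSD.
if command -v sha256sum >/dev/null 2>&1; then SHA256="sha256sum"; else SHA256="shasum -a 256"; fi

# Write "hash  ./relative/path" for every regular file under DIR ($1), sorted by path.
manifest_of() {
    ( cd "$1" && find . -type f -print0 | xargs -0 $SHA256 | LC_ALL=C sort -k2 )
}

# Archive SRC ($1) into DEST/wp-<timestamp>.tar.gz alongside a manifest of the
# files it contains, and print the manifest path. DEST ($2) belongs off the
# web server (mounted remote storage, or copied elsewhere right after this).
backup_wp() {
    src="$1"; dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    manifest_of "$src" > "$dest/wp-$stamp.sha256"
    tar -czf "$dest/wp-$stamp.tar.gz" -C "$src" .
    # Assumption: the database is dumped separately, for example
    #   mysqldump --single-transaction "$DB_NAME" | gzip > "$dest/db-$stamp.sql.gz"
    printf '%s\n' "$dest/wp-$stamp.sha256"
}

# Compare LIVE ($2) against a known-good MANIFEST ($1). Prints one line per
# difference: ADDED (new file, e.g. a dropped backdoor), CHANGED (modified),
# MISSING (deleted). Empty output means the files on disk still match the backup.
audit_against_manifest() {
    manifest="$1"; live="$2"
    current=$(mktemp)
    manifest_of "$live" > "$current"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         {
             seen[$2] = 1
             if (!($2 in base))         print "ADDED " $2
             else if (base[$2] != $1)   print "CHANGED " $2
         }
         END { for (p in base) if (!(p in seen)) print "MISSING " p }' \
        "$manifest" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# Usage (paths are placeholders):
#   m=$(backup_wp /var/www/html /mnt/offsite/wp-backups)
#   audit_against_manifest "$m" /var/www/html
```

Take the manifest from a backup you trust (one made right after a clean install or after a cleanup), and keep it with the archive off the server; a manifest the attacker can edit proves nothing. Legitimate updates change files too, so expect CHANGED lines after a plugin update and re-baseline afterwards; an ADDED .php file under wp-content/uploads is the line to worry about.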

Best Backup Solution

I use UpdraftPlus (affiliate) on all of my client sites. It does an excellent job of backing up the largest of sites, and you can also save your backups to external services or drives. Check out our UpdraftPlus review to learn more about backing up your WordPress site with UpdraftPlus.

For a yearly fee, UpdraftPlus Premium is a great solution if you need WordPress multi-site backup compatibility or enhanced features.

Set Up Website Monitoring

Also head over to Uptime Robot or Pingdom and set up a website monitoring account. These services automatically send you an email alert when your website is down, which is often the first indication that your website has been compromised.

Your Site is Down ~ Now What?

If you do receive an alert that your site is down, don't panic. Head over to Sucuri (affiliate) and run a free website scan. It will tell you immediately whether malware was detected in the pages it fetched. Be advised, though, that the scanner only sees what it can fetch from outside, so depending on the nature of the malware it can miss an infection (a false negative).

For example, you may check your website and the home page comes up just fine. But if you check other pages you may receive a 404 error, which means the page can't be found. This can be an indication that your site has been hacked even though the Sucuri scan came back clean.

Or it may simply mean that your permalinks are messed up. In that case, you can log into your site, go to Settings>Permalinks and re-save them.

If the scan comes back clean, contact your web hosting company and have them check the server. More often than not it’s a temporary outage with your hosting company.

If the scan detects malware, you have several choices:

  • Check to see if your hosting company can help you get to a good restore point and/or remove any malware
  • Hire an Upwork (previously oDesk) freelancer to remove the malware. However, I would advise you to spend time in due diligence to find a trustworthy freelancer with a proven track record of malware removal.
  • Contact Sucuri (affiliate), sign up for one of their plans, and request malware removal.

4. Securing Your WordPress Website

Make ongoing education a priority in your business. I searched high and low for top-notch training that would keep me current and provide me with the knowledge I needed to keep my clients’ sites secure and performing well.  As a web designer, I realized it was no longer enough to create beautiful websites. I also needed to invest in training that would keep my skills updated.

I also realized secure WordPress site setup was an essential skill that became a critical component of my web design business.

Securing a WordPress website includes:

  • setting up a site from scratch
  • locking down critical root files
  • preventing brute force attacks
  • prohibiting directory browsing of critical WordPress files
  • and more

So I made sure to invest in training that would provide me WordPress best practices for security and performance.

5. Your WordPress .htaccess File

Your .htaccess file is one of the most sensitive files in your WordPress installation (along with wp-config.php, which holds your database credentials). Its name starts with a dot and it has no extension. It is a plain text file that can be created and edited in Notepad. Apache reads it as a per-directory configuration file: the directives in it apply to that directory and everything below it, and WordPress writes its permalink rewrite rules into the copy in the site root. Note that only Apache (and servers that emulate it, such as LiteSpeed) honour .htaccess; on nginx the file is ignored and the same rules must go into the server configuration.

Your .htaccess file can be used for functions such as:

1. enabling compression and browser caching headers
2. redirects
3. custom error pages
4. blocking an IP
5. blocking a range of IPs

And much more.

For this reason, it is also a favourite target once an attacker has gained write access to your files (through a vulnerable plugin, a stolen FTP or WordPress login, or a compromised neighbouring account on a shared host). A few injected lines in .htaccess are enough to redirect your visitors wherever they want, serve a different page to search engines than to you, or load a PHP file of their choosing before every request.

Locking down your .htaccess file, and checking it regularly for lines you did not put there, is one of the most powerful ways to harden your WordPress security.
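Here is an added example (not the original post's own .htaccess and not code from any plugin) that does two things in POSIX shell. It carries a hardening fragment for the site root .htaccess, in Apache 2.4 syntax, covering the items this post lists (directory listing, direct access to wp-config.php and other sensitive files, /?author= enumeration, PHP execution under the uploads directory), and it audits an .htaccess file for the directives attackers typically inject: redirects to outside hosts, rewrites keyed on the search-engine referrer, and auto_prepend_file settings. Both .htaccess texts are constructed for the example and example.net stands in for the attacker's host; place the hardening fragment outside the "# BEGIN WordPress" ... "# END WordPress" block, which WordPress regenerates. A redirect to https://%{HTTP_HOST}, the usual form of your own HTTPS migration rule, is deliberately not flagged.

```shell
#!/bin/sh
# Hardening fragment for the site root .htaccess (Apache 2.4 syntax). Constructed
# for this example; keep it outside the "# BEGIN WordPress" ... "# END WordPress"
# block, which WordPress rewrites whenever permalinks are saved.
HARDENED_HTACCESS='# No directory listings anywhere under the site root
Options -Indexes

# Never serve the config file, server config, or install leftovers
<FilesMatch "^(wp-config\.php|php\.ini|\.htaccess|readme\.html|license\.txt)$">
  Require all denied
</FilesMatch>

RewriteEngine On
# Refuse /?author=N outside wp-admin so usernames cannot be enumerated by redirect
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} ^author=[0-9]+ [NC]
RewriteRule ^ - [F,L]
# No PHP execution from the uploads directory, a favourite place for dropped backdoors
RewriteRule ^wp-content/uploads/.*\.php$ - [F,L]'

# Constructed example of a tampered file: the normal WordPress block followed
# by an SEO-redirect injection that sends search-engine visitors to example.net
# while the owner, who types the address directly, sees nothing wrong.
COMPROMISED_HTACCESS='# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule ^(.*)$ http://example.net/landing.php [R=302,L]'

# Print "SUSPECT <lineno>:<line>" for each non-comment directive in FILE ($1)
# that matches a known injection pattern. Off-host URLs are flagged;
# https://%{HTTP_HOST} (your own HTTPS redirect) is not. Prints nothing when clean.
audit_htaccess() {
    grep -n -i -E \
        -e '(RewriteRule|Redirect(Match|Permanent|Temp)?|ErrorDocument)[^#]*https?://[^%[:space:]]' \
        -e 'auto_(prepend|append)_file' \
        -e 'HTTP_(REFERER|USER_AGENT).*(google|bing|yahoo|msn)' \
        "$1" | grep -v -E '^[0-9]+:[[:space:]]*#' | sed 's/^/SUSPECT /' || true
}

# Print "MISSING <protection>" for each hardening directive absent from FILE ($1).
check_hardening() {
    f="$1"
    grep -q -E '^[[:space:]]*Options[[:space:]]+.*-Indexes' "$f" || echo "MISSING Options -Indexes"
    grep -q 'wp-config' "$f" || echo "MISSING deny rule for wp-config.php"
    grep -q -i 'author=' "$f" || echo "MISSING author enumeration block"
    grep -q 'uploads/' "$f" || echo "MISSING PHP block for wp-content/uploads"
    return 0
}

# Usage (path is a placeholder):
#   audit_htaccess /var/www/html/.htaccess; check_hardening /var/www/html/.htaccess
```

Two caveats. The ?author= rule stops the redirect trick but not the REST API: /wp-json/wp/v2/users still lists users with published posts unless you restrict it, so the editor-account advice above still applies. And the audit is a pattern check, not a guarantee; an attacker can obfuscate or spread a redirect across several rules, so the stronger control is the file integrity comparison against a known-good backup described in the backup section.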

6. Installing SSL

Installing an SSL/TLS certificate and serving your site over HTTPS encrypts traffic between your visitors and your server, which protects you as well as your users. Google does not mandate it, but since July 2018 (Chrome 68) its browser labels every plain-HTTP page "Not secure", and HTTPS has been a search ranking signal since 2014. (Learn why you must switch to HTTPS.)

Running under HTTPS means that anything your visitors submit through a website form is protected in transit from third parties positioned between them and your server, such as whoever runs the coffee-shop Wi-Fi. That includes the username and password you submit to log into the WordPress dashboard, which over plain HTTP travel in clear text.

HTTPS also readies your site for e-commerce should you want to sell products or services on your website.

SSL is covered in great depth in our 3-part blog series as listed below:

Part 1: Adding SSL to a WordPress Site, What and Why
Part 2: Adding SSL to a WordPress Site, 4 Steps to Configure HTTPS
Part 3: Moving from HTTP to HTTPS: SSL Migration Case Study

Final Thoughts

To summarize, you should make the following efforts to help improve WordPress security:

  1. Keep current backups.
  2. Use a username other than admin and a strong, unique password. Never send both credentials in a single email.
  3. Don't expose your username through the author archives. Set up a separate account with the editor or author role for creating posts.
  4. Consider a paid security subscription service such as Sucuri that monitors your website and does malware clean-up should your site become compromised. It’s a worthwhile investment and a small price to pay for peace of mind.
  5. Install an SSL certificate on your website.

Over to You

I hope this post has been helpful to you. Whatever your WordPress skill level is, there are steps you can take to protect your website and improve your WordPress security.

What other tools are you using for WordPress security? Please share in the comments below. We’re all in this together and it’s helpful for all when we share our experiences!

Image credit: Fotolia

Comments

JoiElitenus:

Love how refreshing this post is above a sea of useless content on google.

Michelle Phillips:

Thank you very much.

Jorge:

Hi Michelle: We are trying to decide if we drop SiteLock. We are currently paying for maintenance, enterprise firewall and scanner. This is costing around $110/month. We believe this is too expensive. Our main goal is to reduce cost. The firewall only is costing us $59/month and the maintenance is costing $49/month. We are thinking of different options like: dropping the maintenance and just leaving the firewall with SiteLock, and if we get hacked then calling SiteLock for cleanup, which could cost around $100/cleanup; eliminating SiteLock completely and using plugins like BulletProof Security Pro and WordFence; eliminating SiteLock completely…

Michelle Phillips:

Hi Jorge, thanks for your comment. I think it's always a good idea to compare your options for WordPress security. As the website owner, only you can answer the question as to whether the benefits of SiteLock's service justify its cost of $110/month. Only you know how SiteLock has protected you and/or saved you from a malware attack. That being said, there are some less expensive alternatives should you decide to eliminate SiteLock completely. Per Sucuri, if you opt for Sucuri Firewall and Malware Cleanup services, they will protect your website and it's not necessary to use additional security plugins.…

Wrathyimp:

Just read the article, very informative. As I am facing a security issue with my WP site, I am looking for a solution. I need to check if having the free Wordfence plugin with a paid Sucuri Firewall, which is $9.99/month, will protect me from malicious virus hacks and get my site secured, or whether I have to have the Sucuri combined plan for $220/year for full support.

Michelle Phillips:

Thanks for letting me know the article was helpful to you. As you know, there is no 100% assurance that you'll never be hacked. Sucuri Firewall is a great way to protect against brute force attacks plus it offers a slight speed boost. However, it does not offer the malware cleanup should your site get hacked. The WordFence plugin does a pretty good job of protecting against brute force attacks and will let you blacklist IPs that keep trying. But please be aware that can become very time-consuming, especially during periods of high attacks. Many website owners use the free…

Zena:

Thank you for this impressively detailed post. I am using Wordfence & BPS Security free plugins with the Sucuri paid subscription. My webserver provides the CloudFlare.
I am currently refining my options and further hardening the installation because of the recent volume of invalid "admin" login attempts.
There is a Wordfence Assistant for dealing with bloated db issues. And I've found some helpful sites describing various configuration options for all.
A few years ago, Sucuri's paid subscription service cleaned up my hacked files, saving my content. Their tech support is superb! I highly recommend this pro version.
Thanks again for your excellent post.
Zena

Michelle Phillips:

Hi Zena, you’re very welcome; I’m so glad you found the post helpful. Thanks for letting me know! Sounds like you are doing all the right things to harden your WordPress site. I agree with you about Sucuri and their tech support being top-notch. Glad Sucuri was able to clean up your hacked files! Trying to do it yourself is time-consuming, takes you away from your business and doesn’t always get rid of the malware. Thank you for your valuable feedback!
