This blog post will look at the following aspects of WordPress security and provide additional resources to help you secure your WordPress site.
1. Overview of Brute Force Attacks
2. How Your Site Gets Hacked
3. How to Backup Your Website
4. Resources for WordPress Security
5. Your WordPress .htaccess File
6. Installing SSL
7. Additional Resources
1. Overview of Brute Force Attacks
If you are a user of the Wordfence Security plugin, you probably receive email alerts from Wordfence whenever there are large distributed brute force attacks on WordPress sites. A brute force attack is a hacker’s attempt to gain access to your website by using “password guessing attacks.”
On December 16, 2016 Wordfence reported a huge increase in brute force attacks that began on November 24 and continued to nearly double on a daily basis. What’s more, they have seen an increase of unique IP’s involved in these attacks and those uniqe IP’s are continuing to increase.
Consider that these statistics were for sites running the popular Wordfence plugin. How many more sites were affected that aren’t included in these totals?
These brute force attacks occur on a regular basis. If you aren’t vigilant about your WordPress website security, it’s not a question of if but when your site will get hacked.
Big Brands Getting Hacked
Even if you are vigilant about your website security, the hackers still get in. Did you know that the U.S. Department of Justice, Snapchat, and even the IRS have fallen prey to breaches and hacking?
Data breaches are on the rise with at least 16 retailers hacked since January 2017.
So please don’t think that just because you’re a “little guy” the hackers aren’t interested. It doesn’t matter who you are, what your business does, or how big your firm is.
You are still a target.
Like death and taxes, cyber attacks are inevitable.
The rest of this post will look at how websites get hacked and will provide resources to help you with your own website security. Knowledge is power and a few precautions can help you lock down your WordPress website so you can rest easier.
2. How Your Site Gets Hacked
There are many ways your site can get hacked, but some of the most common include:
- Outdated themes and plugins
- Outdated WordPress framework
- Compromised .htaccess files
- WordPress installations no longer used
- Username of ADMIN and/or weak password
- Malware on your local computer or on another PC that accesses your site (i.e.: subcontractors or virtual assistants)
- Admin username in the author archives
- Allowable directory browsing which exposes sensitive files such as wp-config.php or php.ini
You may check your site every day and it may look okay to you. But hackers can send all of your search traffic to another website and you won’t even know it!
During a round of brute force attacks, I discovered (along with other website owners) that hackers were able to gain access to the author username through a website’s author archives. For this reason, you should also not use your administrative account when composing blog posts.
As an alternative, set up a user with editor or author permissions. Login with this user role, not your administrative user role. But more important than that, make sure your password is strong!
The Implications of a Hacked Website
- Wrecked SEO (Did you know that even someone else’s hacked website can wreck your SEO?)
- Lost sales
- Lost customer trust
- Visitors exposed to malware
- Your unintentional endorsement of products or services if the hack redirects your visitor to another site
- Hours of time needed to assess damage and repair your site
- A backdoor the hacker installs in your theme, plugin or the uploads directory for future access.
And the list goes on. All that being said, you need to be vigilant about WordPress security.
The only way to be truly safe from getting hacked is to delete your site altogether. Seriously. It’s important to understand that any content management system (WordPress, Drupal, Joomla) is ripe to be hacked. And despite your best efforts at locking down your site, the hackers get in.
Statistics generally cite that more than 27% of the top 10 million websites are using WordPress. So you can see why it’s a frequent target for hackers no matter how big or small a company is.
Sending Passwords via Email
If you hire a web design firm to help with your WordPress site, they will need to obtain your WordPress login credentials. Many times clients send over the information in an email without a second thought. However, it really needs to be said that sending your username and password information via a single email is risky as that email could be intercepted and your site compromised.
Non-technical Ways to Share Your Password
Some non-technical ways that clients have shared sensitive username and password information with me include fax (seriously we still have one!), text messages, separate emails for username and password, phone calls, and Skype messaging. Separating user name from password using separate channels is the safest approach. For example, you could email a username and send the corresponding password via Skype chat or text message.
Skype messaging and separate emails are not 100% secure, but they are still better solutions than sending all access credentials in one email.
Finally, if you have a Gmail account, Google Drive is an excellent way to securely share files and documents.
Technical Ways to Share Your Password
Services such as Privnote let you send a note that self-destructs once the recipient has read it.
Password Managers such as LastPass Premium allow you to share access credentials with other users.
3. Backup Your Website
First things first.
Even if your web hosting company runs daily backups, it is critical that you backup your WordPress website and store your backup offline.
I speak from experience when I say that dealing with a hacked website is one of the most stressful things you can experience. Even if your website hosting company stores daily backups on the server, make sure you backup your own website and keep a copy of the backup locally or remotely, not on your server.
This is important because many times your hosting company will not have a clean backup to restore due to the amount of damage done by the hacker. Who knows what scripts and files they may have injected?
Even if you hire a malware removal service or are using a paid subscription, there are times when the hacked site is destroyed beyond repair and malware can’t be cleaned. Sometimes all files need to be totally deleted off of the server and a fresh installation of WordPress followed by a restore of your website is the only way to get your site back up and running.
Best Backup Solution
I use UpdraftPlus (affilliate) on all of my client sites. it does an excellent job of backing up the largest of sites, and you can also save your backups to external services or drives. Check out our UpdraftPlus review to learn more about backing up your WordPress site with UpdraftPlus.
For a yearly fee, UpdraftPlus Premium is a great solution if you need WordPress multisite backup compatibility or enhanced features.
Set Up Your Pingdom Account
And head over to Pingdom to set up a free website monitoring account. Pingdom will automatically send you email alerts when your website is down. This is often a first indication that your website has been compromised.
Your Site is Down ~ Now What?
If you do receive an alert that your site is down, don’t panic. Head over to Sucuri (affiliate) and run a free website scan. It will tell you immediately whether malware is detected. However, be advised that depending on the nature of the malware, Sucuri sometimes will return a false positive.
For example, you may check your website and the home page comes up just fine. But if you check other pages you may receive a 404 error, which means the page can’t be found. This can be an indication that your site has been hacked and Sucuri may not detect it.
Or it may simply mean that your permalinks are messed up. Log into your site, go to Settings>Permalinks and re-save them.
If the scan comes back clean, contact your web hosting company and have them check the server. More often than not it’s a temporary outage with your hosting company.
If the scan detects malware, you have several choices:
- Check to see if your hosting company can help you get to a good restore point and/or remove any malware
- Hire an Upwork (previously oDesk) freelancer to remove the malware. However, I would advise you to spend time in due diligence to find a trustworthy freelancer with a proven track record of malware removal.
- Contact Sucuri (affiliate), sign up for one of their plans, and request malware removal.
4. Securing Your WordPress Website
Make ongoing education a priority in your business. I searched high and low for top-notch training that would keep me current and provide me with the knowledge I needed to keep my clients’ sites secure and performing well. As a web designer, I realized it was no longer enough to create beautiful websites. I also needed to invest in training that would keep my skills updated.
I also realized secure WordPress site setup was an essential skill that became a critical component of my web design business.
Securing a WordPress website includes:
- setting up a site from scratch
- locking down critical root files
- preventing brute force attacks
- prohibiting directory browsing of critical WordPress files
- and more
So I made sure to invest in training that would provide me WordPress best practices for security and performance.
5. Your WordPress .htaccess File
Your .htaccess file is the single most critical file of your WordPress installation. It has no file extension; rather the name is the file extension. The .htaccess file is a simple text file that can be created and edited in notepad. It is a configuration file used in an Apache environment and provides commands for managing your WordPress installation in specific directories.
Your .htaccess file can be used for functions such as:
1. image compression
3. custom error pages
4. blocking an IP
5. blocking a range of IPs
And much more.
For this reason, it is also a popular entry point for hackers. Once they have compromised your .htaccess file, they can redirect your visitors wherever they want and more.
Locking down your .htaccess file is one of the most powerful ways to harden your WordPress security.
6. Installing SSL
Installing SSL on your website ensures that your sensitive visitor information is encrypted and protects you as well as users. In fact, as of 2018 Google has mandated that all websites need to run under an SSL certificate. (Learn why you must switch to HTTPS.)
Running under HTTPS means that any data submitted by your visitors via a website form will be protected from 3rd parties that may try to intercept the data. This includes when you submit your username and password to log into the WordPress dashboard.
SSL also readies your site for e-commerce should you want to sell products or services on your website.
SSL is covered in great depth in our 3-part blog series as listed below:
To summarize, you should make the following efforts to help improve WordPress security:
- Keep current backups.
- Use strong username and passwords. Never send these credentials through an email.
- Don’t expose your username through the author archives. Consider setting up an editor role when creating posts.
- Consider a paid security subscription service such as Sucuri that monitors your website and does malware clean-up should your site become compromised. It’s a worthwhile investment and a small price to pay for peace of mind.
- Install an SSL certificate on your website.
Over to You
I hope this post has been helpful to you. Whatever your WordPress skill level is, there are steps you can take to protect your website and improve your WordPress security.
What other tools are you using for WordPress security? Please share in the comments below. We’re all in this together and it’s helpful for all when we share our experiences!