Don’t Let Your WordPress Website Get Hacked!

Quick back story of my introduction to website hacks: a client’s old website wasn’t kept updated and got hacked. I created a fresh website on a new host, with new passwords, and it was hacked within 24 hours of going live. Needless to say, I started researching this heavily and tried out several of the top plugins on the various sites I manage.

Is your site at risk?

Did you know: 30,000 websites are hacked daily? (Source: iThemes Security) Yikes!

Many small businesses don’t think their site would be valuable to hackers or don’t understand why hackers hack sites. This is a great article by Wordfence (I install their free plugin on all the sites I create) that explains the most common types of hacks and how hackers benefit.

WordPress is a popular website platform these days, running 24% of all websites (Source: W3Techs), including a number of large brands such as The New Yorker and BBC America (Source: WPBeginner). Because of its popularity, WordPress sites are a more appealing target: one working exploit against a common plugin or an old core version can be pointed at millions of installs by an automated scanner. I still think the benefits (see my article detailing why I use WordPress) far outweigh the risks, especially because you can take precautions that greatly reduce them.

The two biggest risks are weak credentials (a combo like admin/password is literally the first guess an automated attack makes) and not keeping WordPress core, themes and plugins updated.

Note: This article is a compilation of my “lessons learned” and will be a work in progress. I’ll continue to update it as I learn more about the ever-changing world of WordPress website security.

Basic Tips to Avoid Getting Hacked on Your WordPress Site

Username (Get Creative)

Everyone talks about passwords, and that’s next, but your username is a first line of defense too. It can’t be changed from the WordPress admin screens once the account exists (the workaround is to create a new administrator with a better name, then delete the old one and reassign its posts), so it’s important to get it right from the start. NEVER EVER use admin or administrator or similar words. I am seeing repeated attempts all day long from various locations blindly trying these usernames. The next most common guesses are your name, your business name, and your URL/domain name, so avoid all of those too. The best advice is to be creative and make it uncommon and hard to guess (which I now do for all new sites I create). One caveat: WordPress will reveal usernames through author archive URLs (?author=1 redirects to the author’s slug) and the REST API users endpoint unless you block them, so treat an unusual username as a speed bump against blind guessing, not as a secret. The password still has to carry the weight.

Passwords (Make it Long and Complicated and Different Than Your Other Passwords)

Sadly, easy to remember usually means easy to guess. You can use a formula with variables based on the website if you want to be able to remember it, but your best chance of keeping hackers from guessing your password is to make it long, complicated, and different from every other password you use. There are password generators out there if you need help. Bots keep trying passwords in order of how commonly they are used: “password” and variations like “p@$$word” are the first ones they try, followed by most of the dictionary, and “monkey” shows up in a lot of passwords too. Swapping letters for symbols doesn’t help much, because the cracking tools apply exactly those substitution rules themselves. The hackers are smart and know all of this. If you’re curious about the most popular passwords to avoid and the techniques hackers use, check out this wikiHow article. Most website hackers set up automated rules to work through common username/password combos, though some do use more sophisticated techniques.
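To make the point concrete, here is an added example (mine, not part of the original article or any plugin) of the two sides of this: a checker that undoes the common letter-for-symbol substitutions before comparing against a word list, so “p@$$w0rd2015!” collapses back to “password”, and a generator that builds a long random password from the OS random source. The word list and the site hints are constructed for the demo; a real check would use a large leaked-password list.

```python
import re
import secrets
import string
from typing import Iterable

# Constructed sample of the guesses bots try first; a real check uses a large
# leaked-password wordlist, but the mechanics are the same.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "monkey", "letmein", "welcome",
    "admin", "wordpress", "dragon", "iloveyou", "football",
}

# Undo the "leet" substitutions that guessing tools apply as mangling rules,
# so p@$$w0rd is checked as the same guess as password.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t", "|": "l"})

ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@^_"


def normalize(password: str) -> str:
    """Strip the trailing digits/symbols people bolt on (Monkey123!), then
    lower-case and undo leet, to recover the dictionary word underneath."""
    stripped = re.sub(r"[^A-Za-z]+$", "", password)
    return stripped.lower().translate(LEET)


def is_weak(password: str, site_hints: Iterable[str] = ()) -> bool:
    """True if a bot working from common passwords plus words tied to the
    site (your name, business, domain) would land on this one quickly."""
    if len(password) < 12:
        return True
    core = normalize(password)
    if core in COMMON_PASSWORDS:
        return True
    for hint in site_hints:
        # Reduce a hint like "Acme Widgets" or "acmewidgets.com" to letters only.
        word = re.sub(r"[^a-z]", "", normalize(hint))
        if len(word) >= 4 and word in core:
            return True
    return False


def generate_password(length: int = 24) -> str:
    """Random password from the OS CSPRNG; 24 symbols from a 74-character
    alphabet is about 149 bits, far beyond any online guessing budget."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("p@$$word", "Monkey123", "P@$$w0rd2015!!", generate_password()):
        print(f"{candidate!r}: {'weak' if is_weak(candidate) else 'ok'}")
```

The normalization step is the part worth taking away: a guessing tool does not try “p@$$word” as a separate idea, it tries “password” with a substitution rule switched on, so the only defenses that matter are length, randomness, and not reusing the password anywhere else.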

Update Immediately (Get Notified)

Back up first, then update WordPress as soon as updates are released, especially security releases. Out-of-date plugins and themes are just as dangerous as an out-of-date core, since most real-world compromises come in through them. Plugins like Wordfence will email you as soon as they notice anything is out of date. Delete any extra themes and plugins you aren’t using too: a deactivated plugin’s files are still on the server, can still be requested directly, and are the first thing to be forgotten at update time.

Keep Backups (Schedule it)

I use a plugin that automatically takes regular backups, scheduled according to how often the site changes. You can do this manually too, but if you have to restore your site after a hack (no prevention plan is foolproof) you’ll need a clean backup of both your database and your files, and it has to be older than the compromise. Keep copies somewhere other than the web server itself, because an attacker who controls the site can delete or poison backups stored alongside it, and try a restore once so you know the backup actually works. (The iThemes Security plugin offers a basic backup of the database only, but they recommend their paid service, BackupBuddy, for a complete backup including themes, images and media files, and plugins as well as your database. There are a number of other backup options and plugins that can be used.)

Login Protections

You can limit the number of login attempts, which helps but may not stop a brute-force attempt: it locks out the one IP address that keeps failing, while an attempt spread across many addresses never trips a per-IP limit, so it slows the attack rather than stopping it. Many people now favor two-factor authentication, which makes a guessed password useless on its own. I’m not using it personally, but many experts do. Some people even hide the login page (move wp-login.php to a different URL), which cuts down the noise from blind bots but is no substitute for a strong password.
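An added example (my own, not from the article or any plugin) of what a login limiter actually does and where it falls short. It replays a constructed log of login attempts (the format is made up for the demo; it is not a WordPress or web-server log format) through a sliding-window limiter that locks an IP after five failures, and separately flags a username that is being hit from many addresses, which is the distributed case a per-IP limit never sees.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not a real log format): one single-source burst, one
# distributed burst against the same username, and a legitimate typo-then-success.
SAMPLE_LOG = """\
2015-08-02 10:15:03 FAILED user=admin ip=203.0.113.7
2015-08-02 10:15:04 FAILED user=admin ip=203.0.113.7
2015-08-02 10:15:05 FAILED user=admin ip=203.0.113.7
2015-08-02 10:15:06 FAILED user=admin ip=203.0.113.7
2015-08-02 10:15:07 FAILED user=admin ip=203.0.113.7
2015-08-02 10:15:08 FAILED user=admin ip=203.0.113.7
2015-08-02 10:20:00 FAILED user=admin ip=198.51.100.2
2015-08-02 10:20:01 FAILED user=admin ip=198.51.100.3
2015-08-02 10:20:02 FAILED user=admin ip=198.51.100.4
2015-08-02 10:20:03 FAILED user=admin ip=198.51.100.5
2015-08-02 10:20:04 FAILED user=admin ip=198.51.100.6
2015-08-02 10:20:05 FAILED user=admin ip=198.51.100.7
2015-08-02 11:30:00 FAILED user=jane_editor ip=192.0.2.10
2015-08-02 11:30:20 SUCCESS user=jane_editor ip=192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+ \S+) (FAILED|SUCCESS) user=(\S+) ip=(\S+)$")


class LoginGuard:
    """Sliding-window limiter: lock an IP after max_attempts failures inside
    `window`, and separately flag a username failing from many IPs, which a
    per-IP limit alone never catches."""

    def __init__(self, max_attempts=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30), distributed_ips=3):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.distributed_ips = distributed_ips
        self.ip_failures = defaultdict(deque)    # ip -> recent failure times
        self.user_failures = defaultdict(deque)  # user -> (time, ip) pairs
        self.locked_until = {}                   # ip -> datetime the lock expires
        self.distributed_users = set()
        self.blocked = 0                         # attempts rejected while locked

    def _prune(self, dq, now, key=lambda item: item):
        # Drop entries that fell out of the sliding window.
        while dq and now - key(dq[0]) > self.window:
            dq.popleft()

    def observe(self, ts, outcome, user, ip):
        if ip in self.locked_until and ts < self.locked_until[ip]:
            self.blocked += 1  # rejected before the password is even checked
            return "blocked"
        if outcome == "SUCCESS":
            self.ip_failures[ip].clear()
            return "allowed"
        ipq = self.ip_failures[ip]
        ipq.append(ts)
        self._prune(ipq, ts)
        if len(ipq) >= self.max_attempts:
            self.locked_until[ip] = ts + self.lockout
            ipq.clear()
        uq = self.user_failures[user]
        uq.append((ts, ip))
        self._prune(uq, ts, key=lambda item: item[0])
        if (len(uq) >= self.max_attempts
                and len({src for _, src in uq}) >= self.distributed_ips):
            self.distributed_users.add(user)
        return "failed"


def replay(lines, guard=None):
    """Feed log lines through the guard and summarise what it would have done."""
    guard = guard or LoginGuard()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        guard.observe(ts, m.group(2), m.group(3), m.group(4))
    return {
        "locked": {ip: t.isoformat() for ip, t in guard.locked_until.items()},
        "blocked": guard.blocked,
        "distributed_users": set(guard.distributed_users),
    }


if __name__ == "__main__":
    print(replay(SAMPLE_LOG.splitlines()))
```

On the sample, 203.0.113.7 is locked after its fifth failure and its sixth attempt is rejected outright, but the six addresses in the 198.51.100.0/24 burst each fail only once and are never locked; only the per-username view notices that “admin” is under attack. That is why a login limiter belongs alongside a strong password and two-factor authentication rather than in place of them.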

Security Plugins

There are quite a few plugins that offer various protections, some of which help with the items mentioned above as well as adding functionality of their own. A plugin alone cannot prevent a hack, but it can reduce the likelihood, reduce the impact through prompt notification, or help you trace and close the breach afterwards. Popular functionality to consider includes:

  • Keep an audit log of logins, file changes and settings changes
  • Scan for malware, modified core files or other red flags
  • Notify you when updates are needed
  • Identify security risks in the configuration
  • Protect via .htaccess (for example, blocking PHP execution in the uploads folder)
  • Add a firewall that blocks known attack requests and repeat offenders

Choose Themes and Plugins with Good Coding

You get what you pay for, and free themes and plugins aren’t always well built. That affects a number of things, but most importantly they can have security holes. You also want a company or individual who will be responsive and work promptly on updates if security risks are identified, so before installing anything check when it was last updated, whether it is tested with the current WordPress version, and whether the support forum gets answers.

Choose a Quality Hosting Company

Everyone has an opinion on the best hosting companies for WordPress websites. For every host I’ve heard a rave review about, I’ve also heard awful complaints. Most of the more budget-friendly ones aren’t perfect, but some have better security measures on their end than others. On a shared server (aka the budget-friendly option) there’s always a chance that your site is at risk if another site hosted on that server gets hacked and the host hasn’t isolated customer accounts properly, but I don’t think that’s overly common.

Review WordPress Hardening Documentation

It’s not light reading, but straight from the source: http://codex.wordpress.org/Hardening_WordPress


Got Hacked?

Here’s the advice I’ve been given/directed to that seems the most helpful regarding the base64 hack (malicious PHP injected into site files, usually disguised as an eval(base64_decode(...)) blob). Things may be different for other hacks too, FYI.

=> From FB group posts (comments from various group members):

  • “Replace all top-level php files, the wp-admin directory & wp-includes directory with versions from a clean install. If possible look at the time stamps of files that were hacked and make note of that. Now you can focus on what’s in wp-content. There shouldn’t be any php in the uploads folder. If possible re-download your theme and replace it. Look for other files with that time stamp. Better yet restore pre-hack and lock it down.”
  • “Before doing anything else I would recommend you to take a copy of the log files and analyze them.”
  • http://wp-cli.org/commands/core/verify-checksums/ “If you use that command it will check every WordPress native file and make sure it hasn’t been modified.”
  • “Unless you find how it happened there are chances that it will happen again. How do you check? 1. Check if it was an infected plugin or theme 2. Check the logs to see who accessed your site via FTP or some other entry point. Ideally you should have some sort of auditing plugin such as WP Security Audit Log so you can trace back any malicious activity.”
  • “Check permissions and ownership on all files and folders as well as whatever you are doing. Do not overlook .htaccess file either.”
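The group comments above describe a triage routine: check PHP under uploads, look at timestamps, verify core files against known checksums, and look for the injected blob. As an added example that is mine rather than the article’s or WP-CLI’s, here is that routine as a script run over a constructed miniature site (the file contents, checksum manifest and timestamps are all made up for the demo; the real `wp core verify-checksums` compares against the checksum list WordPress publishes for each release).

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a release's clean core files and their MD5 manifest
# (WordPress publishes MD5s per release). Not real WordPress files.
CLEAN_CORE = {
    "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-includes/version.php": "<?php $wp_version = '4.2.2';\n",
    "wp-includes/functions.php": "<?php function wp_demo() { return 1; }\n",
}
MANIFEST = {p: hashlib.md5(c.encode()).hexdigest() for p, c in CLEAN_CORE.items()}

INJECTED = CLEAN_CORE["wp-includes/functions.php"] + "eval(base64_decode('aGVsbG8='));\n"
WEBSHELL = "<?php @eval($_POST['cmd']);\n"

# eval/assert fed by an encoder or directly by request input; a hit is a lead,
# not proof, so read the file before deleting anything.
SUSPICIOUS = re.compile(
    r"\b(eval|assert)\s*\(\s*@?\s*(base64_decode|gzinflate|str_rot13|\$_(?:POST|GET|REQUEST|COOKIE))")


def build_sample_site(root, t_clean, t_hack):
    """Write the constructed site: clean files dated t_clean, tampered or
    dropped files dated t_hack (the 'time stamp' the comment says to note)."""
    files = dict(CLEAN_CORE)
    files["wp-includes/functions.php"] = INJECTED
    files["wp-content/uploads/2015/08/photo.jpg"] = "JFIF-not-really"
    files["wp-content/uploads/2015/08/cache.php"] = WEBSHELL
    files["wp-content/themes/demo/functions.php"] = "<?php add_action('init', 'demo');\n"
    files[".htaccess"] = "RewriteEngine On\n"
    tampered = {"wp-includes/functions.php", "wp-content/uploads/2015/08/cache.php", ".htaccess"}
    for relpath, content in files.items():
        path = root / relpath
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        stamp = t_hack if relpath in tampered else t_clean
        os.utime(path, (stamp, stamp))


def walk_files(root):
    return [p for p in root.rglob("*") if p.is_file()] if root.is_dir() else []


def rel(root, path):
    return path.relative_to(root).as_posix()


def php_in_uploads(root):
    """PHP under wp-content/uploads is a dropped shell until proven otherwise."""
    uploads = root / "wp-content" / "uploads"
    return sorted(rel(root, p) for p in walk_files(uploads)
                  if p.suffix.lower() in (".php", ".phtml", ".php5"))


def modified_since(root, since):
    """Everything touched at or after the first sign of trouble, .htaccess included."""
    return sorted(rel(root, p) for p in walk_files(root) if p.stat().st_mtime >= since)


def verify_checksums(root, manifest):
    """Same idea as wp core verify-checksums: core files whose MD5 differs from
    the release manifest, or that are missing. Extra files need a separate check."""
    bad = []
    for relpath, expected in manifest.items():
        path = root / relpath
        if not path.is_file() or hashlib.md5(path.read_bytes()).hexdigest() != expected:
            bad.append(relpath)
    return sorted(bad)


def suspicious_php(root):
    return sorted(rel(root, p) for p in walk_files(root)
                  if p.suffix.lower() == ".php" and SUSPICIOUS.search(p.read_text(errors="replace")))


def triage(root, manifest, since):
    root = Path(root)
    return {
        "php_in_uploads": php_in_uploads(root),
        "modified_since": modified_since(root, since),
        "checksum_mismatch": verify_checksums(root, manifest),
        "suspicious_php": suspicious_php(root),
    }


def demo():
    """Build the constructed site in a temp dir, triage it, return the findings."""
    t_hack = 1438510000.0           # constructed 'first sign of trouble' time
    t_clean = t_hack - 30 * 86400   # clean install a month earlier
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root, t_clean, t_hack)
        return triage(root, MANIFEST, since=t_hack - 3600)


if __name__ == "__main__":
    for check, findings in demo().items():
        print(f"{check}: {findings}")
```

Each check catches something the others miss on the sample: the checksum comparison finds the modified core file but knows nothing about uploads or .htaccess, the timestamp sweep finds all three tampered files but only if the attacker didn’t reset mtimes, and the pattern scan finds both the injected blob and the dropped shell. Run them together, save the findings with the logs before cleaning up, and then do what the first comment says: replace core from a clean download rather than hand-editing infected files.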

=> Other pages that seem helpful