WordPress powers roughly 25% of the websites seen on the internet. That’s a vast number of websites and, unfortunately, it makes WordPress a hot target for hackers with malicious intent. If you have some form of logging available to you, it’s likely you’ll see plenty of attempts to log into your admin panel. This is often enough to make the less tech-savvy among us panic that they may lose control of their website. If you don’t have any security logging, don’t assume that because you can’t see the attempts, none are being made.
It’s easy to assume your website is too small or insignificant to be hacked, but you’d be wrong in thinking that. Most WordPress hack attempts come from automated bots sent to scour the internet for WordPress websites. We call these opportunistic attacks. Targeted attacks are less common for the average WordPress user and are unlikely unless you’re a big brand.
If an opportunistic bot does find a hole in your site, it will take advantage and that opportunistic attack could turn into a more targeted attack which is far more devastating to your website and could potentially cause harm to your brand by destroying user trust and all the hard work you put into search engine optimisation.
Prevent WordPress Getting Hacked
Prevention is much easier than a cure and so here are our top tips for keeping your WordPress website hack free.
- Keep WordPress and Plugins up to date
- Use a reputable security plugin
- Use strong login credentials
- Enable 2-factor authentication
- Use HTTPS
- Use Secure website hosting
1. Keep WordPress and Plugins up to date
Most hacked WordPress websites run outdated plugins or outdated versions of WordPress. Keeping them up to date prevents known security holes from being exploited, and it’s an easy thing to do. Getting into the habit is the hardest part, though WordPress recently made it far easier by introducing automatic updates. You can allow a plugin to update automatically from the plugin overview screen. Security updates for the WordPress platform will usually happen automatically, but major updates will require manual steps.
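The dashboard toggle works one plugin at a time. For a site with many plugins it is easier to opt everything in from code, which is what the following must-use plugin does. This is an added example, not code from the original post or from WordPress itself; the held-back plugin slug `example-plugin/example-plugin.php` is a placeholder, and the `WP_AUTO_UPDATE_CORE` constant belongs in wp-config.php rather than in the plugin file.

```php
<?php
/**
 * Added example: a must-use plugin that turns on WordPress's built-in
 * automatic updates for every installed plugin and theme.
 * Save it as wp-content/mu-plugins/auto-updates.php (create the directory
 * if it does not exist). mu-plugins load on every request and cannot be
 * switched off from the dashboard, so the policy survives a careless click.
 */

// Opt every installed plugin and theme into background updates. The
// per-plugin toggles on the Plugins screen do the same thing one at a time.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Optional exception: a plugin you must test on staging before upgrading.
// Runs at priority 20, after the blanket opt-in above, so its answer wins.
// The slug below is a placeholder (assumption), not a real plugin.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $hold_back = array( 'example-plugin/example-plugin.php' );
    if ( isset( $item->plugin ) && in_array( $item->plugin, $hold_back, true ) ) {
        return false;
    }
    return $update;
}, 20, 2 );

/*
 * Core updates are controlled from wp-config.php, not from a plugin:
 *
 *   define( 'WP_AUTO_UPDATE_CORE', 'minor' ); // security and minor releases only (the default)
 *   define( 'WP_AUTO_UPDATE_CORE', true );    // major releases as well
 *
 * Leave the default if you prefer to test major releases by hand, as the
 * post suggests; set it to true if you would rather never fall behind.
 */
```

After installing the file, the Plugins screen shows every plugin as "Auto-updates enabled", and the site e-mails the admin address each time a background update runs or fails, which is the signal to check the site still works.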
2. Use a Reputable Security Plugin
Most good security plugins will include the following but it’s always worth checking:
- A firewall
- Brute Force Protection
- Regular security updates and notifications
- File scanning and change detection
I recommend WordFence WordPress Plugin. It’s a powerful and highly-rated free security plugin that has everything you’d need out of the box.
3. Use Strong Login Credentials
First and foremost, don’t use the words “admin” or “administrator” as your account username. When we see hacking attempts made with a brute force tool, those are the very first usernames tried. Your password matters even more than your username. Do not use complete words found in a dictionary: dictionary attacks are the first thing a brute force tool tries, and tacking a number on the end won’t help either. Your password should ideally be 8+ characters long and a mixture of alphanumeric characters and symbols. A password like that is easy to forget if it’s not entirely human-readable, but there are services that can help. LastPass is a password manager that is free for personal use and has autofill, which makes needing to remember passwords a thing of the past.
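Advice like this only sticks if the site refuses weak passwords when users set them. The must-use plugin below enforces the rules from this section (length, character mix, no dictionary word with digits or symbols bolted on) on the profile screen, the Add New User screen and the password-reset form. This is an added example, not code from the original post or from any plugin; the word list is a short constructed sample that a real deployment would replace with a proper one.

```php
<?php
/**
 * Added example: reject weak passwords wherever WordPress lets a user set one.
 * Save as wp-content/mu-plugins/password-policy.php.
 */

// Return a list of what is missing from $password; an empty list means it passes.
function example_password_problems( string $password ): array {
    // Constructed sample word list (assumption); load a real list in production.
    $wordlist = array( 'password', 'wordpress', 'welcome', 'letmein', 'admin' );

    $problems = array();
    if ( strlen( $password ) < 8 ) {
        $problems[] = 'at least 8 characters';
    }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'both upper- and lower-case letters';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) {
        $problems[] = 'a number';
    }
    if ( ! preg_match( '/[^a-zA-Z0-9]/', $password ) ) {
        $problems[] = 'a symbol';
    }

    // "Tacking a number on the end won't help": strip trailing digits and symbols,
    // undo common letter-for-symbol swaps, then compare with the word list, so
    // "P@ssw0rd1!" is recognised as "password".
    $core = strtolower( preg_replace( '/[0-9!@#$%]+$/', '', $password ) );
    $core = strtr( $core, array( '0' => 'o', '1' => 'i', '3' => 'e', '4' => 'a', '5' => 's', '@' => 'a', '$' => 's' ) );
    if ( in_array( $core, $wordlist, true ) ) {
        $problems[] = 'something other than a dictionary word with digits or symbols added';
    }

    return $problems;
}

// WordPress passes a WP_Error object; adding to it blocks the save and shows the message.
function example_enforce_password( $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change was submitted on this request
    }
    $problems = example_password_problems( (string) wp_unslash( $_POST['pass1'] ) );
    if ( $problems ) {
        $errors->add( 'weak_password', 'Password must contain ' . implode( ', ', $problems ) . '.' );
    }
}

// Profile edit and Add New User screens in wp-admin.
add_action( 'user_profile_update_errors', 'example_enforce_password', 10, 1 );
// Lost-password / reset form on wp-login.php.
add_action( 'validate_password_reset', 'example_enforce_password', 10, 1 );
```

The policy deliberately checks the "core" of the password rather than the literal string, which is the point the section makes: a brute force tool's dictionary mode already tries words with a digit or an exclamation mark appended, so those variants should fail the check too.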
4. Enable 2-factor authentication
Having 2-factor authentication means you need two methods of authentication to gain access to your WordPress admin dashboard. The first is your usual username and password. The second can be a text message or a code entered from an authenticator application. This is where WordFence shines for us once again: it has login security built in, enabling you to set up an authenticator application as your second authentication method. It can be a little fiddly to set up initially, and having to get your phone out every time you log in is a bit of a pain, but it’s worth it compared with the pain you would feel should someone gain access to your website.
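It helps to know why a stolen password alone no longer gets an attacker in. The authenticator app and the site share a secret once, when the QR code is scanned; after that, both derive the six-digit code from that secret and the current 30-second time step, so the site can check the code without the phone ever talking to it. The code below shows that derivation and the server-side check (RFC 6238 TOTP over RFC 4226 HOTP). It is an added example, not code from the original post or from WordFence; the shared secret is a constructed demo value, and `pack( 'J', ... )` assumes 64-bit PHP.

```php
<?php
/**
 * Added example: how time-based one-time codes are produced and verified.
 */

// HOTP (RFC 4226) with the counter set to the TOTP time step (RFC 6238).
function totp_code( string $secret, int $time_step, int $digits = 6 ): string {
    // HMAC-SHA1 over the 8-byte big-endian counter (64-bit PHP assumed for 'J').
    $hmac = hash_hmac( 'sha1', pack( 'J', $time_step ), $secret, true );
    // Dynamic truncation: the low nibble of the last byte picks a 4-byte window.
    $offset = ord( $hmac[19] ) & 0x0f;
    $binary = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hmac[ $offset + 1 ] ) << 16 )
            | ( ord( $hmac[ $offset + 2 ] ) << 8 )
            | ord( $hmac[ $offset + 3 ] );
    // Keep the last $digits decimal digits, zero-padded.
    return str_pad( (string) ( $binary % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// Check a submitted code. The previous and next steps are accepted too, so a few
// seconds of clock drift between phone and server do not lock the user out.
// Returns the matched time step so the caller can record it and refuse a replay
// of the same code within its window, or null when nothing matched.
function totp_verify( string $secret, string $submitted, int $now, int $period = 30, int $window = 1 ): ?int {
    $current = intdiv( $now, $period );
    for ( $delta = -$window; $delta <= $window; $delta++ ) {
        $step = $current + $delta;
        // hash_equals compares in constant time, so timing does not leak which digits matched.
        if ( hash_equals( totp_code( $secret, $step ), $submitted ) ) {
            return $step;
        }
    }
    return null;
}

// Constructed demo secret (assumption). Real secrets are random bytes generated at
// enrolment and shown once, usually as a QR code.
$secret = 'example-shared-secret-not-for-production';
$now    = time();

// What the authenticator app would display right now.
$code = totp_code( $secret, intdiv( $now, 30 ) );
echo "App shows: $code\n";

// The site checks it without any contact with the phone.
echo ( totp_verify( $secret, $code, $now ) !== null ) ? "accepted\n" : "rejected\n";
echo ( totp_verify( $secret, '000000', $now ) !== null ) ? "accepted\n" : "rejected\n";
```

Two details matter for the defender: the secret must be stored as carefully as a password hash would be, because anyone who reads it can generate codes, and a code that has already been accepted should not be accepted again inside its window, which is why `totp_verify` returns the time step rather than a bare true/false. The function can be checked against the published RFC 6238 Appendix B test vectors.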
5. Use HTTPS
Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP. It encrypts the traffic between your browser and the server hosting your WordPress website, so your login credentials and session cookies can’t be read or altered in transit. All good hosting providers will supply SSL certificates for your website, which is what enables HTTPS. Depending on your hosting provider, SSL certificates can be paid for or there are free options available.
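Installing the certificate is the host's half of the job; the other half is making WordPress insist on HTTPS so the login form and admin cookies never travel over plain HTTP. The snippet below does that. It is an added example, not code from the original post or from WordPress documentation; the first part belongs in wp-config.php and the rest in a must-use plugin, and it assumes the WordPress Address and Site Address under Settings › General have already been changed to `https://`.

```php
<?php
/**
 * Added example: make WordPress use the certificate the host installed.
 */

/* ---- Part 1: wp-config.php, above the "That's all, stop editing!" line ---- */

// Serve wp-admin and wp-login.php only over HTTPS; the login cookie is then
// marked secure so the browser never sends it over plain HTTP.
define( 'FORCE_SSL_ADMIN', true );

// Behind a load balancer or CDN that terminates TLS, PHP sees a plain HTTP
// request and is_ssl() would be false, causing redirect loops. Trust the proxy's
// header only if the proxy itself sets it and strips any copy sent by clients.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

/* ---- Part 2: wp-content/mu-plugins/force-https.php ---- */

// Send public (front-end) requests that arrived over HTTP to the HTTPS address.
// wp_safe_redirect only follows redirects to the site's own host, so a forged
// Host header cannot turn this into an open redirect.
add_action( 'template_redirect', function () {
    if ( ! is_ssl() ) {
        wp_safe_redirect( home_url( $_SERVER['REQUEST_URI'], 'https' ), 301 );
        exit;
    }
} );

// Once everything works over HTTPS, tell browsers to remember that. Start with a
// short max-age (five minutes here) and raise it when you are confident no page
// or subdomain still depends on plain HTTP; a long max-age is hard to undo.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=300' );
    }
} );
```

Check the result by loading the site over `http://` and confirming the browser lands on `https://` with a 301, and by logging in and verifying that the `wordpress_logged_in_*` cookie carries the Secure flag in the browser's developer tools.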
6. Use Secure Website Hosting
Most cheap website hosting companies provide shared website hosting. This means you’ll share web space and resources with other websites on the same server. As well as affecting your website’s performance negatively in some cases, shared servers can also be set up insecurely. If another WordPress website on the same server as yours is compromised, other sites on the same cluster can become infected too. Make sure the hosting company you choose has a good reputation, and don’t base your decision to host with them on price alone. Our advice would be a managed virtual private server or a dedicated server, depending on the amount of traffic you get and the kind of information you store, for example whether it is sensitive.
Enjoy a more secure WordPress website
It’s worth mentioning that you should always enable backups of your website. Good hosting providers include this service, though possibly at a small additional cost. We see plenty of site owners assuming that setting up a backup WordPress plugin and storing the backup on the same server is enough. Quite simply, if your website is compromised, any backups that exist on the same server could have been infected or deleted too. You should instead keep backups outside of your WordPress website environment.
Has your WordPress website been hacked? Get in touch today for immediate help