One of the questions business owners ask most often in the WordPress community is: what do you do when your WordPress website gets hacked?
- Introduction to WordPress and its Market Share
- Overall WordPress Hacking Statistics
- Why a WordPress security guide?
- Reasons for Hacks
- Sources of Hacks
- Types of Attacks
- Get a Reliable and Secure WordPress Hosting
- Use WordPress Security Plugins
- Back up your WordPress site regularly
- Harden wp-config.php File
- Update PHP to the latest stable version
- Update to the latest versions of WordPress, Themes, and Plugins
- Invest in DDOS Protection
- Use a WordPress Firewall Plugin
- Customize Admin Page and URL
- Limit Login Attempts
- Uninstall Outdated and Unnecessary Files, Themes, and Plugins, etc.
- Set Correct User Permissions
- Automatic Logout Plugin
- Buy premium themes and plugins only
- Ensure SSL data encryption
Introduction to WordPress and its Market Share
WordPress is a Content Management System (CMS) software used by millions for developing user-friendly websites and blogs. It is licensed under GPLv2, which allows anyone to use and modify it freely.
When it comes to market share, WordPress powers a whopping 40% of the internet, which comes to nearly 455 million websites!
With a nearly 60% share of the CMS market, WordPress is unfortunately also a lucrative target for hackers. Because it is free and open-source, WordPress websites are among the most attacked by cybercriminals.
The following graph shows the market share of each platform, both among all websites and among CMS-powered sites. WordPress is undoubtedly the king of both.
Overall WordPress Hacking Statistics
Despite the growing number of cybersecurity professionals, WordPress has fallen prey to numerous hacking attempts since its inception back in 2003.
Surveys reveal that around 70% of websites built with WordPress are vulnerable to hacking attacks.
The Common Vulnerabilities and Exposures (CVE) list also shows that most such attacks are the result of cross-site scripting.
Why a WordPress security guide?
You have set up a WordPress website and spent an enormous amount of effort, time, and resources getting it working. All is good for several months until one day you wake up to find your site has crashed.
On closer inspection, you find it was hacked through a number of security loopholes you didn’t pay attention to in the first place.
In this post, we share ways of hardening your WordPress website to reduce the chances of it being compromised.
Reasons for Hacks
WordPress is open-source and free for anyone to use. But that also gives cybercriminals an easy chance to hack your website. There are myriad reasons why WordPress websites are more prone to being hacked than those powered by other CMSs:
- Poor system administration
- Lack of proper web and security-based knowledge among WordPress users
- Use of outdated versions of WordPress
- Lack of knowledge to take effective steps for risk reduction
- Not using secure website hosting
And the list goes on.
Sources of Hacks
Here are some of the sources of these hacks:
- The use of older versions of plugins, themes, or CMS
- Websites using plain File Transfer Protocol (FTP) instead of SFTP/SSH
- Incorrect file permissions, often loosened to get around problems with creating folders, running scripts, or uploading images
- Weak passwords
Types of Attacks
With the passage of time, cybercriminals and hackers have been getting smarter, adjusting their techniques to bypass and circumvent security protocols.
This means you need to always stay one step ahead of hackers and think like them to secure your website. Here are some of the different types of WordPress security attacks:
- Denial of Service (DoS, or DDoS when distributed): This technique exploits errors and bugs in the website’s code to exhaust the memory of the system running the WordPress website.
- Pharma Hacks: This attack is often described as a spam menace; it relies on backdoors planted in plugins and databases.
- Structured Query Language (SQL) Injections: Such injections let hackers exploit loopholes in the backend and execute SQL commands to create, retrieve, update, and even delete the site’s data.
- Malicious Redirects: These plant backdoors, using FTP, SFTP, and other protocols, to inject redirection code into websites built with WordPress.
- Brute Force Login Attempts: Hackers use automated scripts to make login attempts continuously in an effort to find weak passwords.
- Cross-Site Scripting (XSS): The attack works by injecting a malicious script that grabs the website’s cookies or rewrites the HyperText Markup Language (HTML) of a page.
You might be wondering then:
Hmmm. So, with all the horrifying WordPress security statistics of 2021, is WordPress really secure?
The short and quick answer is, YES! It is secure. Security has more to do with the user than with the platform itself.
If you use outdated assets and pay no attention to WordPress security, your site is bound to be hacked.
Do note that WordPress is free and open-source, and since it is the most widely used CMS, it naturally has a higher chance of being attacked.
Gladly though, there are some basic precautions you can take to secure your WordPress website in 2021.
Get a Reliable and Secure WordPress Hosting
Selecting a secure and trustworthy WordPress hosting is the key to keeping hacking attempts at bay. It is also the first step in ensuring the safety of your website.
One way to ensure that your WordPress website remains safe is through server hardening.
This method involves creating multiple layers of hardware and software-level security. These layers tend to safeguard against both virtual and physical threats to the website’s system and keep it secure.
Reliable and secure WordPress VPS hosting costs anywhere between $15 and $30 a month, which is nothing compared to the extraordinary amount of time and effort you would otherwise invest in keeping your site secure.
A number of website hosting service providers will charge a nominal amount to secure your WordPress website by updating to the latest version of the operating system and running system checks. Here are some factors you need to look at when choosing a reliable WordPress hosting service:
- Reviews from trusted sites such as HostAdvice and TrustPilot
- Website Uptime
- Loading speed (should be less than 4 seconds)
- SSL hosting
- SSD Servers
- Customer support if your site goes down
- Server-level firewalls in place before WordPress installation
Use WordPress Security Plugins
Making use of WordPress security plugins is another effective measure that can play a major role in protecting your WordPress website. Some of these plugins are SecuPress, WP fail2ban, Wordfence Security, and Sucuri Security.
These plugins can serve abundant uses, some of which include:
- Malware scanning of the website’s files and database
- IP whitelisting and IP blacklisting
- Generating strong passwords
- Expiring old passwords
- Two-factor authentication
- Generating user log of actions
- Monitoring DNS changes
Back up your WordPress site regularly
No matter how reliable your hosting is, anything can go wrong at any time, and you will have no one but yourself to blame. This is why you always need to create regular backups of your website. Ideally, you should create at least one backup every week.
If you are running an online store or a blog, make it a practice to create backups every other day.
Backing up your website regularly acts as a safety net in case your site gets hacked. VaultPress, CodeGuard, and BlogVault are automated WordPress backup services with reasonable charges.
Backup plugins such as Duplicator, BackWPup, and BackupBuddy can also prove useful for storing site data. They can transfer your backups over FTP or integrate with external storage such as Amazon S3, Google Cloud Storage, or Dropbox.
Some of the most popular managed WordPress hosting companies offer automated daily or weekly backups. This means you won’t have to create manual backups again and again.
Harden wp-config.php File
When it comes to WordPress security, wp-config.php is the most significant file on your website. This single file contains your database login information along with the security keys that are critical for encrypting the information in cookies. It can either make or break your website. Here are some steps you can take to safeguard this file:
- Move wp-config from the root folder to another folder of your website
- Block internal access
- Block code modifications
- Set the file permissions to 400 so that the file is read-only
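A hardened wp-config.php excerpt that puts the steps above into practice (an added example, not code from the original post; every credential and key is a placeholder to replace):

```php
<?php
// Hardened wp-config.php excerpt (added example). All values are placeholders.
// Location: if this file is moved one directory above the web root, WordPress
// finds it there automatically and the web server can no longer serve it.
// Permissions: run "chmod 400 wp-config.php" in the shell (mode 400 means
// read-only for the owner and no access for anyone else), with the file owned
// by the account PHP runs as.

// Database: use a dedicated DB user limited to this one database.
define( 'DB_NAME',     'REPLACE_DB_NAME' );
define( 'DB_USER',     'REPLACE_DB_USER' );
define( 'DB_PASSWORD', 'REPLACE_DB_PASSWORD' );
define( 'DB_HOST',     'localhost' );

// Keys and salts protect login cookies. Generate unique values from
// https://api.wordpress.org/secret-key/1.1/salt/ ; rotating them logs everyone out.
define( 'AUTH_KEY',         'REPLACE_WITH_UNIQUE_PHRASE' );
define( 'SECURE_AUTH_KEY',  'REPLACE_WITH_UNIQUE_PHRASE' );
define( 'LOGGED_IN_KEY',    'REPLACE_WITH_UNIQUE_PHRASE' );
define( 'NONCE_KEY',        'REPLACE_WITH_UNIQUE_PHRASE' );
define( 'AUTH_SALT',        'REPLACE_WITH_UNIQUE_PHRASE' );
define( 'SECURE_AUTH_SALT', 'REPLACE_WITH_UNIQUE_PHRASE' );
define( 'LOGGED_IN_SALT',   'REPLACE_WITH_UNIQUE_PHRASE' );
define( 'NONCE_SALT',       'REPLACE_WITH_UNIQUE_PHRASE' );

// Block code modifications: removes the theme/plugin file editor from the
// dashboard, so a stolen admin login cannot be turned into PHP execution.
define( 'DISALLOW_FILE_EDIT', true );
// Stricter still: also forbids installing or updating plugins and themes from
// the dashboard (updates must then be done over SFTP/SSH or WP-CLI).
// define( 'DISALLOW_FILE_MODS', true );

// Keep the admin area and login form on HTTPS.
define( 'FORCE_SSL_ADMIN', true );

// Never show PHP errors (which can reveal paths and queries) to visitors.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', '0' );

$table_prefix = 'wp_';

// ABSPATH is already defined by wp-load.php when the file lives one level up;
// the guard keeps the same file working in either location.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```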
Update PHP to the latest stable version
PHP is the building block of your WordPress website and its core programming language. If you mess up this aspect, your website will crash.
Keeping this essential part of your website updated helps fix bugs and security issues. All websites currently running PHP 8.0 or lower are exposed to potentially harmful vulnerabilities.
The latest stable release of PHP is 8.0.1, released on 29 July 2021.
Update to the latest versions of WordPress, Themes, and Plugins
This correlates directly with point #5. You also need to update your WordPress version, themes, and plugins to close security loopholes and fix bugs.
Developers issue updates with security patches so that vulnerabilities are fixed and the chances of being attacked are minimized.
The latest WordPress version is 5.8, and your site should already be updated to it.
Several security risks can automatically be fixed by just updating your WordPress to the latest version.
The same is true for plugins and themes, which are a part of every WordPress website. We strongly urge you not to use free themes and plugins as they have several bugs and vulnerability issues, giving cybercriminals easy access to your website.
Always go for premium plugins and themes and keep updating them when their developers release security patches.
Invest in DDOS Protection
A Distributed Denial of Service (DDoS) attack has the ability to make your site inactive for a few hours or days, which is enough to damage your business.
Using a third-party security service such as Cloudflare or Sucuri is the best option for keeping your site safe from a DDoS attack. These services can protect a website against attacks that target the UDP and ICMP protocols.
You can also mask your origin IP address by using these services, which further enhances your website’s security.
Use a WordPress Firewall Plugin
It is not practical to monitor your WordPress website around the clock yourself. For this reason, you need to rely on a WordPress firewall plugin.
A website firewall can detect and instantly block harmful traffic coming to your website. Here are some of the benefits of a WordPress firewall plugin:
- It enhances the website’s speed and performance.
- It is a great way to block or whitelist IP addresses.
- It is intelligent software that can detect attack patterns and reconfigure itself against future hacking attempts.
Customize Admin Page and URL
yoursite.com/wp-admin is the most common WordPress admin page URL.
It is also the easiest for hackers to find, because everyone knows about it!
But what can you do here?
Making your site’s login entry points difficult to locate can protect it from malicious hackers.
Locking down your WordPress admin area and login page is a great start to improving your security. This can be done by changing your WordPress login URL through any free or premium plugin.
By making your admin page URL difficult to locate, you can significantly decrease brute force attempts against your website.
Limit Login Attempts
This point directly correlates with the previous one. One particular plugin whose effect against repeated login attempts has been tested and proven is Loginizer. This plugin can block logins from an IP address that has reached the maximum number of retries allowed.
Once you use a login limiter, it automatically limits login attempts on your website. This means any hacker relying on the brute force method has to wait for a certain period of time before trying again.
You can change the settings of the free Cerber plugin through the WordPress dashboard. Specify the number of attempts allowed and the lockout period in minutes, and you’re all set.
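To show what a login limiter does under the hood, here is a minimal must-use plugin (drop it into wp-content/mu-plugins/) that locks an IP address out after too many failed logins. This is an added example, not the code of Loginizer or Cerber; the lal_ names and the limits of 5 attempts per 15 minutes are assumptions.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Description: Blocks further login attempts from an IP after repeated failures.
 */
// Assumed limits: 5 failed attempts within a 15-minute window.
define( 'LAL_MAX_ATTEMPTS', 5 );
define( 'LAL_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS );

function lal_client_ip() {
    // Only trust REMOTE_ADDR; forwarded-for headers can be forged unless a
    // trusted reverse proxy is known to set them.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lal_transient_key() {
    // One counter per client IP, stored as a WordPress transient.
    return 'lal_fail_' . md5( lal_client_ip() );
}

// Count each failed login for the client's IP; the transient expires on its own.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lal_transient_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LAL_WINDOW_SECONDS );
    error_log( sprintf( 'Failed login for "%s" from %s (%d/%d)',
        sanitize_user( $username ), lal_client_ip(), $count, LAL_MAX_ATTEMPTS ) );
} );

// Refuse further attempts once the limit is reached. Priority 30 runs after
// WordPress's own username/password check (priority 20).
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lal_transient_key() ) >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.',
                LAL_WINDOW_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// Clear the counter on a successful login.
add_action( 'wp_login', function () {
    delete_transient( lal_transient_key() );
} );
```

A locked-out request that still submits credentials also fires wp_login_failed, so it extends the lockout window rather than shortening it.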
Uninstall Outdated and Unnecessary Files, Themes, and Plugins, etc.
You deactivated a number of plugins a long time ago and no longer use them. What are they lying around for? Delete them for two reasons. One, they occupy useless space on your web disk. And two, you never know what vulnerabilities are still in them. Uninstalling them is a counter-measure against hacking attempts. Here is how to do it.
- Log into your WordPress dashboard.
- Click on the section that contains plugins.
- Identify and delete deactivated plugins.
Needless to say, the same goes for your themes. At any given time, only one theme is active on your WordPress website. Follow the same practice and delete all of the remaining themes.
Set Correct User Permissions
Giving users only the permissions their responsibilities require protects your website against potential threats. By default, WordPress defines six roles: Super Administrator, Administrator, Editor, Author, Contributor, and Subscriber.
These predefined roles can be assigned from the dashboard, whereas custom roles can be created and assigned with a plugin such as User Role Editor. To define user roles with this plugin, follow these steps:
- Install the plugin
- Go to the “Users” tab by clicking the “Other Roles” button
- Define or add custom roles for particular users.
Automatic Logout Plugin
Not all users remember to log out after each session. Plus, we all have a habit of letting the browser remember our passwords and staying logged in until we log out manually.
Setting up an automatic logout plugin increases WordPress security by making sure that a user is logged out once a session is over.
WordPress provides its users with the Inactive Logout plugin, which terminates idle user sessions to keep out snoopers and hackers.
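The same idle-session logout can be done without a plugin. The must-use plugin below (an added example, not the Inactive Logout plugin's code) shortens the login cookie lifetime and ends any session idle for longer than an assumed 30 minutes; the isl_ names are assumptions.

```php
<?php
/**
 * Plugin Name: Idle Session Logout (added example)
 * Description: Ends sessions idle for longer than ISL_IDLE_SECONDS.
 */
define( 'ISL_IDLE_SECONDS', 30 * MINUTE_IN_SECONDS ); // assumed idle limit

// Shorten the auth cookie: WordPress defaults to 2 days, or 14 with "Remember Me".
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 2 * HOUR_IN_SECONDS;
}, 10, 3 );

// On every request, compare now with the user's last recorded activity.
add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, 'isl_last_activity', true );
    $now     = time();

    if ( $last && ( $now - $last ) > ISL_IDLE_SECONDS ) {
        wp_logout(); // clears the auth cookies and the server-side session token
        wp_safe_redirect( add_query_arg( 'isl_timeout', '1', wp_login_url() ) );
        exit;
    }
    update_user_meta( $user_id, 'isl_last_activity', $now );
} );

// Tell the user why they landed back on the login page.
add_filter( 'login_message', function ( $message ) {
    if ( isset( $_GET['isl_timeout'] ) ) {
        $minutes  = ISL_IDLE_SECONDS / MINUTE_IN_SECONDS;
        $message .= '<p class="message">You were logged out after '
            . (int) $minutes . ' minutes of inactivity.</p>';
    }
    return $message;
} );
```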
Buy premium themes and plugins only
Many times, the reason your website gets hacked is that it uses a nulled WordPress theme. Where you buy and download plugins and themes has a major influence on how your website operates. Premium themes and plugins are almost always better in terms of quality, functionality, security, variety, and access to premium support.
Because of the many benefits they offer, we recommend that you buy premium products!
Premium plugins are paid versions offered by independent developers that provide additional features, priority support, documentation, and regular updates. Only buy from trusted sources such as Elegant Themes and ThemeForest.
Ensure SSL data encryption
Having an SSL (Secure Sockets Layer) certificate is compulsory according to Google. Now that Google counts SSL among its ranking factors, it is time you did the same. An SSL certificate at the domain level adds authority, reliability, and trust to your website.
Free SSL certificates such as the one issued by OpenSSL are great for blogs starting out. But if you are planning to establish an online brand, go for a paid one.
You also need to avoid mixed content on the website and ensure that all your pages redirect from HTTP to HTTPS.
As discussed in this guide, there are a number of ways to harden your WordPress security. For the vast majority of users, their WordPress website represents their online identity and is a solid source of income. Hence, you need to take the time to ensure your online business is safe from intruders. It is never too late to implement the security measures mentioned in this guide.