Having your WordPress site hacked is one of the biggest nightmares for any website owner.
From one moment to the next, your site is shut down. Traffic plummets and all the energy, effort, time, and money you put into your site is on the brink of being lost entirely.
Finding and fixing the problem is hard work, but not as hard as winning back your audience’s trust or getting your site off spam blacklists.
While getting hacked is never pleasant, it is much more common than you would think.
The ascent of WordPress has painted a large bullseye on the back of the CMS and turned it into a favorite target for hackers.
In 2012 alone, more than 170,000 WordPress websites were hacked — a number that is likely much higher by now.
To spare you this unpleasant experience, in this article we will look at the reasons hackers target WordPress websites, the most common ways they gain access and what measures you can take to protect yourself.
This is compulsory reading for any WordPress website owner, so take note!
Why Would Anyone Want To Hack Your WordPress Site?
Owners of smaller websites in particular often think of themselves as an unlikely target for hackers.
After all, why would anyone care about your tiny blog? What could hackers possibly have to gain from compromising it?
However, when it comes to being hacked, traffic size or popularity are not the deciding factors.
Hacking Attempts Are A Matter Of Opportunity
The first thing you need to understand is that it’s not about your site in particular or you personally. Most sites get hacked merely because it’s possible.
Only in rare cases do hackers have a specific reason to go after a particular site, and those cases mostly involve large corporations like Sony.
For mere mortals like us, hackers go for our sites because we give them an opening, usually without knowing it.
So it’s not about logic or whether it makes sense to target your site. No matter how small or insignificant your traffic, you are always a viable target.
Most Hacking Attacks Are Automated
One of the main reasons hackers don’t differentiate between large and small sites is that attacks are almost always automated.
If you think someone typed your site address into a browser bar and had a good snoop around until they found something, you’d be dead wrong. That approach would be completely uneconomic from a hacker’s point of view.
Instead, just like search engines, hackers use bots to crawl the net. However, instead of indexing content, their bots sniff out known vulnerabilities, such as an outdated plugin version with a published exploit. Automating the process lets hackers attack many sites at once and thus increase their odds of success dramatically. Economies of scale at their best.
Thus, if your site gets hacked, it’s probably because it popped up on the radar of an automated script, not because someone consciously decided to target you.
What’s In It for Them?
Still, the question remains: Why would anyone put in that effort? What do they get out of it?
Naturally, if you are running a web shop that processes a lot of financial information like credit card numbers, that would be a sensible target for hackers.
However, if your site does not contain any government secrets or other people’s banking info, why would they be interested in your site?
Well, even in those cases, hacking your site could benefit individuals with bad intentions in different ways:
- Drive-by downloads — Hackers can use your site to infect your visitors’ computers with malware such as backdoors, keyloggers, ransomware or viruses in order to capture information they can use for their own gain.
- Redirections — Sometimes hackers will redirect visitors from your site to other websites that generate affiliate income for them.
- System resources — Another possibility is that they take over your server and use the hardware for sending out spam emails, performing denial of service or brute force attacks and more. Of course, this will easily get your server — and your site — put on a blacklist or jack up your hosting cost if it is based on usage.
As you can see, your site is interesting to hackers regardless of its size or popularity. Therefore, every website owner is a potential victim.
How Do WordPress Websites Get Hacked?
According to an infographic by WP Template, these are the most common points of entry into WordPress websites:
- 41% get hacked through vulnerabilities in their hosting platform
- 29% by means of an insecure theme
- 22% via a vulnerable plugin
- 8% because of weak passwords
As you can see, the first point of entry is most often the hosting provider.
That doesn’t necessarily mean your site has been targeted directly. On shared hosting, an attacker who compromises one site on the server can often reach the others if the accounts are not properly isolated from each other, taking them down in the process.
What’s alarming is that more than half of all successful hacks come through WordPress themes and plugins. This part, therefore, deserves special attention and we will talk about it in further detail below.
The rest of the sites suffer from weak login credentials, which makes them vulnerable to brute force attacks.
While eight percent doesn’t seem like a lot, be aware that we are talking about hundreds of thousands of websites here. Even if only a small percentage of them has weak login information, that number still comes down to thousands of vulnerable sites.
Alright, now that we know what makes WordPress vulnerable, what can we do about it?
How To Keep Your Site Safe
WordPress security is all about proactivity. You know what they say, an ounce of prevention is worth a pound of cure, especially on the web.
Based on the information above, here are some of the most effective ways to keep your WordPress website from being hacked.
Choose A High-Quality Hosting Provider
One thing that should be clear from the statistics is that the quality of your hosting provider has a large impact on the security of your site.
Therefore, choosing a reputable provider that puts a premium on security should be on the top of your list of measures to keep your site from being hacked.
Besides running current, supported versions of PHP and MySQL, that means they should at least perform regular malware scans and daily backups.
(The latter really saved my bacon once, I can only stress this point!)
For us as WordPress users, it’s also a good idea to go with a hosting provider that is specialized in running sites based on the platform and offers a WordPress-optimized environment as well as knowledgeable staff.
You can find a test of leading WordPress hosting companies here.
Also, if you can, stay away from pure shared hosting solutions to avoid “bad neighbor” problems such as the one mentioned above.
Perform Regular Backups
Even though the steps mentioned on this list will seriously harden your site’s security, there is no 100 percent guarantee it won’t get hacked anyway.
That’s not because WordPress is by default insecure (far from it) but because anything connected to the Internet is always somewhat at risk, no matter how small the level of threat might be.
Therefore, while it’s good to hope for the best, it’s also important to prepare for the worst and for website owners, that means backing up on a regular basis.
If you already have a quality host, they should take care of this part for you and store the copies off-site, away from the server they protect. Either way, restore a backup to a test environment once in a while; a backup you have never restored is only a hope.
For everyone else and those who want to be extra sure, implementing a reliable backup solution is a must and you have many to pick from:
- WordPress Backup to Dropbox
- BackupBuddy (paid)
- VaultPress (paid)
- CodeGuard (paid)
- BlogVault (paid)
Pick one and set it up now. I’ll wait. No seriously, go do it now.
Fortify Your Login
Besides the hosting environment, weak passwords and login information are also responsible for a good number of hacks.
This is especially true for brute force attacks, in which hackers run a script that tries username and password combinations, usually drawn from lists of common and leaked passwords rather than picked at random, until one fits.
As stupid as this sounds, it works! Look at last year’s worst passwords and you will understand why.
As a first line of defense, adhere to the following best practices for WordPress login information:
- Change your passwords periodically (seriously, put a reminder in your calendar now) and immediately whenever you suspect one has leaked, for example after a breach at another service where you reused it
- Avoid using the admin username (which used to be the default in older WordPress versions and is therefore often targeted first)
- Create a strong password (either via an external service or the password strength meter included in WordPress)
- Require other users to do the same with Force Strong Passwords
- Store passwords in a password manager such as LastPass rather than in a browser note or a text file
Apart from that, you can further up your login security with the following methods:
- Limit login attempts — Plugins like Login LockDown and Login Security Solution let you cap the number of login attempts from a single IP address within a certain amount of time, which shuts down a single-source brute force attack. Keep in mind that botnets spread their attempts over many addresses, so a per-IP limit slows them down rather than stops them.
- Employ two-step authentication — Adds a second factor that a guessed or stolen password alone cannot satisfy, typically a one-time code or push prompt on your cell phone. Options include Duo Two-Factor Authentication, OpenID.
- Hide your login page — Moving wp-admin and wp-login.php to non-standard addresses keeps the bots that hammer the default URLs away. It is obscurity rather than a real control, though: anyone who finds the new address faces the same login form, so treat it as a supplement to rate limiting and two-step authentication, not a replacement. You can do so via Rename wp-login.php, HideLogin+ or Lockdown WP Admin.
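To show what a login-attempt limiter actually looks for, here is an added example in Python; it is not code from the article or from any of the plugins named above. It scans access-log lines for POST requests to wp-login.php and flags any IP address that racks up five or more failed attempts inside a sliding 60-second window. The log lines are constructed for the example, and the function names (failed_logins, brute_force_sources) are the example's own. It relies on one WordPress behaviour: a failed login re-renders wp-login.php with HTTP 200, while a successful one answers with a 302 redirect to wp-admin.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the combined log format, not taken from a real server.
# 203.0.113.7 fires six POSTs in six seconds (a scripted brute force attempt);
# 198.51.100.4 is a real user who mistypes once and then logs in (302);
# 192.0.2.9 only fetches the login form with GET and is ignored.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:55:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2987 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def failed_logins(log_text):
    """Yield (ip, timestamp) for every POST to wp-login.php that did not end in a redirect.

    WordPress answers a wrong password with 200 (the form comes back with an error
    message) and a correct one with a 302 to wp-admin, so a 200 on a POST is a failure.
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed access-log line
        if m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        if m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)


def brute_force_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: time_the_threshold_was_first_hit} for every IP with at least
    `threshold` failed logins inside any `window`-long sliding interval.

    Lines are assumed to be in chronological order, as a log file normally is.
    This is the same rule a limit-login plugin or a fail2ban jail enforces live.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for ip, ts in failed_logins(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip} hit the failure threshold at {when:%H:%M:%S}")
```

Run it against a real file with `brute_force_sources(open("/var/log/apache2/access.log").read())`. One caveat before you block anything on the strength of this: if the site sits behind a reverse proxy or CDN, the first column of the log is the proxy's address, not the visitor's, and a naive per-IP ban would lock out the proxy and with it every legitimate visitor. Configure the web server to log the forwarded client address first.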
WordPress login protected? Then let’s move on to other things.
Add SALTs To wp-config.php
WordPress security keys were introduced in WordPress 2.6.
They are long random strings that WordPress uses as secret key material when it signs the authentication cookies and generates nonces. The cookie itself is not encrypted (the username and expiry time are readable inside it), but the HMAC computed with these keys is what stops anyone who does not know them from forging a cookie for another user. Changing the keys invalidates every existing login cookie, which is also a quick way to force all sessions to log in again after a compromise.
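To make concrete what the keys do, here is an added example in Python; it is neither WordPress's own code nor code from the original article. It generates the eight constants with the same character set and length as the wordpress.org generator, then models the auth cookie as a simplified `username|expiration|HMAC` triple. Real WordPress also mixes a fragment of the password hash and a session token into the cookie; that part is left out here, and the function names (generate_keys, as_wp_config, sign_cookie, verify_cookie) are the example's own.

```python
import hashlib
import hmac
import secrets
import time

# Character set the wordpress.org generator draws from: printable ASCII minus
# quotes and backslash, which would break the define() line in wp-config.php.
KEY_CHARS = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\"\\")
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def generate_keys(length=64):
    """Return a dict of the eight constants, each a fresh random string (CSPRNG-backed)."""
    return {name: "".join(secrets.choice(KEY_CHARS) for _ in range(length))
            for name in KEY_NAMES}


def as_wp_config(keys):
    """Render the constants as define() lines ready to paste into wp-config.php."""
    return "\n".join(f"define('{name}', '{value}');" for name, value in keys.items())


def sign_cookie(username, expiration, keys, scheme="AUTH"):
    """Simplified model of a WordPress auth cookie: username|expiration|hmac.

    The secret is the scheme's key concatenated with its salt, the way wp_salt()
    builds it. Nothing is encrypted; the HMAC only makes the cookie unforgeable.
    """
    secret = (keys[f"{scheme}_KEY"] + keys[f"{scheme}_SALT"]).encode()
    data = f"{username}|{expiration}".encode()
    mac = hmac.new(secret, data, hashlib.sha256).hexdigest()
    return f"{username}|{expiration}|{mac}"


def verify_cookie(cookie, keys, now=None, scheme="AUTH"):
    """Return the username if the cookie is validly signed and not expired, else None."""
    now = time.time() if now is None else now
    try:
        username, expiration, mac = cookie.split("|")
        expiration = int(expiration)
    except ValueError:
        return None  # malformed cookie
    if expiration < now:
        return None  # expired
    expected = sign_cookie(username, expiration, keys, scheme).rsplit("|", 1)[1]
    # compare_digest avoids leaking the MAC byte by byte through timing differences
    return username if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    keys = generate_keys()
    print(as_wp_config(keys))  # paste this block into wp-config.php

    exp = int(time.time()) + 2 * 24 * 3600  # WordPress's default two-day cookie lifetime
    cookie = sign_cookie("editor", exp, keys)
    assert verify_cookie(cookie, keys) == "editor"
    # An attacker who knows the cookie format but not the keys cannot mint an admin cookie.
    assert verify_cookie(sign_cookie("admin", exp, generate_keys()), keys) is None
    # Editing the readable fields breaks the MAC.
    assert verify_cookie(cookie.replace("editor", "admin"), keys) is None
    # Rotating the keys invalidates every cookie issued under the old ones.
    assert verify_cookie(cookie, generate_keys()) is None
    print("cookie checks passed")
```

The last assertion is the practical takeaway: if you ever suspect a compromise, regenerating the keys in wp-config.php logs every session out at once, attacker included, without touching the database.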
The keys go into your wp-config.php file where it says this:
```php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
```
Replace them with the output of the WordPress SALT generator; it will end up looking something like this: