A small proportion of my work is spent helping people recover from hacked WordPress Websites. Generally, hacked Websites fall into one of two categories: targeted attacks or random/chance attacks. A client I assisted recently to recover from a hacked Site was the recipient of a targeted attack, as he is a well-known professor specializing in evolution (as opposed to creationism). Another client I am assisting with WordPress security is a religious organization that is also the recipient of targeted hack attacks.
Random attacks, where the attacker is not interested in your Site in particular but in any Site with a known weakness, are far more common. They are usually automated: a scanner works its way through large numbers of Websites probing for one or more vulnerabilities (an out-of-date Plugin, a guessable password) and moves on to whichever Sites respond.
A Note on WordPress Security
It’s worth mentioning here that WordPress core is, in fact, very secure as far as Web software goes. Often, when people say that their WordPress Site has been hacked, they fail to mention that the cause lay in the surrounding circumstances (e.g. updates hadn’t been applied) or that something other than WordPress itself was the security flaw (e.g. an out-of-date Plugin or Theme, a weak or reused password, or a hosting account or database compromised through another Site on the same server, none of which is a flaw in WordPress). It is actually very rare that up-to-date WordPress core software is the entry point of any hack; the Plugins and Themes around it, and the credentials used to log in, are far more often the way in.
Why and How WordPress Sites get Hacked
Targeted attacks generally occur because the attacker disagrees with the actions or opinions of a specific Website or Website owner. Often the attacker will use a Denial of Service attack in this case, which isn’t a hack (nothing is broken into or changed) but rather a flood of automated requests that overwhelms the server so that the Site becomes inaccessible to genuine visitors.
Random attacks happen when an attacker probes for any of the one or many potential security flaws a Site may have. With random attacks, the attacker is usually attempting to insert malicious code into the Site. This may happen by placing the code directly in the Site’s files (for example after logging in with a guessed password, or through a Plugin that lets anyone upload files), or by running code from outside the Site that exploits a flaw to write the code for them (an injection vulnerability in a Plugin, say). The code inserted could do anything from acting as a base for further attacks on other Websites (a backdoor that lets the attacker come back at will), to redirecting your visitors to spam or malware, to acting as a credit card number collector on Sites that accept Mastercard, Visa, Amex etc.
Top WordPress Security Activities
There are many steps which may be taken to secure WordPress even further. Here are a few of the simple but necessary security measures:
Use a reputable host
Most WordPress Site owners use shared hosting. Although many articles will say that for security reasons a Website should never use Shared Hosting, this just isn’t financially feasible for most people. On shared hosting your Site’s security depends partly on the host: how well it isolates each customer’s account from the others, and how quickly it patches the server software. My recommendation is to use the very reputable shared hosting companies (ask me if you want my host recommendation).
If you want to move your WordPress Site to a better host then contact me as I’ll be able to assist.
Always keep WordPress, Plugins and Software up to date
It is critical to always keep your WordPress version at the latest version. Since WordPress 3.7, minor (security) releases of core install themselves automatically unless that has been switched off, but Plugins and Themes do not update unless you, or a setting you enable, do so, and they are the most common entry point, so keep them up to date too. Delete Plugins and Themes you are not using rather than merely deactivating them: a deactivated Plugin’s code is still on the server and can still be exploited. Not updating is really ‘asking’ to be hacked.
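As an added example (not code from the original post), the following must-use Plugin switches on automatic updates for Plugins and Themes and emails the administrator once a day about anything still out of date, so a failed or disabled auto-update does not go unnoticed. It uses only standard WordPress hooks and functions (the auto_update_plugin and auto_update_theme filters, the update_plugins site transient, WP-Cron); the plugin name, the kut_ prefix and the hook name kut_daily_update_check are my own choices. Save it as wp-content/mu-plugins/keep-up-to-date.php.

```php
<?php
/**
 * Plugin Name: Keep Up To Date (added example, not from the original post)
 * Description: Opts Plugins and Themes in to auto-updates and emails the
 *              administrator daily about anything still outdated.
 * Place in wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 * Assumes WordPress 3.7+ (auto-update filters, WP-Cron) and a working wp_mail().
 *
 * Core minor/security releases already auto-update by default; to also take
 * major core releases automatically, add to wp-config.php:
 *     define( 'WP_AUTO_UPDATE_CORE', true );
 */

// Let WordPress install Plugin and Theme updates as soon as it sees them.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

/**
 * Plugins with an update still pending, taken from the update data WordPress
 * caches in the 'update_plugins' site transient (refreshed twice a day).
 *
 * @return array  plugin file => array( 'current' => x, 'available' => y )
 */
function kut_pending_plugin_updates() {
    $pending = array();
    $updates = get_site_transient( 'update_plugins' );
    if ( empty( $updates->response ) ) {
        return $pending;
    }
    foreach ( $updates->response as $plugin_file => $info ) {
        $pending[ $plugin_file ] = array(
            'current'   => isset( $updates->checked[ $plugin_file ] ) ? $updates->checked[ $plugin_file ] : 'unknown',
            'available' => $info->new_version,
        );
    }
    return $pending;
}

/**
 * Daily check: if an update is still pending (auto-update failed, or the
 * Plugin offers no package), tell the administrator so it is done by hand.
 */
function kut_notify_if_outdated() {
    $pending = kut_pending_plugin_updates();
    if ( empty( $pending ) ) {
        return;
    }
    $lines = array();
    foreach ( $pending as $plugin_file => $versions ) {
        $lines[] = sprintf( '%s: %s -> %s', $plugin_file, $versions['current'], $versions['available'] );
    }
    wp_mail(
        get_option( 'admin_email' ),
        sprintf( '[%s] %d plugin update(s) still pending', get_bloginfo( 'name' ), count( $pending ) ),
        implode( "\n", $lines )
    );
}
add_action( 'kut_daily_update_check', 'kut_notify_if_outdated' );

// Register the daily event once; WP-Cron fires it on a later page load.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'kut_daily_update_check' ) ) {
        wp_schedule_event( time(), 'daily', 'kut_daily_update_check' );
    }
} );
```

Because it lives in mu-plugins rather than plugins, nobody with dashboard access can switch it off by accident. If you would rather check by hand, WP-CLI’s wp plugin list --update=available and wp plugin update --all do the same job from the command line.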
Use secure passwords
This is obvious, but please use secure passwords: long, unique to this Site, and ideally generated and stored by a password manager rather than memorized. Change a password straight away if you suspect it has been exposed or if someone who knew it no longer needs access; making each password strong and unique matters more than rotating it on a schedule. A password generator may be found here.
Remove old Users
Delete Users that no longer need access. This is especially important if you have had your Website built by someone and are no longer in regular contact with them. I’ve never heard of a Website developer hacking a Website, but it is always best practice to have as few login accounts as possible. Give the accounts that remain the lowest role that lets them do their job (an Editor or Author rather than an Administrator): a stolen Editor password cannot install Plugins or change the Site’s settings.
On this topic, if you have a username of ‘admin’ or ‘Admin’, change this immediately: it is the first name every automated brute-force tool tries. Be aware, though, that WordPress makes usernames easy to discover (author archive URLs and the REST API can reveal them), so a renamed account still needs a strong password; the rename removes the easiest guess, nothing more.
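A worked example for the two items above, added here and not part of the original post: a one-off PHP script to list the accounts on a Site, rename a login of ‘admin’, and delete a leftover account while handing its posts to someone else. Run it from the Site’s root with WP-CLI (wp eval-file harden-users.php); the hu_ prefix, the file name and the account names in the commented-out calls are placeholders of my own.

```php
<?php
/**
 * harden-users.php (added example, not from the original post)
 * Audit the accounts on a Site, rename a login of "admin", and remove a
 * leftover account without losing its posts.
 * Run from the Site root with WP-CLI:  wp eval-file harden-users.php
 * Assumes a single-site install; $wpdb supplies the real table prefix.
 */

/** Print every account with its role and registration date, oldest first. */
function hu_list_users() {
    foreach ( get_users( array( 'orderby' => 'registered' ) ) as $user ) {
        printf( "%d\t%s\t%s\t%s\n",
            $user->ID, $user->user_login, implode( ',', $user->roles ), $user->user_registered );
    }
}

/**
 * Rename a login. wp_update_user() silently ignores user_login, so the row has
 * to be changed directly; $wpdb->update() builds the prepared statement and
 * $wpdb->users carries the prefixed table name. user_nicename (used in author
 * URLs) is changed with it so the old name is not still advertised there.
 */
function hu_rename_login( $old, $new ) {
    global $wpdb;
    $user = get_user_by( 'login', $old );
    if ( ! $user ) {
        return new WP_Error( 'missing', "No account with login '$old'" );
    }
    if ( username_exists( $new ) ) {
        return new WP_Error( 'exists', "Login '$new' is already taken" );
    }
    $rows = $wpdb->update(
        $wpdb->users,
        array( 'user_login' => $new, 'user_nicename' => sanitize_title( $new ) ),
        array( 'ID' => $user->ID )
    );
    clean_user_cache( $user ); // the old login is cached against this user
    return $rows;
}

/**
 * Delete an account and hand its posts to another user, so nothing the old
 * developer or editor published disappears with them.
 */
function hu_remove_user( $login, $reassign_to_login ) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // defines wp_delete_user()
    $user     = get_user_by( 'login', $login );
    $reassign = get_user_by( 'login', $reassign_to_login );
    if ( ! $user || ! $reassign ) {
        return new WP_Error( 'missing', 'user not found' );
    }
    return wp_delete_user( $user->ID, $reassign->ID );
}

hu_list_users();
// Uncomment with your own account names (these are placeholders):
// hu_rename_login( 'admin', 'siteowner' );
// hu_remove_user( 'olddeveloper', 'siteowner' );
```

WP-CLI also offers wp user delete <user> --reassign=<id> directly, but renaming a login still needs the direct row update shown here, because WordPress does not allow it through its normal user functions. After renaming, log in once with the new name to confirm it worked before closing your existing session.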
Have current Backups
O.k., not a security measure but rather a means of resurrecting your Site if hacked. Don’t presume that your Host is backing up your Website. Remember too that you need both database and file backups to fully restore WordPress: the posts, users and settings live in the database, while the Themes, Plugins and uploaded media live in the files. Keep a copy somewhere other than the hosting account itself, since a backup stored beside the Site is lost or tampered with along with it, and try restoring one occasionally to be sure it actually works. I can install a Premium Backup solution for you for a low cost if you require.