WordPress is a fantastic resource for bloggers and small businesses, allowing them to create professional-looking websites with relative ease and at lower cost. This also makes it popular with web designers, since it allows faster turnaround than hand-coded sites and keeps their costs competitive. But, for all the good that WordPress does, it also attracts a great deal of attention from hackers.
This is not the fault of WordPress itself. The problem is that many WordPress site owners and designers leave the door wide open. Fortunately, there are many ways to secure a WordPress site and keep it safe from hackers and malware.
We will discuss these methods in detail in this post. But, before we delve into those tips and tricks, let us first take a look at why hackers go after WordPress sites.
What Do Hackers Want With WordPress Websites?
Many small and medium-sized businesses believe they are safe from hackers, not because they are anonymous but because they don't have much to offer. Hackers target sites that offer some financial benefit, so is it really in their interest to go after a small site that holds no financial or personal information on its customers? In the eyes of a hacker, the answer is undeniably 'yes'.
Hackers are opportunists, and they find opportunity in places you might not expect. While a given site might not store customers' financial information, it has traffic (web users visiting the site), a domain name with a reputation, and a server with bandwidth and processing power, and each of those is worth money to an attacker.
Here are a few possible motivations as to why a hacker would want to take control of a WordPress site:
• Changing Content
Some hackers have a definite agenda, political or otherwise, and they use their hacking skills to publicise this agenda, spread fake news or to achieve some other objective. After taking control of the site, they will typically remove the content and upload their own content which displays their central message. Though, even if they don’t have a particular agenda, some hackers will do this simply for the thrill of it, displaying a ‘calling card’ or simple message telling users who hacked the site. Other times, hackers may insert backlinks to other sites in hopes of increasing rankings.
• Use of the Server
Hackers also take control of sites simply to use the server. They often send spam from it, host phishing pages on it, or use it to attack other sites. This can happen without the site going down, so the owner may not notice until the domain or the server's IP address lands on a blacklist, which is hard to get off and costly in visitor trust. Two simple checks: register the site with Google Search Console, which reports security issues it detects on your pages, and run the server's IP address through a reputation and blacklist lookup such as MXToolbox.
Sometimes hackers run sites that earn them money through affiliate campaigns or advertising, and those sites need traffic. To get it, they compromise other sites and redirect their visitors to their own, often only for visitors arriving from a search engine or on a mobile device, so that the owner browsing the site directly never sees the redirect. This is one of the most common reasons WordPress sites are hacked.
• Installation of Malware
Some hackers use the sites they compromise to distribute malware. After taking control, they set the site up so that visiting browsers are served malicious downloads or exploit code, which can install anything from trojans to ransomware on visitors' computers. Once search engines and browser safe-browsing services detect this, the site is flagged with warnings and pushed down or removed from search results, so the hacked site takes a double hit: the compromise itself and the loss of traffic that follows.
So, as you can see from the above, having your site hacked is something you certainly want to avoid. And, to be fair, these techniques can affect any website, not just a WordPress site. But, as we mentioned, many WordPress site owners tend to leave the door open to hackers, which is why they are targeted.
The good news is that most of this damage is avoidable with a handful of basic measures. By using the following techniques, you put yourself in the best possible position to defend your WordPress site against hacking attempts.
How to Protect Your WordPress Site from Hacking
1. Backup Regularly
Before you change anything, back up your site: the database (where posts, users and settings live) and the files (wp-content, which holds your themes, plugins and uploads, plus wp-config.php). That gives you a known-good version to return to if something goes wrong while you are tightening your security settings.
A backup is also your recovery path if the site is hacked and brought down. Once you have dealt with the threat, you can restore the version you backed up. Three things make the difference between a backup that saves you and one that doesn't: keep copies somewhere other than the server itself, since a hacked server's backups are hacked too; keep several generations, because a compromise is often discovered weeks after it happened and the most recent backup may already contain the backdoor; and test a restore before you need one. After a hack, restore from a copy taken before the compromise and then apply the updates that close the hole, or you will be hacked again the same way. WPBeginner have put together a comprehensive list of WordPress backup tools that you can check out.
2. Disallow Multiple Password Attempts
Many WordPress sites fall to brute force attacks. Automated tools try countless username and password combinations against the login form (and against the XML-RPC interface at xmlrpc.php, which accepts logins too) until one of them works.
If it is you entering a wrong password, you need only a few more attempts to get it right, usually one. So you can tell WordPress to distrust anyone who fails repeatedly and, importantly, stop them from trying further.
Security plugins that let you limit login attempts include Jetpack, WP Cerber and iThemes. Each has its own nuances, but they all protect against brute force attacks by limiting attempts and banning hosts that repeatedly enter incorrect details. Keep in mind that limits keyed on IP address are easily sidestepped by an attacker rotating through many addresses, so pair them with strong passwords and two-factor authentication rather than relying on them alone.
3. Ban Guessed Usernames
You can also catch attacks as they begin by telling your security plugin to ban login attempts that use particular usernames. Older WordPress installs created a default account called 'admin', and brute force tools try that name first, so if your administrator account is still called 'admin', rename it: create a new administrator with a different name, log in as that user, then delete the old account and reassign its content. This already makes things harder, as an attacker now has to guess both your username and your password. Once nobody legitimate uses the name, any login attempt as 'admin' is hostile by definition, and you can tell your plugin to ban the source immediately. You will be surprised at how many brute force attacks this stops in their tracks. One caveat: renaming only helps if the new name is not trivially discoverable. WordPress reveals usernames through author archive URLs (a request for ?author=1 redirects to the author's slug) and through the REST API's users endpoint, so use a display name that differs from the login name and consider restricting those routes as well.
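The login throttle of tip 2 and the 'admin' ban of tip 3 can also be done without a plugin. The following is an added example written for this article, not code from the original post or from any of the plugins named above. It assumes a single server where REMOTE_ADDR is the real client address; the thresholds (5 failures, 15-minute lockout) and the lt_ prefix are arbitrary choices.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example)
 * Drop this file into wp-content/mu-plugins/ and it loads on every request
 * without needing activation. The thresholds are assumptions; tune them.
 */

const LT_MAX_FAILURES   = 5;       // failed attempts allowed per IP before lockout
const LT_LOCKOUT_SECONDS = 15 * 60; // how long the lockout (and the counter) lasts

// Only REMOTE_ADDR is used. Trust X-Forwarded-For only if a proxy you control
// sets it; otherwise that header is attacker-supplied and trivially spoofed.
function lt_client_ip(): string {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lt_transient_key(string $ip): string {
    return 'lt_failures_' . md5($ip);
}

function lt_lockout_error(): WP_Error {
    return new WP_Error('lt_locked_out', 'Too many failed login attempts from your address. Try again later.');
}

/**
 * Runs at priority 40, after WordPress's own username/password check (20)
 * and cookie check (30), so a locked-out IP is refused even when the
 * password it just tried happens to be correct. The same filter runs for
 * logins sent through xmlrpc.php, which brute force tools often prefer.
 */
function lt_gate($user, $username, $password) {
    $ip = lt_client_ip();
    $failures = (int) get_transient(lt_transient_key($ip));

    if ($failures >= LT_MAX_FAILURES) {
        return lt_lockout_error();
    }

    // Tip 3: once the real account has been renamed, nobody legitimate logs in
    // as "admin". Treat the first attempt as hostile and lock the IP outright.
    if (strtolower(trim((string) $username)) === 'admin') {
        set_transient(lt_transient_key($ip), LT_MAX_FAILURES, LT_LOCKOUT_SECONDS);
        return lt_lockout_error();
    }

    return $user;
}
add_filter('authenticate', 'lt_gate', 40, 3);

// wp_authenticate() fires this action on every failed login; count it per IP.
function lt_record_failure($username) {
    $key = lt_transient_key(lt_client_ip());
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, LT_LOCKOUT_SECONDS);
    error_log(sprintf('login failure %d for "%s" from %s', $failures, $username, lt_client_ip()));
}
add_action('wp_login_failed', 'lt_record_failure');

// A successful login clears the counter, so a few mistyped passwords by the
// site owner do not build up into a lockout.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lt_transient_key(lt_client_ip()));
}, 10, 2);
```

Because the check sits on the authenticate filter rather than on the login form, it covers XML-RPC logins too. Its limit is the same as any per-IP counter: an attacker spreading attempts across many addresses stays under it, which is why the password and two-factor tips still matter.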
4. Use a Strong, Unique Password (and Change It If It Leaks)
Even with login attempts limited, you don't want a hacker to guess your password on the first try. Stay away from short or common passwords at all costs (password123, p@ssword and the like are among the first entries in any brute force word list). What makes a password strong is length and uniqueness: a long random string, or a passphrase of several unrelated words, that you use nowhere else. Forcing yourself to change it on a schedule adds little on its own and tends to produce predictable variations of the old one; what matters is changing it immediately if you suspect it has leaked, for instance after a breach at another service where you reused it.
Rather than inventing passwords yourself, use a password manager: it generates a random password for every site and stores it for you, so there is no reason to reuse one. WordPress's own password field also offers a strong random password whenever you change it.
5. Update WordPress and WP Plugins
Keeping your WordPress site updated is one of the most important things you can do. Vulnerabilities in older versions are published, and attackers scan the internet for sites still running them; the fix is usually already in the current release, which puts those attackers on the back foot. WordPress applies minor (security) releases automatically by default; leave that switched on and apply major releases promptly so that nobody familiar with your version's weaknesses gets an easy way in.
The same goes for plugins and themes, which is where most WordPress compromises actually start. A vulnerable plugin can hand an attacker control of the site or the server, so keep every plugin current, enable automatic updates where the plugin is reliable, and delete (not just deactivate) plugins and themes you no longer use, because inactive code on disk can still be reached by a direct request.
6. Conceal the Version of WordPress that You Are Using
If attackers know the particular weaknesses of a version, you would rather they did not know which version you run, even if it is the latest. So, in addition to keeping WordPress up to date, it is reasonable to stop advertising the version. Be honest about what this buys you: automated attacks generally fire their exploits at every site regardless of the advertised version, so this is a minor hardening step and never a substitute for updating.
Many security plugins offer version hiding, which is the easiest route. If yours does not, a few lines of code will do it: in your child theme's functions.php (or a small plugin), remove the wp_generator action from the wp_head hook, which is what prints the <meta name="generator"> tag, and filter the generator element out of your feeds.
The version also leaks through the ?ver= query strings WordPress appends to its core scripts and styles, and through the readme.html file in the site root, so deal with those as well.
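The functions.php approach, as an added example written for this article rather than the guide the original post referred to. It assumes a child theme or mu-plugin, and the hv_ prefix is arbitrary.

```php
<?php
// Added example: put this in a child theme's functions.php or an mu-plugin.

// Remove <meta name="generator" content="WordPress x.y"> from the <head>
// and the <generator> element from RSS/Atom feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

/**
 * Core enqueues its scripts and styles as /wp-includes/...?ver=6.x, which
 * leaks the version on every page. Strip the parameter only when it equals
 * the core version, so plugin and theme assets keep their own cache-busting
 * version string.
 */
function hv_strip_core_version(string $src): string {
    $query = (string) wp_parse_url($src, PHP_URL_QUERY);
    if ($query === '') {
        return $src;
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === get_bloginfo('version')) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'hv_strip_core_version', 9999);
add_filter('script_loader_src', 'hv_strip_core_version', 9999);
```

Two consequences to plan for: without the ?ver= string, browsers and CDNs no longer see a changed URL after a core update, so purge your caches when you update; and readme.html is a static file that this code cannot touch, so delete it or block it at the web server.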
7. Avoid Getting Plugins from Third-Party Sites
Since we are talking about plugin vulnerabilities, it is worth mentioning that the fault does not always lie with the plugin itself. Many plugins are written with excellent security, but copies of them end up offered by third-party sites. Because those copies do not come from the developer, they can have been tampered with: a perfectly sound plugin can be taken, laced with a backdoor, and offered as a free download elsewhere, compromising the site of anyone who installs it. 'Nulled' copies of paid plugins are the classic example.
So, to avoid this, install plugins only from the official WordPress plugin directory or, for paid plugins, directly from the developer, and avoid every other channel, especially torrents and 'free' copies of premium plugins.
8. Add Two-Factor Authentication
You can add a second layer to your WordPress login with a two-factor authentication (2FA) plugin. With 2FA, your password alone is not enough: after entering it, you are taken to a second screen where you must prove possession of something else before you are treated as logged in.
The usual second factor is a one-time code from an authenticator app, or better still a hardware security key; codes sent to your e-mail address or mobile phone also work, but they are the weakest option, since mailboxes and phone numbers can themselves be taken over. Several 2FA plugins are available in the WordPress plugin directory. Whichever you choose, enable it for every account that can publish or administer, and keep the backup codes somewhere safe so that a lost phone does not lock you out.
9. Change the URL You Use to Log In
The login page of every WordPress site is in the same place: add wp-login.php or /wp-admin to the site's URL. That is convenient for you, and it is exactly what automated attack tools request first. You can obscure the page by changing the login URL.
For this you need a custom login URL plugin, which is easy enough to find in the plugin directory. It moves the login page to an address of your choosing and returns a 404 for the default ones. Treat this as a way of cutting down the bot noise in your logs rather than as real protection: the new URL leaks easily (it appears in links, redirects and browser history), and it does nothing for other login paths such as xmlrpc.php, which you should disable separately if you do not use it.
10. Password Protect the Admin Section
When it comes to password protection, you do not have to rely on the WordPress login alone. You can put a second password in front of the whole /wp-admin/ directory at the web server level (HTTP basic authentication, configured in .htaccess on Apache or with auth_basic on nginx), so that a brute force tool never even reaches wp-login.php. Being the central hub of your site, the admin section deserves this extra layer. One caveat: wp-admin/admin-ajax.php is used by many plugins on the public side of the site, so exempt that file from the password or those features will break for visitors.
11. Stop the Admin Section from Being Indexed
Search engines use crawlers ('spiders') to fetch pages and add them to their index, which is how they return relevant results quickly when a user types a query. Your admin pages themselves cannot be indexed, because the crawler is not logged in and only ever sees the login form; the risk is that wp-login.php and the admin URL end up in search results, which hands attackers an obvious starting point.
WordPress already does most of this for you: its default robots.txt disallows /wp-admin/, and the login page carries a noindex robots meta tag. You can reinforce it with an X-Robots-Tag: noindex HTTP header on the login and admin URLs, set either in your web server configuration or from a small plugin. This needs some technical know-how, so make sure you are comfortable doing it yourself or consult a professional. Remember, too, that robots directives are only obeyed by well-behaved crawlers; they do nothing against an attacker who simply requests the URL, so this is housekeeping rather than access control.
12. Hide Your Configuration File
Your wp-config.php file is another important one. It holds the database credentials and the authentication salts for your installation, making it very precious to you and very valuable to hackers, and because it sits in the web root its location is no secret. PHP normally executes the file rather than displaying it, so the real danger is a misconfigured server, or an editor backup copy (wp-config.php~, wp-config.php.bak, wp-config.php.save) that gets served as plain text.
Protecting it means getting involved with the back end of WordPress. If you are comfortable there: deny web access to the file in your web server configuration (a Files rule in .htaccess on Apache, or an nginx location rule returning 403); restrict its permissions so that only the web server user can read it; never leave backup copies of it in the web root; and, since WordPress also looks for wp-config.php one directory above its own root, move it outside the web root entirely where your host allows it.
13. Get an SSL Certificate
An SSL certificate (strictly a TLS certificate; SSL is the older name for the same protocol family) lets your site serve pages over HTTPS, which encrypts traffic between your visitors' browsers and your server. That stops anyone on the network path from reading or tampering with it, including your own login password and session cookie, which otherwise travel in clear text. As a bonus, browsers mark plain HTTP pages as 'Not secure', and Google uses HTTPS as a minor ranking signal. Be clear about what it does not do: it protects data in transit, not the site itself, so an outdated plugin is just as exploitable over HTTPS.
Many hosting companies sell certificates, and Let's Encrypt issues them free of charge with automatic renewal; most hosting control panels enable it with a click. Once it is in place, set your WordPress Address and Site Address to https://, redirect all HTTP requests to HTTPS, and set FORCE_SSL_ADMIN in wp-config.php so that the dashboard and login page are never served over plain HTTP.
14. Enforce Security Among Other Users
You control the password you use for your own account, but if other people have access to your site you do not control theirs. No matter how strong your own password is, a colleague with 'password123' makes it easy for a hacker to get in. Two habits help as much as any plugin: give each user the lowest role that lets them do their job (an author does not need to be an administrator), and remove accounts as soon as people leave.
The most reliable way to ensure strong passwords across all users is a plugin such as Force Strong Passwords. As the name suggests, it refuses weak passwords: when a user changes or sets a password, it checks it against predefined rules and only accepts one that passes.
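A password policy of this kind can also be enforced in a few lines of your own. The following is an added example written for this article, not the Force Strong Passwords plugin's own code. The rules it applies (12 characters minimum, a small constructed list of banned passwords, no username or mailbox name in the password) are assumptions to adjust, and it relies on the pass1 field that WordPress's own profile, new-user and password-reset forms submit.

```php
<?php
/**
 * Plugin Name: Server-side Password Policy (added example)
 * Put in wp-content/mu-plugins/. Applies to every role, on profile edits,
 * new-user creation in the dashboard and the reset-password form.
 */

const SP_MIN_LENGTH = 12; // assumed minimum

// Constructed list of a few patterns the post itself calls out. A real
// deployment would check against a breached-password list instead.
const SP_BANNED = ['password', 'password123', 'p@ssword', 'qwerty123', 'letmein'];

/** Return the list of rules a candidate password breaks (empty = acceptable). */
function sp_password_problems(string $password, string $login = '', string $email = ''): array {
    $problems = [];
    if (strlen($password) < SP_MIN_LENGTH) {
        $problems[] = sprintf('be at least %d characters long', SP_MIN_LENGTH);
    }
    $lower = strtolower($password);
    // Undo the common "leet" substitutions before comparing with the list.
    $plain = str_replace(['@', '0', '1', '3', '$'], ['a', 'o', 'l', 'e', 's'], $lower);
    if (in_array($lower, SP_BANNED, true) || in_array($plain, SP_BANNED, true)) {
        $problems[] = 'not be a commonly used password';
    }
    if ($login !== '' && stripos($password, $login) !== false) {
        $problems[] = 'not contain your username';
    }
    $mailbox = strstr($email, '@', true);
    if ($mailbox !== false && strlen($mailbox) >= 4 && stripos($password, $mailbox) !== false) {
        $problems[] = 'not contain your e-mail address';
    }
    if (preg_match('/^(.)\1*$/', $password)) {
        $problems[] = 'not repeat a single character';
    }
    return $problems;
}

/**
 * $errors is the WP_Error WordPress shows back to the user; adding an entry
 * blocks the save. $user is a stdClass (profile forms) or WP_User (reset form).
 */
function sp_validate(WP_Error $errors, $user = null): void {
    if (!isset($_POST['pass1']) || $_POST['pass1'] === '') {
        return; // the password is not being changed on this submit
    }
    $password = (string) wp_unslash($_POST['pass1']);
    $login = '';
    $email = '';
    if (is_object($user) && !($user instanceof WP_Error)) {
        $login = (string) ($user->user_login ?? '');
        $email = (string) ($user->user_email ?? '');
    }
    if ($login === '' && isset($_POST['user_login'])) {
        $login = sanitize_user(wp_unslash($_POST['user_login'])); // new-user form
    }
    $problems = sp_password_problems($password, $login, $email);
    if ($problems) {
        $errors->add('weak_password', 'Please choose a stronger password. It must ' . implode(', ', $problems) . '.');
    }
}

// Profile edits and new-user creation in the dashboard, for all roles.
add_action('user_profile_update_errors', function ($errors, $update, $user) {
    sp_validate($errors, $user);
}, 10, 3);

// The "set a new password" form reached from a password-reset link.
add_action('validate_password_reset', 'sp_validate', 10, 2);
```

This only guards the WordPress forms; passwords set through WP-CLI or directly in the database bypass it, so keep it as a floor rather than the whole policy.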
15. Prevent Changes to Your Site
As we mentioned, some hackers want access in order to change a site's content. The WordPress dashboard includes a Theme Editor and a Plugin Editor that let an administrator edit PHP files in the browser, and an attacker who gets hold of an admin session uses exactly that to drop a backdoor into a theme file with one click. Removing the editors makes this much harder, and, fortunately, it is simple.
Even if you are not comfortable with the back end, this should not cause much anxiety. It is a matter of adding one define() line to wp-config.php, setting DISALLOW_FILE_EDIT to true, above the line that reads 'That's all, stop editing!'. A stricter constant, DISALLOW_FILE_MODS, also blocks plugin and theme installs and updates from the dashboard; use it only if you apply updates another way (for example with WP-CLI), otherwise it conflicts with tip 5. Neither setting stops an attacker who already has FTP or shell access to the server, so combine it with sensible file permissions.
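The wp-config.php lines for tips 13 and 15 together, as an added example for this article rather than the snippet the original post linked to:

```php
<?php
// Added example: wp-config.php hardening constants. Place them above the
// line that begins "/* That's all, stop editing!".

// Tip 13: serve the dashboard and login page over HTTPS only. Requires a
// working certificate first; WordPress then redirects http:// admin URLs.
define('FORCE_SSL_ADMIN', true);

// Tip 15: remove the Theme Editor and Plugin Editor from the dashboard, so a
// hijacked admin session cannot write a backdoor into a PHP file in the browser.
define('DISALLOW_FILE_EDIT', true);

// Stricter option: also block installing, updating and deleting plugins and
// themes from the dashboard. Leave this commented out unless you update by
// another route (for example WP-CLI), or tip 5 becomes impossible to follow.
// define('DISALLOW_FILE_MODS', true);
```

After saving, load the dashboard and confirm that Appearance > Theme File Editor and Plugins > Plugin File Editor have disappeared from the menu; if they are still there, the constant was placed below the 'stop editing' line, where it has no effect.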
16. Monitor Changes to Your Site
Even though you can disable file editing in WordPress, you still want to keep an eye on any changes that occur on your site, because an attacker who finds another way in will change files and settings all the same. Fortunately, this is easy to do through plugins, and you will be spoiled for choice. Some options are:
• Activity Log
With the Activity Log plugin, you get exactly what the name suggests – a user-friendly means of monitoring any activity on your site. It also offers email notifications for activity, which you can customise to only trigger at certain events, thereby ensuring that you don’t clog your email inbox with messages.
• WP Security Audit Log
The WP Security Audit Log plugin monitors changes in real time, ensuring that you can jump on any suspicious activity as it arises. It also offers monitoring for any changes that might occur on live product pages, which makes this plugin ideal for ecommerce sites.
• Stream
Stream keeps tabs on all activity on a site and then allows you to filter your search for specific types of activity. It also integrates with other popular plugins and allows for MultiSite use, making it a dream plugin for web design agencies.
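These plugins log activity inside WordPress. They cannot see a file an attacker changes through FTP or a server-side bug, and a well-written backdoor disables the logging plugin first, so a second, independent check is to hash the files from outside WordPress and compare against a known-good baseline. Below is an added example written for this article, not one of the plugins listed: a stand-alone PHP script run from the shell or cron, with assumed paths and an assumed skip list.

```php
<?php
// Added example: file-integrity check for a WordPress install, run outside
// WordPress. Usage (paths are assumptions for a typical server):
//   php integrity-check.php baseline /var/www/html /root/wp-baseline.json
//   php integrity-check.php verify   /var/www/html /root/wp-baseline.json

/** Map of relative path => sha256 for every file under $root worth watching. */
function hash_tree(string $root): array {
    $root = rtrim($root, '/');
    $hashes = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $inUploads = (bool) preg_match('#^wp-content/(uploads|cache)/#', $rel);
        $isPhp = (bool) preg_match('/\.(php|phtml|php\d)$/i', $rel);
        // Uploads and caches change legitimately all day, so they are skipped,
        // except for PHP files: a .php under uploads/ is a classic web shell.
        if ($inUploads && !$isPhp) {
            continue;
        }
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

/** Compare two hash maps and list what was added, removed or modified. */
function diff_trees(array $baseline, array $current): array {
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $rel => $hash) {
        if ($hash !== $baseline[$rel]) {
            $modified[] = $rel;
        }
    }
    return [
        'added'    => array_keys(array_diff_key($current, $baseline)),
        'removed'  => array_keys(array_diff_key($baseline, $current)),
        'modified' => $modified,
    ];
}

if (PHP_SAPI === 'cli' && count($argv) === 4) {
    [, $command, $root, $store] = $argv;
    if ($command === 'baseline') {
        $tree = hash_tree($root);
        file_put_contents($store, json_encode($tree, JSON_PRETTY_PRINT));
        printf("baseline of %d files written to %s\n", count($tree), $store);
        exit(0);
    }
    if ($command === 'verify') {
        $baseline = json_decode((string) file_get_contents($store), true) ?: [];
        $diff = diff_trees($baseline, hash_tree($root));
        foreach ($diff as $kind => $paths) {
            foreach ($paths as $rel) {
                printf("%-8s %s\n", strtoupper($kind), $rel);
            }
        }
        // Non-zero exit status so cron or a monitoring job can alert on any change.
        exit(array_sum(array_map('count', $diff)) > 0 ? 1 : 0);
    }
}
```

Take the baseline immediately after a clean install or update, store the JSON somewhere the web server user cannot write (an attacker who can edit the baseline can hide from it), and run verify daily. WP-CLI offers a complementary check, wp core verify-checksums, which compares the core files against the hashes published by wordpress.org rather than against your own snapshot.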
17. Install a Security Plugin
You have an anti-virus program on your computer (and if you don't, you really should), so why not install security software for WordPress as well? There are plugins designed specifically to detect and block hacking attempts and other malicious activity.
Of these, Acunetix WP Security scans your whole WordPress site for security risks and helps tighten it through better passwords, version hiding, database and admin security, file permissions and the removal of meta tags from core code. Another good one to try is Wordfence. Whatever you pick, check that it is actively maintained (recent updates, a large install base), since an abandoned security plugin becomes a liability itself, and run one such plugin rather than several: they overlap and can conflict.
18. Protect Against SQL Injection and XSS Attacks
SQL injection is an attack in which untrusted input (a form field, a URL parameter, a cookie) is pasted straight into a database query, so the attacker can change what the query does: read other tables, such as the user table with its password hashes, or alter data. Cross-site scripting (XSS) is also an injection attack, but the target is the browser: untrusted input is echoed into a page without being encoded, so script supplied by the attacker runs in other visitors' browsers, where it can steal their session or deface what they see.
WordPress core handles both correctly; these flaws almost always live in plugins and themes, including custom code. Some security plugins (and a web application firewall) will block the common attack patterns, but the real fix is in the code: pass every value to the database through $wpdb->prepare() rather than building the query by string concatenation, and escape every value at the point of output with the helper for its context (esc_html, esc_attr, esc_url). This is best left to experienced back end developers; if you are not one, enlist a professional rather than guess.
To check for these weaknesses yourself, you can run a penetration testing tool, which probes the site the way an attacker would. Netsparker (now sold as Invicti) is good for this purpose, and WPScan, which is specific to WordPress, will also enumerate your plugins and flag versions with known vulnerabilities. Be prepared for a fair number of findings. If that happens, don't panic; that is what testing is for. Isolate the items that need immediate attention and work through the rest as you go.
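What the fix actually looks like in WordPress code, as an added example written for this article (not from the original post or any tutorial it refers to). It assumes it runs inside a plugin or theme, where $wpdb and the escaping helpers are available; the function names are arbitrary.

```php
<?php
// Added example: a vulnerable snippet beside its fixed form, for both attack
// classes. Assumes a plugin or theme context where $wpdb and esc_* exist.

// ---- SQL injection ---------------------------------------------------------

// VULNERABLE: the request parameter is pasted straight into the query, so
// ?post=1 OR 1=1 changes the WHERE clause and a UNION can read other tables.
function example_title_unsafe() {
    global $wpdb;
    $id = $_GET['post'] ?? '';
    return $wpdb->get_var("SELECT post_title FROM {$wpdb->posts} WHERE ID = $id");
}

// FIXED: the value travels through $wpdb->prepare() as a typed placeholder.
// %d is cast to an integer, so nothing the attacker sends can alter the SQL.
function example_title_safe() {
    global $wpdb;
    $id = absint($_GET['post'] ?? 0);
    return $wpdb->get_var(
        $wpdb->prepare("SELECT post_title FROM {$wpdb->posts} WHERE ID = %d", $id)
    );
}
// For string values use %s. For a LIKE pattern, run the input through
// $wpdb->esc_like() first, or % and _ in the input act as wildcards.

// ---- Cross-site scripting --------------------------------------------------

// VULNERABLE: whatever is in ?q= is echoed as HTML, so a link carrying
// ?q=<script>...</script> runs that script in every visitor's browser.
function example_search_heading_unsafe(): string {
    $q = $_GET['q'] ?? '';
    return '<h2>Results for ' . $q . '</h2>';
}

// FIXED: escape at the point of output, with the escaper for that context:
// esc_html() for text, esc_attr() for attribute values, esc_url() for hrefs.
function example_search_heading_safe(): string {
    $q = sanitize_text_field(wp_unslash($_GET['q'] ?? ''));
    return '<h2>Results for ' . esc_html($q) . '</h2>'
         . '<input type="search" name="q" value="' . esc_attr($q) . '">'
         . '<a href="' . esc_url(add_query_arg('q', $q, home_url('/'))) . '">Search again</a>';
}
```

The two rules to take from it: never build SQL by concatenating request data, and never trust sanitising on input to make output safe, because the right escaping depends on where the value lands (text, attribute or URL).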
With these measures in place your WordPress site will be far better protected than the typical installation, and at least as well protected as a hand-coded site, so you can enjoy the benefits of WordPress without leaving the door open. Security is ongoing maintenance rather than a one-off task, though: updates, backups and a look at the logs need to become routine.
Using WordPress for your next website or blog is a great idea. Not only is it more cost-effective to build on than other content management systems such as Joomla or Magento, but the myriad of plugins available means there is very little you can't do with it.
However, its popularity has also made it a regular target for hackers worldwide, so you do have to spend some time keeping it up to date and secure.
Shirish Agarwal is the founder of Flow20 and looks after the PPC and SEO side of things. Shirish also regularly contributes to leading digital marketing publications such as Hubspot, SEMRush, Wordstream and Outbrain. Connect with him on LinkedIn.