WordPress is a massively popular publishing platform, 27.5% of all websites worldwide use WordPress. Its popularity is mainly due to its ease of use, as well as the fact that it is free and open source - so there are loads of free plugins and themes. However, the fact that WordPress is so widely used, makes it a target for hackers.
Having your site hacked isn't just annoying and frustrating. If your site is compromised, there is a very high chance that it will be used for malicious activity. This can have devastating consequences - such as dramatically tarnishing your website's reputation.
In this post, we're going to take a brief look at some of the threats to your site as well as best practices for maintaining the security of your site.
Who, Why and How?
Most attacks are carried out by bots (or botnets) - which are programmed to crawl sites and look for vulnerabilities or security holes; then exploit them. The bots won't carry out overly sophisticated attacks (they are usually easy to detect), but they are used primarily because they can quickly exploit a large number of sites. Being targetted by an individual (human) is fairly rare. These attacks are far more sophisticated and harder to detect. But due to the fact that a human attack is time-consuming - they will only be used when there is a higher reward (so for sites that have a lot of visitors or contain sensitive data).
As mentioned earlier, the purpose of gaining control of your site is generally to facilitate malicious activities. Some examples of these activities are:
- Running a script to send bulk spam mail from your site.
- Hosting bad content - using your previously good reputation to bypass online filters.
- Using your site (or links to your site) to redirect people to a spam site.
- To steal your data (such as customer details).
So as you can see just one attack could ruin your reputation and credibility - and have dire consequences.
There are a number of ways that an attacker may try to gain access to your account; the most common method is to determine what version of WordPress you are running - and then exploit well know vulnerabilities. Older installs will have well-known security holes, which an attacker can easily use. WordPress are good at releasing updates to patch security holes, but if you haven't installed the updates, then you are easy pickings for an attack. Alternatively, if you have an old version of a theme or plugin that has a security flaw, this is also a way for them to sneak in.
So What Can I Do? (Best Practices)
- Only download themes and plugins from reputable sources. It's best to stick with the ones available on WordPress.org. There are thousands of themes and plugins to meet all needs. All of these will have been checked and vetted. There are even reviews, so you can see how other users got on with them. If you can't find what you are looking for on the site; then you should probably be questioning if you really should be adding it to your site.
- If you do decide that you would like to buy a premium theme or plugin; look for reviews and advice so that you can check that they are from reputable sources.
- Back up regularly. There are even plugins that will back up the database and site files. If your site is compromised it is handy to have a clean backup, so that you don't have to start all over again. This will also reduce any downtime.
- Use complex & obscure passwords and usernames. Hackers tend to use common passwords and usernames to attempt to gain access, the harder the combination the harder it is to break in. Also if you have a security plugin, it is likely to pick up if multiple attempts to login are made. Avoid common usernames (such as admin, your name, your site name), for advice on creating secure passwords, check out our Password Security blog post.
- Make sure that you are aware of every bit of software you are running on your site. Good website maintenance and keeping everything up to date is a key factor in keeping your site secure.
- Update. Always update themes, plugins and WordPress. Updates will often include security patches. Once a large security hole is discovered in any version; it's easy to find information on the flaw and how to exploit it online. So if an attacker can determine that you are using a version with a known flaw, your site becomes very vulnerable.
- Mask or hide which version you are running. There are security plugins that will allow you to do this. This is not a replacement for actually updating the version, but it can help to slow down an attack.
- Remove old and unmaintained applications.
- Use a form of security. This is the best form of defence. WordFence is a great security plugin, and comes in both free and paid for versions. If your site is frequently receiving a high number of visitors - it is worth investing in the paid version (for features such as the real-time updates). If you don't have a huge amount of traffic, then the free security would suffice.
Unfortunately hacking and spamming are big business and are an everyday threat. Hackers will spend hours upon hours to find ways to infiltrate the online presence of others. The best thing to do is be vigilant and to take extra steps to secure yourself. By following best practice, you will significantly decrease your chances of becoming a victim. Using a good security plugin like WordFence is essential; they will detect brute force attacks on your login, you can set auto-updates to ensure that your software doesn't leave your site vulnerable and even the free version will inform you of any major security breaches within a day or so of discovery. So they can really assist in safely maintaining your site.
Want to get started with WordPress? Subscribe to VIP Hosting with MySQL and you can take advantage of our WordPress One-Click Installs and find out more.
Here at Freeola, we offer a wide range of affordable web design packages. Whether it's just a little assistance that you need or a whole site design - we have packages to suit all needs. For full details, take a look at our web design packages.