Currently, over 455 million websites use WordPress. This means that 35% of all the websites in the world make use of the CMS platform. Unfortunately, this also makes WordPress popular among hackers. Once hackers gain access to a site, they can steal information, make changes to the site, redirect visitors to another URL, the list goes on! Recently, security experts have seen a rise in ransomware as a popular tactic among hackers.
Phishing is a cybercrime where an individual is contacted via text message, email, or phone by a person who poses as a legitimate organisation asking for personal information such as passwords or credit card details.
Signs of a Hacked WordPress Site
If you’re not familiar with hacked websites, here are a few clues to let you know what’s up:
- You can’t log into your site. We know people sometimes forget their username or password, but if you’re 100% sure yours is correct, something is going on. One of the first things a hacker does is remove admin accounts.
- Your site is showing different content. Some hackers might replace your homepage with something new, or add a redirect to a new site with inappropriate content.
- Your website might be slow. When hackers take over your site, they usually start executing malicious activities like sending spam emails. With both your own processes and the malicious activities, your server must handle a ton of activity, making it slower than usual.
- There might be an unknown user among your usual list. Be sure to keep an eye on users that have access to your site.
- Warning ads appear telling you your computer may be infected (scareware).
- There are links to spammy websites. Some hackers will gain access to your WordPress site and add bad links in the footer or other areas of your site.
How to Secure Your WordPress Site [10 Tips]
Use a Strong Username and Password
To access the backend of your WordPress site, all someone needs is a username and password. To ensure your security, avoid using easy-to-guess passwords for your admins like your birthday, middle name, etc.
If your site has a blog that displays the author’s name, best practice would be to not have these users be admins. Instead, make them contributors, so that if their login details are compromised, the perpetrators cannot edit the base code, and will have no access to the plugins.
The most common way a hacker might try to guess your password is by going to the login page on your WordPress site and repeatedly trying to guess your password by entering your username and password and clicking the login button. This is called ‘brute-force hacking’.
To ensure the safety of your site, ensure that all passwords are strong. WordPress has a password generator that can create a strong password for you. Instead of trying to remember your password, store it in a password locker.
If you don’t want to use the password generated by your WordPress site, you can use free online password generator tools like passwordgenerator.net.
Strong password tips:
- Create a long password with 8 to 16 characters.
- Use numbers, uppercase letters, lowercase letters, and symbols.
- Avoid using personal info as a password like your name or birthday.
- Use a different password for each website.
Most WordPress sites do not use MFA. We strongly recommend that in addition to securing your site, you should install Wordfence and activate the MFA option within the security plugin.
In general, a good firewall includes the following features:
- Malware scanning – The product should include detection for malware installed by a hacker on your website including the ability to see changes and fix them.
- Brute-force login protection
- Protection against hacker reconnaissance techniques. For example, protection against the WordPress author=N scan that hackers use to find out your usernames.
- A full-featured WAF or Web Application Firewall with a regularly updated rule-set.
- Rate-based throttling and blocking to stop aggressive crawlers while ensuring Google’s crawlers have unlimited access to your site.
- Two-factor authentication – the ability to sign-in using your cellphone or another physical device to verify your identity.
- Password auditing. The product you choose should help you verify you and your site members are using strong passwords.
- Country blocking – if you are being targeted by a specific country you should be able to block access to various parts of your site or the whole site.
- Advanced blocking techniques including blocking IP ranges and blocking user-agents.
Install Security Plugins
Installing and configuring security plugins can help provide an extra layer of security for your WordPress site. These plugins usually help block users trying to gain access to your site, scan your site for vulnerabilities and potential malware, etc.
Wordfence is one of the best security plugins available for WordPress and includes a free and premium version.
“Wordfence includes an endpoint firewall and malware scanner that was built from the ground up to protect WordPress.”
You can also use Wordfence to receive email alerts when a theme, plugin or WordPress core needs an upgrade.
Install Wordfence. You can also install the plugin by searching for it within the WordPress plugin directory.
Ensure you Have a Valid SSL Certificate for HTTPS
HTTPS needs to be enabled on your web server. If you are using a WordPress hosting provider, your host will include detailed instructions on how to enable HTTPS on your website. They may require that you buy an SSL ‘certificate’ or they may sell you one themselves or provide them for free.
What is an SSL Certificate?
SSL is a protocol that establishes an encrypted link between a web server and a web browser. In other words, it authenticates, encrypts and decrypts data sent over the Internet.
Change Your WordPress Login Page URL
Once you create your WordPress site, the default login address is yoursite.co.za/wp-admin. Consider changing this URL to deter brute-force attacks by hackers trying to figure out your username and password.
Keep Your WordPress Version, Theme & Plugins Up to Date
Keeping your WordPress installation up to date is the most important thing you can do to keep your WordPress site secure. Developers regularly release updates, and these often include security fixes.
Only Install Trusted Plugins
Unfortunately, some malicious people take a perfectly safe and secure plugin or theme and turn it into something malicious. This is called a nulled script.
A nulled script is one where a hacker has taken a plugin and has modified the source code to do something malicious. Nulled scripts are usually distributed from a third party website rather than the original distributor of the plugin or theme.
The way to avoid nulled scripts is to only download add-ons for your site from reputable sources. The following is a list of sites that we trust for plugins and themes:
You should remove unused/deactivated themes and plugins as hackers can use them to access your site.
Only use SSH and SFTP, Avoid Plain FTP
When transferring files and administering your website, most admins use FTP or SFTP (also called Secure FTP). Plain old FTP is a very old protocol that dates back to the beginning of the Internet. It does not use any kind of encryption for your login credentials. It also does not encrypt files, so all files are sent over the network as plain text.
Moving your wp-config.php File above your Web Root
Protect Yourself from SQL Injection Attacks
The other major way that hackers can access your website database is by performing a SQL injection attack. This attack involves sending SQL commands to your database via a vulnerable application that does not properly sanitise and escape the input it places into the SQL commands it sends to the database.
That is why it is critically important to keep your plugins, themes and WordPress core up-to-date.
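The following is an added example (not code from the original post) showing what "not properly cleaning and escaping" means in practice: a lookup that concatenates user input into a query beside the same lookup with the value bound as a parameter. It uses an in-memory SQLite table as a constructed stand-in for the wp_users table; in WordPress plugin code the equivalent hardening is `$wpdb->prepare()`.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a WordPress wp_users table (sample data, not real accounts).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)")
    db.executemany(
        "INSERT INTO wp_users (user_login, user_email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return db


def find_user_vulnerable(db, login):
    # Vulnerable: untrusted input is concatenated straight into the SQL text,
    # so a quote in the input changes the structure of the query.
    sql = "SELECT user_login FROM wp_users WHERE user_login = '" + login + "'"
    return [row[0] for row in db.execute(sql)]


def find_user_safe(db, login):
    # Hardened: the value is bound as a parameter; the database only ever
    # treats it as data to compare, never as SQL.
    sql = "SELECT user_login FROM wp_users WHERE user_login = ?"
    return [row[0] for row in db.execute(sql, (login,))]


if __name__ == "__main__":
    db = make_db()
    # The textbook test input a developer uses to check their own queries.
    probe = "x' OR '1'='1"
    print(find_user_vulnerable(db, probe))  # every user in the table leaks
    print(find_user_safe(db, probe))        # nothing matches
```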
Prevent RPC or API calls
WordPress has built-in features that allow you to interact with your website remotely; the traditional solution was to use a file named xmlrpc.php.
This file enables a remote device like your smartphone to send data to your WordPress website. If you want to publish using the WordPress Smartphone application, the xmlrpc.php file enables you to do that.
An attacker will try to access your site through xmlrpc.php by submitting various username and password combinations. They can effectively use a single command to test hundreds of different passwords, allowing them to bypass security tools that typically detect and block brute-force attacks.
Fortunately, you can block xmlrpc.php on your WordPress website using a plugin. Plugins are usually faster and simpler, and there is less risk of breaking your site. It also means you won’t need to hire a developer to do it for you.
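As an added example (not part of the original post), the detection logic below runs over constructed Apache-style access-log lines and flags the three request patterns this page describes: repeated POSTs to wp-login.php (brute-force logins), repeated POSTs to xmlrpc.php (where one request can carry many password attempts), and the author=N user enumeration scan. The thresholds and the sample IPs are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache combined-log style (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1245 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1245 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1245 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:14:01:03 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:14:01:04 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.77 - - [10/Oct/2023:14:10:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 8931 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2023:14:10:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 8931 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:14:12:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client IP, HTTP method and request path from a combined-log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+)')

# Assumed thresholds for this example; tune them to a real site's traffic.
# xmlrpc.php gets a low limit because one POST can bundle many login attempts.
LOGIN_POST_LIMIT, XMLRPC_POST_LIMIT, AUTHOR_SCAN_LIMIT = 3, 2, 3

def analyse(log_text):
    # Returns {ip: [reasons]} for IPs whose requests match one of the three patterns.
    login_posts, xmlrpc_posts = Counter(), Counter()
    author_ids = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path = m.groups()
        if method == "POST" and path.startswith("/wp-login.php"):
            login_posts[ip] += 1
        elif method == "POST" and path.startswith("/xmlrpc.php"):
            xmlrpc_posts[ip] += 1
        else:
            a = re.search(r"[?&]author=(\d+)", path)
            if a:
                author_ids[ip].add(a.group(1))
    findings = defaultdict(list)
    for ip, n in login_posts.items():
        if n >= LOGIN_POST_LIMIT:
            findings[ip].append(f"login brute force: {n} POSTs to wp-login.php")
    for ip, n in xmlrpc_posts.items():
        if n >= XMLRPC_POST_LIMIT:
            findings[ip].append(f"xmlrpc abuse: {n} POSTs to xmlrpc.php")
    for ip, ids in author_ids.items():
        if len(ids) >= AUTHOR_SCAN_LIMIT:
            findings[ip].append(f"author enumeration: probed author IDs {sorted(ids)}")
    return dict(findings)
```

Running `analyse(SAMPLE_LOG)` flags the three noisy IPs and leaves the single ordinary login from 192.0.2.10 alone; the same function can be pointed at a real access log read from disk.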