Simple Tips to Help Secure Your WordPress Website

WordPress Hacking is on the Rise

We’ve been hearing more and more about security issues on WordPress websites from people contacting us to help lock down their sites. Just this last week we’ve had 3 new clients come to us to remove malware infections. WordPress is by far the most popular content management platform on the web and, unfortunately, when you’re at the top of the mountain, a lot of nefarious characters make you the target of their attacks. We see relentless attack attempts from bots all over the world, and they target known vulnerabilities and the predictable layout of an out-of-the-box WordPress installation: the same /wp-admin/ and /wp-login.php paths, the same plugin directories, and the same default “admin” user on every site.

We keep up with the security vulnerabilities reported against the WordPress platform, and we are now seeing many sites compromised through some intricate and impressive hacks. Most of these holes can be closed with the proper setup. We’ve developed a few tricks over the years for deploying more secure WordPress websites than the average developer is capable of or even aware of. Many of those tactics won’t be revealed here, but there are some simple steps you can take to secure your site from the outset.

Some of the dangers of an insecure installation are:

  • Placement of malware on your website, which can infect visitors’ computers or redirect your links to malicious software
  • Placement of hosted files on your server, which means you’re paying for the bandwidth to serve someone else’s files
  • Placement of links on your site, usually done to raise the search ranking of other sites by creating “backlinks” from your site to theirs
  • Exploitation through SQL injection, which lets an attacker read or alter your database, plant further backdoors and keep your site exposed even after the visible damage is cleaned up

Not only will your customers be upset to see links to cheap pharmaceuticals on your website, but when the legitimate web crawlers index your site they will likely identify the malicious content and blacklist your domain. Once you’re on a blacklist, browsers and search engines show visitors a warning before they proceed to your site. Most visitors will turn tail immediately, as they should. It can take weeks to clear a blacklisting, costing you valuable business opportunities in the meantime.

How Do These Hacks Work?

The top two types of attacks on WordPress websites are:

  1. Sending specially crafted HTTP requests to your server carrying exploit payloads for specific vulnerabilities, most often in outdated plugins, themes and WordPress core.
  2. Attempting to gain access to your dashboard by “brute-force” password guessing.

The most common brute-force attack is trying to sign in as “admin” through the login form at www.yourdomain.com/wp-login.php (which is where www.yourdomain.com/wp-admin/ redirects you when you aren’t logged in). See item 1 in the list below for more.

How Can You Protect Your Website?

Here are a few simple steps that you can take to create a secure installation of your WordPress website:

  1. NEVER use the out-of-the-box “admin” user for your website. And we mean NEVER! Hackers know that many people building their own sites keep this standard username, so half of the brute-force problem (the username) is already solved for them. If your site already has an “admin” account, create a new administrator with a different username, sign in as that user, then delete “admin” and reassign its posts to the new account. (See the screenshot of the email, right, for a hackbot trying to sign in with the username “admin”.)
  2. Only use strong passwords for all users on your WordPress website. Names, dictionary words and obvious passwords should never be used; a long random password kept in a password manager is the easy way to get this right.
  3. Be sure any computers accessing the site are free of malware, particularly key loggers that may be recording keystrokes and transmitting them to a hacker.
  4. Remove unused plugins from the site. Don’t just deactivate them; get rid of them completely. A deactivated plugin’s files are still on the server and still reachable over the web, so it can still be exploited once it becomes outdated.
  5. Keep your website software and plugins updated. As security holes are identified by developers and the community, software publishers release updates to keep your site safe. Take advantage of their knowledge and update your software.
A typical email alert from Wordfence showing that a user or “hackbot” was blocked from accessing the site due to suspicious activity.
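The Wordfence alert above is the result of exactly the kind of check you can run yourself against the web server’s access log: count failed POSTs to wp-login.php per source address and block the addresses that exceed a threshold in a short window. The script below is an added example, not code from this post or from Wordfence; the log lines are constructed for the demo (the two IP addresses are documentation ranges, not real hosts), and the threshold of five failures in five minutes and the Apache 2.2-style “Deny from” output are assumptions you would tune for your own site. It relies on one real WordPress behaviour: a wrong password re-renders the login form with HTTP 200, while a correct one answers with a 302 redirect to /wp-admin/.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache/nginx "combined" format); not real traffic.
# 203.0.113.7 hammers the login form; 198.51.100.4 is a legitimate editor who logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3514 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3514 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3514 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3514 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3514 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:02:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3514 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2014:02:20:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3514 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2014:02:20:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2014:02:20:16 +0000] "GET /wp-admin/ HTTP/1.1" 200 41234 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2014:03:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3514 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identd, user, [timestamp], "METHOD PATH PROTO", status, bytes, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def failed_logins(log_text):
    """Yield (ip, timestamp) for each POST to wp-login.php that looks like a failed login.

    WordPress answers a wrong password by re-rendering the login form with HTTP 200;
    a correct one sends a 302 redirect to /wp-admin/. So a 200 on a POST is a failure.
    """
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line in the expected format
        path = m['path'].split('?', 1)[0]  # drop any query string (e.g. ?action=lostpassword)
        if m['method'] != 'POST' or path != '/wp-login.php' or m['status'] != '200':
            continue
        yield m['ip'], datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')


def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak} for every IP with at least `threshold` failed logins inside
    some interval of length `window` (sliding window over that IP's sorted timestamps);
    peak is the most failures seen in any one such interval."""
    by_ip = defaultdict(list)
    for ip, ts in failed_logins(log_text):
        by_ip[ip].append(ts)

    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def htaccess_deny_rules(offenders):
    """Render Apache 2.2-style .htaccess lines blocking each offending IP (assumed output format)."""
    return ['Deny from %s' % ip for ip in sorted(offenders)]


if __name__ == '__main__':
    hits = brute_force_sources(SAMPLE_LOG)
    for ip, peak in hits.items():
        print('%s: %d failed logins within 5 minutes' % (ip, peak))
    print('\n'.join(htaccess_deny_rules(hits)))
```

On the sample, only 203.0.113.7 is flagged (six failures in a five-minute burst; its lone retry an hour later doesn’t count toward the window), while the editor’s single successful 302 login is ignored. Run the same functions over your real access log and the output is a ready-made block list; a firewall plugin does this continuously and adds the email alert.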

Some additional (not-so-easy) tips for the brave include:

  1. Turn off remote connections to your database. For most installations there’s no need for the database to accept connections from anywhere but the web server hosting the site, so bind MySQL to localhost (bind-address = 127.0.0.1 in my.cnf) or, if the web server and database share a host, disable TCP networking entirely.
  2. Obtain and install an SSL/TLS certificate and force the login page and dashboard over HTTPS (the FORCE_SSL_ADMIN constant in wp-config.php does this), so that your password and session cookies are never sent in the clear over a coffee-shop network.
  3. Use a strong, unique password for the WordPress database user, and give that user privileges only on the site’s own database rather than connecting as the MySQL root user.
  4. Turn off comments from the outset, assuming of course that comments aren’t an integral part of your website. If you do want comments on your blog, navigate to Settings->Discussion in the WordPress dashboard and require all comments to be moderated. Then be smart about your moderation.
  5. Install and configure a firewall plugin. Right now we fancy Wordfence for its capabilities and its ability to monitor your website while you’re out doing something better. Attacks will happen. Having a firewall in place will block the bulk of them, for example by locking out an IP address after a handful of failed logins. And after all, burglars usually avoid the house with the security lights, deadbolts and vicious attack dogs; they like the house that looks like no one’s guarding it.
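Items 1 to 3 above all leave a trace in wp-config.php, so they can be checked mechanically before a site goes live. The script below is an added example, not code from this post or from WordPress: it pulls the define() constants out of a wp-config.php, then flags a database reached over the network, a site connecting as the MySQL root user, a weak database password and a missing FORCE_SSL_ADMIN. The two config fragments are constructed for the demo, and the password rule (16+ characters, three character classes, not on a short list of obvious choices) is an assumed heuristic, not a WordPress requirement.

```python
import re

# Constructed wp-config.php fragments for the demo (not from any real site).
WEAK_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'password123');
define('DB_HOST', 'db.example.net');
define('FORCE_SSL_ADMIN', false);
$table_prefix = 'wp_';
"""

HARDENED_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_site_user');        /* own user, GRANTed only on this database */
define('DB_PASSWORD', 'K7r!vQ2#pL9s$Wd4xZ1m');
define('DB_HOST', 'localhost');           /* MySQL bound to 127.0.0.1 in my.cnf */
define('FORCE_SSL_ADMIN', true);          /* login and dashboard over HTTPS only */
$table_prefix = 'wp_';
"""

# Matches define('NAME', 'str'), define("NAME", "str") and define('NAME', true/false/123).
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|([^\s)]+))\s*\)"""
)

# A few obvious choices the post warns against; real breach lists are far longer (assumed set).
COMMON_PASSWORDS = {'password', 'password123', 'wordpress', 'admin', 'root', '123456', 'letmein'}


def parse_defines(php_source):
    """Return {NAME: value} for the define() calls in a wp-config.php.
    Quoted values are unquoted; bare literals such as true/false come back as 'true'/'false'."""
    defines = {}
    for name, single, double, bare in DEFINE_RE.findall(php_source):
        defines[name] = single or double or bare
    return defines


def password_is_strong(pw):
    """Assumed heuristic: 16+ chars, at least three character classes, not a well-known password."""
    classes = sum(bool(re.search(p, pw)) for p in (r'[a-z]', r'[A-Z]', r'\d', r'[^A-Za-z0-9]'))
    return len(pw) >= 16 and classes >= 3 and pw.lower() not in COMMON_PASSWORDS


def audit_wp_config(php_source):
    """Return a list of 'CONSTANT: problem and fix' strings; an empty list means every check passed."""
    d = parse_defines(php_source)
    findings = []

    host = d.get('DB_HOST', 'localhost').split(':', 1)[0]  # strip :port or :/path/to/socket
    if host not in ('localhost', '127.0.0.1'):
        findings.append('DB_HOST: database is reached over the network; move it to localhost '
                        'and set bind-address = 127.0.0.1 in my.cnf, or firewall it to the web server')
    if d.get('DB_USER') == 'root':
        findings.append('DB_USER: site connects as the MySQL root user; create a dedicated user '
                        'GRANTed privileges only on this database')
    if not password_is_strong(d.get('DB_PASSWORD', '')):
        findings.append('DB_PASSWORD: weak or missing database password; use a long random one')
    if d.get('FORCE_SSL_ADMIN', 'false').lower() != 'true':
        findings.append("FORCE_SSL_ADMIN: not enabled; add define('FORCE_SSL_ADMIN', true); "
                        'so logins and the dashboard go over HTTPS')
    return findings


if __name__ == '__main__':
    for label, cfg in (('weak', WEAK_WP_CONFIG), ('hardened', HARDENED_WP_CONFIG)):
        problems = audit_wp_config(cfg)
        print('%s config: %d finding(s)' % (label, len(problems)))
        for finding in problems:
            print('  -', finding)
```

The weak fragment produces all four findings; the hardened one produces none. Note what the checker cannot see: a remote DB_HOST is only a symptom, and the real fix for item 1 is on the MySQL server (bind-address or skip-networking), while the DB_USER check tells you to create a least-privileged user but cannot confirm what that user has actually been granted.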

We love receiving email alerts from our firewall packages telling us that a specific IP address has just been blocked because it failed to log in too many times. It means that’s one less website that will succumb to the evils of some hacker or robot on the other side of the planet, and one more website that will be there tomorrow to earn revenue for its owners.

As Benjamin Franklin said, “An ounce of prevention is worth a pound of cure.” Contact us right away if you think your website has been hacked or if you would like an evaluation of your website’s security.

Find more information about securing WordPress on the WordPress Codex site and be sure to learn more about the Wordfence security plugin.