WordPress is a great Content Management System with a rich ecosystem of plugins, themes and extensions that makes managing your website a breeze. But you need to be aware that you need to take steps to defend your website against hackers. Our experience shows that from the moment a new website is live on the internet, it takes less than a minute before hackers are trying to break in. They run hacking bots that never rest, constantly probing websites across the internet for a large and ever-increasing catalog of vulnerabilities. The good news is that you can take sensible steps to defend against this onslaught, and even if a hacker still gets in, you can recover from the breach.
The most common ways hackers & bots break into WordPress Websites are:
- Known vulnerabilities in WordPress itself.
These happen infrequently, but are always added to the hacker's arsenal of attacks.
- Insecure themes.
Third-party themes are a common point of attack if they are not written to security best-practice principles.
- Vulnerable plugins.
The most common method of attack. Some plugins become abandoned by their developers, others aren't patched quickly enough.
- Weak passwords.
We see this way too often - choosing an easy to remember password based on dictionary words will eventually lead to tears.
How to defend your website against attacks.
Stay up-to-date. This is the most important action you can take to avoid your site getting hacked. Log in regularly to your website and apply any updates to WordPress core, themes and plugins whenever they become available. Don't leave it to your imperfect memory, set yourself a calendar reminder to do this once every week or two.
Install a security plugin like Wordfence, Sucuri or iThemes Security. These plugins scan your WordPress core, known plugins and themes against a database of reference code, alerting you to any differences between the reference code and the code on your site. They also provide other features like malware scanning, automatic firewalling and preventing attacks from known malicious IP addresses.
Use a Password Manager like LastPass or 1Password. Using a Password Manager is not just for WordPress, it will change your life! You'll only ever need to remember one password, the password for your Password Vault. All your other passwords will be secure and virtually un-crackable. Like this: 8!9Gbqe3QC^jmnEm3RC4T##2eFwqN.
Take regular backups. It's always a good idea to keep backups. And even in spite of your best efforts, it's possible that a vulnerability could be discovered and used against your website before a security update is available. All of Serversaurus' shared hosting accounts are backed up every 4 hours using JetBackup and around 3 weeks of backups are retained. There is a simple and quick interface to restore your hosting account within minutes from a prior backup. We also recommend keeping your own backups, just to complete your peace-of-mind. WordPress can automatically email you a copy of your database periodically using the WordPress Database Backup plugin.
Other advice, and not just for security.
- Remove any plugins or themes you don't use. Even though you're not using it, it is still installed in your website, potentially consumes resources, and may contain vulnerabilities that can be exploited even though it's listed as Inactive in your Dashboard.
- Prefer well-known themes and plugins if they suit your needs completely; don't download plugins or themes from other sources than the WordPress plugin/theme directory.
- Ensure you follow all these suggestions - for example, a strong password does not protect you from vulnerabilities and a fully updated WordPress with a strong password but without backups still leaves you vulnerable.
If you need to restore your website from a compromised state, please following our guide on recovering a hacked WordPress installation.