WordPress sites get hacked for lots of reasons. Thankfully, most of these are entirely preventable with a few simple habits.
Way #1: Keep all your software up to date.
The majority of attacks are based on vulnerabilities that have already been discovered, published, and patched. You need to make sure you’re applying updates to WordPress core, your plugins, your themes, and the server you’re running WordPress on. If you’re already on Burlington Bytes’ WordPress Hosting, rest easy: your updates are being applied and tested for you. If you’re self-hosting, it’s important to check for updates often. Better yet, you can use a plugin like WordFence to email you when there are new versions to install.

It’s possible to set up your site to update automatically, but we discourage this if you are running a business site. Updates applied automatically can break functionality on your site, and you might not discover it until a customer tells you. We recommend applying updates in a separate (staging) environment and checking that everything looks and functions properly before applying them to your live site. If you don’t install these patches, you’re a sitting duck: the exact details of the vulnerability are public by the time patches are available.

One of the most widespread WordPress exploits came from a small script called TimThumb. This script let you dynamically resize images before sending them to the visitor’s browser. That functionality has been in WordPress core for quite a few years now, but that wasn’t always the case. TimThumb was a great solution to a common problem until 2011, when someone discovered a way to abuse the script to download a backdoor onto the site. There are still sites that run TimThumb. A large number are patched, but a surprising number still contain this incredibly powerful exploit that’s been public for 5 years.
Way #2: Use Strong Authentication
Another incredibly common way sites are compromised is weak passwords. It doesn’t matter how good the rest of your security is if your password is “123456”, “password”, or “letmein”. If I just said your password, please change it now. Those are literally the first three passwords many attackers will try, because they’re among the most common. A strong password consists of a mixture of lowercase and uppercase letters, numbers, and special characters. All users on the Burlington Bytes’ hosting platform are already required to have strong passwords. You should always avoid using your username, the site name, or any publicly available information about you or your company in your password. For extra security, you can use a plugin like Duo or WordFence Premium to enable multifactor authentication. MFA (often called 2FA) requires you to enter a code from another device when logging in. This dramatically increases security in conjunction with strong passwords, because an attacker would need both your password and some way to generate your multifactor code, which requires a secret key stored on your device.
Way #3: Regularly Audit Who Has Access
Many data breaches today occur through the credentials of someone who already had access. Sometimes the bearer of those credentials is complicit, but often their credentials have been stolen by someone else. This complicates investigating a hack, because it may appear that a trusted employee authenticated to your site and did damage when they may have had no knowledge of the attack at all. To protect against this, only grant site access to people you know and trust, and give users the least privileges they need. For example, if you’d like to have your entire company create content for your website, and that’s all they should be doing, there’s no reason to give them Administrator accounts. WordPress comes with a variety of default user roles; the Editor role, for example, would be a much better fit for such a situation. By enforcing a policy of “least privilege,” the potential for damage from rogue users and stolen credentials can be minimized.
Way #4: Check Your Automated Backups
Okay, you got me: this isn’t actually a way to prevent an attack, but a way to save yourself if you are hacked. If you don’t currently have automated backups of your site, you’re at risk of losing days, weeks, months, or all of the time and money you’ve put into it. Manual backups are not enough; it’s too easy to forget to run a site backup on time, every time. We recommend daily, automated backups during your lowest daily traffic period, typically between 2am and 4am. This works well for most people. However, if you do a lot of content editing or depend on your site’s eCommerce, you may need more frequent backups. If you need to restore from a daily backup, you may lose up to a day’s work, but on average less than that. All customers signed up for Burlington Bytes hosting have automated, daily backups included in their subscription. It’s also important that you periodically test your backups to make sure they can actually be restored.
Way #5: Never Install “Nulled” Plugins or Themes
A “nulled” plugin has been “cracked”: pirated, with the code modified to disable license checks. Although some “nulled” plugins may appear to function just like the paid version, many of them have backdoors installed. When it comes to your business site, it just doesn’t pay to take the chance. Legally purchased plugins or themes provide assurance that you are installing genuine software. In addition, you are supporting the developers, which helps bring you newer, improved versions. Software piracy is a serious matter, and you can be held criminally responsible for copyright infringement.
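Because a nulled copy is, by definition, a modified copy, the practical defence is to compare what is installed against the genuine release file by file. The following is an added example, not code from Burlington Bytes or from any plugin vendor: it builds a SHA-256 manifest from a genuine plugin directory and reports files in an installed copy that were modified, added, or removed. The two small plugin trees it checks are constructed inline in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def file_sha256(path: Path) -> str:
    """Stream the file in chunks so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(plugin_dir: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under a plugin directory."""
    return {p.relative_to(plugin_dir).as_posix(): file_sha256(p)
            for p in sorted(plugin_dir.rglob("*")) if p.is_file()}


def verify_plugin(installed_dir: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare an installed copy against the genuine manifest; any difference is a finding."""
    installed = build_manifest(installed_dir)
    return {
        "modified": sorted(f for f in manifest if f in installed and installed[f] != manifest[f]),
        "added": sorted(f for f in installed if f not in manifest),   # e.g. a dropped-in backdoor
        "missing": sorted(f for f in manifest if f not in installed),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed sample: a genuine release and a 'nulled' copy with the license check removed."""
    genuine = {"plugin.php": "<?php\n// constructed sample\nif (!check_license()) { return; }\nrun();\n",
               "includes/helpers.php": "<?php\nfunction helper() {}\n"}
    nulled = dict(genuine)
    nulled["plugin.php"] = "<?php\n// constructed sample\n// license check removed\nrun();\n"
    nulled["includes/extra.php"] = "<?php\n// constructed: file that is not in the release\n"
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("genuine", genuine), ("nulled", nulled)):
            for rel, body in files.items():
                target = Path(tmp, name, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        return verify_plugin(Path(tmp, "nulled"), build_manifest(Path(tmp, "genuine")))


if __name__ == "__main__":
    print(demo())   # modified: plugin.php, added: includes/extra.php, missing: none
```

For plugins and themes distributed through WordPress.org, WP-CLI’s `wp plugin verify-checksums` and `wp theme verify-checksums` perform the same comparison against the checksums the repository publishes, so you don’t need your own manifest for those.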
Stay safe and happy blogging!
This post’s image is a derivative work by Burlington Bytes of the WordPress Dashicons, and as such is licensed as GPLv2.