Why preventing WordPress hacks is easier than recovering from them
An ounce of prevention is worth a pound of cure. This could not be truer with regard to website hacks. WordPress sites are compromised not by sophisticated hackers but by bots written to exploit known vulnerabilities. These vulnerabilities include weak passwords, outdated plugins and themes, and poor-quality web hosting.
When a site is hacked, any of the following can happen:
- Files can be uploaded to the server containing malicious code or PHP backdoors
- Files already on the server, such as your theme files, can be modified
- Code can be injected into your WordPress database
- Users with administrative privileges can be added to your WordPress database
- Numerous posts and pages can be published containing spam code
- Your site can be redirected to malware sites
In other words, having your site hacked can be a BIG mess to fix. It can truly take hours to recover, and your SEO can take a big hit if Google decides to blacklist your site. See: Sites Hosting Malware Get 30 Day Ban from Google.
Luckily, preventing hacks is quite easy, though it does require diligence.
10 Tips for Preventing WordPress Hacks
1 – Use strong passwords
You should get a password manager like 1Password to keep track of all your passwords. You can no longer use the same password on every internet account and get away with it. You can’t use your dog’s name or favorite soft drink or band name. You need unmemorable, long, difficult passwords.
In the past couple weeks, I’ve had two clients call me because their Gmail, Instagram, or AppleID was hacked due to using a weak password. It is very easy to use a password hacking program to discover what your password is. In both cases, my clients used passwords that could be guessed by a password detection tool in under 1 second!
Test the strength of your existing passwords here, and then give some serious thought to using 1Password and creating passwords that are long, complex, and obscure, and to changing them frequently. With 1Password, you only have to remember one complex password.
2 – Keep WordPress themes, plugins, and core up to date
It’s not enough to log in once a month or less to do updates. Once a vulnerability is published, exploits against it hit massive numbers of sites within days. My forgotten site that I didn’t update was exploited within a couple of weeks of the Gravity Forms vulnerability being announced. You must update as soon as an update is available. Read my post on how to update your WordPress themes and plugins safely to avoid breaking your site.
For plugins that don’t have front-facing functionality, you can use the Shield WordPress Security plugin to perform auto updates for you. If you manage more than one site, check out my post on site management plugins.
3 – Keep your server clean
Delete unused versions of WordPress on the server. It’s easy to forget these exist. Unused WordPress files, plugins, and themes can be exploited even when they are not active and not even associated with your current install. Delete, delete, delete. Run a tight ship.
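Forgotten copies of WordPress are easy to miss by eye, so here is a small inventory script, added as an example for tips 2 and 3 (it is not code from the original post). It walks a web root, finds every WordPress install by locating `wp-includes/version.php` (the file where core defines `$wp_version`), and reports any copy older than the version you pass in as current. The web root, the sample directory layout and the version strings are assumptions made up for the example.

```python
"""Inventory every WordPress install under a web root and flag stale copies.

Added example, not from the original post. Every WordPress install carries
wp-includes/version.php with a line like  $wp_version = '4.9.8';  so finding
those files finds the installs, including old copies left in subdirectories.
"""
import os
import re
import tempfile
from pathlib import Path

VERSION_FILE = Path("wp-includes") / "version.php"
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def read_wp_version(install_dir):
    """Return the $wp_version string of the install at install_dir, or None if unreadable."""
    try:
        text = (Path(install_dir) / VERSION_FILE).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None
    match = VERSION_RE.search(text)
    return match.group(1) if match else None


def find_wordpress_installs(web_root):
    """Walk web_root and return {install_dir: version} for every WordPress copy found."""
    installs = {}
    for dirpath, _dirnames, filenames in os.walk(web_root):
        # os.walk keeps descending, so a backup copy nested inside a live install is reported too.
        if Path(dirpath).name == "wp-includes" and "version.php" in filenames:
            install_dir = str(Path(dirpath).parent)
            installs[install_dir] = read_wp_version(install_dir)
    return installs


def version_tuple(version):
    """'4.9.8' -> (4, 9, 8); stops at the first non-digit so '5.0-beta1' -> (5, 0)."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group(0)))
    return tuple(parts)


def stale_installs(web_root, current_version):
    """Return the installs whose core version is older than current_version (or unreadable).

    Every copy counts: an old install under an unused subdirectory is still
    reachable from the web and still exploitable.
    """
    current = version_tuple(current_version)
    return {
        path: version
        for path, version in find_wordpress_installs(web_root).items()
        if version is None or version_tuple(version) < current
    }


def build_sample_tree():
    """Create a constructed web root with a current site and a forgotten older copy.

    Returns the temporary root directory (sample data for the example only).
    """
    root = tempfile.mkdtemp(prefix="wp-inventory-")
    for subdir, version in (("public_html", "4.9.8"), (os.path.join("public_html", "old-site"), "4.2.1")):
        inc = os.path.join(root, subdir, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
            fh.write(f"<?php\n$wp_version = '{version}';\n")
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()  # assumed web root, e.g. /var/www
    for path, version in sorted(find_wordpress_installs(root).items()):
        print(f"{path}: WordPress {version or 'unknown'}")
    for path, version in sorted(stale_installs(root, "4.9.8").items()):
        print(f"STALE: {path} ({version or 'unknown'})")
```

Run it with your real web root as the first argument (for example `python3 wp_inventory.py /home/youruser`) and delete or update every copy it lists that is not your live site; the same listing doubles as a reminder of which installs still need the update from tip 2.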
4 – Check your plugins and themes for continued support
Don’t use plugins and themes that are no longer maintained. If your plugin or theme hasn’t been updated in a year or more, replace it. This can be a huge problem with themes. Many developers are fly-by-night and don’t stick around more than a couple of years to support their theme.
When you shop for a theme or plugin, look for one with current support requests that have been answered in a timely manner, good star ratings, and recent and frequent updates. Not all top-selling themes are the best themes; however, they are more likely to have ongoing support and updates. Read the comments for quality of response and tone. Look for helpfulness, enthusiasm, thoroughness, quick response, good articulation, and a positive attitude.
WordPress premium themes often come bundled with third-party plugins. The theme developer may or may not provide timely updates for these bundled plugins. For example, the Revolution Slider, a popular animated slider, comes bundled with hundreds of themes on ThemeForest. The Revolution Slider had a major security vulnerability in 2014. However, theme developers who bundled it with their themes did not necessarily update the plugin when they updated their themes. As a result, many themes on ThemeForest distributed a highly insecure plugin for months after the vulnerability was discovered. This vulnerability led to tens of thousands of websites being hacked and redirecting traffic to malicious sites.
The upshot of all this is that if you purchase a premium theme that comes bundled with premium plugins, like Visual Composer, Layer Slider, Revolution Slider, or others, purchase these plugins SEPARATELY, so you can be notified of updates to those plugins specifically and not rely on a theme developer to keep you safe.
5 – Protect your computer and home network
Run virus scans all the time, especially if you run Windows. Be careful about the sites you visit. You can inadvertently give your WordPress login away through a keystroke-logging Trojan that steals your passwords as you type them. Protecting your computer is often about not visiting websites that distribute malware. But even known sites, such as a friend’s cooking blog, can be hacked, so you need some protection wherever you go on the web.
For Mac OS:
- Scanning software isn’t usually needed, but I like Avira because it recognizes malware patterns along with malware and trojan signatures.
- Turn on the Firewall in your System Settings (Security & Privacy). In the Firewall Options, check the box to Enable Stealth Mode, so that your computer does not respond to probing requests and is not visible on networks.
For your network:
6 – Run a WordPress security plugin
I prefer Shield WordPress Security by iControlWP. I have used Wordfence in the past, and it continuously created errors in the error log files on multiple sites. Other popular plugins out there can easily break your site or have you focused on “security” measures that do nothing for security while missing out on important things like login protection. I appreciate the following about Shield:
- No “Pro” restrictions on security features
- It won’t break your website
- Super Admin Security
- Lots of great email newsletters and insights into what’s new in WordPress security
- Blocks malicious URLs and requests
- Blocks ALL automated spambot comments
- Hides your WordPress Admin and Login page
- Prevents brute force attacks on your login and any attempted automatic bot logins.
- Verify user identity with email-based Two-Factor Authentication
- Monitor login activity and restrict username sharing, with User Sessions Management
- Review admin activity with a detailed Audit Trail Log
- Turn on and turn off WordPress Automatic Updates separately for plugins, themes and Core
- Easy to use kill switch to temporarily turn off all Firewall Features without disabling the plugin or even logging into WordPress.
7 – Don’t login on public WiFi networks
If you log in to your WordPress site on a public network, you are essentially giving your login credentials away to anyone else on the network who might be running packet-sniffing software. If you don’t have an SSL certificate installed on your site (which encrypts your username and password on the network), use a Virtual Private Network (VPN) service to encrypt your traffic. Use a VPN even if you do have an SSL certificate on your site; it is good practice to stay in a virtual private network on any public network.
8 – Install an SSL certificate on your site
This encrypts the data that you and your site’s users transfer via the site, such as when submitting contact forms or logging in. Otherwise, data is transferred like a postcard in the mail, meaning anyone who is looking can read it. Having SSL installed on your site lets you log in securely (via https) while traveling. Many hosts offer this for free, and you can use the Really Simple SSL plugin to force your content to use https.
9 – Consider better web hosting
Hosting companies like WP Engine, SiteGround, and Flywheel have your back when it comes to security. They routinely run security scans and will clean your hacked site for free. You may still want to hire a professional like Jim Walker or Sucuri, though, to avoid a newbie hosting-company employee “cleaning” your site and missing something, given the new 30-day Google ban.
10 – Backup your site
While backups are not always all that helpful in recovering from a WordPress hack, they are essential for disaster recovery, especially when it comes to damage to your database, which is where all your site content is stored. See my post on Backing Up WordPress.
Ongoing monitoring of your site
- It’s important to sign up for Google Search Console to be alerted about any issues on your website.
- Monitor error logs on the site via the cPanel File Manager or FTP (ideally SFTP).
- View Raw Access Logs on the server to track users accessing files on the site, particularly POST requests. If this is not turned on, you can turn on archiving of Access Logs in your cPanel.
- You can use the Shield WordPress Security plugin’s Audit Trail feature to track any changes to files or access to the site.
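Reading raw access logs by hand is tedious, so here is an added example (not code from the original post) of the kind of check the monitoring list above describes. It parses Apache/cPanel “combined” format log lines, counts POST requests per client address to the WordPress login and XML-RPC endpoints (many repeated POSTs from one address is the usual sign of a bot guessing passwords), and flags any POST to a `.php` file under `wp-content/uploads`, a location that only ever holds media on a clean site and is where uploaded backdoors from the list at the top of the post tend to land. The log lines are constructed for the example and the threshold is an assumption to tune for your own site.

```python
"""Scan web-server access logs for the POST traffic worth watching on a WordPress site.

Added example, not from the original post. Parses Apache "combined" log lines,
counts POSTs per client to /wp-login.php and /xmlrpc.php, and flags POSTs to
PHP files under wp-content/uploads. Sample lines and threshold are constructed.
"""
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "method path protocol" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")
UPLOADS_PHP_RE = re.compile(r"/wp-content/uploads/.*\.php$", re.IGNORECASE)


def parse_line(line):
    """Return {host, time, method, path, status} for one combined-format line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def analyse(lines, login_threshold=5):
    """Return (suspected_bruteforce, uploads_php_posts).

    suspected_bruteforce: {host: count} for hosts with at least login_threshold
                          POSTs to the login or XML-RPC endpoints.
    uploads_php_posts:    [(host, path)] for every POST to a .php file under wp-content/uploads.
    """
    login_posts = Counter()
    uploads_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]  # drop any query string before matching
        if path in LOGIN_ENDPOINTS:
            login_posts[rec["host"]] += 1
        if UPLOADS_PHP_RE.search(path):
            uploads_hits.append((rec["host"], path))
    suspects = {host: n for host, n in login_posts.items() if n >= login_threshold}
    return suspects, uploads_hits


# Constructed sample log: one editor logging in normally, one address hammering the
# login endpoints, and one POST to a PHP file that should never exist under uploads.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2018:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2018:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2018:13:55:42 +0000] "GET /wp-admin/ HTTP/1.1" 200 31055 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.23 - - [10/Oct/2018:14:0{i}:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "python-requests/2.19"'
    for i in range(6)
] + [
    '198.51.100.23 - - [10/Oct/2018:14:06:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.19"',
    '192.0.2.99 - - [10/Oct/2018:14:30:12 +0000] "POST /wp-content/uploads/2018/10/image.php?x=1 HTTP/1.1" 200 512 "-" "curl/7.61"',
    'this line is not a log entry',
]


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    suspects, uploads = analyse(lines)
    for host, n in sorted(suspects.items(), key=lambda kv: -kv[1]):
        print(f"{n:5d} login/xmlrpc POSTs from {host}")
    for host, path in uploads:
        print(f"POST to PHP under uploads: {path} from {host}")
```

Run it against a downloaded raw access log (`python3 wp_logscan.py access_log`); an address in the first list is a candidate for blocking at the firewall or in the Shield plugin, and any path in the second list deserves an immediate look, since a clean site never serves PHP from its uploads folder.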
WordPress security is not hard. Cleaning up hacks is. Please take a little time to review your site, make a list of things you need to do, and check them off one at a time. Start by getting everything updated and getting a backup solution set up. Update your plugins and sign up for Google Search Console. Reset your passwords. I’ll be writing another post soon on how to audit your site to look for hacked files, so stay tuned!