Because WordPress is the most popular content management system on the Internet, WordPress websites are a common target for hackers and spammers. That is why it is vital to take measures to make your WordPress website as secure as possible.
Whilst most people would assume that a hacked website would simply be defaced and replaced with a message to visitors such as "Your Website Has Been Hacked by SOMESILLYNAME!", in reality the aim of most hacks is to infect your website with malware without you or anyone else knowing! Some of the common malware threats include:
- Pharma Hacks – Injects spam into the website database or files
- Backdoors – Allows hackers to gain access to the website at any time via FTP or the WordPress admin area
- Drive-by Downloads – A script downloads a file to the visitor's computer, either without their knowledge or by misleading them into believing the software does something useful
- File and Database Injections – Inserts code into the files or database that lets the hackers do a number of different things
- Malicious Redirects – Redirects website visitors to an attacker-controlled page that misleads them into downloading an infected file
- Phishing – Used to acquire usernames, passwords, email addresses and other sensitive information
Hackers generally want their hack to go unnoticed because the longer you don't know your website is infected, the longer they can use it to send spam emails and infect your visitors' computers.
In order to keep a WordPress installation secure, you need to keep plugins to a minimum and update them as soon as new versions are released! It can be very tempting to add dozens and dozens of plugins to your WordPress site and give it loads of bells and whistles, but the more plugins you have, the more chance there is that one of them has a vulnerability. Only install the plugins you need and remove any you aren't using. You can always install them again later if need be.
If a plugin hasn't been updated for a long time, it's possible that the developer has stopped supporting it, and you should consider whether it's safe to keep using. You can find out which plugins have known issues by visiting the WPScan Vulnerability Database. Alternatively, there are plugins (!!) that use the database to tell you whether any of the plugins you have installed have issues. A scan of this very site with Plugin Vulnerabilities revealed that none of my current plugins have vulnerabilities, but earlier versions did have:
- Google Analytics by Yoast 4.2-5.3.2 – persistent cross-site scripting (XSS)
- Page Builder by SiteOrigin 2.0-2.0.4 – reflected cross-site scripting (XSS)
- Wordfence Security 3.6.1-5.1.2 – reflected cross-site scripting (XSS)
- Wordfence Security 1.1-5.2.2 – persistent cross-site scripting (XSS)
- Yoast SEO 1.5.0-1.5.6 – cross-site request forgery (CSRF)/SQL injection
- Yoast SEO 1.6-1.6.3 – cross-site request forgery (CSRF)/SQL injection
- Yoast SEO 1.7-18.104.22.168 – cross-site request forgery (CSRF)/SQL injection
This shows the importance of updating plugins as soon as a new version is released!
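As an added example (not the article's code, nor that of WPScan or any plugin it names), this Python script performs the comparison such a vulnerability-database plugin makes: it reads an installed-plugin list in the JSON shape WP-CLI's `wp plugin list --format=json` produces and flags any version that falls inside a known-vulnerable range, coping with ranges of differing length such as 2.0-2.0.4 that break naive string comparison. The plugin slugs and the installed-version sample are assumptions; the version ranges are the ones from the scan above.

```python
"""Check installed WordPress plugins against known-vulnerable version ranges,
the comparison a vulnerability-database plugin performs. Added example, not
code from the article or any plugin it names: ranges are the article's scan
output, slugs are assumed, and the installed-plugin JSON is constructed sample
data in the shape `wp plugin list --format=json` emits."""
import json

# (assumed slug, first vulnerable, last vulnerable, issue), from the article's scan
VULNERABLE_RANGES = [
    ("google-analytics-for-wordpress", "4.2", "5.3.2", "persistent XSS"),
    ("siteorigin-panels", "2.0", "2.0.4", "reflected XSS"),
    ("wordfence", "3.6.1", "5.1.2", "reflected XSS"),
    ("wordfence", "1.1", "5.2.2", "persistent XSS"),
    ("wordpress-seo", "1.5.0", "1.5.6", "CSRF / SQL injection"),
    ("wordpress-seo", "1.6", "1.6.3", "CSRF / SQL injection"),
]

# Constructed sample of `wp plugin list --format=json` output
INSTALLED_JSON = """[
  {"name": "wordfence", "status": "active", "update": "available", "version": "5.0.9"},
  {"name": "wordpress-seo", "status": "active", "update": "none", "version": "1.6.3"},
  {"name": "siteorigin-panels", "status": "inactive", "update": "none", "version": "2.1.0"}
]"""

def parse_version(v):
    """'5.3.2' -> (5, 3, 2). Non-numeric text counts as 0; trailing zeros are
    dropped so '2.0' and '2.0.0' compare equal at a range boundary."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def in_range(version, low, high):
    """Inclusive check; tuple ordering copes with ranges like 2.0-2.0.4."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)

def find_vulnerable(installed_json):
    """One finding per plugin/range match; inactive plugins count, as their files stay reachable."""
    findings = []
    for plugin in json.loads(installed_json):
        for slug, low, high, issue in VULNERABLE_RANGES:
            if plugin["name"] == slug and in_range(plugin["version"], low, high):
                findings.append(f"{slug} {plugin['version']}: {issue} ({low}-{high})")
    return findings

if __name__ == "__main__":
    print("\n".join(find_vulnerable(INSTALLED_JSON)) or "no known-vulnerable plugins")
```

On a live site, pipe the real `wp plugin list --format=json` output into `find_vulnerable` and refresh the ranges from the WPScan database each run.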
Further to this, it is recommended that you install a security plugin, which can walk you through all the steps required to make your site more secure. We use iThemes Security (formerly Better WP Security) and it is best to install this as the first plugin you use, as some of the recommended changes cannot be made after you start to build your site and add content. However, even installing and implementing the basic changes on an established WordPress site WILL make it more secure.
As even a secure WordPress website can be hacked without the owner knowing, it is important that you also scan your website regularly to detect whether any hidden malware has been injected into your site! As a web host, we shut down sites as soon as we realise they are compromised, but by then it might be too late: your site is lost and your domain might even be blacklisted!
Our web hosting plans allow you to carry out a full back-up of your website and database, but this involves running the back-up manually. There are automated ways to back up your website, which we will discuss in the next article. Plus, in a future article we will tell you about the various services and plugin solutions that will help you detect whether malware has been injected into your WordPress website, so you can take immediate action!