The security of WP sites.
Many website owners don’t care much about the security of their (WordPress) websites. That is, until they get hacked. By then it is often too late for defense. That’s why it is important to properly protect your WP-driven site against hackers, bots and malware. This article answers the question “How do I protect my WordPress site from hackers?”
- Why would they hack my website?
- How can my WordPress website be hacked?
- Protecting WordPress: what can I do against hackers?
- Choose a good hosting provider.
- Important settings when installing WordPress.
- Limit Login Attempts.
- Don’t just install plugins and/or themes.
- The .htaccess file.
- Two Step Authentication.
- Hide WordPress version number.
- Use your common sense.
- Make regular backups.
- Scan your website.
WordPress is the most popular CMS at the moment, and therefore also a popular target for hackers and spammers. This does not mean that WP is unsafe: because so many people use WordPress, it is only logical that it also gets a lot of attention from hackers.
In addition, WordPress is extremely accessible; almost anyone can easily set up a website with it. Unfortunately, not everyone knows how to do so properly. According to expert estimates, about 70 percent of all WordPress installations are vulnerable as a result.
Why would they hack my website?
Why would hackers attack your website when you only have a few visitors a day? This is a question that customers often ask me. However, most hackers are not looking for high-traffic websites. They use your website to send SPAM through your server, regardless of whether your website has a lot of traffic or very little.
Sending SPAM mail from your server can be a motive for hackers. This is a good reason to properly secure your WordPress site. If SPAM is sent from your server, it is possible that, for example Google puts the IP address of your server on a “blacklist”. As a result, your “normal” newsletters and/or emails will also end up in the SPAM box. The idea that your site will not be hacked because you have a small-scale website is therefore incorrect.
How can my WordPress website be hacked?
To properly secure your WordPress website, we first need to understand where things usually go wrong. Hackers have many different tricks for this. The website WP White Security published figures on how WordPress sites get hacked and which causes are the most common. These figures make clear that web hosting is an important factor in the security of your WordPress website.
- 41 percent of the hacks were related to web hosting;
- 29 percent of the hacks came from unsafe WordPress themes;
- 22 percent came from using unsafe or outdated plugins;
- 8 percent of the hacks were made possible simply by using a weak password.
As many as 41 percent of the attacks are due to problems on your hosting platform. It is therefore extremely important to choose a good hosting provider for your WordPress site. And remember that cheap is often expensive when it comes to web hosting.
Even more important is the fact that no less than 51 percent of the attacks were caused by a plugin (22%) or theme (29%). It often has to do with the fact that people don’t update plugins and themes. Also, you may have downloaded an unsafe plugin from an untrustworthy website, or downloaded Premium WordPress Themes from a Torrent website (sad, because those themes aren’t that expensive).
And finally, 8 percent of the attacks were caused by using a weak password. Hackers here often use a script that keeps trying different passwords (and usernames) until they have the correct password. This sounds time consuming, but such a script can easily try out thousands of passwords per second. This technique is also known as a “brute force” attack.
Securing WordPress: what can I do against hackers?
We now know how most hacks happen. But how do we make sure this does not happen to our WP sites? In this article I list a number of useful tips. Most techniques are easy to implement, but make a world of difference. It will probably take you no more than an hour to apply these techniques to your online presence.
1. Choose a good web hosting company.
It all starts with choosing a good hosting company. Ask them what measures they take to prevent your website from being hacked (because here too, prevention is better than cure).
Some things to keep in mind when choosing a web hosting service:
- Are the latest versions of PHP and MySQL supported?
- Is the server optimized for WordPress websites?
- Does the hosting provider use a firewall?
- How proactive are they in preventing and solving security issues?
- Do they automatically and regularly make backups of your WordPress website?
2. Important settings when installing WordPress.
While installing WP, you can do a lot to prevent your website from becoming vulnerable to hackers. For example, during the installation you choose a username for the Admin user (the administrator with all rights). By default, this username is “admin”. Hackers also know this, and no less than 60 percent of WordPress websites have a user called “admin”. They then have your username, and all they have to do is guess your password! So make sure your username is not “admin”!
You also choose a strong password during installation. A strong password contains not only letters, but also numbers and special characters. To create a strong password, I recommend using a password generator, which you can easily find online.
In addition to using an unpredictable username and a strong password, you can choose a “table prefix” during the WP installation. This is the prefix of every table name in your MySQL database. By default this is “wp_”, but it can be anything else. If you make it something like “wp123website_”, you are a lot less predictable for hackers.
Finally, the wp-config.php file also contains the “keys and salts”. These random values are mixed in when WordPress hashes and signs the login cookies and other stored security tokens. That makes those values much harder to forge or “crack”, because an attacker does not know which random data was added.
This part of the wp-config file looks like this:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
To turn these placeholders into unique values, use the keys and salts generator that WordPress itself provides at https://api.wordpress.org/secret-key/1.1/salt/ and paste its output into wp-config.php. Several other sites offer similar generators.
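If you prefer not to paste values by hand, or you need to rotate the secrets after a compromise, the following added example (not WordPress’s own code; the names wp_random_salt and wp_rotate_salts are assumed) generates fresh values and writes them over the eight define() lines shown above. Rotating the keys and salts invalidates every existing login cookie, so all users have to log in again.

```php
<?php
// Added example (not WordPress code): generate fresh keys/salts and write them into
// wp-config.php source text. Function names wp_random_salt/wp_rotate_salts are assumed.
const WP_SALT_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// 64 characters from the CSPRNG. Quotes and backslashes are left out so the value
// can sit inside a single-quoted PHP string without escaping.
function wp_random_salt(int $length = 64): string
{
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
           . '!@#$%^&*()-_[]{}<>~`+=,.;:/?|';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $chars[random_int(0, strlen($chars) - 1)];
    }
    return $out;
}

// Replace the value of every key/salt define() found in the config text, whether it
// still holds the placeholder or an old secret. Anything else in the file is untouched.
// A callback is used instead of a replacement string so that "$" and "\" characters in
// the new salt are never interpreted as backreferences.
function wp_rotate_salts(string $config): string
{
    foreach (WP_SALT_NAMES as $name) {
        $pattern = sprintf('/define\s*\(\s*\'%s\'\s*,\s*\'[^\']*\'\s*\);/', $name);
        $config = preg_replace_callback($pattern, function () use ($name) {
            return sprintf("define('%s', '%s');", $name, wp_random_salt());
        }, $config, 1);
    }
    return $config;
}

// Usage on a real site (placeholder path). Keep a copy of the old file first.
//   $path = '/path/to/wp-config.php';
//   file_put_contents($path, wp_rotate_salts(file_get_contents($path)));
```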
3. Limit Login Attempts.
Use a WP plugin that limits login attempts. These are simple plugins that make your WordPress website much safer. Earlier I explained how hackers try to retrieve your password through a “brute force” attack. A limit-login-attempts plugin temporarily blocks the account (or the attacking address) after an incorrect password has been entered more than three times. An absolute must-have, because it makes guessing your username and/or password thousands of times harder.
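To show what such a plugin does under the hood, here is an added example of a minimal must-use plugin (not the page’s or any published plugin’s code; the lt_ names are assumed, and it assumes the server is not behind a reverse proxy). It counts failed logins per client address in a transient and refuses authentication while the counter is at the limit.

```php
<?php
/*
Plugin Name: Login Throttle (added example)
Description: Locks out a client address after repeated failed logins. Place in wp-content/mu-plugins/.
*/
// Added example, not the page's or any plugin's code. Names prefixed lt_ are assumed.
const LT_MAX_ATTEMPTS    = 3;    // failures allowed before the lockout
const LT_LOCKOUT_SECONDS = 900;  // lockout length, also the lifetime of the counter

// Transient key for the client address. Assumption: no reverse proxy, so REMOTE_ADDR
// is the real client. Behind a proxy you must take the address from the proxy header
// you trust instead, otherwise every visitor shares one counter.
function lt_client_key(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lt_fail_' . md5($ip);
}

// Count each failed login (core fires wp_login_failed after a wrong username/password).
add_action('wp_login_failed', function ($username) {
    $key   = lt_client_key();
    $fails = (int) get_transient($key);
    set_transient($key, $fails + 1, LT_LOCKOUT_SECONDS);
});

// Runs after core's own authenticate handlers (priority 20) so that a correct password
// cannot overrule the lockout: while the counter is at the limit, always return an error.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lt_client_key()) >= LT_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.', LT_LOCKOUT_SECONDS / 60)
        );
    }
    return $user;
}, 30, 3);

// Forget the counter once the user logs in successfully.
add_action('wp_login', function () {
    delete_transient(lt_client_key());
});
```

Attempts made during the lockout still fail and still fire wp_login_failed, so they extend the lockout rather than reset it.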
4. Don’t just install plugins and/or themes.
WordPress is known for the fact that almost anything is possible. This is thanks to the huge community that builds themes and plugins. Great of course, but remember that not every developer is equally good. So check carefully how often a plugin or theme has been downloaded and whether there are any complaints. Also check the reviews. With plugins you can often also find out when it was last updated. Of course this does not say everything, but it does help. If, for example, the last update was months ago, something is wrong.
Also look carefully where you get your themes and plugins. If you download them from WordPress.org you can see if they have a good rating and when they were last updated, but if you download them from another website you don’t know this.
It is also not recommended to download themes and/or plugins from Torrent websites. These plugins and/or themes often contain a deliberately planted backdoor or vulnerability. When it comes to premium themes or plugins, pay the small amount instead of going to Torrent sites.
5. File permissions; no 777.
You may be familiar with “file permissions” on your server. Often you can give folders and files on your server certain “permissions” if you are logged in via FTP (or DirectAdmin).
It is best to follow the advice of WordPress itself here:
Folders and directories: 755 or 750
Files: 644 or 640
These codes may not mean much to you. In that case, ask your web hosting service to check this for you.
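If you would rather check it yourself, the following added example (not WordPress code; the function name wp_permission_audit is assumed) walks a WordPress root and lists every file or directory whose mode grants more than the recommended 755/644, which catches 777 and 666 while letting the stricter 750/640 pass.

```php
<?php
// Added example (not WordPress code): report every file or directory under a WordPress
// root whose mode grants more than the recommended 755 (directories) / 644 (files).
// Function name wp_permission_audit is assumed.
function wp_permission_audit(string $root): array
{
    $findings = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($walker as $path => $info) {
        $mode  = fileperms($path) & 0777;
        $limit = $info->isDir() ? 0755 : 0644;
        // Any bit set in $mode that the limit does not allow (for example the group and
        // other write bits of 777 or 666) is a finding. 750 and 640 are stricter and pass.
        if (($mode & ~$limit) !== 0) {
            $findings[$path] = sprintf('%04o', $mode);
        }
    }
    ksort($findings);
    return $findings;
}

// Usage from the command line: php audit.php /path/to/wordpress   (placeholder path)
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    foreach (wp_permission_audit($argv[1]) as $path => $mode) {
        echo "$mode  $path\n";
    }
}
```

wp-config.php deserves an even tighter mode (such as 640 or 600) because it holds the database password and the keys and salts.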
6. The .htaccess file.
The .htaccess file (on Apache servers) is another place where you can tighten the security of your WordPress website.
For example, add the following to the .htaccess file in your site root so that wp-config.php can never be requested directly through the web server (a bare “deny from all” without the Files block would lock out your whole site):
<Files wp-config.php>
deny from all
</Files>
The code below ensures that only one specific IP address can reach wp-admin. For this you need to create a separate .htaccess file and upload it to the wp-admin folder. Keep in mind that this only works if your own IP address does not change, and that many plugins and themes call wp-admin/admin-ajax.php from the public pages, so this rule can break those features for your visitors.
allow from 123.456.7.8
deny from all
Note: replace the IP address above (a placeholder) with your own IP address.
7. Two Step Authentication.
Two-step authentication is becoming increasingly popular. When you use this, it is no longer enough to just use a username and password to log in. You often get an SMS with a code with this method, making your WordPress admin as safe as online banking.
For example, a free solution for two-step authentication is:
Google Authenticator: a free WordPress plugin generates a secret key that you add to the Google Authenticator app on your smartphone, which then produces the login codes.
You may find this too time consuming (grab your phone every time you log in), but it is a very effective way to protect your WordPress admin!
8. Hide WordPress version number.
With this technique you hide the version number of your WordPress website. Hackers are then less likely to know which version of WordPress you are using, and therefore which “weak spots” your website might contain.
The version number of your WordPress website is shown in several places. You can find out online how to hide it. Basically there are 2 options: the first and best one is to change some code in your theme, and the second option is to use a plugin.
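As an added example of the first option (not the page’s or any plugin’s code; the hwv_ names are assumed), this small must-use plugin removes the version from the places WordPress prints it: the generator tag in the page head and feeds, and the ?ver= query string on core scripts and styles.

```php
<?php
/*
Plugin Name: Hide WP Version (added example)
Description: Removes the WordPress version from the page head, feeds and core asset URLs.
*/
// Added example, not the page's or any plugin's code. Names prefixed hwv_ are assumed.

// The <meta name="generator" content="WordPress X.Y"> tag in the <head> and the
// <generator> element in the RSS/Atom feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Core scripts and styles are enqueued as /wp-includes/...?ver=X.Y.Z, which reveals the
// version too. Drop the ver argument only when it equals the core version, so that
// plugin and theme assets keep their own cache-busting numbers.
function hwv_strip_core_version($src)
{
    if (!is_string($src)) {
        return $src;
    }
    parse_str(parse_url($src, PHP_URL_QUERY) ?? '', $query);
    if (($query['ver'] ?? '') === get_bloginfo('version')) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'hwv_strip_core_version', 15);
add_filter('style_loader_src', 'hwv_strip_core_version', 15);

// Not covered here: readme.html in the site root also states the version; delete it or
// block it in the web server. Hiding the number is no substitute for updating, because
// vulnerability scanners simply probe for the weakness whether the version is shown or not.
```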
Use common sense.
In addition to the techniques mentioned above, there are many more things you can do to (better) secure your WP site. But more importantly: use your common sense! So:
- Make sure your computer is free from viruses;
- Never log into your WordPress website over an unsecured WiFi network;
- Never give your password to someone you don’t (fully) trust;
- Make regular backups (more on this later);
- Do not send passwords by email, but by SMS;
- Change your password regularly;
- Don’t just give anyone admin rights to your WordPress website;
- Make sure your WordPress password is unique (and is not used on other websites, such as mail or Facebook);
The above all sounds very logical, but many people think about it too easily or, for example, forget to change their password regularly.
Make regular backups.
If you have properly secured your website with the tips mentioned above, the chance that your online presence will be hacked is much smaller. But if it does happen, you obviously don’t want to lose everything. That is why it is important to make regular backups of your WordPress website.
Make sure that these backups are not only stored on your server, but also on your computer (and possibly in Google Drive and/or Dropbox). If you only store backups on your server, a hacker can delete these backups and you will still lose everything.
Scan your website.
You may not think about it, but it may just happen that you don’t even notice when your website is hacked. Many people think that their entire website will stop working, but of course it doesn’t have to be! If a hacker wants to use your server to send SPAM, he doesn’t necessarily want you to know (and therefore the hacker can benefit from leaving your website intact as much as possible).
So it is useful to scan your website regularly for malware and other suspicious files. Many hosting services already do this, but many others don’t. There are plenty of WP plugins for this purpose.
Securing your WordPress website is important. However, many people only think of this when it is too late; they will lose everything and may even be blocked by Google because of SPAM.
If your website is hacked, contact your web host immediately, change all your passwords or restore a backup. In any case, you now know how to protect a WordPress site from hackers. If you need to know even more, you can also click on the link you just skipped. It links to an extensive WP protection guide which was published by the website WP Beginner. Good luck!