WordPress powers roughly 1 in 5 websites at the time of writing (and as you’re reading this, yours is quite likely one of them), so, much as with a Windows PC, it is well worth an attacker’s time to find a way into the WordPress software: if they can break into one site, the same trick works against millions of others.
That’s not to say that WordPress (or Windows) is bad or insecure. It’s simply that there are millions of websites that can be attacked in exactly the same way once someone works out how to attack just one.
Why would a hacker want to break into your WordPress website?
Well, there is no shortage of reasons, and most of them will reflect badly on you, either directly (your website could stop working, or search engines like Google could flag your site as malicious once it has been hacked) or indirectly (your visitors won’t thank you if their PCs get infected because of your website).
Imagine that your hacker runs a network of dodgy pharmacy (i.e. selling Valium and Viagra), pornography and adult dating websites. He wants to get more people to visit those websites, and to do that he might:
- change your site so that it links to his own (in the hope that the more sites that link to his, the better his search engine rankings will be),
- change your site so that it’s full of affiliate links to sites that sell things so that he gets the commission,
- use your hosting account to send out spam email from a “clean” account and server so it’s less likely to get blocked by the recipients
- use your hosting account’s webspace to host photos or videos that he uses elsewhere
- steal your visitors and just redirect anyone visiting your site to his own
- hide code on your pages that offers your visitors a program to download and run which will cause them trouble – either tricking them into paying the hacker or stealing the passwords saved on their PC
- hide code on your pages which will silently run a program on your visitors’ PCs if they are using an old, insecure version of a web browser like Internet Explorer, Chrome or Firefox, or of a plugin like Flash or Java (a so-called “drive-by download”).
How could a hacker break into your WordPress website?
There are three main ways a hacker could break into your WordPress site and take control of it: backdoors, insecurities and by plain brute force:
- Backdoors – if you’ve downloaded and installed a free plugin or a free theme for your WordPress website, you’ve put your trust in whoever created that plugin or theme. You’ve installed their software inside your website: if there’s any malicious code inside what you installed, it doesn’t matter how securely you lock the front door – you’ve already let the bad guys in
- Insecurities – software is updated all the time. You know that from your PC, even your smartphone: regular software updates are made available, sometimes to bring extra features, but usually to fix security problems that have been discovered. Say you installed a plugin on your WordPress website last year – it might be version 1.3 of the plugin, but if the developer has since found a bug or security hole, it could have been updated to version 1.4. If you are still running version 1.3, your website is vulnerable to that problem, and because the fix is public, so is the description of the hole it closes.
WordPress itself is updated regularly too – you absolutely have to be using the latest version, or you are just asking for trouble. Attackers have automated tools that roam the internet looking for websites running out-of-date versions of WordPress, plugins and themes: if you are not keeping your website up to date, you will get hacked sooner or later.
- Brute force – this is basically just guessing your password. It costs nothing for someone to try to log into your website, especially when they have remote control of millions of virus-infected PCs in a “botnet”. They can get the PCs under their control to try logging into your WordPress website: if your website is www.mysite.com then everyone knows the WordPress login form lives at www.mysite.com/wp-login.php (and that www.mysite.com/wp-admin/ redirects to it), so the hacker points his brute-force attack there and starts guessing usernames and passwords. If one PC can try logging in 1000 times an hour, and there are thousands of PCs trying, then unless your password is really strong it’s only a matter of time before one of them guesses the right combination of username and password.
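The brute-force pattern just described leaves a very recognisable trail in the web server’s access log: one address sending a burst of POST requests to wp-login.php. The script below is an added example, not part of the original article, showing how to spot that trail. It assumes the server writes Apache “combined” format log lines, and it relies on the fact that a failed WordPress login re-renders the form (HTTP 200) whereas a successful one redirects into the dashboard (HTTP 302). The sample log lines, the threshold of 10 attempts in 10 minutes and the IP addresses are all constructed for the example; xmlrpc.php is counted as a login endpoint too, because it also accepts a username and password.

```python
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" log lines (documentation IP ranges, not real
# traffic): a guessing burst from 203.0.113.7 that eventually succeeds, one
# normal admin login from 198.51.100.22, and a couple of ordinary requests.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Mar/2014:09:00:{s:02d} +0000] '
     f'"POST /wp-login.php HTTP/1.1" 200 3541 "-" "Mozilla/5.0"'
     for s in range(12)]
    + [
        '203.0.113.7 - - [10/Mar/2014:09:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '198.51.100.22 - - [10/Mar/2014:09:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3541 "-" "Mozilla/5.0"',
        '198.51.100.22 - - [10/Mar/2014:09:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '192.0.2.9 - - [10/Mar/2014:09:07:00 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
        '192.0.2.9 - - [10/Mar/2014:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3541 "-" "Mozilla/5.0"',
    ]
)

# Apache "combined" format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Endpoints that accept a WordPress username/password (xmlrpc.php does too).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return the fields we need from one log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def find_bruteforce(log_text, threshold=10, window=timedelta(minutes=10)):
    """Return {ip: {"attempts": n, "succeeded": bool}} for every client that
    sent at least `threshold` login POSTs within any span of length `window`.
    `threshold` and `window` are example values; tune them for your site."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            attempts[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in attempts.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: the densest run of login POSTs from this address.
        start, densest = 0, 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            # A failed login re-renders the form (200); success redirects (302).
            # A 302 after a burst of 200s means a guess probably landed.
            succeeded = any(r["status"] == 302 for r in recs)
            flagged[ip] = {"attempts": len(recs), "succeeded": succeeded}
    return flagged


if __name__ == "__main__":
    # Pipe a real access log in, e.g. `python3 wp_bruteforce.py < access.log`;
    # with no input on stdin the constructed sample above is used instead.
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for ip, info in find_bruteforce(text).items():
        verdict = "and appears to have SUCCEEDED" if info["succeeded"] else "all failed"
        print(f"{ip}: {info['attempts']} login attempts, {verdict}")
```

An address that trips this check is a candidate for a block at the firewall or in .htaccess; one whose burst ended in a 302 means you should assume that account’s password is known and change it straight away.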
Do you really need to protect your WordPress website?
Yes, no question. You absolutely must protect against all three forms of attack: backdoors, insecurities and brute force. It isn’t optional: either you do it, or someone else does it for you – you can’t ignore this. Even if you rarely change what is on your website, if it uses WordPress you absolutely have to look after it – weekly ideally, but at the very least once a month. Leaving it for months on end is not an option: if your website is hacked, you put your website and online reputation, your visitors’ safety, and even the server itself in danger.
If you don’t want to, don’t have time, or can’t do this yourself, ask someone else to do it for you. Daniel at Digital Red can do this for you – call him on 020 3411 4445 to arrange it: completing all of the steps below will cost £60 for almost all websites, and maintaining ongoing updates between £15 and £25 per quarter.
You can do it yourself though, if you follow the notes below – you don’t need any special tools or software, just a little computer knowledge and some patience (not having either is not an excuse not to deal with the problem!). Allow 2-3 hours to work through the first 5 steps, and another 1-2 hours for the optional extra steps at the end.
How to get your WordPress website protected now
You can either ask Daniel to do everything for you, or you can do it yourself.
- To ask Daniel to do it for you, read these notes and/or call him on 020 3411 4445
- To make the changes yourself, follow ALL of the steps below:
- Intro – what you need before you start
- Step 1 – Backup before you do anything
- Step 2 – Update WordPress, Plugins and Themes
- Step 3 – Thin out WordPress (delete unused Plugins)
- Step 4 – Password protect the wp-admin folder and wp-login.php
- Step 5 – Disable the XML-RPC function in WordPress
- Step 6 – Install security plugins, delete extra users, change passwords