Have you ever wondered why some websites are more susceptible to being hacked than others? Is your site one of those? Well, if so, that has to be a bit worrisome for you.
There are a lot of factors that influence which sites get targeted and how a cybercriminal infiltrates your website and steals personal information.
Getting hacked is a pretty big deal, at least for me; I feel it’s more like having broccoli stuck between my teeth, and that’s awful!
Anyway, technically speaking, your website being hacked means the bad guys can end up serving your users spam, stealing sensitive private information, and, in the worst-case scenario, turning your website into a Bitcoin mining trap. And heaven forbid, hackers can literally deface your website and cause major damage to your brand as well.
We’ll focus on how to be aware of the broccoli effect; by which I mean, getting hacked!
Like it or not, the truth is that WordPress websites are more likely to store tons and tons of data that can potentially put a company out of business if they get hacked!
However, with the rising awareness and tighter enforcement of regulations such as GDPR, protecting your site from getting hacked has become mandatory, and, in fact, it’s easier to do than most people think.
Below, I would like to highlight a number of factors that increase the chances of your WordPress website getting hacked, and what you need to do to protect it.
Is WordPress insecure?
Here is a million dollar question that a lot of people ask –
Is WordPress insecure as a platform?
The short answer is “No”; it is indeed a secure platform!
The numbers speak for themselves; WordPress makes up over 32 percent of the top 1,000,000 websites on the internet.
There is no denying that this popularity is exactly why the CMS is such a darling in the eyes of attackers. Some even call it the Microsoft of the web.
However, there are times when evil minds end up creating code that runs on WordPress, and this is when security vulnerabilities happen.
In most cases, the core team is right on top of it, developing and releasing fixes in a very timely manner compared to other major open-source content management systems.
OK, moving on, let’s get acquainted with a few pointers on mistakes that simply aren’t worth putting your business at risk for!
1. Not updating WordPress
One of the commonalities among WordPress hack victims is not updating their website.
According to several reports (the reliable ones), 55-61% of WordPress hack victims were running an out-of-date WordPress when they got infected, which is definitely not a coincidence.
WordPress security updates happen automatically. However, some users, especially the non-techies, disable that functionality altogether. People who don’t update their site on a regular basis fall into two traps:
- First, they put off updates or ignore them as they are preoccupied.
- Second, they are afraid that updating will break their site’s performance.
Luckily, if you fall into the latter category, a few precautions will make sure an update can’t break your site. For example, create a complete backup of your site before you run an update. Even if the site crashes, you will always have the option to restore the previous version.
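The opposite of disabling the updater, as an added example that is not from the original post: a small must-use plugin that keeps core, plugins and themes updating automatically while letting you hold back a few you would rather update by hand after a backup. The plugin and theme slugs in the two lists are placeholders.

```php
<?php
/**
 * Plugin Name: Keep WordPress Updated (added example, not part of the original post)
 * Drop into wp-content/mu-plugins/; must-use plugins load on every request and
 * cannot be deactivated from the dashboard by accident.
 */

// The weak setting: many owners silence update nags by adding this to wp-config.php.
// Leave it out (or set it to false) so the background updater can run at all.
//   define( 'AUTOMATIC_UPDATER_DISABLED', true );

// Core releases. 'minor' (the WordPress default) applies security and maintenance
// releases only; true also installs major versions. Normally set in wp-config.php,
// but the updater reads it at cron time, after mu-plugins have loaded.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', 'minor' );
}

// Plugins and themes you prefer to update by hand after taking a backup.
// Placeholder slugs; replace them with your own.
const KWU_MANUAL_PLUGINS = array( 'example-fragile-plugin' );
const KWU_MANUAL_THEMES  = array( 'example-custom-theme' );

// Auto-update every other plugin. $item is the update offer; ->slug is the plugin slug.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    return ! in_array( $item->slug, KWU_MANUAL_PLUGINS, true );
}, 10, 2 );

// Same for themes; ->theme is the theme directory name.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    return ! in_array( $item->theme, KWU_MANUAL_THEMES, true );
}, 10, 2 );

// Log what the updater did (to the PHP error log, or wp-content/debug.log when
// WP_DEBUG_LOG is on) so a breakage can be traced back to a specific update.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $items ) {
        foreach ( $items as $item ) {
            $failed = is_wp_error( $item->result ) || false === $item->result;
            error_log( sprintf( '[auto-update] %s "%s": %s', $type, $item->name, $failed ? 'FAILED' : 'ok' ) );
        }
    }
} );
```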
2. Bad password hygiene
Don’t be offended, because this point is for those who still use the same password for every single website they visit. Well, it’s time for an intervention. And consider it mandatory too!
Also, stop storing credentials in Google Sheets. In the context of WordPress, you need to set password rules. With the help of the Force Strong Passwords plugin, you can enforce them across your entire user base.
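The kind of rules the author means, as an added example that is neither the post’s own code nor the Force Strong Passwords plugin: a must-use plugin that rejects weak passwords wherever WordPress lets a user set one. The short list of common passwords is constructed for the example.

```php
<?php
/**
 * Plugin Name: Minimum Password Policy (added example, not the Force Strong Passwords plugin)
 * Rejects weak passwords on the profile screen, the add-user screen and the
 * password-reset form. Drop into wp-content/mu-plugins/.
 */

const MPP_MIN_LENGTH = 12;
// Constructed sample list; a real deployment would use a much longer breach list.
const MPP_COMMON_PASSWORDS = array( 'password', 'password1234', 'qwerty123456', 'wordpress123', 'letmein' );

// Returns '' when the password is acceptable, otherwise the reason it was rejected.
// Pure function, so it can be tested without loading WordPress.
function mpp_password_problem( $password, $username = '' ) {
    if ( in_array( strtolower( $password ), MPP_COMMON_PASSWORDS, true ) ) {
        return 'That password appears in public breach lists; choose another.';
    }
    if ( strlen( $password ) < MPP_MIN_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', MPP_MIN_LENGTH );
    }
    if ( '' !== $username && false !== stripos( $password, $username ) ) {
        return 'The password must not contain your username.';
    }
    // Require at least three of the four character classes.
    $classes = preg_match( '/[a-z]/', $password ) + preg_match( '/[A-Z]/', $password )
             + preg_match( '/[0-9]/', $password ) + preg_match( '/[^a-zA-Z0-9]/', $password );
    return $classes >= 3 ? '' : 'Mix upper case, lower case, digits and symbols (at least three kinds).';
}

// Both the profile screen and the reset form submit the new password as pass1.
function mpp_validate( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // No password change in this request.
    }
    $username = isset( $user->user_login ) ? $user->user_login : '';
    $problem  = mpp_password_problem( wp_unslash( $_POST['pass1'] ), $username );
    if ( '' !== $problem ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $problem ) );
    }
}

// Profile and add-user screens: ( WP_Error $errors, bool $update, stdClass $user ).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    mpp_validate( $errors, $user );
}, 10, 3 );

// Lost-password reset form: ( WP_Error $errors, WP_User|WP_Error $user ).
add_action( 'validate_password_reset', 'mpp_validate', 10, 2 );
```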
3. Two-factor authentication
You may think that I’m asking a lot from you today, but it’s simply because I care.
You have set a strong password for your WordPress site, but have you considered setting up “two-factor authentication” for logging into your website as well?
This means that every time you log in to your website, you will also need to authenticate with another device.
Although it is challenging for hackers to spoof (full disclosure: not impossible), it automatically adds one more layer of security to prevent unauthorized access to your website.
Fortunately, WordPress has many different two-factor solutions, from fully featured commercial implementations like Duo Security to something more straightforward like Two Factor by George Stephanis.
Other popular plugins, like Jetpack, WordFence, and iThemes Security, have 2FA built in as an additional feature.
4. Protect WordPress admin directory
One of the most common WordPress hack attempts involves getting hold of your WordPress login credentials, either through brute-force attacks or password theft. To prevent this from happening, you need to protect your WordPress admin directory (in short, your wp-admin page).
Of course, one of the best ways to do it is by enabling solid password protection on your WordPress admin page.
The second thing you can consider is the two-factor authentication setup I mentioned above. Here, users don’t just need a password to log in; they also need to input a code that’s sent to them via text message, email, or an app.
Fabrizio uses WordFence with two-factor authentication enabled on Magnet4Blogging; however, as I mentioned earlier, there are many other plugins you can use to set up 2FA.
Do not use “admin” as your WordPress username. Trying this default username is the most common trick hackers use to get into a site, so you should definitely switch it up.
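Two of the points above in code, as an added example that is not from the original post or from any of the plugins it names: a must-use plugin that refuses the “admin” username outright and slows brute-force attempts by locking a username out after repeated failures from the same address. The attempt limit and lockout time are assumptions you can tune.

```php
<?php
/**
 * Plugin Name: Login Hardening (added example, not part of the original post)
 * Forbids the "admin" username and locks a username out for 15 minutes after
 * 5 failed logins from the same IP. Drop into wp-content/mu-plugins/.
 */

const LH_MAX_ATTEMPTS = 5;
const LH_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;

// WordPress refuses these usernames when an account is created (filter added in WP 4.4).
add_filter( 'illegal_user_logins', function ( $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator' ) );
} );

// Transient key scoped to the attempted username and the client address.
function lh_key( $username, $ip ) {
    return 'lh_fail_' . md5( strtolower( $username ) . '|' . $ip );
}

// REMOTE_ADDR is the address to trust unless your host terminates TLS on a proxy
// and documents a header you can rely on (X-Forwarded-For is client-supplied).
function lh_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Count failures; wp_login_failed fires with the username that was tried, and
// every further failure refreshes the counter's expiry.
add_action( 'wp_login_failed', function ( $username ) {
    $key = lh_key( $username, lh_client_ip() );
    set_transient( $key, (int) get_transient( $key ) + 1, LH_LOCKOUT_SECS );
} );

// Refuse the attempt once the limit is reached. Priority 30 runs after the
// built-in password check (20), so even a correct password is rejected during a lockout.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( (int) get_transient( lh_key( $username, lh_client_ip() ) ) >= LH_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', sprintf(
            'Too many failed logins. Try again in %d minutes.', LH_LOCKOUT_SECS / MINUTE_IN_SECONDS ) );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter for that username/IP pair.
add_action( 'wp_login', function ( $username ) {
    delete_transient( lh_key( $username, lh_client_ip() ) );
} );
```

Transients live in the options table (or the object cache if one is configured), so the counters survive across requests but are cleaned up automatically when they expire.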
5. Dodgy themes
Since we don’t have all day, I won’t go into a great deal of detail on this. You can do a quick Google search later if you like.
Initially, it might seem like a cool money-saving tactic for website owners, but what you may not know is that most of the websites that sell cheap and cheerful themes are dodgy.
Dodgy in the sense that their themes are badly coded, lack timely updates, and have poor support.
Downloading and installing any random theme may end up compromising the overall security of your website. You know the old saying: there’s no such thing as a free lunch. For a premium theme, make sure you get it from a reputable WordPress development company, one that has been around for a very long time and has built up trust and a reputation, like StudioPress.
6. Plain FTP instead of SFTP/SSH
Generally, FTP accounts are used to upload files to your web server using an FTP client. Most providers support connections over several protocols, so you can connect just as easily with plain FTP, SFTP, or SSH.
Now the thing is, when you connect to your site using plain FTP, your password is sent to the server unencrypted, which means it can be easily spied upon or, in the worst case, stolen. So, instead of plain FTP, try using SFTP or SSH.
Fortunately, most FTP clients can connect to your website over SFTP as well as SSH. You just need to change the protocol to ‘SFTP – SSH’ when connecting to your site.
Check out this detailed tutorial video for a full explanation of FTP, SFTP, and SSH.
7. Insecure web hosting
When it comes to the web, you may find a clear correlation between the price and the quality of hosting. Hosts who can hire more professionals and experts tend to charge more than others. Critical issues like security shouldn’t be ignored or put off for another day. Consider looking around for a quality host that offers everything, from a convenient budget to quality services, in one package.
When it comes to secured WordPress hosting, I encourage you to take a look at SiteGround or WPEngine.
In a nutshell
This is just a partial list. There are many things you can do, and I could simply go on and on. Do check out some of the following blog posts on Magnet4Blogging for more tips, though. In the meantime, be cautious and make some real effort to minimize or even stop WordPress hack attempts on your site, before it’s too late!
More WordPress security tips?
Check out these posts –
- How To Enable Secure SSL On Your WordPress Website Quickly
- How To Change The Login URL In WordPress (Security Tip)
- 15 Security Tips And Tools To Lock Down Your WordPress Site
About the Author
Kibo Hutchinson is a Technology Analyst at Tatvasoft UK, a website development company in London. She has a keen interest in learning the latest development practices, so she spends most of her time on the Internet exploring unique and extraordinary topics and technology trends.