I help clients with hacked WordPress Websites all the time. I hear clients that have their WordPress website hacked frequently say that WordPress is so insecure and they got hacked and blame WordPress. However, in 8 years I’ve yet to have a properly maintained website that I manage get hacked. I have a service to clean hacked WordPress websites for clients (not my support clients). Here are a few common denominators that I see every time that lead to their site getting hacked.
Themes and Plugins Not Updated Regularly
WordPress uses external Plugins and themes to provide for functionality and design beyond the basic WordPress installed functionality. However, if these Plugins and themes are not updated regularly they become a target for hackers. For example, if plugin “A” has a known security issue, all a hacker has to do is conduct a web search for all sites using that plugin. Once done, set a robot to attack it exploiting the known security hole. Voila, your WordPress website hacked.
This is why it’s important to update Plugins and themes regularly. Most reputable themes and Plugins stay ahead of hackers and often publish updates to close known security issues.
WordPress not Updated Regularly
A sure fire way to get your WordPress website hacked is to not update WordPress regularly. WordPress, just like Plugins and Themes, has regular updates. Often security issues are found, addressed and patches are released to fix the issue. Keeping WordPress up to date keeps it secure.
Outdated Version of PHP
PHP is the programming language that drives WordPress. PHP runs on your web server and is often updated both for speed and security just like WordPress, Plugins and Themes. At the time of this writing PHP 7.4 is current and PHP 8.0 is on the horizon for general use. Many hacked sites I find are still using PHP 5.3! Updating the PHP version on your server is not only great for security but recent version are many times faster than the old 5.3 version.
Logins are Not Limited
One of the ways hackers access your site is by what’s called brute force. They password guess until they gain access. Depending on how your server is configured, they can even use your own server’s resources to do it! Every password has the weakness of being able to be compromised by guessing. It’s a mathematical certainty and it’s just a matter of time and how fast guesses can be executed. The defense is to slow it down so that the probability of a guessed password extends out to 100 years. This is where limit logins comes in. If a user fails login 3-4 times, you lock them out for an extended period of time. This dramatically increased the time it takes to guess passwords and makes it almost impossible (if you have decent passwords).
No SSL Enabled
An SSL encrypts the communication between the client (web browser) and the server. Without an SSL communication can be intercepted by a malicious 3rd party. They can capture data like logins and passwords making it easier to compromise your site. An SSL is a great security measure, plus, Google gives you some ranking preference if you have an SSL because they consider secure websites a better user experience.
No Re-Captcha on Logins
Google Re-Captcha is the “I’m not a robot” feature you often see on forms across the web. The purpose is to foil robots (malicious hacking programs that try to access websites and fill in forms). This is another measure that can be employed in addition to limit login attempts foil brute force password guessing attacks.
What Can Be Done to not get a WordPress Website Hacked?
Security for your website is like security for a building. You can start with alarms, locks and bars on the windows. However, if you’re a bank, you might also want an armed guard, etc. WodPress is kind of the same, depending on the kind of information you are trying to protect. While the above measures already discussed will dissuade 90% of the attacks, for extra measures of security you implement some of the following measures as well:
- Move the WordPress login page to a new URL location.
- Restrict file permissions greater than the standard WordPress install permissions.
- Use a CDN with firewall
- Block countries IP addresses that are notorious for hacking (China and Russia).
iGo Sales and Marketing Will Help you if you find your WordPress Website Hacked.
We have services to clean and secure hacked websites. Check out our hacked website service.
We also offer monthly WordPress Care Plans that not only secure and monitor your site, but do regular updates, backup your installation (just in case) and provide for general support for your website. Check out one of our WordPress Care Plans.