Research | Why do WordPress sites get attacked by hackers?
First of all, you need to understand that attacks will happen no matter how big or small you think your site is. Hackers exploit common vulnerabilities at scale, hoping to succeed on as many websites as possible: they use automated bots to scan the internet for sites with known security weaknesses and break in wherever there is an opportunity. A single vulnerable website can expose millions of users.
Hackers don’t usually target a specific website. They write programs that identify vulnerabilities in WordPress sites in bulk.
Why are there so many vulnerabilities in WordPress websites?
Apart from the fact that creating a website in WordPress is easy and fast, WordPress has a very strong community and a wide range of ready-made add-ons (design templates, plugins, extensions, etc.).
You can add new features to your WordPress site without advanced coding skills or waiting for a developer to become available, and you can find answers to most of your questions in the community forums.
However, what you always need to keep in mind when using an open-source CMS such as WordPress is that you must maintain your website regularly, which includes watching for new WordPress security patches and applying them promptly.
Common reasons why WordPress is targeted by hackers
Reason 1: Wide reach means more opportunity to do harm. As a result, hackers look for vulnerabilities that affect as many websites as possible.
Reason 2: WordPress site owners often lack the technical expertise to look after their sites and find maintenance too time-consuming.
Reason 3: Both newbies and experts are attracted to the simplicity of the system, which leaves some room for error.
The most popular CMS (Content Management System) nowadays is WordPress: about 40% of all websites worldwide are powered by WordPress.
Here are some tips on how to protect your WordPress sites to prevent future attacks before any damage is done.
1. Creating strong passwords
This may be the most straightforward way to protect your website. Many people use the excuse that it takes too much time, but it needs to be taken seriously. Every site should (or should I say MUST) have a different password.
Each password must be at least 15 characters long, and it’s best if it doesn’t contain a real word. Use a mix of upper- and lower-case letters, numbers and symbols (question marks and other punctuation). A strong, unique password is one of the best defences against hackers. Once you have strong passwords, never write them down. Your passwords should live only in your head or in an encrypted password manager (protected by a strong master password).
If you use a password manager, back up its database so your passwords survive a corrupted database or a failed hard drive.
2. Update your website regularly
When it comes to WordPress, many people don’t want to take the time to keep up with the latest updates. Keep in mind that WordPress doesn’t release these updates to attract media attention. The purpose of the updates is to fix bugs and security vulnerabilities and to introduce new features.
You can’t stay one step ahead of the hackers, but you can close the vulnerabilities that are already known by applying the fixes and workarounds to your site. There is no excuse for not knowing that an update is available. Don’t forget to update your plugins and themes as well. If you have a VPS or dedicated server, update everything on it too (the operating system, web server, PHP and database), not just WordPress.
3. Change your WordPress username
The default administrator username should be changed when you set up your site. Brute force attacks are generally automated, which is why they always try usernames such as “administrator”, “admin” or “user”; use a randomly generated identifier instead. Note that WordPress does not let you rename an existing user from the dashboard: create a new administrator account with the new name, log in as it, and delete the old one, reassigning its content to the new account. Keep in mind, too, that WordPress does not treat usernames as secrets (author archives and the REST API can reveal them), so a non-obvious username only defeats the laziest bots. The username must still be protected with a strong password as per the instructions above.
4. Protection from Brute Force attacks
Most people don’t realize that most websites get at least a few hundred unauthorized login attempts daily. These attacks can not only lead to a successful hack, but also put pressure on your server’s resources. The first line of defence against brute force attacks is the previous steps: a strong password and a non-default username. On top of that, install a login-limiting plugin (for example Limit Login Attempts), which automatically locks out an attacker after a certain number of failed login attempts.
Or do something even better: put a high-quality WAF (Web Application Firewall) in front of the site, so that this traffic is blocked before it ever reaches WordPress.
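The lock-out logic such a plugin implements, shown here as an added example in Python that is not code from the original article or from Virusdie. It reads web-server access-log lines and treats a POST to wp-login.php answered with HTTP 200 as a failed login (WordPress re-renders the form on failure and redirects with 302 on success); any IP that fails more than a threshold inside a sliding time window is flagged, and a second function answers whether that IP is still inside its lock-out period. The log lines are constructed for the example, and the threshold, window and lock-out duration are assumptions you should tune for your own site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Heuristic: a failed login POST to wp-login.php comes back as 200 (the form
# is shown again); a successful one is a 302 redirect into wp-admin.
LOGIN_PATH = "/wp-login.php"
FAILED_STATUS = "200"

# Constructed sample log (not a real capture). 203.0.113.7 hammers the login
# form, 198.51.100.23 is a real user who mistypes once, and 192.0.2.99 fails
# five times but spread over eight hours, so it never crosses the threshold.
SAMPLE_LOG = """\
192.0.2.99 - - [10/Mar/2021:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2021:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2021:13:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:14:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:14:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.25"
198.51.100.23 - - [10/Mar/2021:14:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2810 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2021:14:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:14:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.25"
198.51.100.23 - - [10/Mar/2021:14:00:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:14:01:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.25"
203.0.113.7 - - [10/Mar/2021:14:01:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.25"
192.0.2.99 - - [10/Mar/2021:15:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Mar/2021:17:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop ?redirect_to=... query strings
    return m.group("ip"), ts, m.group("method"), path, m.group("status")


def find_brute_forcers(lines, max_failures=5, window=timedelta(minutes=10)):
    """Flag IPs with >= max_failures failed logins inside a sliding window.

    Returns {ip: {"locked_at": first time the threshold was crossed, "failures": count}}.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if not (method == "POST" and path == LOGIN_PATH and status == FAILED_STATUS):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in offenders:
            offenders[ip] = {"locked_at": ts, "failures": len(q)}
    return offenders


def is_locked(ip, now, offenders, lockout=timedelta(minutes=20)):
    """True while an offending IP is still inside its lock-out period."""
    entry = offenders.get(ip)
    return entry is not None and now - entry["locked_at"] < lockout


def detect_from_sample():
    return find_brute_forcers(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, info in detect_from_sample().items():
        print(f"lock {ip}: {info['failures']} failed logins, locked at {info['locked_at'].isoformat()}")
```

In production the same rule is what you would feed to fail2ban or to your WAF against the live access log; if the site sits behind a proxy or CDN, make sure the log records the client IP (X-Forwarded-For) rather than the proxy’s, or every visitor will share one counter.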
5. Malware control
You need to monitor your website continuously to make sure it has not been infected with malware. There are free plugins for this task that scan your WordPress database, plugins and themes and check the files of the WordPress installation for changes. However, we recommend a high-quality premium security tool that includes server-side scanning, such as Virusdie, which offers many useful additional features and quality support.
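What “checking the files for changes” means in practice, as an added example in Python that is not code from the original article or from Virusdie: record a SHA-256 baseline of every executable or configuration file under the site, keep that manifest off the web server, and diff the live tree against it later. Anything added, modified or removed is either a legitimate update you made or something to investigate. The WordPress tree and the simulated infection below are constructed in a temporary directory for the example; the list of watched file types is an assumption you can extend.

```python
import hashlib
import json
import os
import tempfile

# Only the file types WordPress executes or serves as configuration are
# baselined; uploads such as images change constantly and would just be noise.
WATCHED = {".php", ".js", ".html", ".htaccess"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every watched file under root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower() or name  # ".htaccess" has no extension
            if ext not in WATCHED:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Report which watched files were added, modified or removed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def integrity_demo():
    """Constructed WordPress tree: baseline it, simulate an infection, then diff."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as offsite:
        _write(site, "index.php", "<?php require 'wp-blog-header.php';")
        _write(site, "wp-config.php", "<?php define('DB_NAME', 'wp');")
        _write(site, "wp-includes/functions.php", "<?php function wp_foo() {}")
        _write(site, ".htaccess", "Options -Indexes\n")
        _write(site, "wp-content/uploads/2021/03/photo.jpg", "not really a jpeg")
        manifest = os.path.join(offsite, "baseline.json")  # keep the manifest off the web server
        save_baseline(build_baseline(site), manifest)

        # Simulated compromise (constructed): a core file gains an injected line,
        # a PHP file appears under uploads, and an image changes (not watched).
        _write(site, "wp-includes/functions.php", "<?php function wp_foo() {}\n/* injected */")
        _write(site, "wp-content/uploads/cache.php", "<?php /* dropped file */")
        _write(site, "wp-content/uploads/2021/03/photo.jpg", "another jpeg")

        return compare(load_baseline(manifest), build_baseline(site))


if __name__ == "__main__":
    print(json.dumps(integrity_demo(), indent=1))
```

Rebuild the baseline right after every update you apply yourself, and run the comparison from cron. For the WordPress core files there is also an authoritative reference: WP-CLI’s `wp core verify-checksums` compares them against the official checksums for your version, which catches a modified core file even if you never took a baseline.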
6. How to solve problems caused by malware
Ridding your blog of malware is only half the job; you also need to identify and fix the weakness that let it in, or it will come back. One cost that blog and website owners tend to overlook is the downtime caused by security incidents and the time it takes to fix them.
Virusdie is a good solution for cleaning malware off a website after a hacking attack. You can benefit from the service even if you were hacked before you signed up and your site is already infected.
7. Choosing the right hosting provider
Hosting your blog on a shared server poses a significant risk if the sites are not properly isolated from each other. Think about the risks for your particular blog and multiply them by the number of other blogs on the same server: with shared hosting you will typically share a server with hundreds of other sites. The danger is that if another website on the same server gets hacked, there’s a good chance your website will be hacked too.
Running your own Virtual Private Server (VPS) or unmanaged dedicated server may not be the best solution either, as managing such a server requires knowledge in addition to the cost. Managed dedicated hosting might be a good alternative. It is more expensive, but worth it when you consider the risks of shared hosting: you can expect better security, a faster website, premium support, and full backups created automatically for you.
8. Clean your website
Protecting your blog is a must, but you also need to keep only what you actually use. Delete any old plugins, add-ons and themes that you no longer need. This also means separating staging sites that are still being developed from production sites by hosting them on different servers.
You may start work on a new site and then forget about it for a few months. By then it is outdated and very vulnerable to hacking. For this reason, it’s always a good idea to keep the sites you’re still working on apart from those that are already live.
9. Controlling sensitive information
When cleaning up your blog’s files, be careful not to leave sensitive information available to the world. Remove any phpinfo.php files: their output is a map of your server configuration (PHP version, loaded modules, file paths), and a hacker can use it to plan an attack. Another point of vigilance: don’t store backups of your website on the same server the website runs on. That is an open invitation for hackers to download the backups and break into your site effortlessly, and they can also infect the backups with malware, rendering them useless. Store your backups off-site (e.g. in cloud storage).
Disabling directory indexing is also a good idea, so that hackers cannot browse your blog’s folders and files for information they can use against you. Add “Options -Indexes” (without quotes) to your .htaccess file to disable directory listings. Lastly, avoid plain FTP for important files such as wp-config.php: it sends your credentials and the file contents in cleartext. Use SFTP (SSH File Transfer Protocol) with a client such as FileZilla instead.
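A local check for the leftovers this section warns about, as an added example in Python that is not code from the original article or from Virusdie: it walks the web root looking for phpinfo files, backup archives and stray copies of wp-config.php (a wp-config.php.bak is served as plain text, passwords included), confirms that the root .htaccess really contains an uncommented Options line with -Indexes, and lists the directories that would be browsable if listing were still on. The web root below is constructed in a temporary directory; the lists of risky names and suffixes are assumptions that extend the page’s own examples (the version-control directory .git is one such addition) and should be tuned to your hosting.

```python
import os
import re
import tempfile

# Assumed lists of names that should never be reachable under a public web root.
RISKY_NAMES = {"phpinfo.php", "info.php"}
RISKY_DIRS = {".git"}
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar", ".tar.gz", ".tgz",
                   ".bak", ".old", ".orig", ".save", ".swp", "~")
INDEX_FILES = {"index.php", "index.html", "index.htm"}


def is_risky_file(name):
    lname = name.lower()
    if lname in RISKY_NAMES:
        return True
    if lname.startswith("wp-config.php") and lname != "wp-config.php":
        return True  # wp-config.php.bak, wp-config.php~ ... are served as plain text
    return lname.endswith(BACKUP_SUFFIXES)


def indexing_disabled(htaccess_text):
    """True if an uncommented Options line in .htaccess turns directory listing off."""
    return re.search(r"^\s*Options\b[^#\n]*-Indexes", htaccess_text, re.I | re.M) is not None


def scan_webroot(root):
    risky, listable = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for d in dirnames:
            if d in RISKY_DIRS:
                risky.append(d if rel == "." else f"{rel}/{d}")
        dirnames[:] = [d for d in dirnames if d not in RISKY_DIRS]  # do not descend into them
        for name in filenames:
            if is_risky_file(name):
                risky.append(name if rel == "." else f"{rel}/{name}")
        if not INDEX_FILES & set(filenames):  # no index file: listable if Indexes is on
            listable.append(rel)
    htaccess = os.path.join(root, ".htaccess")
    text = ""
    if os.path.exists(htaccess):
        with open(htaccess) as f:
            text = f.read()
    return {
        "risky_files": sorted(risky),
        "indexing_disabled": indexing_disabled(text),
        "listable_dirs": sorted(listable),
    }


def _touch(root, rel, text=""):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def exposure_demo():
    """Constructed web root with the typical leftovers, scanned once."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("index.php", "wp-config.php", "wp-content/index.php",
                    "wp-content/plugins/index.php", "wp-content/plugins/hello/index.php"):
            _touch(root, rel, "<?php // Silence is golden.")
        _touch(root, ".htaccess", "# Options -Indexes   (commented out, so listing is still on)\n")
        _touch(root, "wp-config.php.bak", "<?php define('DB_PASSWORD', 'changeme');")
        _touch(root, "phpinfo.php", "<?php phpinfo();")
        _touch(root, "backup-2021-03-10.zip", "PK")
        _touch(root, ".git/HEAD", "ref: refs/heads/main")
        _touch(root, "wp-content/uploads/2021/03/photo.jpg", "jpeg")
        return scan_webroot(root)


if __name__ == "__main__":
    for key, value in exposure_demo().items():
        print(key, value)
```

Directory listing is only one way to find these files: a phpinfo.php or a backup.zip in the web root is downloadable by anyone who guesses the name, whether or not Indexes is disabled, so the file scan matters more than the .htaccess check.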
Conclusion
Prevention is necessary, and online security must be a priority. Whether you want to expand your offerings with new website security services, grow your business with website security, or simply protect your clients’ websites to preserve your agency’s reputation, Virusdie can do it all. But with all the tools available, it’s imperative that YOU do your part and follow all the steps outlined in this article.
Absolute and 100% security doesn’t exist, so the goal of security measures is to minimize vulnerabilities and the probability of future hacks.
———
Article by Ivica Delic
founder of FreelancersTools,
exclusively for Virusdie.
Join our private Facebook group to get help from other security experts, and share your own web security experiences and expertise. Group members receive exclusive news and offers. They can also communicate directly with the Virusdie team. Join us on Facebook.