A solid WordPress Security strategy is a key element to help prevent WordPress website hacking. If your website earns money, a hacked WordPress website can damage your business revenue severely. More importantly, a hacked website is damaging to the reputation of your business.
Regardless of your technical abilities, you can implement some very simple solutions to prevent WordPress website hacking on your site.
But first, let’s understand some of the basics of website security.
Why Would Someone Hack My Website?
There are a vast number of bored young people learning the intricacies of the Internet. They often have no respect for the effort and time you put into your website. So they scan the Internet with tools specially designed to find sites with potential vulnerabilities.
Hackers are usually looking for websites that will allow them to install a small script or file so they can:
- Attack other websites
- Send spam emails
- Host or store illegal files
- Mine BitCoin or other cryptocurrencies
Unless you are a large organisation with a lot of personal data, one of these reasons is usually why your website was hacked.
There are many reasons why your website was selected as a potential target:
- WordPress was not updated
- WordPress themes or plugins were not updated
- A user on your website used a weak password for their account
- A vulnerability was caused by your hosting provider
More than 50% of hacked WordPress websites were caused by out of date core files, themes or plugins. Roughly 40% of hacked websites were due to hosting provider vulnerabilities while 10% of hacked websites were from weak user passwords.
The goal to prevent WordPress website hacking is to make things more difficult for the hacker by taking precautionary measures. We address exactly how to do that shortly.
How do I Know if my WordPress Website has been Hacked?
One of the scariest and direct methods is when you visit your website and are greeted with a big Warning or Red Error screen in your browser. The message on your screen shouts, “Access to this website has been blocked”.
Ouch! Panic ensues.
Another sign is noticing strange sub-folders or directories showing up on your website or in your Google Analytics reports, something like http://yourdomain.com/jkhjfhfd.
Yet another sign is a long string of characters in the code of the header section on every page of your website. This is usually what triggers Google to block your site, but sometimes the page still loads and you can see the offending code for yourself. That string of characters is computer code (usually PHP) that has been obfuscated with a common encoding technique. When the page is loaded, the code runs and quietly performs additional tasks in the background.
These tasks usually install scripts on your server that communicate with another computer somewhere in the world. That communication gives the attacker access to your website's file system to install backdoors and other tools, so that your server can be used to serve malware or other viruses to your visitors' computers.
If any of these situations exist for you at the moment, your WordPress website has been compromised.
You can get immediate help from these websites:
- How to Clean a Hacked WordPress Site
- WordPress is not Working
- Sucuri – Online Guide and Immediate Help Service
What Methods are Commonly used to Hack a Website?
I feel it is important to describe, in simple terms, the basic methods used by a hacker when attacking a WordPress website. Here are the most common:
Brute Force Attacks
One way this is done is when an attacker keeps trying to log in through the WordPress dashboard in an attempt to guess the user’s password. Many times they have scripts that will perform these actions automatically.
To protect against this, we want something that enforces strong passwords for user accounts. We also want to limit the number of bad login attempts and, after a fixed number of failures, lock out anyone trying to log in as that user.
Since, in WordPress, most changes are made in the database, there is normally no reason for a file or its contents to change. The exception is when updating a theme, a plug-in or the WordPress core. So we want to monitor our website for file changes to detect someone tampering with it.
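File change detection of the kind just described, as an added example that is not part of the original article or of any plugin it reviews: take a SHA-256 baseline of every file under the site root, then report anything added, removed or modified since. The site layout below is constructed in a temporary directory so the example runs anywhere.

```python
"""Added example (not from the original article): a minimal file-change
monitor like the one a WordPress security plugin runs. It records a SHA-256
baseline of every file under a directory, then reports files that were
added, removed or modified since that baseline was taken."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to the SHA-256 of its contents."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            result[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return result


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare two snapshots. Any difference is worth reviewing unless it
    coincides with a core, theme or plugin update you performed yourself."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, then simulate an edited
    wp-config.php and an unexpected PHP file appearing under uploads."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed config\n")
        (site / "index.php").write_text("<?php // constructed index\n")
        baseline = snapshot(root)
        # Changes made after the baseline; nothing here was a legitimate update.
        (site / "wp-config.php").write_text("<?php // constructed config\n// unexpected line\n")
        (site / "wp-content" / "uploads" / "x.php").write_text("<?php // unexpected file\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A real monitor would store the baseline outside the web root and refresh it only right after an update you applied yourself.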
Hackers often use “bots” to crawl websites looking for vulnerabilities. When a bot requests a page that does not exist, the website returns a 404 error (Web Page Not Found) to the bot. To catch this early and stop the bot before it finds anything, we want to monitor our website for any sharp increase in 404 errors.
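The two log-based signals above (repeated failed logins and a burst of 404s from one client), as an added example that is not part of the original article: it parses constructed access-log lines in common log format and flags the offending IP addresses. The thresholds and the sample lines are assumptions made for this example.

```python
"""Added example (not from the original article): detection logic a
WordPress security plugin could run over web-server access logs, covering
brute-force login attempts and 404 spikes from vulnerability-scanning bots."""
import re
from collections import Counter

# Common log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: one client repeatedly failing to log in, one client
# requesting files that do not exist, one ordinary user logging in.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.5 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.5 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
198.51.100.9 - - [10/Oct/2023:13:56:00 +0000] "GET /wp-content/plugins/a/readme.txt HTTP/1.1" 404 212
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-content/plugins/b/readme.txt HTTP/1.1" 404 212
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-content/plugins/c/readme.txt HTTP/1.1" 404 212
192.0.2.1 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.1 - - [10/Oct/2023:13:57:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120
"""


def parse(log_text: str) -> list[dict]:
    """Return one dict per line that matches the log format; skip the rest."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]


def failed_login_ips(entries: list[dict], max_failures: int = 5) -> list[str]:
    """WordPress answers a failed login by re-serving the form (HTTP 200) and a
    successful one with a redirect (302), so 200s on POST /wp-login.php are
    failures. Clients reaching max_failures are candidates for lockout."""
    failures = Counter(
        e["ip"] for e in entries
        if e["method"] == "POST" and e["path"].startswith("/wp-login.php") and e["status"] == "200"
    )
    return sorted(ip for ip, n in failures.items() if n >= max_failures)


def scanning_ips(entries: list[dict], max_404: int = 3) -> list[str]:
    """Clients producing max_404 or more 404s look like scanners probing for
    files that are not there. Production code should count within a time window."""
    not_found = Counter(e["ip"] for e in entries if e["status"] == "404")
    return sorted(ip for ip, n in not_found.items() if n >= max_404)
```
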
DDOS refers to a “distributed denial of service” attack. In simple terms, the hacker floods the website server with loads of network traffic making it impossible to serve up web pages. In a distributed attack, this flood of traffic originates from multiple locations around the globe. You can read more about DDOS attacks here.
These are just a few of the methods used. There are other alternatives we could go into here, and we could get far more technical. But for the purpose of keeping things simple, let’s move forward with these as they are the most common.
How Can You Prevent WordPress Website Hacking?
There are many manual methods to undertake to secure a WordPress site.
The first thing to do is to ensure your WordPress core, themes and plugins are always up to date. You do not need to check every day for updates. Usually, once every 1 to 2 weeks is sufficient to keep things secure. This also helps you avoid bugs in newly released versions of plugins. If you update immediately, you might experience issues. If you wait a few days, you can determine if the update is safe enough to apply.
A simple, effective way to keep WordPress secure is with a WordPress Security plugin. These are powerful, simple to use and take the pain out of making WordPress secure.
Let’s take a look at a few of the top plugins for securing your WordPress website.
iThemes Security offers a Free and a Paid version of their plugin. This allows you to prevent WordPress website hacking immediately. There are a lot more features in the paid version that help with hacker prevention.
Once installed, it has a wizard for quickly securing a WordPress website. It protects against Malware and a variety of common hacks known to the WordPress Security community.
Here is a quick overview of how this plug-in helps to prevent WordPress website hacking:
- Monitors your website for Malware using Sucuri SiteCheck
- Brute Force Protection
- Strong Password enforcement and monitoring
- Lockout bad user login attempts
- Ability to hide WordPress login and Admin area
- File Change Detection
- 404 monitoring and detection
- WordPress and System tweaks for additional security
- Scheduled database backups
In the iThemes Security Pro Version, you can add things like “two-factor authentication” for Dashboard logins. It also comes with a Security Grade report that constantly monitors and reports on the security of your website. This gives you suggested improvements you can implement with the click of a button. If you are not sure, there is integrated contextual help to assist you.
The Pro version also offers a User Security check. This assesses the security of all your WordPress user accounts, allowing you to take action on them if needed. The Malware scanner is also more advanced in the Pro version. This allows you to run regularly scheduled scans on your website for malware and will send you a report if anything is found.
For beginners and newbies, this is a well-rounded security tool that is simple to configure and easy to use.
Sucuri is a major player in the web security community, not just WordPress Security. So it is no surprise they offer a robust security plug-in for the WordPress platform. The number of features and options offered can be a little overwhelming. But this is a serious tool to prevent WordPress website hacking and does a great job of keeping WordPress secure.
Their SiteCheck technology is included in the iThemes Pro security plugin for WordPress. This means other security providers trust them. But this comes at a price. The premium version of this plug-in is the most expensive of the bunch but offers the most complete suite of security tools.
For a beginner, we have found the configuration choices a bit overwhelming. From the WordPress dashboard, alerts and suggested fixes are clearly presented to help you make the best security decisions. And if you get stuck, Sucuri wants to hear from its users to help get problems fixed.
You can read a full review of the Sucuri Security for WordPress plug-in here.
Upgrading to a premium version is not a simple task of clicking a button. There are multiple services available at a few different price levels. Lower priced packages are sufficient if you are an individual or small business.
Another premium service they offer is an immediate response service with a promised response within 4 hours. With this service, a US toll-free number is available so you can talk to someone who will help you. Other immediate methods are available for non-US users, such as live chat, support tickets and email.
Sucuri is a more complex, high-end service offering a full suite of security products for your website.
WebARX is a fairly new security product focusing on WordPress websites. It is a website security and monitoring platform that helps freelancers, digital agencies and website owners protect and monitor multiple websites from a single dashboard.
From the dashboard, you have a complete overview of your websites, a first line of defence, and an intelligence system that lets you know when there is a risk and how to fix the problem. WebARX monitors your website’s uptime, site speed, defacement (and hacking databases), blacklists, software vulnerabilities, domain expiration, site errors and much more. It also lets you set up alerts for all of these event types so you are notified by email or Slack.
The WebARX tool analyzes thousands of websites per day for hacking incidents. They provide the info gathered to national CERTs (Computer Emergency Response Teams) around Europe. They also use the same data to update the firewall on your website in real-time.
You get a 14-day, free trial when you register. After that, the basic service is $39 per month. They have more expensive packages that increase the number of websites you can monitor and the level of support you receive.
There is a full review of the WebArx security and monitoring platform here.
If you couple the WebArx platform with the iThemes Security plugin, you have a complete, iron-clad security system to protect any website.
For simplicity and ease of use, this security tool is my number one choice.
We picked Wordfence as one of the top security plug-ins because of the features it offers in the free version of its tool. And if you do go premium, there is one price, completely removing any decision making process.
The Wordfence plugin uses what they term a “Threat Defense Feed” that keeps the plugin up to date with the newest firewall rules, malware signatures and malicious IP addresses to keep your website safe.
For me, it was not as intuitive as the other top rated plug-ins in this list. But I understand they have updated their User Interface and it provides a much richer and informative picture of your website WordPress Security situation.
Many website owners use Wordfence and we have found a few reasons why this security plugin is so popular.
- Website Firewall comes as a Standard (free) feature
- Brute Force Attack Blocking
- Malware Scanner
- Activity Tracking
- File Repair and Monitoring
I especially like the activity tracking feature. It shows you how people and bots are interacting with your site. You can determine who is a threat and who isn’t. You can also see who has logged in, logged out and what hacking attempts were made if any.
There are a number of useful items in their premium version as well:
- Two-factor authentication
- Real-time Threat monitor
- Scans your website to see if it is generating malware, Spam, etc.
This is a tool that is very simply packaged. It does not have all of the features we would want in a security plug-in. But it covers many of the critical areas.
Additional Steps to Prevent WordPress Website Hacking
A good website security strategy is made up of preventative, proactive security measures. As a website owner, you should expect your website to be hacked. Then take the necessary steps to prevent your website from being damaged as a result of an attack.
Unfortunately, there are very few steps you can take to prevent an attack on your website. If it is on the Internet and publicly accessible, hackers will try to attack it. But, thanks to these tools, you will have the technology and the functionality available to assist you. And these tools will quickly deter hacking attempts and prevent any damage.
Another good security strategy is to configure layers of protection for your website. These solutions in this post deliver layered security solutions. And they help you configure and manage these security layers effectively.
Scan Your Website Now
One very popular tool that hackers may use to look for opportunities is called “WPSCAN” (https://wpscans.com). It started as a command-line tool for Linux that scans a WordPress site. Running it displays data about the website such as the plug-ins used, the theme used, user accounts and a lot more. They now offer the scanner via their website.
The free account lets you scan a single website to determine the level of security deployed. The results identify potential security issues with your WordPress website. I ran it on my website with the Security plugin active and I was getting an error telling me the website was not a WordPress website. So my security plugin was doing its job effectively.
Another website scanner available is from Sucuri at https://sitecheck.sucuri.net/. This tool provides a more complete picture of your WordPress website’s security situation. This tool will also do a blacklist check at a number of places to make sure your website is not blacklisted. There is also some helpful feedback on the WordPress security elements that are not yet implemented on your website.
Implement a website backup utility that will back up your website files and the database. Most tools allow you to schedule backups at regular intervals so you do not have to do anything. Having a backup ensures that, if you ever have a security issue, you still have a good, recent copy of your website.
Keep Activity logs
It is a good idea to monitor the activity of visitors and other users on your website. That way, if a problem occurs, you know where to start your investigations. Many of the plug-ins in this article handle these tasks nicely.
Pick a WordPress Security plugin and give it a try. Don’t deliberate too much on this. Any of these are good choices and extremely useful towards preventing WordPress website hacking.
You will be able to sleep well at night knowing your WordPress security tool is protecting your website.