How would you feel if you woke up one morning to find that the site you have poured your heart and soul (and hard earned dollars) into had been hacked?
One day you’re sending prospective customers to your site and the next day, in its place is some ugly ad site or inane message from the hacker.
The bad news is that once a site is hacked, it is normally very difficult to clean. In fact, without a known clean backup, you risk having to start from scratch again.
SCARY THOUGHT!
Yes, WordPress sites are often targeted by hackers, and odds are your site will be a target at some point. But the good news is that there is a lot you can do to protect yourself (and your site).
Is your website experiencing problems right now?
If your website has already been hacked, we recommend you sign up for Sucuri to clean your site immediately. Malware removal is complex, and whilst many will offer this service, few can deliver – Sucuri are the undisputed experts in this space.
The Basic Plan from Sucuri will have the hack removed and your site cleaned within 12 hours – it’s the best and most affordable solution we’ve seen over the last 12 years of working with WordPress websites, and the only one we trust.
Secure Setup
Most attacks rely on known “shortcuts” used by 1-click installers (and most developers). By simply taking a bit of extra time to set up your WordPress site properly, you will automatically block many hacking attempts.
And if your site is already set up, but has not addressed the issues below?
Well, it can be fixed, but it’s not a job for the faint hearted (or your VA). It requires a high degree of WordPress knowledge and experience. Get in touch with us to discuss your options.
Is Your WordPress Database Secure?
1-click installers included with most hosting accounts generally use the same database name, database user and (often) database user password.
Hackers know these details and can use them to bypass WordPress altogether and add malicious content or additional users. Once they have installed these “back doors”, your site is effectively theirs to control.
Having an unusual (and hard to guess) database name and user effectively blocks these hacks.
Is Your Table Prefix Non-Standard?
If you don’t know what a table prefix is, don’t worry.
All you need to know is that by default WordPress uses “wp_”, and hackers know this too. Many of their attacks rely on this fact, and can be thwarted simply by using some other prefix.
Is Your Admin Username Secure?
By default many 1-click installers create a WordPress user with full rights to your site and name it “admin”.
Imagine how easy it makes it for hackers knowing that more than 90% of WordPress sites still use this account to access the dashboard. All they have to do is run a “brute force” script to crack the password – and anyone can get access to enough computing power to do that in under 24 hours these days.
Simply replacing “admin” with something harder to guess will make it exponentially harder for a hacker to gain access to your site.
Is Your Password Secure And Hard To Guess?
It is scary how many people use passwords that are easy to guess – pet’s names, birthdays, significant others, etc. If you use anything that could easily be discovered on social media, or with a google search, then you are making it way too easy for the hackers.
Worse still, passwords are often reused across multiple sites. That means if your password is compromised on one site, it makes it a lot easier for someone to gain access to your other sites.
And if you are worried about having to remember some random string of characters and numbers (the most secure sort of password), then maybe it is time to invest in a password management program – 1Password is what we use and recommend, but there are plenty of other good options.
Have You Deleted All Unused Themes And Plugins?
Themes and plugins contain code that can be exploited by potential hackers – whether they are active or not.
Play it safe – deactivate and delete any themes and plugins that you do not absolutely need.
Ongoing Maintenance
OK, so you have the basic setup done in a way that makes it harder for hackers to gain access to your site.
But site security is not a once-off effort. There are things you need to do on an ongoing basis to keep hackers out of your site and ensure you can clean up quickly should they gain access.
Is Everything Up To Date?
Have you noticed how often WordPress is updated? Sure, there are some new features added now and then, but the majority of the releases are to address known security issues.
And if WordPress know about the security issues, you can bet the hackers do too.
Don’t take the risk of hackers gaining access through a hole that WordPress (or theme/plugin developers) have already closed. Make sure you regularly check your WordPress dashboard for available updates and apply them promptly.
Do You Run Regular Backups?
This one won’t stop the hackers, but it will certainly make your job of recovering easier.
We recommend running a full backup on a daily basis. That way, if the worst happens you know you can quickly recover without losing much of your hard work.
Of course, you could do this manually, and there are some decent free backup plugins. But I highly recommend you install and use BackupBuddy or WP Time Capsule. Yes, both cost a few dollars, but they allow you to automate the whole process and make it incredibly easy to restore your site should you ever need to.
Are Your Backups Stored Off Site?
What good is a backup file if you can’t access it when you need to restore from it?
Many hacks can make such a mess of your site that any backups stored on it may become inaccessible and/or corrupted.
Given how cheap cloud storage is now, there is no excuse for not keeping all of your backup files on a secure remote drive.
Do You Regularly Scan For Malware?
Don’t be fooled – many hacks are not immediately obvious.
Often hackers will deliberately not leave any visible signs of attack for weeks (or months). Why? So that when your site is restored from a recent backup, they still have access through the back door they installed and can wreak havoc again.
You can manually run a site scan from Sucuri site scan any time you want. This will scan all of the publicly available pages on your site and let you know if any are compromised.
Even better would be to have these scans automated and run regularly for you – good security software like iThemes Security Pro can do this.
Getting Serious
Everything above falls into what I would call “good housekeeping”, and should be considered the bare minimum to protect your site. However, if you really want to keep the nasty hackers out then you’re going to need a good security plugin.
Security software will help you close down even more of the vulnerabilities that hackers exploit. Think of it like kevlar body armour for your site – it won’t make your site totally impervious to attack, but it will make it very hard to bring down.
Questions to consider when selecting security software are:
- Does it automatically block known suspicious users?
- Does it protect against brute force attacks (ie, people trying to guess your passwords)?
- Does it automatically alert you when files on your site are changed?
- Is it able to enforce strong passwords for all users?
- Does it allow you to force 2 factor authentication for users?
- Does it stop code from executing in directories that it shouldn’t (eg, your uploads directory)?
- Does it prevent browsing of the files that make up your site (often used by hackers to find vulnerable plugins that could be exploited)
We use and recommend iThemes Security Pro. It has the best protection, without overloading your site or slowing it down.
What to do next
If you answered “no” to any of the above questions then your site is at serious risk of attack. These days it is not so much a matter of “if”, but “when” someone will try to attack your site.
Don’t make it easy for them – plug the gaps NOW! If you need help securing your site or if your site has been hacked, choose one of our Website Care Packages so we can take care of your site in the best way possible.