- 19th Feb, 2019
If you have never scoured Facebook groups and dedicated WordPress forums, perhaps you should. There are usually a lot of people talking about their WordPress website being hacked. It is not because WordPress is a terrible product or because it has a lot of security holes; the WordPress core (the part that WordPress itself ships and maintains) is quite secure, and most compromises come in through plugins, themes, weak credentials and poor hosting. We get inquiries almost daily from people whose WordPress website has been hacked. The extent of a hack differs: it depends on how the site was broken into and what the attacker intended.
The last thing a website owner wants to hear is that their website has been hacked. What we like to see is that a few simple things have been done to avoid one. Here are 10 things you can do to avoid your site becoming the victim of a hack.
How To Protect Your WordPress Website From A Hack
- Make sure there are no unused plugins or themes installed on your website. As a website owner you are not expected to know which ones are in use; typically only someone experienced in building websites can tell you for certain. The simplest check is whether the plugin or theme is active: if it is inactive, you are best off deleting it, which removes one potential entry point for attackers. Even when a plugin or theme is deactivated in WordPress, its files remain on the server, and a PHP file inside it that can be reached directly by URL will still execute if it has no guard against direct access. A vulnerability in an inactive plugin can therefore still be exploited, and attackers scan for known-vulnerable plugin paths without caring whether the plugin is active.
- Keep your plugins, themes and WordPress core from becoming insecure, which means updating them as often as possible; ideally every time an update is released. Many updates fix publicly disclosed vulnerabilities, and once a fix is public, attackers know exactly what to look for on sites that have not applied it. Paying someone else to do this for you adds up, but it is cheaper than a clean-up.
- WordPress plugins are almost always required when building a WordPress website. There are, however, both good and bad plugins. Be wary of plugins with a low number of active installs and, more importantly, of plugins that are no longer maintained. If a plugin has had no release in roughly a six-month window, chances are it is no longer supported and may not be worked on at all; the “Last updated” and “Tested up to” values on its WordPress.org page tell you this at a glance. Consider replacing it with a newer plugin that is actively supported.
- Get a custom-built theme. Contrary to common belief and, unfortunately, common practice, there are a lot of problems with pre-built themes from theme clubs. The problem is not how functional or how secure they are when they are first purchased and installed. The problem is that anyone can buy them, generally for under $100, and a popular theme runs on thousands of sites. Someone with ill intent can buy the same theme, study its code for a vulnerability, and then exploit every website running it in one sweep. A custom-built theme is not automatically free of bugs (it is only as secure as the developer who wrote it), but by default only a select few people have access to its code, so a flaw in it has to be found by someone targeting your site specifically rather than by a scanner working through a list of known-vulnerable themes. It costs more initially but can save you more in the long run.
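The following script, added here as an example and not code from the original post, does the first two items above (remove what is not active, then update everything) with WP-CLI. It assumes WP-CLI is installed as `wp`, that you run it from the WordPress root as the site's file owner (not root), and that you have taken a backup first; the `WP` variable and the `run` argument are conventions of this script, not of WP-CLI.

```shell
#!/bin/sh
# wp-hygiene.sh (added example, not from the original post): delete inactive
# plugins and themes, then bring core, plugins and themes up to date.
# Assumptions: WP-CLI is installed as `wp`, the script runs from the WordPress
# root as the site's file owner, and a backup exists. WP and the "run"
# argument are conventions of this script only.
set -eu

WP=${WP:-wp}   # path to (or name of) the WP-CLI binary

# remove_inactive plugin|theme: delete every item WP-CLI reports as inactive.
# Deactivated code is still on disk and reachable by URL, so deleting it is
# the only way to take it out of play. A parent theme shows the status
# "parent", not "inactive", so the active child theme's parent is kept.
remove_inactive() {
    kind=$1
    "$WP" "$kind" list --status=inactive --field=name |
    while IFS= read -r name; do
        echo "deleting inactive $kind: $name"
        "$WP" "$kind" delete "$name"
    done
}

# update_everything: core first (plus its database schema), then plugins
# and themes. The last command lists anything still waiting for an update;
# a plugin that keeps showing up there has a broken or abandoned update
# channel and is a candidate for replacement.
update_everything() {
    "$WP" core update
    "$WP" core update-db
    "$WP" plugin update --all
    "$WP" theme update --all
    "$WP" plugin list --update=available --fields=name,version,update_version
}

main() {
    remove_inactive plugin
    remove_inactive theme
    update_everything
}

# Usage: sh wp-hygiene.sh run   (the guard lets the functions be sourced)
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh wp-hygiene.sh run`. Look at the inactive list before letting the delete loop run: a plugin that another plugin depends on, or a seasonal plugin you deactivate between uses, should be updated rather than deleted.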
What Else You Can Do
- Find a great website hosting provider. You may believe your hosting is reliable and your host is great; the sad fact is that in today’s market it probably is not. An OK host will store your website; a good one will provide decent technical support. A great hosting provider will do those things by default and keep backups for you. Whether you can access them for free is another story; what matters is that they exist and that you can get to a clean copy when you need one. Ask how far back the backups go and whether they are stored away from the web server: a backup that lives next to the site gets infected, or wiped, along with it.
- Protection options are available. Just as your desktop computer sits behind a firewall on a normal internet connection, your website can have one too. Yes, a decent hosting vendor will run a firewall on its servers, but that is a network firewall; a web application firewall such as Wordfence (which has both free and paid editions) inspects the HTTP requests that reach WordPress itself and blocks known attack patterns, brute-force login attempts and requests to plugin files with known vulnerabilities. It is an extra layer of protection, not a replacement for keeping things updated.
- Use strong passwords. This sounds like a no-brainer and something that is easy to achieve. The fact of the matter is that even some “Security Specialists” get lazy and use what they believe to be secure passwords. One such company actually deployed the password “drowssaP”, which was of course not overly secure, and used it on EVERYTHING. Choose long passwords, or passphrases built from several unrelated words with a couple of numbers and special characters mixed in, and never use a password that is even remotely similar on more than one site; a password manager makes unique passwords practical. The WordPress administrator login is the one attackers brute-force first, so it deserves the strongest password you have.
- Remove nonessential administrator-level accounts from the Users panel within WordPress. If there are accounts that you or your staff no longer use, remove them. Each one is a login that can be guessed, phished or reused from a leak elsewhere, and an extra administrator account with an unfamiliar name is also one of the most common things a hacker leaves behind in order to get back in, so review the list regularly rather than once. Give everyone else the lowest role that does their job: Editor or Author rather than Administrator.
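As an added example, and not code from the original post, the script below audits administrator accounts with WP-CLI: it reports every administrator whose login is not on a list you maintain, and, only when told to apply, ends that user's sessions and deletes the account while reassigning its posts to a surviving user. It assumes WP-CLI as `wp`, run from the WordPress root as the site's file owner, after a backup; `KEEP`, `REASSIGN_TO` and the `report`/`apply` arguments are this script's own conventions, and the logins in `KEEP` are placeholders.

```shell
#!/bin/sh
# wp-admin-audit.sh (added example, not from the original post): report
# administrator accounts that are not on an allow-list and optionally remove
# them. Assumes WP-CLI as `wp`, run from the WordPress root as the site's
# file owner, after a backup. KEEP, REASSIGN_TO and the report/apply
# arguments are this script's conventions; the logins below are placeholders.
set -eu

WP=${WP:-wp}
KEEP=${KEEP:-"owner webmaster"}   # space-separated logins allowed to be admins
REASSIGN_TO=${REASSIGN_TO:-1}     # user ID that inherits a deleted user's content

# unexpected_admins: print "ID login" for each administrator not in KEEP.
# Matching is on user_login, which cannot be changed from the dashboard;
# display names are trivially editable and are not trusted here.
unexpected_admins() {
    "$WP" user list --role=administrator --fields=ID,user_login --format=csv |
    awk -F, -v keep="$KEEP" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        NR > 1 && !($2 in ok) { print $1, $2 }'
}

# remove_admin ID: destroy every session first, so that anyone currently
# logged in as this user is thrown out at once, then delete the account.
# --reassign matters: without it WordPress deletes the user's posts as well.
remove_admin() {
    "$WP" user session destroy "$1" --all
    "$WP" user delete "$1" --reassign="$REASSIGN_TO" --yes
}

main() {
    mode=$1
    unexpected_admins | while read -r id login; do
        echo "unexpected administrator: $login (ID $id)"
        if [ "$mode" = "apply" ]; then
            remove_admin "$id"
        fi
    done
}

# Usage: sh wp-admin-audit.sh report   (list only)
#        sh wp-admin-audit.sh apply    (list and remove)
case "${1:-}" in
    report|apply) main "$1" ;;
esac
```

Run the `report` mode first and add any legitimate login it flags to `KEEP` before using `apply`; an account you delete by mistake is recoverable from the backup, but the posts reassigned to `REASSIGN_TO` will need to be moved back by hand.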
Save Yourself Some Time With Monitoring And Cleaning
- Consider using a cleaning and monitoring service. Companies like Sucuri monitor your website and will clean infections out of it fairly quickly. The turnaround time depends on the plan you are on; at $499 USD per year it is pretty good, as they will do it within a few hours. As a rule of thumb these services clean out injections quicker than an individual developer or hosting support specialist will.
- Change your website monitoring process. More often than not a smaller business does not regularly check its website and its functionality; autopilot is assumed to be fine until something has visibly gone wrong. Be proactive: monitor the website, its traffic and the leads it produces, and also the things a compromise changes first, such as new administrator accounts, files that change when nobody was editing the site, and pages that suddenly redirect or show spam. The sooner you notice, the smaller the clean-up, and the better your chances of closing a vulnerability before someone gets through it.
A very common misconception you may be told by your website designer or developer is that changing your SSL certificate from a FREE one to a PAID one will stop the problem going forward. People without the technical knowledge claim it will protect your WordPress website from injections. That is not how SSL certificates work: a certificate encrypts the traffic between a visitor’s browser and your server and proves the server’s identity; it does nothing about malicious code that is already on the server, or about a vulnerable plugin that lets more in, and a free certificate gives you exactly the same encryption as a paid one. A paid certificate can still be worth having: it is issued for a longer period (free certificates are typically issued for only 90 days and rely on automatic renewal) and it comes with a vendor warranty. Browser compatibility, which used to be an argument for paid certificates, is no longer a meaningful difference for browsers in current use.
If you find yourself in a situation where your website has been hacked, don’t be afraid to ask for help. The first thing to do is get the injection cleaned out of the website, and find out how it got in: cleaning the symptoms without closing the hole (an outdated plugin, a leaked password, a leftover administrator account) means it will be back. Secondly, once the injection is cleaned out, update all the plugins, your website theme (if possible) and WordPress core, and change every password the attacker could have seen: WordPress administrators, the hosting control panel, FTP/SFTP and the database. Once these steps are done, monitor the website for a few days and make sure the injection does not reoccur. In the meantime, consider contacting us to find out what else you can and should do to help protect your WordPress website going forward.
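As an added example of the first step (finding the injection), and not code from the original post, the script below runs three first-pass checks with WP-CLI and `find`: which core and plugin files differ from what wordpress.org published for the installed versions, whether any PHP has been dropped into wp-content/uploads (where nothing should ever be executable), and which files changed recently. It assumes WP-CLI as `wp`, run from the WordPress root as the site's file owner; `WP_ROOT` and `DAYS` are this script's own settings. It produces candidates for a person to inspect and does not clean anything.

```shell
#!/bin/sh
# wp-triage.sh (added example, not from the original post): first-pass checks
# on a WordPress install suspected of being hacked. Assumes WP-CLI as `wp`,
# run from the WordPress root as the site's file owner. WP_ROOT and DAYS are
# this script's own settings. The output is a list of things to look at, not
# a fix.
set -eu

WP=${WP:-wp}
WP_ROOT=${WP_ROOT:-.}
DAYS=${DAYS:-7}

# verify_official_files: compare core and every plugin against the checksums
# wordpress.org publishes for that exact version. Lines reading "File doesn't
# verify" or "File should not exist" name files to inspect. Themes from theme
# clubs have no published checksums, so diff those against the vendor's zip.
# verify-checksums exits non-zero on a mismatch, which is exactly the case we
# want to see, so that failure is not allowed to stop the script.
verify_official_files() {
    "$WP" core verify-checksums || true
    "$WP" plugin verify-checksums --all || true
}

# php_in_dir DIR: every file a typical PHP handler will execute. Which
# extensions actually run depends on the web server's configuration, so treat
# any hit under uploads as suspect; a legitimate upload is never a PHP file.
php_in_dir() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
}

# recently_changed DIR DAYS: files modified within the last DAYS days. Page
# caches churn constantly and are excluded; anything else that changed when
# nobody was editing the site (wp-config.php, .htaccess, core files) is a lead.
recently_changed() {
    find "$1" -type f -mtime "-$2" ! -path '*/wp-content/cache/*'
}

main() {
    echo "== files that differ from the official release =="
    verify_official_files
    echo "== PHP files under wp-content/uploads (should be none) =="
    php_in_dir "$WP_ROOT/wp-content/uploads"
    echo "== files changed in the last $DAYS days (cache excluded) =="
    recently_changed "$WP_ROOT" "$DAYS"
}

# Usage: sh wp-triage.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh wp-triage.sh run` and keep the output with the date: the modified-file list is also how you work out how long the site has been compromised, which tells you which backup is the last clean one and which passwords must be treated as exposed.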