How WordPress Websites Get Hacked?
WordPress is one of the most popular Content Management Systems (CMS), powering more than 40% of websites around the globe. Because of that popularity it has become a prime target for hackers, and there are a number of entry points they can exploit to gain access to your website. By default, every WordPress admin login is reachable by going to /wp-admin. This lets attackers build bots that find every site with a /wp-admin URL and try to break in.
If your website is a crucial part of your business, then you need to start paying extra attention to your WordPress website security. We will cover the best WordPress security practices that will improve your site's security and keep it safe from hackers and malware. Here are the top 5 reasons why WordPress websites get hacked!
Outdated WordPress Core, Themes, or Plugins
Keeping software up to date is the single best thing you can do for your website security. Sites running outdated versions of WordPress, themes, or plugins are exactly what hackers love to exploit. You don't have to search long to find an example of this type of attack: just look at the vulnerabilities patched in the WP Cost Estimation plugin version 9.644, a bug in WordPress version 4.9.8 that can lead to remote code execution, or a security issue in WooCommerce versions earlier than 3.5.4.
Security flaws and bugs are discovered in WordPress plugins and themes all the time. Usually, theme and plugin authors are quick to fix them. However, if a user does not update their theme or plugin, the fix never reaches their site and the author can do nothing about it.
Using Weak Passwords
Passwords are the keys to your WordPress site. You need to make sure that you're using a strong, unique password for each of the following accounts, because any of them can give a hacker complete access to your website.
Popular attacks against WordPress sites are brute-force and dictionary attacks. First, a hacker scans your website for usernames or email addresses of registered users. Sometimes, hackers don’t even put in the work to scan for usernames and simply try common logins like “admin”, “administrator”, or “root”.
Nulled Themes and Plugins
Downloading WordPress themes and plugins from unreliable sources is very dangerous. Not only can they compromise the security of your website, they can also be used to steal sensitive information. Always download WordPress plugins and themes from reliable sources such as the plugin or theme developer's website or the official WordPress repositories.
Every website on the internet is exposed to hacking attempts, and because WordPress is the world's most popular website builder it draws the most attention. Hackers use bots that crawl the web sniffing out known vulnerabilities.
Insecure Web Hosting
WordPress sites are hosted on a web server, and some hosting companies do not properly secure their hosting platform. This leaves every website hosted on their servers open to hacking attempts. It can be easily avoided by choosing a reputable WordPress hosting provider for your website, which ensures that your site runs on a safe platform. Properly secured servers can block many of the most common attacks on WordPress sites.
Here are a few things you can follow in order to protect your WordPress website from being hacked:
- Protect your WordPress Dashboard login page using a plugin similar to Limit Login Attempts Reloaded. This will stop brute-force attacks that try to find the right admin login combination for your Dashboard.
- Use more complex passwords and, in addition, rename the default WordPress admin user.
- Never set more than 2 admins; if possible leave only one admin and downgrade all others to Editors, Authors or even Subscribers. You can use our own WP User Admin in order to schedule user role downgrades or upgrades. This way you can set one user as an admin for a specified timeframe and then automatically downgrade him/her to Author or any other preferred user role.
- Add Two-factor Authentication for your admin accounts using a WordPress plugin. This way you add one more layer of security to your admin account. Even if the hackers manage to find or guess your admin login details they will still need to confirm through the 2FA service.
- Set your WordPress directory permissions carefully. The general rule of thumb is to set the directory permissions to ‘755’ and files to ‘644’ to protect the whole file system – directories, subdirectories, and individual files.
- Disallow file editing. There are ways to edit theme and plugin files from the wp-admin dashboard. Any user with admin access can do this. To disable this feature, add the following line to your wp-config.php file:
- Disable directory listing through .htaccess. You can do this by adding an empty index.html or index.php file to any WordPress directory you wish to keep from being listed. You can also add the following line to that directory's .htaccess:
Options All -Indexes
- Choose hosting that comes with SFTP/SSH. While plain FTP sends its commands and data in the clear, SFTP and SSH encrypt the connection between your computer and the server, making it difficult for someone to intercept the connection or spoof your information.
- Install an SSL certificate for your domain. Just as it's safer to use SFTP rather than FTP, it's better to use an SSL certificate, as it encrypts the data you and your visitors transfer via the site.
- Set strong passwords for your MySQL database. It’s very common for WordPress sites which were hacked to use funny or dead simple login details for their MySQL Database. Make sure you create a unique username and password for each WordPress database you create under your hosting account.
- Back up your WordPress site, daily if possible! If you ever get hacked you need a recent backup in order to restore your WordPress site files (themes and plugins) and database.
- Regularly update your themes, plugins and WordPress core files. The truth is that outdated software just makes it easy for hackers to gain access to your site.
- Watch out for abandoned WordPress plugins and themes. Another reason for having a hacked WordPress website is using plugins (mostly) or themes which were abandoned by their developers. This means that any vulnerabilities in their code are still unpatched, putting your WordPress site security at risk. For the same reason, you should audit your site setup once every two or three months, making sure everything is in place and updated.
- Monitor your site log files. You should monitor any file changes to your sites weekly, if not daily. When a hacker breaks into your WordPress site he/she edits its files. By scanning your file-change logs you can stay on top of any hacking attempt and save the time and money you would otherwise need to restore and clean your hacked site.
- Scan your site regularly for malware. If you're using a proper WordPress hosting provider then they can do this job for you. If not, you should use a third-party service which can scan your site's front-end and back-end content for malware.
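An added example, not from the article, that checks several of the items above against a local WordPress tree: the 755/644 permission rule, the DISALLOW_FILE_EDIT setting in wp-config.php that disables the dashboard file editor, and a SHA-256 baseline for spotting file changes. It assumes a Linux/Unix host; run_demo() builds a constructed mini site in a temporary directory rather than touching a real install.

```python
import hashlib, os, re, stat, tempfile
from pathlib import Path

DIR_MODE, FILE_MODE = 0o755, 0o644  # the article's rule of thumb for directories and files
FILE_EDIT_RE = re.compile(r"""define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""")

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root; keep this as the baseline."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def diff_manifest(baseline, current):
    """(added, removed, modified) paths since the baseline: each entry is a change to explain."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified

def audit_permissions(root):
    """Relative paths whose mode is not 755 (directories) or 644 (files)."""
    root = Path(root)
    return sorted(str(p.relative_to(root)) for p in root.rglob("*")
                  if stat.S_IMODE(p.lstat().st_mode) != (DIR_MODE if p.is_dir() else FILE_MODE))

def file_edit_disabled(wp_config_path):
    """True when wp-config.php sets DISALLOW_FILE_EDIT to true (hides the dashboard file editor)."""
    return FILE_EDIT_RE.search(Path(wp_config_path).read_text(errors="replace")) is not None

def run_demo():
    """Constructed mini site in a temp dir: take a baseline, leave one sloppy mode, tamper one file."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    plugin = os.path.join(root, "wp-content", "plugins", "hello.php")
    os.makedirs(os.path.dirname(plugin))
    for rel, text in {"wp-config.php": "<?php\ndefine('DISALLOW_FILE_EDIT', true);\n",
                      "wp-content/plugins/hello.php": "<?php // plugin code\n"}.items():
        Path(root, rel).write_text(text)
        os.chmod(os.path.join(root, rel), FILE_MODE)
    for sub in ("wp-content", "wp-content/plugins"):   # makedirs honours umask, so set explicitly
        os.chmod(os.path.join(root, sub), DIR_MODE)
    os.chmod(plugin, 0o777)                            # one world-writable file: should be flagged
    baseline = build_manifest(root)
    with open(plugin, "a") as fh:                      # simulate an edit made after the baseline
        fh.write("// tampered\n")
    return {"bad_perms": audit_permissions(root),
            "edit_disabled": file_edit_disabled(os.path.join(root, "wp-config.php")),
            "diff": diff_manifest(baseline, build_manifest(root))}
```

On a real site, save build_manifest() output as JSON after each legitimate update and run diff_manifest() against it on a schedule; a non-empty result that you did not cause is the file-change signal the monitoring item above is about.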