I’ve written previously about my love/hate affair with WordPress as a website builder. As I said back then, one of the things I hate is how it draws hackers like bees to a honeypot. But they’re killer bees. And they’re getting worse.
The stats are alarming. Just check one of the monthly attack reports generated by Wordfence to see the tens of millions of attacks occurring each month. It’s a handy report listing the countries the attacks come from and the WordPress themes and plugins that are most targeted.
It also seems that the speed with which hackers can find and exploit new vulnerabilities is increasing rapidly. It’s downright scary.
That’s why I say that security is, without doubt, the number one issue with WordPress. Just in the past 12 months there have been at least three major updates to the WordPress core to patch up new holes that could easily allow attacks.
PS. I don’t think that WordPress is inherently insecure, but it attracts the lion’s share of hacking attention simply because there are so many millions of sites using it. And a lot of those sites are small sites – blogs, personal, or small business – which may not be maintained as often as they should be.
But why would anyone target my little site? you ask.
Unfortunately it’s precisely because yours is a little site. Big sites get attacked too, but their protection is usually much more solid, more expensive, and they have teams of vigilant nerds working full time to keep them safe.
Small sites are just an easier target.
Don’t take it personally. There aren’t hackers sitting at a desk visiting your site in person and thinking “Hey, here’s a pretty site selling handbags. I hate handbags. I think I’ll deface it just to mess with their day/week/business so that no-one can buy handbags anymore”.
No, these days hackers scan millions of sites with automated bots, much as Google and the other search engines crawl the web, looking for known-vulnerable versions of WordPress, plugins and themes, weak admin logins and other ways in. They don’t care what your site is about, just that it exists and receives traffic. And they especially like WordPress sites.
With WordPress powering so many blogs and sites around the world, the hackers’ chance of finding a vulnerable entry point somewhere is high. They employ a scatter-gun approach in the same way as spam emails – and scam emails.
(As an aside: With some scam emails you might wonder “why on earth would anyone click on that link, it’s so obviously a scam?” But the sad fact is that people do click. And so the scammers win, even if only 1 out of 1000. That’s why they keep on trying.
Even worse is that scam emails are getting more sophisticated and more likely to trap you even if you are scam-savvy. There was a recent widespread hoax email purporting to be from ASIC for business name renewals – it looked quite legitimate but would install ransomware if you unsuspectingly clicked their innocuous-looking link. By the way, ASIC warns of such scam attempts at http://asic.gov.au/online-services/service-availability/scams-targeting-asic-customers/)
Some of the things that a WordPress hacker might do include:
- upload malicious files
- inject code that inserts advertising
- add links to other sites
  - from which they make money, like selling fake Ugg boots or Michael Kors handbags – see, even hackers are into handbags
  - or as part of a dodgy SEO link-building campaign
- use your bandwidth and storage space to send spam emails
Many of these hacks won’t visibly change your site, so unless you know what to look for you may be completely oblivious to them.
You can read more in this Sucuri article about what hackers stand to gain from accessing any site.
What can you do to reduce your security risk on WordPress?
- Obviously, keeping your site software up to date is paramount. These days you need to be super vigilant. Once a fix is published, the hole it closes is public knowledge and the bots go looking for sites that haven’t applied it, so wait a week to update to the latest version and your site can easily be hacked in the meantime.
Thankfully a lot of web hosting services now perform WordPress core updates automatically for you, usually within 24 hours. Some will also update plugins. If your web host can’t or won’t do this, I’d seriously consider moving to one that does.
I recommend Siteground for hosting – if your site is WordPress on cPanel they will also transfer your site for you. PS. It would be lovely if you’d use my affiliate link to signup for Siteground hosting. It doesn’t cost you any extra, but helps keep my hobby site afloat.
- Install a security plugin. I love Wordfence and wouldn’t run a WordPress site without it these days. The free version is so good that you shouldn’t need the premium one.
I have also made use of the Wordfence website hack cleanup service and highly recommend it if your unprotected site has been hacked. I don’t have an affiliation with Wordfence, just admiration for the service they provide. I think every WordPress site should have at least the free version of Wordfence installed.
Wordfence is highly configurable, but I recommend that you don’t set it to email you each time a login attempt fails – you’ll be inundated with emails (and scared out of your wits) by the number of times that someone, somewhere, is trying to login to your WordPress admin panel. Instead I set mine to alert me when someone with admin access logs in successfully, because that’s when you really need to know!
Other worthwhile security plugins include Sucuri and Shield (which is an updated version of WordPress Simple Firewall).
- There are a bunch of other things you can do to help reduce the ways that your site can be exploited.
  - Delete old themes and unused plugins, because a vulnerability in an inactive plugin or theme can still be exploited as long as its files are on the server
  - Maintain strong passwords for everyone who can log in to your site
  - Check out this short step-by-step guide to get your site secured.
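To show what the hosting-side auto-updating described under “keeping your site software up to date” amounts to when you set it up yourself, here is an added example of the WordPress settings involved. It is not code from the original post, from any host, or from the WordPress project; it uses the `WP_AUTO_UPDATE_CORE` constant and the `auto_update_plugin` and `auto_update_theme` filters that WordPress provides, and the `legacy-gallery` plugin slug held back from updating is a made-up placeholder.

```php
<?php
/*
 * Part 1 goes in wp-config.php, above the "That's all, stop editing!" line.
 * WordPress's default is 'minor' (security and maintenance releases only);
 * true also takes major releases, which is what "within 24 hours" hosts do.
 */
define( 'WP_AUTO_UPDATE_CORE', true );

/*
 * Part 2 goes in wp-content/mu-plugins/auto-updates.php (create the folder
 * if it does not exist). Must-use plugins load on every request and cannot
 * be switched off from the dashboard, which is what you want for security
 * settings.
 */

// Keep every installed theme current.
add_filter( 'auto_update_theme', '__return_true' );

// Keep every plugin current, except ones you deliberately pin.
// 'legacy-gallery' is a placeholder slug for this example, not a real plugin.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $pinned = array( 'legacy-gallery' );

    if ( isset( $item->slug ) && in_array( $item->slug, $pinned, true ) ) {
        return false; // leave this one for a manual, tested update
    }

    return true;
}, 10, 2 );
```

Two caveats a practitioner should know. First, these filters override the per-plugin “Enable auto-updates” toggles in the dashboard, so the code is the single source of truth. Second, automatic updates run from WP-Cron, which by default only fires when someone visits the site; a quiet site should have a real cron job hitting `wp-cron.php` so the update does not wait for a visitor. They also will not run at all if `DISALLOW_FILE_MODS` or `AUTOMATIC_UPDATER_DISABLED` is set to true, or if the web server cannot write to the WordPress files. None of this replaces backups: a major release can still break an old theme.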
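The “alert me when an admin logs in” rule from the Wordfence section above is simple enough to implement without a plugin, and doing so shows exactly what such an alert captures. This is an added example, not the post’s or Wordfence’s code; it assumes the file is dropped into wp-content/mu-plugins and that `wp_mail()` actually delivers on your host.

```php
<?php
/*
 * wp-content/mu-plugins/admin-login-alert.php
 * Emails the site's admin address whenever an account that can manage the
 * site (the 'manage_options' capability, i.e. an Administrator) logs in.
 */
add_action( 'wp_login', function ( $user_login, $user ) {
    // Only administrators are interesting; ignore subscribers, customers etc.
    if ( ! user_can( $user, 'manage_options' ) ) {
        return;
    }

    // REMOTE_ADDR is the TCP peer. Behind a CDN or reverse proxy it will be the
    // proxy's address; only trust an X-Forwarded-For header if you know your
    // proxy sets it and strips any copy the client sent.
    $ip    = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    $agent = isset( $_SERVER['HTTP_USER_AGENT'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['HTTP_USER_AGENT'] ) )
        : 'unknown';
    $when  = gmdate( 'Y-m-d H:i:s' ) . ' UTC';

    $subject = sprintf( '[%s] Administrator login: %s', get_bloginfo( 'name' ), $user_login );
    $body    = sprintf(
        "User:       %s (ID %d)\nTime:       %s\nIP address: %s\nUser agent: %s\n\n"
        . "If this was not you, change the password now and check the other admin accounts.",
        $user_login,
        $user->ID,
        $when,
        $ip,
        $agent
    );

    // Keep a copy in the PHP error log as well, in case the email is silently lost.
    error_log( sprintf( 'admin login: user=%s ip=%s', $user_login, $ip ) );

    wp_mail( get_option( 'admin_email' ), $subject, $body );
}, 10, 2 );
```

Note what this does and does not catch. `wp_login` fires on a successful username-and-password login, which is the event you want; it does not fire when an attacker reuses a stolen login cookie, so the email is a strong signal but not a complete one. By default `wp_mail()` goes through PHP’s `mail()`, which many shared hosts throttle or drop, so send a test login alert to yourself before relying on it.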
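For the strong-passwords point in the list above, this added example (not from the post or from WordPress itself) enforces a minimum length at the two places where WordPress lets a user choose a password: the dashboard profile and add-user screens, and the “Lost your password?” reset form. The 14-character minimum, the `example_` prefix and the file path are the example’s own choices.

```php
<?php
/*
 * wp-content/mu-plugins/password-policy.php
 * Rejects short passwords when a user is created or edited in the dashboard
 * and when a password is reset through the lost-password flow.
 * 14 characters is this example's minimum, not a WordPress default; length
 * does more for you than complexity rules.
 */
const EXAMPLE_MIN_PASSWORD_LENGTH = 14;

function example_check_password_length( $password, WP_Error $errors ) {
    if ( '' === $password ) {
        return; // no password change was submitted
    }

    if ( mb_strlen( $password ) < EXAMPLE_MIN_PASSWORD_LENGTH ) {
        $errors->add(
            'pass',
            sprintf(
                '<strong>Error:</strong> passwords must be at least %d characters.',
                EXAMPLE_MIN_PASSWORD_LENGTH
            )
        );
    }
}

// Profile and Add New User screens: if a new password was entered, WordPress
// has already copied it to $user->user_pass before firing this action.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        example_check_password_length( $user->user_pass, $errors );
    }
}, 10, 3 );

// Password reset form: WordPress only applies the new password after this
// action if $errors is still empty, so adding an error here blocks the reset.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) ) {
        example_check_password_length( wp_unslash( $_POST['pass1'] ), $errors );
    }
}, 10, 2 );
```

This covers what people type into the site. It does not cover accounts created or changed through WP-CLI or the REST API, which bypass these dashboard hooks, and it does nothing about passwords that were already weak when you install it, so still go through the existing user list by hand.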