Preventing WordPress hacks


Why preventing WordPress hacks is easier than recovering from them

An ounce of prevention is worth a pound of cure. Nowhere is that truer than with website hacks. WordPress sites are compromised not by sophisticated hackers but by bots written to exploit known weaknesses: weak passwords, outdated plugins and themes, and poor-quality web hosting.

When a site is hacked, any of the following can be affected:

  • Files containing malicious code or PHP backdoors can be uploaded to the server
  • Files already on the server, such as your theme files, can be modified
  • Code can be injected into your WordPress database
  • Users with administrative privileges can be added to your WordPress database
  • Numerous posts and pages can be published containing spam
  • Your site can be redirected to malware sites
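The first two effects in that list, uploaded files and modified theme files, are exactly what a file-integrity baseline catches. The Python script below is an added example, not code from the original post: it hashes every file under a WordPress directory, saves that as a baseline, and later compares a fresh snapshot against it to report files that were added, removed or changed. The site it creates under a temporary directory, and the two tampering events it simulates, are a constructed sample.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed content since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed walk-through: baseline a tiny site, simulate two kinds of tampering, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        theme = root / "wp-content" / "themes" / "example-theme"
        theme.mkdir(parents=True)
        (theme / "style.css").write_text("/* Theme Name: Example (constructed) */\n")
        (theme / "functions.php").write_text("<?php\n// constructed sample theme file\n")
        (root / "wp-config.php").write_text("<?php\n// constructed sample config\n")

        # Take the baseline right after a clean install or a verified clean-up, and keep it
        # off the web root (here: beside it) so whoever changes site files cannot also
        # rewrite the baseline to match.
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(build_manifest(root), indent=1))

        # Simulated effects from the list above (constructed; no real malicious code):
        with (theme / "functions.php").open("a") as fh:
            fh.write("// constructed: an unexpected line appended to a theme file\n")
        uploads = root / "wp-content" / "uploads" / "2024" / "03"
        uploads.mkdir(parents=True)
        (uploads / "unexpected.php").write_text("<?php // constructed: PHP where only media belongs\n")

        baseline = json.loads(baseline_file.read_text())
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Against a real site, run build_manifest() on the web root after every legitimate update and store the JSON somewhere the web server cannot write. Media uploads will show up as "added" in the normal course of business, but a .php file appearing under wp-content/uploads, or any change to a theme or core file you did not make, is worth investigating immediately.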

1 – Use strong passwords

Get a password manager such as 1Password to keep track of all your passwords. You can no longer reuse the same password on every internet account and get away with it. You can't use your dog's name, your favorite soft drink, or a band name. You need long, unmemorable, hard-to-guess passwords.

In the past couple of weeks, I've had two clients call me because their Gmail, Instagram, or Apple ID was hacked due to using a weak password. It is very easy to use a password hacking program to discover what your password is. In both cases, my clients used passwords that could be guessed by a password detection tool in under 1 second!
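To put numbers on "guessed in under a second", here is an added Python example, not code from the original post. It estimates how long a password would survive an offline guessing attempt and generates a replacement from the operating system's cryptographic random source, which is what a password manager does for you. The guessing rate of ten billion guesses per second and the short list of common passwords are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed stand-in for the wordlists that guessing tools try first (not a real list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Assumed offline guessing rate for the estimate below (hardware-dependent; illustration only).
GUESSES_PER_SECOND = 1e10


def generate_password(length: int = 20) -> str:
    """Build a password from letters, digits and punctuation using the OS CSPRNG (secrets)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy: each character drawn uniformly from the classes the password uses."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # the 32 ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def seconds_to_guess(password: str) -> float:
    """Expected time to find the password: wordlist hits are immediate, otherwise half the keyspace."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return 2 ** entropy_bits(password) / 2 / GUESSES_PER_SECOND


def is_strong(password: str, min_bits: float = 80.0) -> bool:
    """Anything a password manager generates at 16+ characters clears this bar easily."""
    return password.lower() not in COMMON_PASSWORDS and entropy_bits(password) >= min_bits


if __name__ == "__main__":
    for pw in ("password", "Fluffy2015", generate_password(20)):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, ~{seconds_to_guess(pw):,.0f} s, strong={is_strong(pw)}")
```

The entropy figure is an upper bound that assumes every character was chosen at random. A pet's name plus a year, like the constructed "Fluffy2015", scores about 60 bits on paper but falls to a guessing tool almost at once, because such tools try names, words and dates before they ever try random strings. That gap is why the generated password, not the memorable one, is the right answer.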

2 – Keep WordPress themes, plugins, and core up to date

It's not enough to log in once a month or less to do updates. Once a vulnerability is published, exploits against it hit massive numbers of sites within days. My forgotten site that I didn't update was exploited within a couple of weeks of the Gravity Forms vulnerability being announced. You must update immediately when an update is released.

3 – Keep your server clean

Delete unused copies of WordPress on the server. It's easy to forget these exist. Unused WordPress files, plugins, themes and the like can be exploited even if they are not active and not associated with your current install at all. Delete, delete, delete. Run a tight ship.
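Finding the forgotten copies is the hard part. The Python script below is an added example, not code from the original post: it walks a web root, treats every directory containing a wp-config.php as a WordPress install, reads the core version from wp-includes/version.php and each plugin's name and version from its header comment, and lists the result so you can see at a glance which install is live and which is a stale copy with an old core. The two installs it builds under a temporary directory are a constructed sample; point find_installs() at your real web root to inventory it.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# wp-includes/version.php contains a line of the form: $wp_version = '6.5.2';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# Plugin header lines look like "Plugin Name: Foo" or " * Version: 1.2.3" inside a PHP comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def core_version(install: Path) -> Optional[str]:
    """Return the WordPress core version of an install, or None if version.php is missing."""
    version_php = install / "wp-includes" / "version.php"
    if not version_php.is_file():
        return None
    match = VERSION_RE.search(version_php.read_text(errors="replace"))
    return match.group(1) if match else None


def plugin_info(entry: Path) -> dict:
    """Read the header of a plugin (a directory or a single .php file); only the first 8 KB is scanned."""
    candidates = sorted(entry.glob("*.php")) if entry.is_dir() else [entry]
    for php in candidates:
        fields = dict(HEADER_RE.findall(php.read_text(errors="replace")[:8192]))
        if "Plugin Name" in fields:
            return {"slug": entry.name, "name": fields["Plugin Name"], "version": fields.get("Version", "?")}
    return {"slug": entry.name, "name": "?", "version": "?"}


def find_installs(web_root: Path) -> list:
    """Every directory holding a wp-config.php is an install; collect its core version and plugins."""
    installs = []
    for config in sorted(web_root.rglob("wp-config.php")):
        root = config.parent
        plugins_dir = root / "wp-content" / "plugins"
        plugins = []
        if plugins_dir.is_dir():
            plugins = [plugin_info(p) for p in sorted(plugins_dir.iterdir())
                       if p.is_dir() or p.suffix == ".php"]
        installs.append({"path": root.relative_to(web_root).as_posix(),
                         "core": core_version(root), "plugins": plugins})
    return installs


def demo() -> list:
    """Constructed sample: a live site plus a forgotten old copy nested inside it (not real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for site, version in (("public_html", "6.5.2"), ("public_html/old-site", "4.7.1")):
            root = base / site
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-config.php").write_text("<?php // constructed sample config\n")
            (root / "wp-includes" / "version.php").write_text(f"<?php\n$wp_version = '{version}';\n")
            plugin = root / "wp-content" / "plugins" / "example-slider"
            plugin.mkdir(parents=True)
            (plugin / "example-slider.php").write_text(
                "<?php\n/**\n * Plugin Name: Example Slider\n * Version: 1.0.0\n */\n")
        return find_installs(base)


if __name__ == "__main__":
    for install in demo():
        print(f"{install['path']}: WordPress {install['core']}")
        for plugin in install["plugins"]:
            print(f"    {plugin['name']} {plugin['version']} ({plugin['slug']})")
```

The same listing is the starting point for step 4 below: once you have every plugin's name and version in front of you, checking each one against its current release and last update date is a short job rather than a guess.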

4 – Check your plugins and themes for continued support

Don't use plugins and themes that are no longer maintained. If your plugin or theme hasn't been updated in a year or more, replace it. This is a particularly big problem with themes: many developers are fly-by-night and don't stick around more than a couple of years to support their theme.

When you shop for a theme or plugin, look for one with current support requests that have been answered in a timely manner, good star ratings, and recent and frequent updates. Not all top-selling themes are the best themes, but they are more likely to have ongoing support and updates. Read the comments for the quality and tone of the responses. Look for helpfulness, enthusiasm, thoroughness, quick response, clear articulation, and a positive attitude.

WordPress premium themes often come bundled with third-party plugins. The theme developer may or may not provide timely updates for these bundled plugins. For example, the Revolution Slider, a popular animated slider, comes bundled with hundreds of themes on ThemeForest. The Revolution Slider had a major security vulnerability in 2014. However, theme developers who bundled it with their themes did not necessarily update the plugin when they updated their themes.

5 – Protect your computer and home network

Run virus scans regularly, especially if you run Windows. Be careful which sites you visit. You can inadvertently give your WordPress login away through a keystroke-logging Trojan that steals your passwords as you type them. Protecting your computer is largely about not visiting websites that distribute malware, but even well-known sites, such as a friend's cooking blog, can be hacked, so you need some protection wherever you go on the web.

For Mac OS:

  • Scanning software isn’t usually needed, but I like Avira because it recognizes malware patterns along with malware and trojan signatures.
  • Turn on the Firewall in System Settings (Security & Privacy). In Firewall Options, check the box to Enable Stealth Mode so that your computer is not visible to other machines on the network.

For PC:

  • Avira and Avast! are both good anti-virus applications.
  • Be sure Windows Firewall is running.

6 – Run a WordPress security plugin

I prefer Shield WordPress Security by iControlWP. I have used Wordfence in the past, and it continuously created errors in the error log files on multiple sites. Other popular plugins out there can easily break your site or have you focused on "security" measures that do nothing for security while missing out on important things like login protection. I appreciate the following about Shield:

  • No “Pro” restrictions on security features
  • It won’t break your website
  • Super Admin Security
  • Lots of great email newsletters and insights into what’s new in WordPress security
  • Blocks malicious URLs and requests
  • Blocks ALL automated spambot comments
  • Hides your WordPress Admin and Login page
  • Prevents brute force attacks on your login and any attempted automatic bot logins.
  • Verify user identity with email-based Two-Factor Authentication
  • Monitor login activity and restrict username sharing, with User Sessions Management
  • Review admin activity with a detailed Audit Trail Log
  • Turn on and turn off WordPress Automatic Updates separately for plugins, themes and Core
  • Easy to use kill switch to temporarily turn off all Firewall Features without disabling the plugin or even logging into WordPress.
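Behind the feature list, "prevents brute force attacks on your login" comes down to counting failed login attempts per client and cutting that client off. The Python below is an added example, not Shield's code or anything from the original post: it reads web-server access-log lines, counts failed POSTs to the WordPress login endpoints per IP address inside a sliding time window, and reports every address that crosses the threshold. The log lines are a constructed sample using documentation addresses, and the limit of five failures in sixty seconds is an assumed setting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: client ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Both endpoints accept WordPress credentials, so both count as login attempts.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample traffic (RFC 5737 documentation addresses; not real logs).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:14:02:03 +0000] "GET /about/ HTTP/1.1" 200 11200 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:14:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:14:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path.split("?", 1)[0], status


def detect_brute_force(lines, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag IPs with at least `threshold` failed logins inside any `window_seconds` span.

    WordPress answers a failed login by re-rendering the form (HTTP 200) and a successful
    one with a redirect (HTTP 302), so only 200 responses to a POST count as failures.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, t, method, path, status = parsed
        if method != "POST" or path not in LOGIN_PATHS or status != "200":
            continue
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"first_failure": q[0].isoformat(),
                           "flagged_at": t.isoformat(), "failures": len(q)}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failed logins between {info['first_failure']} and {info['flagged_at']}")
```

In the sample, 203.0.113.5 fails five times in five seconds and is flagged on the fifth attempt, while 198.51.100.7 mistypes once and then logs in normally. What a plugin adds on top of this detection is the response (a temporary lockout or a challenge) and the bookkeeping across requests. One caveat when adapting this to a real server: behind a CDN or reverse proxy the first field of the log is the proxy's address, and the real client address has to be taken from the X-Forwarded-For header your proxy sets.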

7 – Don’t login on public WiFi networks

If you log in to your WordPress site on a public network, you are essentially handing your login credentials to anyone else on the network who is running packet-sniffing software. If you don't have an SSL certificate installed on your site (which encrypts your username and password in transit), use a Virtual Private Network (VPN) service to encrypt your traffic on the network. Use a VPN even if you do have an SSL certificate on your site; it's good practice to stay inside a virtual private network on any public network.

8 – Install an SSL certificate on your site

This encrypts the data that you and your visitors send to the site, such as contact form submissions and login credentials. Without it, data travels like a postcard in the mail: anyone who looks can read it. Having SSL installed also lets you log in securely (via HTTPS) while traveling. Many hosts offer certificates for free, and you can use the Really Simple SSL plugin to force your content to load over HTTPS.

9 – Consider better web hosting

Hosting companies like WP Engine, SiteGround, and Flywheel have your back when it comes to security. They routinely run security scans and will clean your hacked site for free. Even so, you may still want to hire a professional such as Jim Walker or Sucuri, to avoid a newbie hosting-company employee "cleaning" your site and missing something, given the new 30-day Google ban.

10 – Backup your site

While backups are not always all that helpful in recovering from a WordPress hack, they are essential for disaster recovery, especially when the damage is to your database, which is where all your site content is stored. See my post on Backing Up WordPress.
