Freshly brewed coffee (or tea) is, for many of us, the preferred way to start the day. Waking up to discover that your WordPress website has been hacked by a malicious individual hell-bent on disrupting your business, is not.
The statistics around WordPress are at once impressive and scary. Being the world’s largest CMS means it’s responsible for powering over 23% of the top 10 million websites worldwide. This makes WordPress ripe for hackers who enjoy making other people’s lives miserable.
But it’s not all doom and gloom–with so many websites running on WordPress, a large part of improving WordPress security means taking simple actions that many website owners have either neglected or are too lazy to implement. Thankfully you can reduce your chances of being hacked by being proactive.
The objective of this post is to arm you with some basic knowledge about WordPress security. It is by no means comprehensive since you would need several volumes of text to adequately cover the potential list of topics.
Here’s what we are going to cover:
- Background information about the how and why of hackers.
- Tools you can use to mitigate your risks.
- A few of the manual steps you should take even if you you’re not using a security plugin or file scanning service.
Having your website hacked can represent a variety of risks, depending on your business. The most common is economic or financial risk. If you rely on your website to provide an income for yourself or your family, any disruption can have devastating effects.
The second risk, which becomes more prevalent in larger websites that maintain an established customer base, is a data breach. This represents an incident in which potentially sensitive, confidential or protected information has been viewed or stolen. If you are operating a website in which data breach is of potential concern, it goes without saying you need to be taking security very seriously.
An article in Forbes indicates that as many as 30,000 websites are hacked every day and of particular concern is the perception of many small business owners that their websites are not at risk of being hacked because of their size.
Why Hacking Occurs
To better understand why hacking occurs, its important to know that there are two broad categories of hacking that occur:
Targeted vs Non-Targeted
The first is targeted hacking which, in most cases is both less common and arguably more serious. In these scenarios, a hacker will take a personal interest in your specific website. For whatever reason, you have become a target worthy of individual attention. What makes these attacks more serious is that not only will the attacker use automated tools, they will also look for specific vulnerabilities that software might have missed. Whether or not the hacker is successful is determined by both your preparedness and their skill level.
The second, and also the type that many of our “fixes” or deterrents are designed to more easily prevent, are non-targeted hacking attacks. This means a hacker will use automated tools to scan potentially thousands of websites and blogs looking for known vulnerabilities.
It can be helpful to understand some of the motivations of hackers because it can provide an indication of what to look for. For example, if you are operating a website in the medical field that has authority, you are probably more prone to a pharma hack. Some common reasons for hacking include:
- Obtaining free links to their website / Black Hat SEO
- Malicious behavior
- To steal data and/or economic gain
- You’ve been targeted for one reason or another
How To Know If You’ve Been Hacked
There is no single, tried and tested way to determine if your site has been hacked. That means you’ll have to rely on a combination of free services, paid services & manual inspection some of which are outline below.
Scanning & Site Monitoring Tools
There are a number of good and free online tools that can help you determine if your WordPress website has been hacked. They can be a great place to start when it comes to safeguarding your website.
Both Google Webmaster Tools (GWT) and Google’s safe browsing tool are great places to start– they are useful, but not perfect. While researching this article and testing tools, with just a few minutes of work I managed to find a local website that registered safe with Google but was clearly displaying signs of a potential pharma hack. Using Sucuri, which is described below, I discovered a potential malware injection which was confirmed using Firebug.
To access GWT visit: https://www.google.com/webmasters/
To access Google’s safe browsing tool, just type the following into your browser (substituting “yourwebsite.com”:
An industry leader, Sucuri offers a free site checker that will scan your website for potential problems. This tool offers a great launching point for more in-depth analysis. Beyond their free scanner, Sucuri also offers annual plans (scanning, monitoring, and cleaning) that can be a relatively small investment.
Although time-consuming and technically demanding, nothing beats a thorough manual inspection of your website. The more familiar you become with the file structure of your website, the easier you’ll be able to spot when something is not right. Common file types that are at-risk include your .htaccess, .php and media files. Manual inspection can quickly become an overwhelming process in which case a service like CodeGuard can save you hours of time.
Popular Tools & Plugins
There are plenty of security plugins and backup tools for WordPress, here are some recommended options:
Here are two popular WordPress security plugins you should consider taking a closer look at:
Wordfence is a robust plugin available in both free and paid versions. Although some of the more desirable features like two-factor authentication are only available in the paid version, the cost is small compared to the potential damage caused by a hacker.
iThemes Security (Pro)
You can find a free version of this plugin available in the WordPress depository but it’s really only a launching point for the full-featured pro version. Pricing starts at $80 for two personal licenses.
This plugin offers over 30 features (with more planned) that would take you hours to implement on a manual basis. A few of the key features included are:
- Changing the WordPress table prefix
- Removes login error messages
- Renames the admin account
- Ban a host with too many login attempts
- Enforces strong passwords
- Disables file editing within the WordPress admin console
- Creates and emails a scheduled database backup
- Provides two-factor authentication
- Online file comparison
Backups are simple yet often overlooked. Depending on the frequency with which you update your website, you’ll want to make sure you maintain and rotate multiple backups. Nothing is worse that discovering you just backed up and overwrote your clean site with one that has been hacked!
It’s possible to backup from within Cpanel, but not always the best option. Due to resource limitations, some hosting companies may not allow a Cpanel backup if your site exceeds 500mb. Maintaining off-server backups can also be a hassle and for this reason, it’s worth considering a plugin or backup service.
CodeGuard provides a hands-off service that automates backups and makes restoring a website as simple as one-click. With plans starting as low as $5/month for 5GB of storage, it affordable too. Following an initial backup, CodeGuard will monitor your site and email you in the event that there are changes to any source code. Any additions, deletions or modifications to a file are detailed in your dashboard and an appropriate backup is made.
Taking a slightly different approach, iThemes BackupBuddy is an easily installed plugin that automates your backup process. You can choose to run a full site backup or, if speed and file size are a concern, a simple database backup is possible as well.
With plans starting at just $80/year, BackupBuddy also provides you with the ability to backup to a variety of off-site storage options including AWS, Dropbox, Rackspace, Google Drive and more. Although restoring files is a simple process, one feature that is not offered is website monitoring or notifications of file changes.
Basic Manual Hardening Techniques
If you’re dead-set against using a plugin to make your life easier, there are still many things you can do to harden your security. Although it may seem overwhelming, a large percentage of hacks that occur are “crimes of opportunity”. By making your website inconvenient to hack, you can can decrease your risk. Here are some simple ideas worth implementing:
Use A Host That Specializes in WordPress
Your first line of defence lies in selecting a hosting company that specializes in WordPress. The more familiar they are with the unique requirements imposed by WordPress, the more likely they will have taken action required for hardening Apache, PHP and MySQL. Here are just a few of the hosting companies that specialize in WordPress:
- WP Engine
Install WordPress Correctly
A more secure website begins with the installation. Whether you are using an script (automated installer) or completing the process manually there are four things to pay attention to:
- Select a unique table prefix. WordPress has a default prefix of wp_ which you should change. A smart hacker might find a way around this but a lazy hacker probably won’t.
- NEVER use the default admin username. In fact, don’t use a name at all. Instead select something random.
- Use a complex password. What’s complex? If you can remember it, it’s not complicated enough. If it makes sense, it’s too easy. Ideally, it should be hard enough that you need to copy and paste it.
- Use your admin account for admin work. For all other tasks, use an account that has the appropriate privileges.
Protect Your Login Info
By default WordPress applies the username to the nice_name field. This means that if someone hovers over your author archive or admin link, they will be able to see the URL which includes your username. You can fix this by changing the user_nicename to match the display_name field. Here are the steps:
- Login to cPanel
- Open up phpMyAdmin
- Find the database you are looking for on the left side and select it
- Select the yourprefix_users table
- Click “edit” on the appropriate user
- Make sure the user_nicename field is the same as display_name
- Select “Save” and click “Go”
Pick Reputable Themes & Plugins
Pick a reputable theme and plugins that also have a well established user base. The majority of security defects are in fact caused by themes and plugins, not WordPress itself. Always use sFTP when uploading files and always keep your core files, themes and plugins up to date.
Use Two-Factor Authentication
Two-factor authentication creates yet another headache for hackers by requiring the user enter the correct username and password plus provide a third, key piece of information via another piece of equipment (such as a mobile phone). Here are some of the top plugins:
- Google Authenticator uses the standard mobile app and can be enabled on a per-user basis.
- Clef provides comprehensive protection and allows you to login using your phone and a pin.
- Authy is a simple two-factor authentication plugin for WordPress.
Use Blank index.php Files
If your website is hosted on a shared server, it’s possible that directory listings may be enabled allowing access to a complete directory listing like you see below. By adding a blank index.php to directories, you’ll be able to prevent browsing.
Move wp-config.php Up One Level
By default, WordPress will refer to the folder above the root when searching for wp-config.php. Given the sensitive nature of this file, it’s a good idea to move it one directory higher making it inaccessible without FTP access.
Here are some links to common resources:
- Open Web Application Security Project (OWASP) for WordPress
- Hardening WordPress at WordPress.org
- Apache security hint and tips
- Security for php
- WP White Security
WordPress security is a highly complicated topic and the effectiveness of many hardening techniques are up for debate. As the owner or administrator of a WordPress website, you need to understand that there is no such thing as 100% secure–it’s just not possible. Instead, your objective is to make the hackers job as difficult as possible in the hopes that they will move on to an easier target. In the event you are the victim or a targeted attack, you can relax knowing that you make regular backups of your entire website.
Has your website ever been hacked? What security measures do you have in place should your website become the target of a hacker? Please let us know in the comments below.