Whilst it’s true that WordPress is a high profile and popular target for hackers, it doesn’t mean you can’t reduce this risk. It’s only liable to be hacked if you’ve not taken necessary steps to secure it, like any other website. In this article I look at some of the things you’ll need to keep an eye on, to prevent a hacked WordPress website. The threat of a hacked website can’t be eliminated completely, but hopefully these steps should reduce the likelihood of it happening.
Keep an eye on the third party stuff
One of the most common points of entry for a hacked WordPress website is a vulnerable third party plugin. It's not that they're necessarily badly written (although they sometimes are); most of the time it's because they're out of date and vulnerabilities have been found in them since. One way I mitigate this, apart from keeping them updated, is to limit the number of plugins I have installed. I also uninstall and completely remove any unused plugins from a WordPress installation, since a deactivated plugin's files are still on the server.
When I need to add a plugin, I always check that it has been maintained recently, at least in the past month, and has a good number of positive reviews. I also look it up on wpvulndb.com to see whether the plugin has a history of vulnerabilities. It's also a useful reference for themes and WordPress core files.
Software updates are important
As mentioned already, it's important to keep on top of WordPress updates. They can be applied manually, and as of WordPress 5.5 plugins can be set to update automatically. I've found it's best to use a WordPress management tool such as InfiniteWP, which allows bulk updating and backups. It's important to have backups to roll back to if anything goes wrong. I've just recently gotten into the idea of using Installatron within cPanel to apply updates and perform backups. It's flexible enough to import existing WordPress sites so that Installatron can manage them. The process is relatively quick and easy, and it can write backups to external storage services such as Google Drive or Dropbox.
Use secure passwords
It goes without saying that a secure password goes a long way towards protecting your website. The built-in password generator helps with this, as does a password manager like LastPass. I also limit the number of administrator-level users: ideally there should be one for development, and possibly one other if the client really needs it. Surprisingly, lots of users still choose insecure passwords, and brute-forcing the login is still a popular method used by attackers, especially if that password has been reused on another website that has since been compromised.
Expect to get hacked, and plan accordingly
If you've used custom PHP code in your theme, make sure it meets security standards, especially if it makes direct database calls. You can usually get by without them, but if you do use them, make sure they go through the $wpdb->prepare() method. As I've already mentioned, you'll need to keep backups of your site. You can also use some of the available wp-config options for extra peace of mind, for example:
// disables editing of theme files within the wordpress admin
define( 'DISALLOW_FILE_EDIT', true );
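To show what "via the prepare method" means in practice, here is an added example (not code from the original post) of a hypothetical theme helper that looks up posts by author slug, first written with string interpolation and then rewritten with $wpdb->prepare(). It assumes it runs inside a loaded WordPress theme where the global $wpdb is available.

```php
<?php
// Added example: the same lookup written unsafely and then hardened.
// Assumes WordPress is loaded (global $wpdb, sanitize_title(), absint()).

// Unsafe: whatever the caller passes lands in the SQL string verbatim, so a
// crafted value can change the structure of the query, not just its data.
function theme_posts_by_author_unsafe( $author_slug ) {
    global $wpdb;
    $sql = "SELECT p.ID, p.post_title
            FROM {$wpdb->posts} p
            JOIN {$wpdb->users} u ON u.ID = p.post_author
            WHERE u.user_nicename = '$author_slug'
              AND p.post_status = 'publish'";
    return $wpdb->get_results( $sql );
}

// Hardened: %s and %d placeholders are filled in by prepare(), which quotes
// and escapes strings and casts numbers, so input can only ever be data.
// sanitize_title() and absint() additionally normalise the values up front.
function theme_posts_by_author( $author_slug, $limit = 10 ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT p.ID, p.post_title
         FROM {$wpdb->posts} p
         JOIN {$wpdb->users} u ON u.ID = p.post_author
         WHERE u.user_nicename = %s
           AND p.post_status = 'publish'
         ORDER BY p.post_date DESC
         LIMIT %d",
        sanitize_title( $author_slug ),
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// Typical call from a template, reading the slug from the query string.
// wp_unslash() undoes WordPress's magic-quote style slashing of $_GET.
$slug = isset( $_GET['author'] ) ? wp_unslash( $_GET['author'] ) : '';
$rows = theme_posts_by_author( $slug, 5 );
foreach ( $rows as $row ) {
    echo esc_html( $row->post_title ), "\n";
}
```

The hardened version also escapes the output with esc_html(), since a title stored in the database is still untrusted when it is rendered.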
Don’t forget your server security
I worked on a WordPress site once before that ended up being hacked. The software was kept up to date. The plugins were all fine. The WordPress core was at its most recent. There were no theme code vulnerabilities. Turned out the site was being hacked via an outdated third party server vulnerability, and they were using that exploit to upload malicious files. Once that server was upgraded, there were no more problems. A vulnerability I only discovered after searching on cvedetails.com. I promptly let the hosting company know…
Whilst on the topic of server setup, you'll also need to consider whether you're on a shared hosting server. Whilst you may have your own site locked down, it takes only one vulnerable website to become a real problem for everyone else on that server. It's worth checking with your web host what processes they have in place to limit the damage an infected website can do on one of their servers. Usually this is done by monitoring the server, locking down or disabling websites that become a problem, and notifying the website owner.
If you're not comfortable with the possibility of that kind of downtime, you'll have to fork out more money for a private, managed server.
A plugin like Wordfence can help with security
There are a few security plugins available for WordPress, but my go-to plugin has always been Wordfence. It has a free and a premium version, both of which have a lot of configurable options: monitoring and scanning of files, IP blocking, two-factor login authentication, blocking an IP after too many failed login attempts, and much more. It's a very powerful tool in your defence against hacking attempts, and installing it will go a long way towards preventing a hacked WordPress website. This could be considered an extra to those plugins I always install on new projects.