Malicious hackers are always looking for ways into your WordPress site by exploiting vulnerabilities. Having your website hacked is a concern for all WordPress users and online business owners. Keep reading to see what you can do to help hackproof your WordPress website and steps you can take if you get hacked.
A few years ago we moved to this big ole farmhouse on lots of acres of land. We knew there would take some work to get the house and the property tip-top top shape. Security wasn't our biggest concern at first since I had a big beautiful chocolate lab who always had my back. But Rocco was the kind of dog who would bark at a stranger until they were close enough to lick them to death. I found that out the first time a stranger walked up to our door.
See even though I grew up in a suburbs of Pittsburgh, I knew my neighbors, went to school with many of my community and was actively involved in the neighborhood. But being in a strange place, I quickly realized that while most people meant well, there were those who did not. Being proactive is the key to keep things safe and secure while giving you peace of mind that you are protected enough from bad things happening.
With this three-step safety practice: Identify, Protect and Recover, you can have peace of mind too.
1 – Identify Your Needs
The first thing you need to do to keep your WordPress website safe is to identify your asset needs. There are a lot of pieces to your website including domains, hosting, themes and plugins to start. Whether you are having your site developed by a WordPress designer or doing it yourself, these are items you'll need before you can create your website.
Domain names are the way to our online space. Once you pick the perfect business name, you need a domain name to go with it that allows people to find you on the web easily.
To purchase a domain name, you are going to need to do that through a domain name registrar. They are companies that manage the domain names, and they have to be accredited by ICANN (Internet Corporation for Assigned Names and Numbers), which is a non-profit who has is delegated the responsibility to manage the Domain Name System.
There are a few things you want to watch out for when registering your domain name including pricing add-ons, transfer fees (because you may not want to stay with your original registrar forever), customer support and drop catching or auto-renew.
But we're not talking about registering a domain name we're talking about security. So let's discuss some best domain registration practices.
Register your domain name. I've seen some designers and developers who will register the domain name for you. Here's the problem with this: you won't own complete access to the account. Not that every person who does this is shady but think about what would happen if you part ways with this person. Will they give you access?
Protect your privacy. When your personal information is available in the WHOIS database, your risk level rises. By using private registration, you alleviate that risk because anyone searching WHOIS will see the name of your proxy service. Privacy protection also helps to prevent unwanted solicitation or spamming.
It's always a good idea to go with a quality host for the obvious, performance. But it's an even better decision for the simple reason of security.
Your web hosting provider should be as invested as you for the security of your web space. Many of the top hosting account such as Siteground and WPEngine offer applications and tools to keep your site running securely.
For the safest bet, here are some things you want to look for:
- Regular backups and restore points
- Performs regular network monitoring
- 24/7/365 phone or chat support
- Latest SSD hardware including support for PHP7 and HTTP/s
- SSL, Firewall and DDoS prevention
- Employs at least 128 but AES encryption
- Written policies in case of a breach
Once you choose your host, you want to be sure you have access to the file system and database either through SFTP, SSH, PHPMyAdmin or cPanel.
You'll also want to keep this information on hand as part of your web records. When working with a developer or maintenance provider, they'll need access to keep your site in tip-top shape.
Every WordPress install comes with the default theme that is designed to work well with the version of the framework, but many people choose to replace it with one that is more tailored to their business needs. Making that choice is more than the theme being pretty, you need to to be functional, well-coded and kept up-to-date.
When picking a new theme or having a developer to create a new theme for you, you'll want to follow these best practices.
Find a reputable source. WordPress has an official Theme Directory, and there are a few good choices in there including Astra theme. But often a premium theme will be chosen so you want to be sure you read the reviews, support options and terms thoroughly. StudioPress is a premium theme provider, and they do a great job with coding, updates, and support.
Run a security check. Themecheck.org is a service that lets you verify themes for security and code quality. Not only can you check the theme you are interested in using, but you can see others that users have uploaded. If your theme shows up green, you're good to go.
Plugins are what add functionality to your WordPress site, and there are tons out there. If you are adding a shop or member area, you're likely to add a plugin to achieve this. And you'll likely need a plugin for SEO, social sharing and even security.
The WordPress plugin directory is the starting point for most people. It has thousands of plugins available which is great, but it can make the decision for the perfect plugin a little overwhelming. You also have choices from premium plugins (like Gravity Forms) that are not found in the repository.
When choosing a plugin, you need to ask yourself:
- Does the plugin have a large install base, usually found in the number of downloads?
- Are there user reviews and what is the average rating?
- Has the developer actively been supporting and updating the plugin?
- Does the vendor list terms of service or use?
- Which version of WordPress is it compatible with?
- What type of feedback or support questions is being asked?
- Will it enhance the user experience?
You want to stay away from older versions of a plugin or those that may not be compatible with the latest WordPress release. Performance is also a big consideration because a secure plugin doesn't necessarily mean a fast plugin.
2 – Protect
Hackers usually exploit the vulnerabilities of your site like weak passwords, easy to guess admin usernames and outdated securities in your theme or plugins. With a few simple things you can do to maintain [link here] your site, you can save yourself a lot of worries.
The first thing you should do is install a security plugin to help monitor activity and privacy controls on your WordPress website. Two of our favorites are iThemes Security (available in our maintenance package and Shield, a low cost ($24/year) plugin. These plugins help you enable two-step authentication, provide brute force protection, monitor core file changes and some user management options.
The security plugin is not designed to 100% guarantee full proof security, but it does give you peace of mind and eyes on site.
Strong Login Credentials
Securing your WordPress site begins with making sure your credentials are not easy to guess. Never use admin, your site address or other easy to guess names as your username. But even more important is using a strong password for your WordPress user accounts.
There are a lot of password tools available to you including WordPress's option, Secure Password Generator or LastPass also has a generate password feature, and you don't need an account to do that. Try it out now. Try to make your password at least 12 characters long because the longer, the better.
You also want to consider using multi-factor authentication that we mentioned above in the security plugin area. Multi-factor adds another layer like ticking a box, sending a text message or adding in a word or code. The idea is that bots cannot do the second step since they auto-generate random usernames and passwords.
You need to keep your website up to date for the WordPress framework, your theme(s) and plugins. Running updates allows your files to include the most recent version which usually provides security patches and fixes.
By default, every WordPress site has automatic updates enabled for minor core releases and translation files. It is possible to disable these automatic updates, but automatic updates for minor core releases are one of the best ways to guarantee your site stays up to date and secure moving forward. For that reason, disabling automatic updates is strongly discouraged.
Auto-updates don't cover your theme or plugin though, and that is why it's crucial to regularly run the updates or have a maintenance plan in place so that you don't have old files on the server.
Many people overlook the importance of SSL and HTTPS. Even Google changed their rules by marking sites without them unsafe in their search results. HTTPS is not reserved for e-commerce and online shops. The idea behind SSL is to protect your user's information including details they provide on your contact forms.
SSL certificates can be obtained (and added) for free on most web hosts, and there are three types of certificates.
- Extended Validation (EV SSL) requires an extended validation of the business. It validates domain ownership and organization information, plus the legal existence of the organization.
- Organization Validated (OV SSL) validates the domain ownership, plus organization information included in the certificate such as name, city, state, and country.
- Domain Validated (DV SSL) validates the domain is registered, and someone with admin rights is aware of and approves the certificate request.
Appropriately installed your SSL certificate will
- Safer, more secure data transfer between servers, with less chance of interception
- Gives you freedom from security warning messages
- Instantly secures your website and visitors
- Increased trust with customers
3 – Detection and Response
Brute-Force Login Attempts
Brute-force login attempts are automated scripts that are designed to exploit weak user credentials to gain access to your site. Monitoring for these attempts is critical, and you should have policies in place to help guard against them. You can do the following:
- Implement a lock-out policy which will lock someone out for a specified amount of time after some failed login attempts.
- Use a challenge-response test to prevent automated submissions of the login page such as free reCAPTCHA.
- Enforce the use of strong passwords
- Monitoring and notification by your security plugin.
Malicious redirects create a backdoor into your WordPress installation using FTP, wp-admin or other protocols to inject redirection codes into the website. Usually, this happens so that the hacker can use your site to generate advertising impressions.
Generally, the malicious WordPress redirect is detected through the site when a visitor becomes redirected to any other page instead of the page or any website he requested. If any malicious script is added by hackers, it’s often named to look like a legitimate file like that’s the part of WordPress files on the website. A common place to hide these files are your uploads folder, but I've found them in the plugins folder, theme folders, and even the wp-includes core folder.
You’ll need to remove the malicious scripts that cause website redirection to the abusive sites. If you've found you've been hit with the redirects, it's best to hire a developer or WP clean up service since these files can be well hidden.
You've done everything you can to prevent your WordPress site from being hacked. But things happen and so do hacked sites. What to do when you think a hacker has hit your site?
Hire a professional is my best piece of advice but that might not be your first thought. Panic is usually it. It will save you time and heartache to let a professional tackle it from here because there are some things you need to do.
Run A Security Scan
A first step and most times it will come back positive but not always. If you notice things are wonky the first thing to do is stay calm. With proper backups, all is not lost, and it's not the end of the world. There now let's move on.
Restore Your Backup
The reason you have a backup of your site is for additional protection when things go wrong. Nothing is more wrong than having your site hacked. The problem with backups is that if you don't know when this happened, you could be restoring a corrupt version. It's a good idea to contact your host to see what the last backup of your site is too. Often it's a day or a week, but sometimes you get lucky, and they do have an older version.
When running your site backups or having your maintenance provider run backups to be sure that the following applies:
- Have both a database and full site backup of the files.
- The backup copies are reviewed to make sure there is no corruption of data
- Look at your site to make sure nothing is amiss.
- Keep the files off your server so that if something happens on the server end, you have your back files intact
Remove Malicious Code
If a backup is not available or you aren't sure that it too is not corrupted, you'll need to locate the hack to fix it. Part of the fix entails that you'll need to find and remove all of the corrupt files. Start by asking yourself these four questions.
- Are you able to log in to your WordPress dashboard using /wp-admin or wp-login?
- Is your website sending you to other websites?
- Does your website contain illegal links?
- Has Google pinged you and marked your website as insecure?
If you've answered yes to any of those, contact your host to help you find the files that are corrupt or ask them to restore your site to a point you know was good to go.
After removing the malicious files, you also need to reset your SALT keys, review your database and update all passwords. I also recommend that you reinstall your WordPress core file for an extra layer of the fix.
Finding the files and folders and looking to see what also had been affected is not for the faint of heart and it is my opinion that you need to stop and hire someone versed in hack removal.
Google is the most popular and top-ranking search engine so getting blacklisted by them is a big deal. Blacklist means that you're removed from the index or marked with a warning. If Google blacklists your website, it loses about 95% of its organic traffic. Whenever a user visits any blacklisted site, a warning message with a big red splash screen displays warning you that trouble may be ahead.
If you find your website blacklisted by Google, you should follow these steps to remove your site from Google’s Blacklist or remove Google blacklist Warning.
To request a security issue review from Google:
- Navigate to the Security Issues tab in Search Console.
- Review the issues to confirm all the problems are addressed or cleaned.
- Check the box to confirm I have fixed these issues.
- Click Request a Review.
- Fill in the information with as much detail as possible about what steps were taken to clean the site.
Having a safety plan is the first step to good website help but having a recovery plan will ensure you back up and running in no time. Keeping hackers at bay may seem like a lot of work, but with an experiences WordPress maintenance provider it can be taken off your plate and put onto theirs.
What are you doing to keep hackers at bay on your WordPress website